A summary of Apple's notarization mechanism (Apple Notarization)

Disclaimer: This is the blogger's original article, released under the CC 4.0 BY-SA license; when reproducing it, attach the original source link and this statement.
This link: https://blog.csdn.net/ftpleopard/article/details/102721138

  After Apple's macOS 10.15 upgrade, ordinary users are largely unaffected, but developers are kept busy for a while. Every new Apple release sends developers scrambling; that is a long-standing bad habit.

  This release forces notarization. The old codesign and productsign alone no longer suffice: the signed bundle must also be uploaded to Apple's servers for notarization. Otherwise the user has to right-click and choose "Open" from the menu the first time the app is installed or run, and Apple has also warned that after a certain date unnotarized apps will not run at all, so there is no choice but to go along. The trouble is that domestic blogs and forums have no detailed guide (or maybe there is one and I did not find it).

  Enough preamble; on to the topic.

  First, codesign. Signing is no longer simply the same as before: several parameters must be added. Here is an example for the reader to compare:

sudo codesign -f -o runtime --entitlements {path}/app.entitlements --timestamp --deep -s "Developer ID Application: xxx" -i "com.xxx.abc" "{path}/abc.app" 

If the entitlements are already configured in the project (with Hardened Runtime enabled), "--entitlements {path}/app.entitlements" may be omitted. The "-o runtime" (hardened runtime) and "--timestamp" (secure timestamp) options are the ones notarization requires.

  An app signed this way still works: codesign -vv xxx.app reports no problem, and neither does spctl -a -v xxx.app. Everything looks the same as before (in fact, as we learned later, it is not the same).

  Next, build a pkg with pkgbuild + productbuild. I will not go into detail; it is a bit tedious but not difficult.

  Then sign the pkg with productsign:

productsign --sign "Developer ID Installer: xxx" "from-pkg.pkg" "to-pkg.pkg"

Up to this point the legacy process still applies, with little difference. Now for the notarization mechanism.

1. Send the already signed pkg to Apple for notarization.

xcrun altool --notarize-app --primary-bundle-id "com.xxx.abc" --username "my apple id" --password "app-password" --asc-provider "ProviderShortname" -t osx --file $Base_Path/Output/abc.pkg &> $Base_Path/abc.txt

--primary-bundle-id takes your own app's bundle id; -u or --username takes the Apple ID; -p or --password takes the password. Note that Apple now requires two-factor authentication on the account and an app-specific password here: log in to appleid.apple.com, enable two-factor authentication under Security (that is, more than just receiving a verification code on a phone), and you can then generate an app-specific password. That is the password to use, so the real account password is never exposed. The third argument is the provider, which you look up from the command line:

xcrun altool --list-providers -u "my apple id" -p "app password"

which returns something like:

#ProviderName                   ProviderShortname           WWDRTeamID 
#------------------------------ --------------------------- ---------- 
#abc TECHNOLOGY LIMITED         abcTECHNOLOGYLIMITED        DD12345678 

The provider is needed here because I am not the holder of the app; I am a member of a company's team, so "--asc-provider" takes the team's short name (other parameters achieve the same; search for them yourself). -t or --type is the target platform; -f or --file takes the path to the pkg. All of these options can be listed with

xcrun altool -h

Finally, "&> abc.txt" writes the log (including the UUID) to a file. It usually shows 0 bytes at first; wait quietly for it.

After a successful upload, abc.txt generally contains the following (this only confirms the upload; Apple's verdict arrives later by email, or can be queried with xcrun altool --notarization-info and the UUID):

No errors uploading 'xxx.pkg'.
RequestUUID = xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Other cases fail. I remember that yesterday, using --asc-provider with the team name instead of the short name, the log said I was not in that team. So do print the log and analyze it.

Once notarization has passed, attach (staple) the corresponding ticket:

# attach the ticket
xcrun stapler staple abc.pkg
# check the result verbosely (here you can see that the system downloads an xxx.ticket file into a temporary directory, then ...)
xcrun stapler staple -v  abc.pkg

At this point the pkg is notarized, and in fact the app inside the pkg has been notarized as well (the ticket covers it; note that stapling the pkg does not staple the nested app, so Gatekeeper fetches the app's ticket online, and the app should be stapled separately if it must be accepted offline). Check again:

spctl -a -v abc.app
# the printed result is:
/xxx/abc.app: accepted
source=Notarized Developer ID

# without notarization it should show this instead:
/xxx/abc.app: accepted
source=Developer ID

The same check for the pkg:

spctl -a -v --type install abc.pkg 
# notarized
/xxx/abc.pkg: accepted
source=Notarized Developer ID

# not notarized
/xxx/abc.pkg: rejected
source=Unnotarized Developer ID
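The whole procedure above, collected into one script as an added example (not code from the original post): it signs the app and pkg with the post's commands, uploads with altool, polls --notarization-info until Apple returns a verdict, staples, and then checks the spctl verdict. The helpers that parse altool and spctl output are what makes the script safe to automate, since "No errors uploading" only means the upload worked and stapling before the verdict is "success" fails; they are exercised here on constructed sample outputs shaped like the ones the post shows. The macOS tool calls run only when NOTARIZE_RUN=1 on a Mac with Xcode. Signing identities, the bundle id com.xxx.abc, the keychain item AC_PASSWORD, the environment variables APPLE_ID and ASC_PROVIDER and all paths are placeholders. Apple has since replaced altool's notarization commands with xcrun notarytool (notarytool submit --wait does the upload and polling in one step), but this follows the commands the post uses.

```shell
#!/bin/sh
# Added example, not code from the original post: the post's altool workflow as
# one script. macOS tool calls run only when NOTARIZE_RUN=1 on a Mac with Xcode;
# the parsing helpers run anywhere and are exercised on constructed samples.
# Identities, bundle id, keychain item and paths are placeholders (assumptions).

# Print the RequestUUID from `altool --notarize-app` output read on stdin.
# Prints nothing and returns 1 if there is none (altool then explains on
# lines starting with "*** Error"), so callers can dump the log instead.
altool_request_uuid() {
    uuid=$(sed -n 's/^RequestUUID = \([0-9a-fA-F-]*\).*$/\1/p' | head -n 1)
    case "$uuid" in
        ????????-????-????-????-????????????) printf '%s\n' "$uuid" ;;
        *) return 1 ;;
    esac
}

# Print the ProviderShortname for a WWDR team id from `altool --list-providers`
# output on stdin. ProviderName may contain spaces, so count from the right.
provider_shortname() {
    name=$(awk -v team="$1" 'NR > 2 && $NF == team { print $(NF-1); exit }')
    [ -n "$name" ] && printf '%s\n' "$name"
}

# Print the Status value ("in progress", "success" or "invalid") from
# `altool --notarization-info` output on stdin.
notarization_status() {
    sed -n 's/^ *Status: *\(.*\)$/\1/p' | head -n 1
}

# Succeed only if `spctl -a -v` output on stdin says "accepted" with source
# "Notarized Developer ID"; plain "Developer ID" means signed but no ticket.
spctl_notarized() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q ': accepted$' &&
        printf '%s\n' "$out" | grep -q '^source=Notarized Developer ID$'
}

# The full procedure: sign app, sign pkg, upload, poll, staple, assess.
# The app-specific password comes from a keychain item (created with
# `xcrun altool --store-password-in-keychain-item`), not the command line.
notarize_pipeline() {
    app="$1"; pkg="$2"; log="${3:-notarize.log}"
    pw="@keychain:AC_PASSWORD"
    codesign -f -o runtime --timestamp --deep \
        -s "Developer ID Application: xxx" -i "com.xxx.abc" "$app"
    productsign --sign "Developer ID Installer: xxx" "$pkg" "signed-$pkg"
    xcrun altool --notarize-app --primary-bundle-id "com.xxx.abc" \
        -u "${APPLE_ID:?}" -p "$pw" --asc-provider "${ASC_PROVIDER:?}" \
        -t osx --file "signed-$pkg" > "$log" 2>&1
    uuid=$(altool_request_uuid < "$log") || { cat "$log" >&2; return 1; }
    # Stapling before Apple reports "success" fails, so poll first.
    while :; do
        status=$(xcrun altool --notarization-info "$uuid" \
            -u "$APPLE_ID" -p "$pw" 2>&1 | notarization_status)
        [ "$status" = "in progress" ] || break
        sleep 30
    done
    [ "$status" = "success" ] || { echo "notarization $status" >&2; return 1; }
    xcrun stapler staple "signed-$pkg"
    xcrun stapler validate "signed-$pkg"
    spctl -a -v --type install "signed-$pkg" 2>&1 | spctl_notarized
}

# Constructed sample outputs (not real Apple responses) in the shapes the post
# shows, for exercising the parsers offline.
SAMPLE_UPLOAD_OK="No errors uploading 'abc.pkg'.
RequestUUID = 3f2a9b1c-7d4e-4f0a-9b2c-1e5d6a7b8c9d"
SAMPLE_UPLOAD_FAIL="*** Error: Unable to upload your app for notarization."
SAMPLE_PROVIDERS="ProviderName                   ProviderShortname           WWDRTeamID
------------------------------ --------------------------- ----------
abc TECHNOLOGY LIMITED         abcTECHNOLOGYLIMITED        DD12345678"
SAMPLE_INFO_OK="No errors getting notarization info.
   RequestUUID: 3f2a9b1c-7d4e-4f0a-9b2c-1e5d6a7b8c9d
        Status: success
Status Message: Package Approved"
SAMPLE_SPCTL_OK="/tmp/abc.pkg: accepted
source=Notarized Developer ID"
SAMPLE_SPCTL_BAD="/tmp/abc.pkg: rejected
source=Unnotarized Developer ID"

if [ "${NOTARIZE_RUN:-0}" = "1" ]; then
    # e.g. NOTARIZE_RUN=1 APPLE_ID=... ASC_PROVIDER=... ./notarize.sh abc.app abc.pkg
    notarize_pipeline "$@"
fi
```

The spctl check at the end is the one that matters for release: a pkg that passes codesign and productsign but was never notarized still assesses as "rejected" with "Unnotarized Developer ID", exactly the case the post shows, and the script's exit status reflects that.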

In conclusion:

codesign app --> pkgbuild/productbuild + productsign pkg --> send to Apple's server and get a UUID --> staple the ticket

Also, I am lazy, so I am keeping this as a note to look back at later.
