Notarizing Filmulator for macOS 10.15 Catalina (Illustrated)

HIRAM · June 12, 2019, 10:27am

App notarization for macOS 10.15 Catalina

Once the .app bundle is deployed codesign (timestamped and with the hardened runtime flag on) and zip it with

codesign --deep --force -v -s "Developer ID Application: Firstname Lastname (XXXXXXXXXX)" -o runtime --timestamp *.app && ditto -c -k --sequesterRsrc --keepParent *app Filmulator.zip

Next you must transport the zip to the mothership (Apple Computer, Inc.)

xcrun altool --notarize-app --primary-bundle-id "com.filmulator" -u "USERNAME" -p "PASSCODE" --file Filmulator.zip

Apple will scan the app for malware.

Once this is complete the app has been notarized and a cryptographic signature called a ticket is generated by the mothership. This process takes a few minutes. Check your status with

xcrun altool --notarization-history 0 -u  "USERNAME" -p "PASSCODE" | head -6 | tail -1

At this point the ticket has been issued certifying that Siri did her due diligence during the malware scan. The ticket is stored in Apple’s servers.

When you launch, the app may contact the mothership to retrieve the ticket if the ticket has not been stapled to the app. Staple the ticket to the app with:

stapler staple *app

Then you can verify the attachment of the ticket:

stapler validate -v *app

It is possible to notarize both .apps and .dmgs. First generate the dmg using your stapled app and codesign it:

sudo hdiutil create -ov -fs HFS+ -srcfolder *.app Filmulator-$(git describe --tags --always)-Qt5.13.dmg && sudo codesign --deep --force -v -s "Developer ID Application: Firstname Lastname (XXXXXXXXXX)" --timestamp *.dmg

zip that and send it off to the mothership

zip Filmulator.dmg.zip *dmg && xcrun altool --notarize-app --primary-bundle-id "com.filmulator" -u "USERNAME" -p "PASSCODE" --file Filmulator.dmg.zip

The .dmg doesn’t take as long as the .app does to notarize. Watch the status again:

xcrun altool --notarization-history 0 -u  "USERNAME" -p "PASSCODE" | head -6 | tail -1

Once this succeeds you may staple and distribute:

sudo stapler staple *dmg

Verify your ticket with:

stapler validate -v *dmg

Automated notarization

github.com

keybase/client/blob/46f5df0aa64ff19198ba7b044bbb7cd907c0be9f/packaging/desktop/package_darwin.sh#L278-L306


      
          # Notarize the dmg
          notarize_dmg() {(
            cd "$out_dir"
            if [ "$skip_notarize" = "1" ]; then
              echo "Skipping notarize..."
              return
            fi
            echo "Uploading $dmg_name to notarization service in $out_dir"
            uuid=`xcrun altool --notarize-app --primary-bundle-id "keybase.notarize" --username "apple-dev@keyba.se" --password "@keychain:notarization" --file "$dmg_name" 2>&1 | grep 'RequestUUID' | awk '{ print $3 }'`
            echo "Successfully uploaded to notarization service, polling for result: $uuid"
            sleep 15
            while :
            do
              fullstatus=`xcrun altool --notarization-info "$uuid" --username "apple-dev@keyba.se" --password "@keychain:notarization" 2>&1`
              status=`echo "$fullstatus" | grep 'Status\:' | awk '{ print $2 }'`
              if [ "$status" = "success" ]; then
                echo "Notarization success"
                xcrun stapler staple "$dmg_name"
                return
              elif [ "$status" = "in" ]; then

This file has been truncated. show original

Hope this has been informative, enjoy your stay in beautiful Santa Catalina Island.

anon41087856 · June 12, 2019, 10:54am

Now tell us, what did you procrastinate ?

mannikon · June 12, 2019, 11:27am

hypnotised by cheese, validated by bart