@nmoinvaz
Last active August 15, 2022 20:45
Cross-Platform macOS Notarization


This workflow requires iTMSTransporter, a cross-platform tool written in Java. The Transporter command line utility uploads app binaries to iTunes Connect. It uses third-party delivery methods called Signiant and Aspera.

https://itunesconnect.apple.com/transporter/1.9.8/iTMSTransporterToolInstaller_1.9.8.exe

https://help.apple.com/itc/transporteruserguide/#/apdAbeb95d60

iTMSTransporter contains several jar files that can be run with Java. They have a self-update mechanism that will update to the latest version of iTMSTransporter.

  1. Create an iTunes Music Store Package (.itmsp directory)
  2. Copy files to upload to .itmsp directory
  3. Generate metadata.xml with correct hashes

```xml
<?xml version="1.0" encoding="UTF-8"?>
<package version="software5.9" xmlns="http://apple.com/itunes/importer">
    <software_assets
        app_platform="osx"
        primary_bundle_identifier="com.xyzco.app">
        <asset type="developer-id-package">
            <data_file>
                <file_name>xyz.dmg</file_name>
                <checksum type="md5">1d6de88ace92f22c815cc9663d902609</checksum>
                <size>2299183</size>
            </data_file>
        </asset>
    </software_assets>
</package>
```

  4. Use the Transporter to upload the package

```
java -jar iTMSTransporter.jar -m upload -u [Apple ID e-mail] -p [Apple App-ID Token] -f [Directory of .itmsp]
```

     Possibly use the -json argument to get a JSON response easily.

  5. Parse response to get upload_id
  6. Check status of upload until the service is finished processing
    1. JSON-RPC request to generateAppleConnectToken
    2. JSON-RPC request to developerIDPlusInfoForPackageWithArguments with upload_id (response contains DevIDPlus)
  7. Request ticket from https://api.apple-cloudkit.com/database/1/com.apple.gk.ticket-delivery/production/public/records/lookup using POST

```json
{"records":[{"recordName":"2/2/4dca04a3465b95866423323d7f3e1e31ad3ac0ef"}]}
```

     Here 4dca04a3465b95866423323d7f3e1e31ad3ac0ef is the cdhash (code directory hash) of the software.

  8. Response returns signedTicket with a base64-encoded ASN.1 signed ticket
  9. Add the signed ticket into the code sign blob of the software. The code sign blob is a super blob; the signed ticket is added to the super blob as a blob wrapper.
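The packaging steps at the start of the list (create the .itmsp directory, copy the asset, generate metadata.xml) can be scripted on any platform. The following is an added example, not code from the gist author or from Apple; the function names `build_itmsp` and `verify_itmsp` are hypothetical, and it assumes the single-asset metadata.xml layout shown above.

```python
import hashlib
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path

NS = "http://apple.com/itunes/importer"  # namespace used by metadata.xml above


def md5_and_size(path):
    """Stream the file so a large disk image is never held in memory."""
    digest, size = hashlib.md5(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
            size += len(chunk)
    return digest.hexdigest(), size


def build_itmsp(asset, bundle_id, out_dir):
    """Hypothetical helper: create <name>.itmsp, copy the asset, write metadata.xml."""
    asset = Path(asset)
    package = Path(out_dir) / (asset.stem + ".itmsp")
    package.mkdir(parents=True, exist_ok=True)
    copied = Path(shutil.copy2(asset, package / asset.name))
    md5, size = md5_and_size(copied)  # hash the copy that will be uploaded

    ET.register_namespace("", NS)  # serialize with a default xmlns, no prefix
    q = lambda tag: f"{{{NS}}}{tag}"
    root = ET.Element(q("package"), {"version": "software5.9"})
    assets = ET.SubElement(root, q("software_assets"), {
        "app_platform": "osx", "primary_bundle_identifier": bundle_id})
    entry = ET.SubElement(assets, q("asset"), {"type": "developer-id-package"})
    data = ET.SubElement(entry, q("data_file"))
    ET.SubElement(data, q("file_name")).text = asset.name
    ET.SubElement(data, q("checksum"), {"type": "md5"}).text = md5
    ET.SubElement(data, q("size")).text = str(size)
    ET.ElementTree(root).write(package / "metadata.xml", encoding="UTF-8", xml_declaration=True)
    return package


def verify_itmsp(package):
    """Re-check every data_file entry against the bytes on disk before upload."""
    root = ET.parse(Path(package) / "metadata.xml").getroot()
    for data in root.iter(f"{{{NS}}}data_file"):
        md5, size = md5_and_size(Path(package) / data.findtext(f"{{{NS}}}file_name"))
        if (md5 != data.findtext(f"{{{NS}}}checksum")
                or size != int(data.findtext(f"{{{NS}}}size"))):
            return False
    return True
```

Running `verify_itmsp` immediately before the upload catches a binary that was re-signed or rebuilt after metadata.xml was generated, which would otherwise leave a stale checksum and size in the package.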

Additional Resources

  1. https://itunespartner.apple.com/en/movies/faq/Transporter_Getting%20Set%20Up
  2. https://help.apple.com/itc/transporteruserguide/
  3. https://developer.apple.com/videos/play/wwdc2015/304/
  4. https://discussions.apple.com/thread/4960669
  5. https://derflounder.wordpress.com/2019/04/10/notarizing-automator-applications/
  6. https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution/customizing_the_notarization_workflow
  7. https://asperasoft.com/
  8. https://www.signiant.com/
  9. https://github.com/pingwinator/ipa2itc/
  10. https://stackoverflow.com/questions/16582119/how-to-use-itmstransporter
@qq5000521
Support on windows, apple has been hidden.
