- What we want is to get a Developer Id https://developer.apple.com/developer-id/ to be able to sign the binaries for distribution.
- The company needs to get an Apple Developer Account Membership for macOS for $99/y https://developer.apple.com/programs/enroll/
- Apple needs a A D-U-N-S® Number to register the account, the person doing the registration will need to get in touch with somebody that knows the legal part.
- The registration could take a couple days
- When done, a certificate can be created for signing, you'll need to sync it with Xcode.
- Now the binary can be signed, and the signature can be verified.
- Wait... There is a new extra step now, called notarization! The idea is that the signed binary is sent to Apple for verification and Apple returns some metadata if success or fail
- This metadata needs to be added to the binary using the stapler tool.
- Then the binary is ready for distribution 🚀
See documentation for creating an app specific password
security add-generic-password -a "username@domain.com" -w REPLACE_WITH_THE_APP_SPECIFIC_PASSWORD -s "NOTARIZATION_PASSWORD"
xcrun altool --notarize-app --primary-bundle-id "com.bundlename.hello" --username "username@domain.com" --password "@keychain:NOTARIZATION_PASSWORD" --file ./the_file_to_notarize.zip
xcrun altool --notarization-history 0 --username "username@domain.com" --password "@keychain:NOTARIZATION_PASSWORD"
Date RequestUUID Status Status Code Status Message
------------------------- ------------------------------------ ------- ----------- ----------------
2019-07-25 16:09:01 +0000 7147b28a-b277-4a7d-ab11-a2fb58239892 success 0 Package Approved
xcrun altool --notarization-info 7147b28a-b277-4a7d-ab11-a2fb58239892 --username "username@domain.com" --password "@keychain:NOTARIZATION_PASSWORD"
2019-07-25 15:34:54.617 altool[60393:556446] No errors getting notarization info.
RequestUUID: 7147b28a-b277-4a7d-ab11-a2fb58239892
Date: 2019-07-25 16:09:01 +0000
Status: success
LogFileURL: <https://osxapps-ssl.itunes.apple.com/itunes-assets/Enigma123/v4/cf/59/3f/cf593.../developer_log.json?accessKey=156425....>
Status Code: 0
Status Message: Package Approved
Note: Check the log file, even if notarization succeeds, because it might contain warnings that you can fix prior to your next submission.
Log File Example
{
"logFormatVersion": 1,
"jobId": "7147b2...",
"status": "Accepted",
"statusSummary": "Ready for distribution",
"statusCode": 0,
"archiveFilename": "MyArchiveNameFile.zip",
"uploadDate": "2019-07-25T16:09:01Z",
"sha256": "77302a5f1e0c1c62a7191d72...",
"ticketContents": [
{
"path": "MyArchiveNameFile.zip/App.dmg",
"digestAlgorithm": "SHA-256",
"cdhash": "e04310bf..."
},
{
"path": "MyArchiveNameFile.zip/Installer.pkg",
"digestAlgorithm": "SHA-1",
"cdhash": "1ad88d..."
}
],
"issues": null
}xcrun stapler staple "File_to_staple"
See common errors: https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution/resolving_common_notarization_issues
You can resolve a few common stapler issues by upgrading your tools. In particular, if you see error -68 on macOS 10.13.x, you can resolve the issue by upgrading to macOS 10.14 or later. Alternatively, run the following command once to clear the Valid cache:
sudo killall -9 trustd; sudo rm /Library/Keychains/crls/valid.sqlite3
Full example (this can take a few minutes depending to the size of the file)
echo "-> Upload file to Apple for Notarize process";
xcrun altool --notarize-app --primary-bundle-id "com.bundlename.hello" --username "username@domain.com" --password "@keychain:NOTARIZATION_PASSWORD" --file "pathtofile"
echo "-> Check status";
xcrun altool --notarization-history 0 --username "username@domain.com" --password "@keychain:NOTARIZATION_PASSWORD"
# Or for a specific id
# xcrun altool --notarization-info REPLACE_WITH_ID --username "username@domain.com" --password "@keychain:NOTARIZATION_PASSWORD"
echo "-> Staple file";
xcrun stapler staple "the_file_to_notarize"An alternative is to use Mortennn/Notarize
For first time setup
- Download latest release https://github.com/Mortennn/Notarize/releases/latest
- Decompress archive
cd ~/Downloads/notarize./install.sh- Done!
What does Mortennn/Notarize actually do? Uses
xcrun altoolto upload the app package to Apple's servers. Waits for the app to be notarized. Checks every 30 seconds. Staples the app package with the generated certificate usingxcrun stapler staple <path>
- Get a Code Signign Certificate multiple options
- Choose between OV and EV certificate
- EV would be the best (if possible), it's more expensive but gets an INSTANT SmartScreen Reputation, the downside is that it's only available with Two Factor Authentication USB key: Private keys are stored on an external hardware token which is required in order to sign code, protecting your certificate from being exported and used by unauthorized personnel.
- See Microsoft doc for more info https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/get-a-code-signing-certificate
- Get the certificate from a provider
- Choose between OV and EV certificate
var path = require('path');
var signcode = require('signcode');
var keytar = require('keytar');
keytar.findPassword('code_signing_password').then(function (pass) {
var options = {
overwrite: true,
cert: path.join(__dirname, 'CodeSigning-Certificate.p12'),
path: path.join(process.argv[2]),
password: pass
};
signcode.sign(options, function (error) {
if (error) {
console.error('!!! Signing failed - ERROR !!!', error.message);
} else {
console.log(options.path + ' is now signed.');
}
});
});
I just went through... literally months of figuring all this stuff out. And this was STILL helpful. Thank you for sharing this!