Tags: xcode, macos, code-signing, software-distribution, notarize

How to notarize an app bundle containing helpers embedded in it?


Does anyone know how to send a Mac application bundle containing embedded helper app bundles to be notarized by Apple? When I try to archive a simple application, everything goes smoothly. The app is archived properly, and I can upload the archive and my app gets notarized in a matter of minutes.

However, when I try to archive an app bundle that contains helper app bundles (built using script phases) and try to automatically sign and notarize my application bundle via the normal, automatic workflow of creating an archive, I am unable to upload the app bundle for notarization. So, what should I do?

Any help is appreciated.


Solution

    Thanks to the new documentation by Apple produced during WWDC 2019, I was finally able to solve this problem, which was not possible before, even after having used a DTS ticket. Basically, if you have a complex bundle and you need to build it automatically using scripts, you CANNOT use the automatic workflow via Archive and then upload the app bundle via the Organizer in Xcode.

    So, for those having this problem now and in the future, here is what solved my problem:

    1) Go to the project navigation panel and click on your project

    2) Go to each of your targets by clicking on Build settings and make the following modifications (enter the word "signing" in the search box, as that narrows down the build settings that show up):

    • Go to Code Signing Identity and on the Release build change Mac Developer (the default value) to your Developer ID Application on your keychain.
    • Go to Code Signing Inject Base Entitlements and on the Release build change Yes (the default value) to No. If you fail to do this, your app bundle will be rejected by the notarization server, as you are allowing code injection into your app, which is needed for debugging, but is a security risk.
    • Go to Code Signing Style and on the Release build change Automatic to Manual. If you fail to do this, proper signing will fail.
    • Go to Other Code Signing Flags and on the Release build add --timestamp. This tells Xcode that you want to add a secure timestamp to your app. If you fail to do this, your app bundle will be rejected by the notarization server.

    3) To build your app for distribution, do the following:

    • Create a new Scheme that includes all targets using Release build settings
    • Click Build (or use Command + B as a keyboard shortcut) and your whole bundle will be properly signed, as long as you follow the inside-out rule (i.e., code at deeper-level directories should be signed first!)

    4) To notarize the app bundle you just created and signed properly, with a valid secure timestamp, you have several options:

    • Create a .dmg disk image and follow the instructions in this answer. However, skip the code signing instructions, as what I explain here covers all the problems and caveats explained there. Alternatively, you can zip and upload the zip file as I explain below:
    • Compress your app bundle to a zip file by using this in Terminal: /usr/bin/ditto -ck --keepParent "*APP_PATH*" "*ZIP_PATH*"

    5) Upload the disk image or zip file by using this in Terminal: xcrun altool --notarize-app --primary-bundle-id "your-primary-bundle-id-here" --username "*your-username*" --password "*your-app-specific-password-here*" --file *your-path-here*. You need to go to your appleid.apple.com account to generate an app-specific password for altool. This is a security measure, so that you do not send your Apple ID password in the clear. You can do that in the Security panel of your Apple ID management account. Do not do anything until you get the confirmation that the upload was successful.

    6) To request the notarization history status, run this in Terminal: xcrun altool --notarization-history 0 -u "*your-account*" -p "*your-app-specific-password-here*". You should see a list of uploads with their respective dates and RequestUUIDs. The latest upload is usually the first on the list.

    7) To request the notarization status, including access to the notarization log file, run this in Terminal: xcrun altool --notarization-info RequestUUID -u "*your-account*".

    8) If you get the status that your app bundle was approved, then you can staple that approval by running this in Terminal: xcrun stapler staple *path-to-your-app-bundle*.
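The following is an added example, not code from the answer above or from Apple: a POSIX sh helper that wraps steps 4 to 8 (ditto, altool upload, status polling, stapler) and, before uploading, checks the two step-2 settings that the answer says cause rejection, namely a leftover com.apple.security.get-task-allow entitlement and a missing secure timestamp. The environment variables NOTARIZE_APP_PATH, NOTARIZE_BUNDLE_ID, NOTARIZE_USERNAME and NOTARIZE_PASSWORD are assumed placeholders, the sample altool and codesign output embedded below is constructed to exercise the parsers, and the check functions assume that `codesign -d --entitlements :-` prints the entitlements plist on stdout and that `codesign -dvv` prints a `Timestamp=` line (on stderr) only when a secure timestamp is present. Note that Apple retired altool's notarization upload in November 2023; the same flow maps onto notarytool, but the commands below follow the answer as written.

```shell
#!/bin/sh
# Added example (not from the original answer). Assumed placeholders:
#   NOTARIZE_APP_PATH   path to the signed .app to notarize
#   NOTARIZE_BUNDLE_ID  value for --primary-bundle-id
#   NOTARIZE_USERNAME / NOTARIZE_PASSWORD  Apple ID and app-specific password

# Step 2 check: with "Inject Base Entitlements" left at Yes, the bundle carries
# com.apple.security.get-task-allow, which the notarization server rejects.
# Reads the plist printed by `codesign -d --entitlements :- App.app` on stdin;
# returns 0 (true) only when the key is present and set to <true/>.
has_get_task_allow() {
  awk '/com\.apple\.security\.get-task-allow/ { pending = 1; next }
       pending && /<true\/>/ { hit = 1; exit }
       { pending = 0 }
       END { if (hit) exit 0; exit 1 }'
}

# Step 2 check: --timestamp in Other Code Signing Flags. Reads the output of
# `codesign -dvv App.app 2>&1` on stdin and succeeds only if a Timestamp= line
# (assumed to be printed only for timestamped signatures) is present.
has_secure_timestamp() {
  grep -q 'Timestamp='
}

# Step 5: pull the RequestUUID out of `altool --notarize-app` output
# (a line of the form "RequestUUID = <uuid>").
extract_request_uuid() {
  sed -n 's/^[[:space:]]*RequestUUID *[=:] *//p' | head -n 1
}

# Step 7: pull the Status field ("success", "in progress" or "invalid") out of
# `altool --notarization-info` output. "Status Code:" and "Status Message:"
# lines do not match because the pattern requires "Status:" directly.
extract_status() {
  sed -n 's/^[[:space:]]*Status: *//p' | head -n 1
}

# Steps 4 to 8 end to end. Refuses to upload a bundle that would be rejected.
notarize_and_staple() {
  app="$1"
  zip="${app%.app}.zip"

  codesign -d --entitlements :- "$app" 2>/dev/null | has_get_task_allow && {
    echo "refusing: get-task-allow entitlement present (set Inject Base Entitlements to No)" >&2
    return 1
  }
  codesign -dvv "$app" 2>&1 | has_secure_timestamp || {
    echo "refusing: no secure timestamp (add --timestamp to Other Code Signing Flags)" >&2
    return 1
  }
  # Verify the inside-out signing of the whole bundle before spending an upload.
  codesign --verify --deep --strict --verbose=2 "$app" || return 1

  /usr/bin/ditto -ck --keepParent "$app" "$zip"
  uuid=$(xcrun altool --notarize-app --primary-bundle-id "$NOTARIZE_BUNDLE_ID" \
           --username "$NOTARIZE_USERNAME" --password "$NOTARIZE_PASSWORD" \
           --file "$zip" 2>&1 | extract_request_uuid)
  [ -n "$uuid" ] || { echo "upload failed: no RequestUUID returned" >&2; return 1; }

  # Poll the notarization status until Apple reports a terminal state.
  status="in progress"
  while [ "$status" = "in progress" ]; do
    sleep 30
    status=$(xcrun altool --notarization-info "$uuid" \
               --username "$NOTARIZE_USERNAME" --password "$NOTARIZE_PASSWORD" 2>&1 | extract_status)
  done
  [ "$status" = "success" ] || { echo "notarization ended with status: $status" >&2; return 1; }
  xcrun stapler staple "$app"
}

# Constructed sample outputs in altool's and codesign's formats, used only to
# exercise the parsers above; the UUID is a made-up placeholder.
SAMPLE_UPLOAD_OUTPUT="No errors uploading MyApp.zip.
RequestUUID = 12345678-ABCD-4321-9876-0123456789AB"
SAMPLE_INFO_OUTPUT="No errors getting notarization info.

   RequestUUID: 12345678-ABCD-4321-9876-0123456789AB
        Status: success
   Status Code: 0
Status Message: Package Approved"
SAMPLE_ENTITLEMENTS='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>com.apple.security.get-task-allow</key>
	<true/>
</dict>
</plist>'

# Only talk to Apple when explicitly asked; sourcing the file just defines helpers.
if [ -n "${NOTARIZE_APP_PATH:-}" ]; then
  notarize_and_staple "$NOTARIZE_APP_PATH"
fi
```

Run it as `NOTARIZE_APP_PATH=/path/to/MyApp.app NOTARIZE_BUNDLE_ID=... NOTARIZE_USERNAME=... NOTARIZE_PASSWORD=... sh notarize.sh`; the pre-flight checks fail fast on the two misconfigurations the answer warns about, so you find out locally instead of waiting for a rejection from the notarization server.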