Apple notarizing for Mojave (10.14) and beyond


    Oct 21 2018 | 12:35 pm
    Apple has made updates in Mojave (10.14) to Gatekeeper, re: app “notarizing,” even for apps outside of the Mac App Store.  Although currently optional, they suggest that Gatekeeper will require notarization in a future Mac OS update:  https://developer.apple.com/developer-id/
    When users on macOS Mojave first open a notarized app, installer package, or disk image, they’ll see a more streamlined Gatekeeper dialog and have confidence that it is not known malware. Note that in an upcoming release of macOS, Gatekeeper will require Developer ID signed software to be notarized by Apple.
    Wondering if anyone has tried to get their Apple Developer ID-signed Max standalone notarized by Apple, and how they did it.  There is some info that Apple provides, that suggests that one has to enable “hardened runtime” status for the app, which seems similar to the entitlements signing required for the App Store, but what I’m concerned about is that the examples Apple provides suggest that one has to do these things within Xcode, which obviously won’t work for standalones created with Max:
    I know it’s early for this stuff, but trying to stay ahead of the Apple curveballs that they continue to throw...

    • Oct 26 2018 | 8:34 pm
      OK, answering my own question here, but hopefully this will help others (or me when I forget how I did it a month from now!). Here are the steps I took for successful Apple Max app Notarization. Note that you need to be running at least Mac OS 10.14 for all of these steps to work (steps 0-5 worked for me on 10.13.6, but not the last step, step 6), as well as Xcode 10.0.
      Step 0)  Remove libmozjs185.dylib from the app bundle. Currently (as of Max 8.0.1), the version of the Javascript library that's used was apparently compiled using an older SDK that Apple objects to. So for now at least, you need to remove this file (and therefore no Javascript will be supported in your app). Hopefully Cycling can address this in a subsequent Max update.
      Step 1)  Codesign the app to enable “Hardened Runtime” status.  Here’s the command I used in the Terminal.  The key change from previous "regular" Developer codesigning is the part at the end, “--options runtime”
      codesign -f -s "Developer ID Application: Daniel Nigrin" /Users/dnigrin/Desktop/MyApp.app --deep --options runtime
      Step 2)  For some reason the Notarizer only works with pkg, dmg or zip files.  So I just wrapped up the .app inside a .dmg, as I would if I were to be distributing it to end-users.  FWIW, I use an app called DropDMG for this, but there are free options too.
      Step 3)  Notarize the package you made in Step 2.  Note that the -u and the -p parameters represent your Apple ID username and password.  I believe there are ways to access your Mac’s keychain for these, but I just put them directly into the Terminal command.  Note that you’re not using your regular Apple ID password for this; I believe you have to first ensure that you have dual factor authentication set up with Apple, and then you have to set up an App-specific password for the Terminal at https://appleid.apple.com .  Once you do that, you use that app-specific password in the Terminal command:
      xcrun altool --notarize-app -f /Users/dnigrin/Desktop/MyApp.dmg --primary-bundle-id com.defectiverecordssoftware.myapp -u xxxxxx@xxxxxxxx.com -p xxxx-xxxx-xxxx-xxxx
      Step 4)  After a bit of time (a few minutes, I guess it’s dependent on your .dmg size and upload speed to Apple), you’ll get a response in the Terminal, and eventually via email too – the email will say whether you’ve been successfully notarized or not:
      2018-10-23 08:56:37.955 altool[28413:6636960] No errors uploading '/Users/dnigrin/Desktop/MyApp.dmg'.
      RequestUUID = 7bce4b12-f52e-46ea-8071-xxxxxxxxxx
      Step 5)  You can also do a validating step in the command line, using the UUID provided above. 
      xcrun altool --notarization-info 7bce4b12-f52e-46ea-8071-xxxxxxxxxx -u xxxxxx@xxxxxxxx.com -p xxxx-xxxx-xxxx-xxxx
      This is useful for debugging too, as the response provides a long URL that points to the log for the entire process. If you're not successful in notarizing, inspection of this log is critical to figure out what went wrong:
      2018-10-23 09:01:55.039 altool[28575:6641949] No errors getting notarization info.
         RequestUUID: 7bce4b12-f52e-46ea-8071-xxxxxxxxxx
                Date: 2018-10-23 12:56:38 +0000
              Status: success
          LogFileURL: https://osxapps-ssl.itunes.apple.com/itunes-assets/Enigma118/v4/19/e7/3e/19e73e6f-4c9d-4814-e5fc-f50dbe125129/developer_log.json?accessKey=1540494114_5933353877481991634_mfV3Cu%2B67wlqwqik7OJSLImkk3LOdbtxnu5cnXIswIoXQqqHiVFlgX9TMQMnzKmLaqaBJABiXJcZRy6ipPojgoyz%2FRpilI1G%2FjPryQnY%2B6%2FHI0nmiBaK1rPQcl8HT6QvtFlvhIp1Vs3LCp%2B%2B34O5k4T%2FY2IGOlv6u <snip>
         Status Code: 0
      Status Message: Package Approved
      Step 6)  The last step is where one “staples” the notarization ticket from Apple to your .dmg, which is how the Mac OS subsequently knows that it’s notarized:
      xcrun stapler staple /Users/dnigrin/Desktop/MyApp.dmg
      Hope this helps. There's a good video overview from a recent Apple WWDC conference that reviews this stuff (plus much more, including explanation of Entitlements, Purpose Strings, etc...) https://developer.apple.com/videos/play/wwdc2018/702/
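      The steps 0-6 above, wrapped into one script as an added example (this is not code from the post or from Cycling '74). Instead of reading the altool output by eye, it parses the RequestUUID and the Status/LogFileURL fields and polls until Apple answers "success" or "invalid", then staples and validates. It assumes the Xcode 10 command line tools, a "Developer ID Application: ..." identity in the login keychain, and the app-specific password stored in a keychain item named AC_PASSWORD (altool reads it with -p "@keychain:AC_PASSWORD", which keeps the password out of your shell history and process list). The identity, bundle id, Apple ID and sample altool output are placeholders constructed for the example.

```shell
#!/bin/sh
# Added example: codesign -> dmg -> altool upload -> poll -> stapler, end to end.
# Placeholders below must be replaced with your own values.

IDENTITY="Developer ID Application: Your Name"   # placeholder
BUNDLE_ID="com.example.myapp"                    # placeholder
APPLE_ID="you@example.com"                       # placeholder
PASSWORD="@keychain:AC_PASSWORD"                 # altool pulls the app-specific password from the keychain

# Pull the RequestUUID out of `altool --notarize-app` output.
extract_request_uuid() {
    printf '%s\n' "$1" | sed -n 's/.*RequestUUID *= *\([0-9a-fA-F-]*\).*/\1/p' | head -n 1
}

# Pull the Status field ("in progress", "success" or "invalid") out of --notarization-info output.
extract_status() {
    printf '%s\n' "$1" | sed -n 's/^ *Status: *\(.*\)$/\1/p' | head -n 1
}

# Pull the LogFileURL, the JSON log that explains any rejection.
extract_log_url() {
    printf '%s\n' "$1" | sed -n 's/^ *LogFileURL: *\(.*\)$/\1/p' | head -n 1
}

# Steps 0-6 of the post. $1 = path/to/MyApp.app; the dmg lands next to it.
notarize_and_staple() {
    app="$1"
    name=$(basename "$app" .app)
    dmg="$(dirname "$app")/$name.dmg"

    # Step 0: drop the dylib the notarizer rejects (no JavaScript support after this).
    find "$app" -name libmozjs185.dylib -delete

    # Step 1: sign with the hardened runtime; --deep also re-signs nested code,
    # --timestamp adds the secure timestamp the notary service expects.
    codesign -f -s "$IDENTITY" --deep --options runtime --timestamp "$app"
    codesign --verify --deep --strict --verbose=2 "$app"

    # Step 2: the notarizer takes dmg/pkg/zip, so build a compressed dmg with hdiutil.
    hdiutil create -volname "$name" -srcfolder "$app" -ov -format UDZO "$dmg"

    # Step 3: upload and capture the RequestUUID.
    out=$(xcrun altool --notarize-app -f "$dmg" --primary-bundle-id "$BUNDLE_ID" \
          -u "$APPLE_ID" -p "$PASSWORD" 2>&1)
    uuid=$(extract_request_uuid "$out")
    [ -n "$uuid" ] || { printf 'upload failed:\n%s\n' "$out" >&2; return 1; }

    # Steps 4-5: poll until Apple reports success or invalid.
    while :; do
        sleep 30
        info=$(xcrun altool --notarization-info "$uuid" -u "$APPLE_ID" -p "$PASSWORD" 2>&1)
        case "$(extract_status "$info")" in
            success) break ;;
            invalid) printf 'rejected; read the log: %s\n' "$(extract_log_url "$info")" >&2; return 1 ;;
            *)       ;;   # "in progress" or a transient error: keep polling
        esac
    done

    # Step 6: staple the ticket to the dmg and confirm it stuck.
    xcrun stapler staple "$dmg"
    xcrun stapler validate "$dmg"
}

# Constructed sample output, shaped like the real altool output quoted in the post,
# so the parsers can be exercised without an Apple ID. The UUID and URL are fake.
SAMPLE_NOTARIZE_OUT="2018-10-23 08:56:37.955 altool[28413:6636960] No errors uploading '/tmp/MyApp.dmg'.
RequestUUID = 00000000-1111-2222-3333-444444444444"

SAMPLE_INFO_OUT="2018-10-23 09:01:55.039 altool[28575:6641949] No errors getting notarization info.
   RequestUUID: 00000000-1111-2222-3333-444444444444
          Date: 2018-10-23 12:56:38 +0000
        Status: success
    LogFileURL: https://example.invalid/developer_log.json
   Status Code: 0
Status Message: Package Approved"

# Usage: sh notarize.sh run /path/to/MyApp.app
if [ "${1:-}" = "run" ]; then
    notarize_and_staple "$2"
fi
```

      The poll loop deliberately keeps waiting on anything other than "success" or "invalid", because a momentary network error from altool looks like an empty status and should not be treated as a rejection.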
    • Nov 18 2018 | 8:40 pm
      Dan, you are amazing. Haven't tried it yet, but I would have never figured this out on my own. How did you do it!?
      Tim
    • Nov 19 2018 | 4:13 am
      I wonder if they will one day manage to (legally or technically) completely forbid third parties from avoiding Gatekeeper when installing stuff (aka symlink installer).
      From that day on I will no longer call macOS an operating system.
    • Nov 19 2018 | 12:55 pm
      @Tim - you're very kind, thank you! Basically just a lot of Googling, poring over Apple published info, and trial and error! If you do try it, please report back with your experience. As with the collective Max community's experience with getting Mac App Store apps approved, we definitely do better when we aggregate everyone's info!
      @Roman - only time will tell. Agree that that would be a sad day though....
    • Nov 19 2018 | 2:28 pm
      That will be the day to switch to Linux... Though there is little hope for a Linux port of Max after Ableton took over...:-(
    • Nov 19 2018 | 11:07 pm
      I'll mess with this at some point, but for now, I'll keep working in Xcode. The relationship between Max and Apple is too tenuous for my comfort.