Apple notarizing for Mojave (10.14) and beyond

Dan Nigrin's icon

Uh oh - this time a bad news update. So I got access to a Cortana beta machine, and tried downloading the same .dmg I referenced above, and this time I got "...can't be opened because its integrity cannot be verified. This software needs to be updated. Contact the developer for more information." - with only options being Move to Trash and Cancel. This was after double-clicking the app.

If instead I right click and choose Open, I *can* open it from there however.

But this has all got me nervous, because it suggests that the original codesigning, even after notarizing that existing .dmg, is not being respected by the new OS, on a machine that has never seen the app before....

Dan Nigrin's icon

Phew, false alarm - there was something funky with the .dmg I tried with, going back to even the un-notarized one, I now realize that on a 10.13 system it has problems too. Weird that this didn't come up the first time I tried it the other day...

Anyway, I tried again with a known good .dmg, successfully notarized and stapled, and this time it works fine on a Catalina beta system that's never seen that .dmg or .app before. What's odd though is that I *don't* get the warm and fuzzy "Apple has checked this software..." message, and instead just get the "you downloaded this from the Internet, are you OK with opening" message. Anyway, it does open fine, and works normally. So all good - for now at least!

Dan Nigrin's icon

And one last message to maybe help other people working their way through this stuff - after notarizing and stapling another existing .dmg I had, that contained a previously signed .app - this time I went to the Catalina system, and downloaded the existing .dmg - meaning the un-notarized one. Guess what - it worked!

I then did the same process with yet another .dmg, but this time, before I double-clicked the app on Catalina to run it - I turned off all networking. So no access to the Internet. You guessed it - the app wasn't allowed to launch. Reconnecting the computer to the Internet and trying again then allowed it to run.

So bottom line - it seems that all notarizing does is get your app's bundleid "registered" with Apple, such that any use of that app moving forward is allowed, regardless of when it was installed, etc...

Arvid Tomayko's icon

Excellent work Dan!

So bottom line - it seems that all notarizing does is get your app's bundleid "registered" with Apple, such that any use of that app moving forward is allowed, regardless of when it was installed, etc...

That is how I understand it too. So one note to users might be that if you are using the app on a machine that is going to be offline you need to run it at least once before going offline. But then again, how often are any of us even truly offline these days??? :-)

Dan Nigrin's icon

Actually, I believe that if codesigning an app and bundle with hardened runtime (unlike what we're doing now), I think that the app itself gets signed in some way, such that it will be approved in offline situations? I thought I remembered reading something along these lines on an Apple site somewhere.

Anyway, I'm sure all of this stuff will become clearer as things progress.

Ernest's icon

Thanks very much for all the current info. I haven't done this developer thing for 15 years, so please forgive the stupid question: what is 'stapling' and when do I have to do it?

Also, is it really necessary to run applications from the applications folder now? I'd rather just let the app reside with the data file in a folder of the user's choosing.

Dan Nigrin's icon

Perhaps the best initial place to start is here: https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution

One doesn't *have* to run applications from the Applications folder I don't believe, but by this point most end-users expect that that's where they ought to reside...

Ernest's icon

thanks )

Ernest's icon

I'm just as far as code signing with Max8.08 and Mojave 10.14.6, and Im already stuck, sorry. It odes appear to work with following -v message.

Husserl21_mojave ernestmeyer$ codesign -f -s "3rd Party Mac Developer Application: ernest meyer (LVHXCU7VYT)" -v -d /Users/ernestmeyer/Desktop/Husserl21_mojave/_Husserl20.app 
Executable=/Users/ernestmeyer/Desktop/Husserl21_mojave/_Husserl20.app/Contents/MacOS/_Husserl20
Identifier=Max Runtime NOCEF
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=124049 flags=0x0(none) hashes=3872+2 location=embedded
Signature size=8911
Timestamp=Aug 2, 2019 at 1:39:06 PM
Info.plist=not bound
TeamIdentifier=GBXXCFCVW5
Sealed Resources=none
Internal requirements count=1 size=180

However when I inspect the result with RB App Checker Lite 1.15 it reports:

Raw assessment: { damaged = "/Users/ernestmeyer/Desktop/Husserl21_mojave/_Husserl20.app/: code has no resources but signature indicates they must be present"; }

What do I do next?




Ernest's icon

You know, it's been two years since High Sierra was released, since when Cycling74 has sold a new software version, and building standalone still doesn't work properly on it without spending at least a month fiddling with it. When Max 8 first came out, I thought, well I better wait a few releases before asking for standalone that work on High Sierra. Now that's two operating systems ago. I must confess, after 10 years of exactly the same experience on this platform, I'm regret to say, today, I started to lose faith it will ever be any better, and Im really thinking of just writing c++ instead. So Im going to download JUCE again and see if I can build a working MacOS executable before Cycling74 supports Catalina. It's beginning to seem like a better use of time.

Dan Nigrin's icon

Hi Ernest,

To just codesign an app, forgetting about "hardened runtime" for now, the command is very straightforward:

codesign -f -s "Developer ID Application: Daniel Nigrin" /Users/dnigrin/Desktop/MyApp.app --deep

I'm not sure in looking at your example you specified the --deep flag? I'm guessing that's responsible for all of the problems that were then shown in the report?

Ernest's icon

THANKS SO MUCH! My bad, I thought -d and --deep were the same thing, and I haven't yet found docs on it for 10.14.6 which returns totally different messages than shown by tutorial video or above, so I can empathize with everyone's problems now. I was prompted for admin password eight times, then it said 'replacing existing signature.' RB App Checker Lite now tells me the 'application may still run if opened explicitly' but is not notarized, shown below.

My understanding is that notarization will fail because I am not saving data to an approved location in iCloud. Does Max have a way for me to find the user's ~/Documents folder or home path? I looked everywhere in the docs and I can't find anything on it.




Dan Nigrin's icon

Notarization is failing because you haven't notarized yet - refer to steps 2 - 6 at the beginning of the thread...

Ernest's icon

Yes, I am about to start notarization, but first, I am wanting to stop it failing because I am currently saving user program data to the same directory as the app, because, that's the path you get from 'thispatcher' when you send it a 'path' message in standalone now. So it won't pass notarization, and to my understanding, it's now necessary to save user data to a directory which is backed up by iCloud (but not audio data because it rejects apps if they try to save too much data to iCloud.' I can wait til Monday if you're working weekends )

Dan Nigrin's icon

You don't have to save data to a directory that is backed up by iCloud. You are not permitted to write to the app bundle itself though, or to the Applications folder.

What has and still works for me is to write to the Application Support folder. In the standalone object, in your top-level patch, if you specify YourAppName in the "Preferences File Name" attribute, it will create a folder for you at ~/Library/Application Support/YourAppName/ . You can then use that to save files to.

Ernest's icon

ok, I'll have to try that that. It means putting the initial data for the user somewhere inside the bundle, and on startup checking if the ~/Library/Application Support/YourAppName/ folder is empty, of so, copying data to it and using it, otherwise, reading the data from there. Its going to take a little time to set up. Do you use Javascript for your file operations?

Ernest's icon

FYI, the codesign above still does not open on Mojave 10.14.6, only instead of saying it is damaged, it says it needs to be updated.


So then it appears to be true that code signing is not sufficient any more FOR FIRST TIME SIGNERS, as reported on Apple's developer site, it says this when I request a certificate now:


It's possible others are not aware of this requirement because they are not newly registered developers.

Dan Nigrin's icon

Re: the app not opening - does the machine you are trying to open it on have Internet access when you open it? It'll need that. Also, have you notarized and stapled the .dmg or .zip file before trying?

Dan Nigrin's icon

Also wild guess - it shouldn't matter, but maybe the leading underscore character is messing things up?

Dan Nigrin's icon

Re: your approach for data - what you outlined above should work.

I use Javascript in some instances, but I also rely on some of Jasch's externals, createfolder and getpaths: http://www.jasch.ch/dl/

AudioMatt's icon

Dan, you're a saint for dealing with this BS for everyone.

Ernest's icon

remove the underscore? I will try but I don't think that makes a difference. When I download the developer ID certificate, a message appears on the Apple website saying I still have to notarize it, like this:

So its doing exactly what Apple says will happen.

Dan Nigrin's icon

Yeah, don't remove the underscore first, that's only a "last resort" kind of thing!

So yes then - why don't you proceed with the notarization and stapling steps, after the codesigning ? That should get you there I think. The steps posted at the beginning of this thread are all still valid and correct, except for step #1, which now should have the "--options runtime" portion removed. That means that our apps will not be "hardened runtime" yet, but for the moment Apple is allowing that. And Cycling is looking into getting that to work at some point as well...

Dan Nigrin's icon

@AudioMatt - thanks but far from a saint, trust me! And I view this stuff as collective learning; it's all still very new for everyone, and each new case that fails or succeeds hopefully teaches us all something about the process...

For example - in reading through that Apple screenshot above, I'm wondering if Apple is making a distinction between newly issued Developer ID Certificates vs. existing ones, in terms of allowing apps to be notarized without the hardened runtime status? Hopefully Ernest's case will let us know!

Ernest's icon

The .maxpat, windows .exe. and macOs .app all have files in different places found in different ways. So I have to check if the user data exists on load, replace the data from default file if not, for which, it queries whether it's a standalone or not, queries what the operating system is, builds a different path for each with regular expressions, reload the maxpat to check it works, delete the data file and see if it replaces it properly, reload it to check it loads any user data changes, run the make on macOS and windows machines, add missing files from the windows build again, check the windows build works, run scripts for Apple, upload it, download it, and repeat all the checks all over again. And there is no working example of any of it anywhere, and to be sure it all works, there are so many steps I am going to need to mark up a printed spreadsheet checklist, or I will get confused and skip a step by mistake . Thanks again for your help.

Dan Nigrin's icon

It's beyond the scope of this thread - but yes, there's lots of details to attend to for this stuff! The messy and tedious business of developing multi-platform standalones I'm afraid....

Ernest's icon

Yah. First I will just delete the user data stuff altogether and see if I can get it notarized at all. Couple more hours on that first.

Ernest's icon

ok, it passed notarization, and after uploading, downloading, and double-clicking, Gatekeeper lets it run, but then just the icon sits in the beltstrap and the patch window doesn't open, no menu, nothing. Unlike prior experience, the app worked fine after successful codesign, with the --deep (not -d) option. Then it passed notarization tests, but after stapling, it doesn't work.

I did notice the CEF files are still included in 8.08, even if the standalone says not to include them. Should I try removing the CEF files?

Ernest's icon

Aha. Figured out a workaround for new developers on 8.08

1: codesign .app file with --deep option
2. Put in zip file and Notarize it.
3. THROW IT OUT. the process of notarization destroys the file. But you are now a notarized developer!
4 codesign the original file with --deep option AGAIN. DO NOT NOTARIZE THE SECOND TIME.

Now you can distribute it independently and it works, because you've already been recognized as a notarized developer, the second time, you can just codesign it. Of course there's no way of getting it on the Mac store, and it doesn't open files from unapproved file locations which is the next problem I have to solve. Good night. Sorry for crosspost.

Dan Nigrin's icon

Congrats! That said I'm not sure I fully understand why the notarization step caused the app to stop working - to my knowledge, notarization only makes changes to things on Apple's side, and not on the app or the dmg or zip. Also to clarify, notarizing specifies that the app/package is notarized, not that the developer is notarized. But all of this stuff is quite murky, so if you've found a way to make it work, that's all that matters!

Ernest's icon

I'm still not sure exactly what it is, but maybe it's the stapling. Anyway, Im waiting for the production release of Catalina before making any more standalones. Regarding file access, I can now read, but not write files, so.I made a save-disabled version for Macs. You've been a champ, Dam, thanks very much.

Dan Nigrin's icon

Just to confirm - you are NOT using the "--options runtime" option when you codesign, correct? That's what enables hardened runtime status, and as you can see from earlier in this thread, that's what has broken other people's standalones, at least with Max as it exists currently. We are not currently required to include that for notarization and stapling, as Apple has at least temporarily relaxed its standard, prior to Cortana release.

So just double-checking on that....

Ernest's icon

Hi Dan, sorry not to give you complete info, here is what I did. I also needed the -v option on the codesign cmd to get it to work, which I think verifies the timestamp (which is a new stated requirement), but as mentioned I can't find complete docs on the command options so Im not sure. The directions stated I only needed the sudo command if I have an older version of Xcode installed too, but I still needed to run the sudo command first. Also I ran the codesign on the .app package, but I couldn't notarize the built .app directly, so I put it in a zip file, that reported success from notarization, then I unzipped it and ran stapler on the contents, as directed above. I wasn't planning to make a .dmg installer, but if there are instructions how to do that for a max build somewhere, of course I could add that too. Also I tried skipping the stapler step, and as suspected, its the stapling which is corrupting the file. So I shared it without stapling. there's no guarantee that won't later be rejected by Apple as stapling was stated to be a requirement, whatever it is.

sudo xcode-select -s full-path-to-xcode 
codesign -f -s "Developer ID Application: certificate-name-and-number-in-parentheses-as-per-instructions"  full-path-and-filename -v --deep

xcrun altool --notarize-app --primary-bundle-id "arbitrary-id" --username "my-Apple-id" --password "function-generated-pwd-as-per-instructions" --file full-path-and-filename 
xcrun stapler staple  full-path-and-filename 

Dan Nigrin's icon

Unsure why you're having trouble with the codesigning/notarizing/stapling then affecting your app functioning, that all seems correct on quick glance.

BTW, the -v option just means "verbose" - it will give you more info when it does its processing.

Ernest's icon

Well, when I didn't have the -v option, the os only asked for admin username and password in a popup window once, and the result did not include my certificate. Sp I added the -v option to see what was going on, then, it asked for my Apple ID and password five times and the result was successfully codesigned, but it still did not pass Mojave or Catalina beta gatekeeper until also notarized. I don't have High Sierra installed currently. Since then I just run with -v option and it works fine.

Ernest's icon

HI Dan, I did get kind of a reply from C74 that I 'just need to add the right entitlements' to write files. I looked through the entitlements page, but I couldn't figure it out exactly how to do that without doing a lot more experimentation, and now I am due for heart surgery in a couple of days, I have to drop finishing my two years work for macos and offer Windows only, my remaining time will basically be deleting all my Apple apps from my website. Maybe someone else will want to figure it out now, but as Apple will require hardened runtimes in January, it only makes a difference for a few months. Wishing you happy patching in your own future, cheerio.

Dan Nigrin's icon

Most importantly, good luck with your heart surgery!

Re: writing files entitlement, this is what I use:

com.apple.security.files.user-selected.read-write

Perhaps that helps for you...

Ben Bracken's icon

Just to clarify, the Max Runtime (which is included in all Max Standalones) is built with "Hardened Runtime" enabled, so there is no other action required related to this aspect of the new Apple requirements when building Max Standalone applications on MacOS. However, you will need to sign, notarize and staple your standalone yourself if you wish to pass these new requirements. You can read more about general Catalina support (and Standalones) here:
https://cycling74.com/articles/max-8-1-mac-os-10-15-catalina-support-and-notarization/

Dan Nigrin's icon

Thanks Ben!

Christophe Duquesne's icon

Hello
I'm Christophe Duquesne from Haken Audio and our Continuum Editor is quite a huge Max patch (see here https://www.hakenaudio.com/sound-engine ).
Thanks a lot for all the great info and help in this thread (we went through pretty much all the issues raised here...).
After a lot of tries and fails, we finally manage to get a Notarized “Hardened Runtime”, and since I would never never have managed to get it working without the help I found here I thought it was fair sharing the result we ended with, if it can help others ... So here it is (also as in an attached pdf file ):

Add a standalone object to your patch, set a Bundle Identifier to something like com.yourCompany.yourAppName and of course also create one in your https://developer.apple.com/ (so you need to pay for an Apple developer license).

In the standalone also update the icon path to the proper MacOS Application Icon, and any other info you may need.

Then generate the app standalone

codesign -s [Developer ID] --options runtime --timestamp --deep --entitlements [path/to file.entitlements] -f [path/to/YourAppStandalone.app]

[Developer ID] usually looks like "Developer ID Application: YourName (a number)"

For an application like ours, doing only Midi (no audio, but still requires com.apple.security.device.audio-input ) the minimum file.entitlements file content shall be

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>com.apple.security.device.audio-input</key>
        <true/>
        <key>com.apple.security.cs.disable-library-validation</key>
        <true/>
    </dict>
</plist>

Note that with wrong entitlements, the app may crash, or have weird behavior, so to make sure test it after codesigning it, to stay on the safe side …. If it does not work anymore, then you need additional entitlement (check here, end of the pot, for more https://cycling74.com/articles/max-8-1-mac-os-10-15-catalina-support-and-notarization )

In our case we have extra files (presets, documentation, firmware for the Continuum, etc.) associated to the Max standalone app. But you have to manage this with care due to apple Quarantine and Translocation mechanism.

So first put all your associated files in a folder and Zip it (but don’t put the app standalone in it). In a folder (let’s call it Folder for DMG ) put the Zip and the app standalone.

Your users will have 1) to open a DMG 2) to put the Zip somewhere on their disk and unzip it 3) to manually move the app standalone in the resulting folder (if not moved manually, for example if you move it within a folder… it will be translocated and will not be able to access to external files).

Build the DMG with

hdiutil create -ov -scrub -srcfolder [path/to/Folder for DMG] -volname [your Volume Name] [path/to/XXX.dmg]

For the Notarization, you will need an app specific Apple password (it looks like «abcd-efgh-ijkl-mnop») (see here to get such a password https://support.apple.com/en-mk/HT204397 )

Now you can Notarize

xcrun altool --notarize-app -t osx -primary-bundle-id [YourBundleId, the one you put in the standalone object] -u [Your AppleId: the mail you use to connect to apple developpers] -p [your app specific password looking like abcd-efgh-ijkl-mnop] -f [path/to/XXX.dmg]

It will take time since it will first upload the dmg to Apple (so depending on your bandwidth and the size of your app, that can be really long).

You should finaly get an answer like: RequestUUID = 1cc1503c-c04a-407c-a3ff-dd5354ee29cb

This only means that your request was submitted, you still need to wait for the validation: you can either wait for a mail that Apple will send you, either check the progress with :

xcrun altool --notarization-history 0 -u [Your AppleId: the mail you use to connect to apple developpers] -p [your app specific password looking like abcd-efgh-ijkl-mnop]

Wait for the mail or something like :

Date                      RequestUUID                          Status      Status Code Status Message   
------------------------- ------------------------------------ ----------- ----------- ---------------- 
2019-11-11 12:52:05 +0000 1cc1503c-c04a-407c-a3ff-dd5354ee29cb success     0           Package Approved 

Then you can staple the DMG with:

xcrun stapler staple -v [path/to/XXX.dmg]

You are done… you can send your XXX.dmg to your users !!!

Generate Notarizd-Hardened MacOS Max App.pdf
application/pdf 194.21 KB
Generate Notarized-Hardened MacOS Max App

Dan Nigrin's icon

Excellent work! Congrats Christophe and thanks for sharing.

And thank you for posting the Cycling link as well, as there's important info there (especially the addendum re: the various entitlements, I believe that was the major problem we were all having before with our hardened runtime codesigned apps not working properly, that we were not including the appropriate entitlements.) https://cycling74.com/articles/max-8-1-mac-os-10-15-catalina-support-and-notarization

I too have had success with getting a hardened runtime standalone working correctly, distributed over the web as a .dmg, using the instructions at the link above, which essentially cover the same ground as you I believe.

Josep Garces's icon

Hi, first of all, thank you for all of you who are sharing the knowledge. I'm working also with a huge patch www.liveloop.live and I've managed to successfully notarize a Standalone, but it won't work. The problem is when I code sign it with the entitlements which are necessary for my app, the app won't even open after code sign it. If I code sign it again without the entitlements, then it will open. What might be the problem?

I created the entitlements with the latest version of Xcode and I share the entitlements file:
https://www.dropbox.com/s/c5go825jsdliawg/entitlements.plist?dl=0

This are the entitlements list I use:
com.apple.security.app-sandbox
com.apple.developer.networking.wifi-info
com.apple.security.cs.disable-library-validation
com.apple.security.cs.allow-dyld-environment-variables
com.apple.security.cs.allow-jit
com.apple.security.cs.allow-unsigned-executable-memory
com.apple.security.automation.apple-events
com.apple.security.device.audio-input
com.apple.security.device.microphone
com.apple.security.device.usb
com.apple.security.files.user-selected.read-write
com.apple.security.files.downloads.read-write
Inter-App Audio-enabled apps

Than you very much!

Christophe Duquesne's icon

Hello Josep
I think you are putting too much entitlements (and I had issues with the com.apple.security.app-sandbox that you are using). You need to identify the minimal set of entitlements you need so your app still runs after code signing (I did it sequentially to be sure: codesign, test, if Ok remove one entitlement, codesign again, if it still runs you can forget this entitlement, if not you need it...). But, of course, that requires that you identify a set that works, and the final set you need is depending on what your app is doing.

The entitlement I use is limited to

com.apple.security.device.audio-input
com.apple.security.cs.disable-library-validation

Once you are done with entitlements and code signing, then you can go to notarization

Ernest's icon

I found the app worked before stapling, but not after. Without stapling Apple won't accept it. I did try saying this before but I was blown off.

Josep Garces's icon

Hello Christophe,
Thank you for your reply. I did further tests and I found out that the problem is by the entitlements com.apple.developer.networking.wifi-info

I need wifi access for my app to run properly and in the apple site is said "To add this entitlement to your app, enable the Access WiFi Information capability in Xcode"
https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_developer_networking_wifi-info?language=objc

After reading https://medium.com/better-programming/wifi-permission-changes-for-ios-12-1-iphone-x-and-other-devices-c313e24f90ae , I added the following capabilities at App ID configuration:
Associated Domains
Custom Network Protocol
Network Extensions

I did not find Access Wifi Information at the capabilities.

I did download again the profile file and still not working when I code sign with the wifi capabilities.

Any clue how to solve this?

Josep Garces's icon

Another problem I found after codesigning with entitlements, I need to read and write files and even if I added the following entitlements, it does not read or write in any file. The location of the file is Library/Application Support/MyAPP/set.txt

Dan Nigrin's icon

Just some quick feedback @Josep.

I agree with Christophe, that you need to significantly limit the entitlements you are using. Comments on two specific one:

- com.apple.security.app-sandbox - this is needed for apps being sold on the Mac App Store, and definitely shouldn't be necessary for any app not being sold on the store.

- com.apple.developer.networking.wifi-info - if your app simply needs internet access (via wifi or otherwise), I really don't think you need this entitlement. It's for finding out info *about* the wifi settings, and not just using wifi to access the internet.

Finally, re: read/write of files, the path you list is a system path, which is generally not allowed for apps to write to, as opposed to the user-specific location, which my notarized app signs to successfully: ~/Library/Application Support/MyAPP/set.txt

Josep Garces's icon

Thank you Dan,

In fact, you where right, I removed com.apple.security.app-sandbox, com.apple.developer.networking.wifi-info and the standalone has access to internet and also it can access to ~/Library/Application Support/MyAPP/set.txt

I had aded sandbox in the entitlements because i would like to add my app at Apple Store, but seems another difficulty.

For the moment seems to work properly, I need to make further test with another computer. I will update here if I encounter more problems.

Thank you very much for this community, I could not have figure out how to notarize the up by myself.

Code & Love

www.liveloop.live

Dan Nigrin's icon

Thanks @Josep - I haven't tried recently to submit to the Mac Apple Store, but another well-versed person in that task (@James Howard Young) has recently had some trouble with the current version of Max, and he had to downgrade - see the end of this thread.

Let us know your experience (perhaps in that thread rather than this one to not confuse things)...

Dan Nigrin's icon

Looks like Apple has set Feb 3, 2020 as the date by which hardened runtime will be required for notarization: https://developer.apple.com/news/?id=12232019a

Josep Garces's icon

NO SOUND:
While code signing,I had an error with "libmozjs185_impl.dylib.cstemp " which I deleted (I don't think this is the problem with the sound because I have sound on my computer running mojave, but didn't work on another laptop with catalina.

I successfully codesigned with the following entitlements:

com.apple.security.cs.disable-library-validation
com.apple.security.cs.allow-dyld-environment-variables
com.apple.security.cs.allow-jit
com.apple.security.cs.allow-unsigned-executable-memory
com.apple.security.automation.apple-events
com.apple.security.device.audio-input
com.apple.security.device.microphone
com.apple.security.device.usb
com.apple.security.files.user-selected.read-write

I made a pkg with Packages and successfully notarized it.

The app installed with no problem, I can open amxd and vst devices, I could connect midi controllers through USB and seems to work well but I have NO SOUND at all.

Would you suggest what's the reason for others entitlement to work but not the sound?

Dan Nigrin's icon

Can't really think of anything...

Are you using the built-in audio, or an audio interface that's on firewire or something? Any errors in the Max window?

Josep Garces's icon

Hi @Dan!
I've done further tests and still I have not find the problem of the audio. I tried with built-in audio and also audio interface and works. In the Max window does not show any errors. I checked the log file after notarizing and I've got many issues with severity warnings about all the .mxo that are in the bundle. Below you can find the example of ad_coreaudio.mxo which is mention that is not signed neither time stamp. I'm not sure if that's the problem because I would suspect that none .mxo would work but the app seems to work normally except the audio signal.

{
"severity": "warning",
"code": null,
"path": "LiveLoop_Pro_Broken_Test.pkg/LiveLoop_Pro.pkg Contents/Payload/Applications/LiveLoop Pro.app/Contents/Resources/C74/externals/ad/ad_coreaudio.mxo/Contents/MacOS/ad_coreaudio",
"message": "The binary is not signed.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "warning",
"code": null,
"path": "LiveLoop_Pro_Broken_Test.pkg/LiveLoop_Pro.pkg Contents/Payload/Applications/LiveLoop Pro.app/Contents/Resources/C74/externals/ad/ad_coreaudio.mxo/Contents/MacOS/ad_coreaudio",
"message": "The signature does not include a secure timestamp.",
"docUrl": null,
"architecture": "x86_64"
},


We need to keep in mind that after February 3rd, this issues will generate a problem, so I'm afraid we have to code sign all the .mxo (please, let me know if I'm wrong as I really wish I'm wrong because this is a lot of extra work)

So I have now code sign and drop all the .mxo to code sign all at once (+700) and I'm now testing whether this is the problem. FINGERS CROSSED!

Dan Nigrin's icon

Hi Josep. Did you use the '--timestamp', '--deep' and '-f' flags when codesigning? If not, that would account for all the warnings above that you showed... If you did use them, then not sure why they weren't signed?

Also, where did you see all the warnings above when codesigning?

Josep Garces's icon

I sign with the following code:
codesign -s "ID APPLICATION (XXXXXXXXXX)" --options runtime --timestamp --deep --entitlements /PATH/TO/entitlements.plist -f /PATH/TO/MYAPP

The warnings above are in the log url that appears after notarizing.

Dan Nigrin's icon

Interesting - that seems like exactly the process I use, but I haven't looked at the log URL in a while, when I otherwise get no warnings in the Terminal. I will do that when I get a chance to see if I get similar warnings! (which I agree, come Feb 3rd, will pose a problem...)

Josep Garces's icon

Fixed!

Apparently all the .mxo needs to be code signed.

I'm very happy I found the problem :D

Peace brothers!

Dan Nigrin's icon

Great! But weird, as that's supposed to be what the --deep flag helps with, to sign all the objects within the bundle....

Dan Nigrin's icon

Though now that you mention it, I *do* now remember (it's been a while) that when codesigning for the Mac App Store, I *did* need to sign the embedded .mxo's individually, even though I was using the --deep flag.

So looks like there's some similarities with that!

Josep Garces's icon

I managed to notarise successfully but I can't get rid off the 1 issues in the log file created by apple, with the binary that's inside in /Contents/MacOS whish the message says: "The signature of the binary is invalid.",

{
"severity": "warning",
"code": null,
"path": "MyApp.pkg/MyApp.app/Contents/MacOS/MyApp",
"message": "The signature of the binary is invalid.",
"docUrl": null,
"architecture": "x86_64"
},

I'm concern that this could be a cause of no launching the app after February 3rd, so I would suggest we together could find the way to codesign this file without getting issues by apple.

Any thoughts?

Dan Nigrin's icon

I will do my best to do some testing on my side in the next few days and report back with what I've found.... Thanks for your report Josep!

SSingh's icon

Ok...... so I got my standalone notarized following the instructions posted by Cycling74 for 8.1. But when I try to open the signed/notarized version I get:

“dac~.mxo” cannot be opened because the developer cannot be verified."

In the other thread about getting into the App store, it was recommended that ~ is removed from .mxo files. However I can't even find this .mxo file anywhere in the package. I got this error after I code signed and notarization didn't help.

SSingh's icon

After a bit a experimentation, I see the above dac~.mxo error has something to do with sandboxing. When I removed that, or entitlements entirely, the app just wouldn't open (stopped responding). But I have just tried to make just a simple standalone with a single button, and that is not working either. It will open, but button doesn't even show up, just diagonal stripes. I'm lost and frustrated...... Both my original app and the simple one asked for permission to access documents folder. Don't know if this has something to do with it. Oh yeah, and I am running Catalina, using Max 8.1 and trying to share a beta with testers using Catalina as well as those who can't bypass gatekeeper because their computers belong to schools.

Dan Nigrin's icon

Can you list what entitlements are in the entitlements file you're using when codesigning?

SSingh's icon

As Max and Apple keep updating things, I am not sure any more which parts of previous discussions on this topic apply anymore! I figured by following Cycling74's specific instructions, things would work.

<key>com.apple.security.app-sandbox<;/key>
    <true/>
    <key>com.apple.security.files.user-selected.read-write<;/key>
    <true/>
    <key>com.apple.security.device.usb<;/key>
    <true/>
    <key>com.apple.security.device.firewire<;/key>
    <true/>
    <key>com.apple.security.device.audio-input<;/key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory<;/key>
    <true/>
    <key>com.apple.security.cs.allow-jit<;/key>
    <true/>

Ben Bracken's icon

One thing to note is that if you are not submitting to the App store, you should *not* use com.apple.security.app-sandbox. The entitlements we use for Max itself can be found at the bottom of this article:
https://cycling74.com/articles/max-8-1-mac-os-10-15-catalina-support-and-notarization/

SSingh's icon

Ok! It worked! What a relief, thanks for the help. I thought the sandboxing was part of part this guide, but somehow that was planted in my head from the other thread about the app store. I had already tried doing it without the sandboxing, but it didn't work. I suppose a couple extra entitlements I added did the trick. Still have to try running the app on a different computer, but I assume it will work now. Here is what I ended up using:

<key>com.apple.security.automation.apple-events<;/key>
    <true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables<;/key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation<;/key>
    <true/>
    <key>com.apple.security.device.usb<;/key>
    <true/>
    <key>com.apple.security.device.firewire<;/key>
    <true/>
    <key>com.apple.security.device.audio-input<;/key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory<;/key>
    <true/>
    <key>com.apple.security.cs.allow-jit<;/key>
    <true/>
    <key>com.apple.security.files.user-selected.read-write<;/key>
    <true/>

MAX.XAM's icon

PLEASE HELP!

I successfully signed and notarized my standalone. It wasn't a smooth process at all, but its done. ...or so I thought. My standalone allows the user to change the color of the UI, when a new color is selected at text file is created (or modified). When the app is launched it will load this text file and will set the UI color to the last color selected by the user. The color selected is saved to this text file. After notarizing my standalone, the app will not create or modify this text file within the my app's sub-folder within the Application folder. If I move just the app to the desktop (outside of it's own sub-folder) the text file can be created and modified. There is some permission issue I am dealing with here. The directory I have my app in has read & write permissions. I am out of ideas here. This text file can not be created as long as my standalone is notarized and in it's own folder.

This issue only occurs after downloading my standalone DMG from the internets. The app worked fine prior to uploading it.

Prior to notarizing the app it was working fine after I would drag the app's folder to the Applications folder within the DMG I created. I used DMG Canvas to create the DMG and I am using Catalina 10.15.3 beta

Any ideas?

Christophe Duquesne's icon

Hello
This is not a notarization issue, but related to Apple's Quarantine and Translocation mechanism.
And yes moving the file by a simple drag&drop is sufficient (you do need to move the app file itself, not the folder containing it). On our side we have writen an installation procedure for our users so we make sure they need to move the app file from the DMG provided for download to the destination folder on their drive.

If you want to know more about Translocation, this link provides a detailed description: https://www.synack.com/blog/untranslocating-apps/

Christophe

Dan Nigrin's icon

When my (signed and notarized) app needs to write and later read back a file, I do this in ~/Library/Application Support/My_App_Name/ , where My_App_Name has been specified in the standalone object's inspector.

So bottom line, modify your app to write/read from there instead.

MAX.XAM's icon

Christophe, thanks for the info. Would it be best to just make a proper installer for my standalone? I would like to have my standalone be in its own folder.

Dan, Thanks for the info. If I go this route, do I have to notarize my standalone with any special entitlements?

Christophe Duquesne's icon

what we do is put a zip and the app in a DMG: the user is asked to unzip the zip where he wants the app to be, and then he just have to drag&drop the app in the resulting folder. Everybody seems happy with this.
Of course, an installer will also work.

Roman Thilenius's icon


if two people want to share one ID, will that work using different machines at different IP adresses?

Dan Nigrin's icon

@Max.xam - re: entitlements, you should definitely review the post by Cycling here (the end of it): https://cycling74.com/articles/max-8-1-mac-os-10-15-catalina-support-and-notarization . The entitlements you may need will depend on the functionality of your app. That said, for the ability to write to the Application Support folder, I could be wrong, but I don't believe any special entitlement is necessary. The ones I currently use for my apps that need notarization are:

Allow Unsigned Executable Memory
Disable Library Validation
Audio Input

@Roman - not sure I'm following you? What ID are you talking about?

MAX.XAM's icon

I don't know if I've uncovered a bug in the notarizing process or what... I cannot find a solution for this one. Please help if you can

I successfully signed and notarized a standalone that was built in 8.0.8. I found a bug in my standalone, so then I fixed the bug and re-built the standalone in 8.1.2 (mistake?). I sign standalone with no issues, I even check the 8.1.2 app for signing errors in RB AppChecker Lite, no signing errors are found. I the send the .dmg to apple for notarizing and it fails 100% of the time. I check the notarizing and it says "source==Unnotarized Developer ID" there is also mentioned of a self-signed root CA being part of the issue.

I use the same exact command line commands for both my 8.0.8 and 8.1.2 apps. These apps were not built or signed on the same machine. Could this be an issue? I tried re-notarize my 8.0.8 app after the 8.1.2 failed, the 8.08 app is successfully notarized.

Things of note:
- Same bundle identifier is used for both the 8.0.8 and 8.1.2 apps, and same in app password is used for both
- Same exact commands are used to sign and notarize both apps
- If I re-build the bug fixed app in 8.08 it will still fail notarizing process
- I am using the very latest Catalina. I have also tried this on Mojave
- Latest Xcode is being used
- I contacted Apple, no real help from them as of yet and they are VERY slot to respond bak

I searched this error and it looks like a few people have this same issue. Most of the threads i find about this issue do not have a solution posted or not a solution that works for me. Please help!

PS - I got to say this whole notarizing process is janky AF, frustrating, and overkill.

Arvid Tomayko's icon

As I understand it, Apple finally implemented the full requirements for notarizing – hardened runtime, etc on Feb 3. That might be part of your problem. I'm dreading having to make any updates to my publicly-distributed standalone now for this reason…

MAX.XAM's icon

ARVID,

What is the difference in the requirements pre Feb. 3rd and post Feb 3? BTW my notarizing started to fail on Feb. 3rd . :/

Do I have to harden the standalone app now?

/sigh

Josep Garces's icon

Have you checked the errors that apple sends? you can check the errors on:

xcrun altool -u ID -p xxxx-xxxx-xxxx-xxxx --notarization-info UUID

Check the errors and code sign again the files that it shows.

I had to code sign also the following files:

-YOURAPPNAME.app
-YOURAPPNAME.cstemp (inside MacOS)
-sqlite3_darwin-x64.node
-MSPReWireDevice
-all the .mxo files

Arvid Tomayko's icon

I do not know. I'll post here again if I find anything out.

Dan Nigrin's icon

Re: what is the difference pre/post Feb 3, see this Apple post: https://developer.apple.com/news/?id=12232019a , in particular the link within it, which points here: https://developer.apple.com/news/?id=09032019a

Dan Nigrin's icon

@Max.xam, also if possible and to just have a complete picture, would be great if you could post the exact command you used to codesign, as well as what entitlements you are granting.

Dan Nigrin's icon

Interesting - I was under the impression that the --deep flag was supposed to sign everything inside?

Ben Bracken's icon

Are you trying to notarize a previously signed standalone, or is this a new standalone? If you want to notarize a previously signed standalone, follow the instructions here:
https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution#3087722

If you are starting from scratch, follow the complete instructions here:
https://cycling74.com/articles/max-8-1-mac-os-10-15-catalina-support-and-notarization/

There is a slight modification that I've made to the above instructions, and that is to encourage the use of the --force flag instead of -f. I have not 100% confirmed that this is required, but we have had reports that indicate -f is obsolete.

Dan Nigrin's icon

Aha, that would explain it (--force rather than just --f)....

MAX.XAM's icon

Ben,

Please see my earlier post from today. Too sum what happened.

1. Sign and notarize my 8.08 standalone with no issues prior to Feb 3rd
2. Find a bug in my patcher (ARGH!), fix bugs, and rebuild standalone in 8.1.2
3. Feb 3rd hits
4. Successfully sign the 8.1.2 standalone and notarize fails. I am using the same exact commands for signing and notarizing that I used for the 8.08 standalone
5. Bang my head against the wall

I will try the --force tag and get back to this thread with my findings

Ben Bracken's icon

@MAX.XAM Reading through your notes, it doesn't seem like you are going through the whole signing/notarization process, which you will definitely have to do, using the instructions in the article I posted. It is no longer the "same standalone" and is considered a completely new version. Please follow the instructions there and let us know how it goes.

MAX.XAM's icon

Ben,

I now can successfully sign and notarize my standalone, but when I open it if looks like this:

Notice the error message

Someone else posted about this same issue in this thread, but did not post a solution

Here are the commands I am using

Codesign
codesign -s "XXXXXXX" --timestamp --options runtime --deep --force "/Users/qatester/Desktop/XXXXXX/XXXXXXX.app"

Notarize
xcrun altool --notarize-app -primary-bundle-id XXXXX -u XXXXX -p XXXXXX -f "/users/qatester/desktop/XXXXXXX.dmg" --asc-provider XXXXXXX

Staple
xcrun stapler staple -v "/users/qatester/desktop/XXXXX.dmg"

I cannot notarize my standalone unless I use "--options runtime".

Dan Nigrin's icon

In your codesigning command, you are not specifying the --entitlements option - you need that, as well as the filepath to your entitlements file.

MAX.XAM's icon

Dan,

hmm.... I have no idea what entitlements I would include. My app is a MIDI test tool, so it uses core audio for sure. I was thinking I would not need an entitlements file.

Dan Nigrin's icon

I'm almost positive you will need to at least include:

<key>com.apple.security.device.audio-input</key> <true/>

And if you use any 3rd party externals, you'll need:

<key>com.apple.security.cs.disable-library-validation</key> <true/>

I can't remember where I saw it, but at one point I think Cycling posted what they suggested were a "minimum set" of entitlements? Maybe I hallucinated it.

Ben Bracken's icon

Check out the Addendum which walks through the various entitlements that we generally recommend.

MAX.XAM's icon

Okay, my app is now signed and notarized. The missing entitlements was my issue. I am a n00b... Thanks to everyone in this thread for your help!

Dan Nigrin's icon

Congrats, and thanks for reporting back!

Josep Garces's icon

Hi,

I successfully notarized my app but I'm having a problem which seems to be Core Audio driver. When my app opens, it starts the DSP automatically and it crashes with the following report, does any body has a clue what might be causing the crash? The app is codesigned with the entitlements needed to have permission to microphone and external audio:

Thread 0:: JUCE Message Thread Dispatch queue: com.apple.main-thread
0 libsystem_kernel.dylib 0x00007fff65a5a25a mach_msg_trap + 10
1 libsystem_kernel.dylib 0x00007fff65a5a5d0 mach_msg + 60
2 com.apple.audio.CoreAudio 0x00007fff2db6ee85 HALC_Object_GetPropertyData_DI32 + 135
3 com.apple.audio.CoreAudio 0x00007fff2d9d9866 HALC_ProxyObject::GetPropertyData(AudioObjectPropertyAddress const&, unsigned int, void const*, unsigned int, unsigned int&, void*) const + 314
4 com.apple.audio.CoreAudio 0x00007fff2d878739 HALC_ProxyIOContext::GetPropertyData(AudioObjectPropertyAddress const&, unsigned int, void const*, unsigned int, unsigned int&, void*) const + 481
5 com.apple.audio.CoreAudio 0x00007fff2d9579a6 HALC_ShellObject::GetPropertyData(unsigned int, AudioObjectPropertyAddress const&, unsigned int, void const*, unsigned int, unsigned int&, void*) const + 1796
6 com.apple.audio.CoreAudio 0x00007fff2d850c9f HAL_HardwarePlugIn_ObjectGetPropertyData(AudioHardwarePlugInInterface**, unsigned int, AudioObjectPropertyAddress const*, unsigned int, void const*, unsigned int*, void*) + 349
7 com.apple.audio.CoreAudio 0x00007fff2d926d2f HALPlugIn::ObjectGetPropertyData(HALObject const&, AudioObjectPropertyAddress const&, unsigned int, void const*, unsigned int&, void*) const + 59
8 com.apple.audio.CoreAudio 0x00007fff2d8ea453 HALObject::GetPropertyData(AudioObjectPropertyAddress const&, unsigned int, void const*, unsigned int&, void*) const + 411
9 com.apple.audio.CoreAudio 0x00007fff2db5e936 HALDevice::GetPropertyData(AudioObjectPropertyAddress const&, unsigned int, void const*, unsigned int&, void*) const + 608
10 com.apple.audio.CoreAudio 0x00007fff2d764440 AudioObjectGetPropertyData + 277
11 com.liveloop.liveloop 0x000000010bb88bc4 juce::CoreAudioClasses::CoreAudioIODeviceType::getNumChannels(unsigned int, bool) + 116
12 com.liveloop.liveloop 0x000000010bb7eebf juce::CoreAudioClasses::CoreAudioIODeviceType::scanForDevices() + 687

Dan Nigrin's icon

Josep, is that the thread that crashed? Look through the entire report, you'll likely see several threads listed, and the one that crashed will say that next to it - that's the data that the Cyclists will likely need to debug....

Josep Garces's icon

I found the crash now:

Crashed Thread: 31 Dispatch queue: com.apple.root.default-qos

Any idea what that could be?