can't codesign and notarise Max8.1.3 standalones

thomashummel's icon

Hi,

I want to codesign and notarise a Max8.1.3 standalone. It just contains a window with a bang.
I work on Mac OS 10.15.4. In the terminal, I type

codesign -s myIdentity --deep -f Untitled1.app (and also Untitled1 Helper (GPU) a.s.o.)
The standalone starts correctly, but notarisation says
"The executable does not have the hardened runtime enabled."

Alternatively, I type
codesign -s myIdentity --deep --options runtime -f Untitled1.app (and also Untitled1 Helper (GPU) a.s.o.)
The notarisation succeeds, but the standalone starts with plenty of errors like
mxo/Contents/MacOS/fseventwatcher) not valid for use in process using Library Validation: mapping process and mapped file (non-platform) have different Team IDs

What shall I do?
Thank you Thomas

maybites's icon

Hi
This is a tricky problem, and I solved it for my app:

Maybe the instructions plus the scripts inside the repository can be helpful for you.

cheers

martin

thomashummel's icon

Hi,

Unfortunately still not solved...:
I just tried the following: I codesigned every file in Untitled1.app (more than 1.000), without --options runtime.
I additionally codesigned Resources/MaxPluginScanner and some others with --options runtime. But not Contents/MacOS/Untitled1 itself.
Now Untitled1.app starts without error. So better. But notarisation fails only because Contents/MacOS/Untitled1 is not hardened. Now I run codesign with --options runtime on Contents/MacOS/Untitled1. Result: My Untitled1.app immediately crashes.

Thomas

Adam Verver's icon

Hi Thomas, I am having the same issue. Were you able to get this issue resolved?

Please note that I created another topic discussion (partly because the word "notarise" is misspelled in this topic's title, and partly because the issue is independent of notarization): https://cycling74.com/forums/issue-with-code-signing-mac-standalones-with-hardened-runtime

Please feel free to reply to either topic discussion.

Thank you.

Adam

Adam Verver's icon

The issue discussed above was resolved by Ben Bracken on that topic's page: https://cycling74.com/forums/issue-with-code-signing-mac-standalones-with-hardened-runtime

The bottom line is that for the runtime-hardened (a requirement for notarization) code signed standalone (generated with Max 8.3.1) to load externals and work correctly, code signing must be done while adding the entitlements option with a proper entitlements file. See that topic for more detail.

Armen Karamian's icon

Here is a crappy script I'm using to properly sign everything.

#!/bin/bash
# Usage: pass the app name without the .app extension; run from the folder containing the app
set -e

appname="${1:?usage: $0 AppName}"
signature="Developer ID Application: John Doe (xxxxxxxxxx)"

# Sign the individual frameworks, libraries and helper binaries first
codesign --force --deep --options runtime --sign "$signature" "${appname}.app/Contents/Frameworks/MaxAudioAPIImpl.framework/Versions/A/MaxAudioAPIImpl"
codesign --force --deep --options runtime --sign "$signature" "${appname}.app/Contents/Frameworks/MaxLua.framework/Versions/A/MaxLua"
codesign --force --deep --options runtime --sign "$signature" "${appname}.app/Contents/Frameworks/JitterAPI.framework/Versions/A/JitterAPI"
codesign --force --deep --options runtime --sign "$signature" "${appname}.app/Contents/Frameworks/${appname} Helper (Plugin).app/Contents/MacOS/${appname} Helper (Plugin)"
codesign --force --deep --options runtime --sign "$signature" "${appname}.app/Contents/Frameworks/${appname} Helper (GPU).app/Contents/MacOS/${appname} Helper (GPU)"
codesign --force --deep --options runtime --sign "$signature" "${appname}.app/Contents/Frameworks/Chromium Embedded Framework.framework/Chromium Embedded Framework"
codesign --force --deep --options runtime --sign "$signature" "${appname}.app/Contents/Frameworks/MaxAudioAPI.framework/Versions/A/MaxAudioAPI"
codesign --force --deep --options runtime --sign "$signature" "${appname}.app/Contents/Frameworks/MaxLuaImpl.framework/Versions/A/MaxLuaImpl"
codesign --force --deep --options runtime --sign "$signature" "${appname}.app/Contents/Frameworks/libmozjs185_impl.dylib"
codesign --force --deep --options runtime --sign "$signature" "${appname}.app/Contents/Frameworks/${appname} Helper.app/Contents/MacOS/${appname} Helper"
codesign --force --deep --options runtime --sign "$signature" "${appname}.app/Contents/Frameworks/${appname} Helper (Renderer).app/Contents/MacOS/${appname} Helper (Renderer)"
codesign --force --deep --options runtime --sign "$signature" "${appname}.app/Contents/Frameworks/libmozjs185.dylib"
codesign --force --deep --options runtime --sign "$signature" "${appname}.app/Contents/Frameworks/JitterAPIImpl.framework/Versions/A/JitterAPIImpl"

# Sign the enclosing app bundle last, so its seal covers the final signatures of the nested code
codesign --force --deep --options runtime --sign "$signature" "${appname}.app/"
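An added example, not code from any poster in this thread: it combines the two points made above, signing nested code before its container and passing an entitlements file together with the hardened runtime. The entitlement key is an assumption, chosen because it corresponds to the Library Validation error quoted in the first post. It lets the process load code signed by other Team IDs, so it relaxes one hardened-runtime protection. The function names and the `CODESIGN` override are hypothetical.

```shell
#!/bin/bash
# Added example, not from the thread. Usage: ./sign.sh Untitled1.app "<signing identity>"
set -eu
CODESIGN="${CODESIGN:-codesign}"  # hypothetical override hook, e.g. for a dry run

# ASSUMPTION: the thread only says "a proper entitlements file". This key is the
# hardened-runtime exception that matches the Library Validation error above.
write_entitlements() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.security.cs.disable-library-validation</key>
  <true/>
</dict>
</plist>
EOF
}

# Print nested code deepest-first, so contents are signed before their container.
nested_code() {
  find "$1" -mindepth 1 \( -name '*.app' -o -name '*.framework' \
       -o -name '*.mxo' -o -name '*.dylib' \) -print |
    awk -F/ '{ print NF, $0 }' | sort -k1,1nr | cut -d' ' -f2-
}

# usage: sign_standalone <path/to/App.app> <signing identity>
sign_standalone() (
  app="${1%/}"; identity="$2"
  ent="$(mktemp "${TMPDIR:-/tmp}/entitlements.XXXXXX")"
  trap 'rm -f "$ent"' EXIT
  write_entitlements "$ent"
  { nested_code "$app"; printf '%s\n' "$app"; } | while IFS= read -r item; do
    case "$item" in
      # Entitlements are read from a process's main executable: app and helper apps.
      *.app) "$CODESIGN" --force --timestamp --options runtime \
               --entitlements "$ent" --sign "$identity" "$item" ;;
      *)     "$CODESIGN" --force --timestamp --options runtime \
               --sign "$identity" "$item" ;;
    esac
  done
  # Check the finished bundle, nested code included, before submitting it.
  "$CODESIGN" --verify --deep --strict "$app"
)

if [ "$#" -eq 2 ]; then sign_standalone "$1" "$2"; fi
```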

maybites's icon