Mac standalone codesigning: 2021 update


    Apr 07 2021 | 1:02 am
    In what seems like an annual tradition now, it is once again time to wrestle with Apple and figure out the hoops one needs to jump through to properly prepare a standalone for distribution on the Mac platform.
    This post is NOT going to be an exhaustive series of steps required - I refer you to many previous posts on this topic, in particular the excellent Cycling 74 summary by @Ben Bracken from Sept 2019: https://cycling74.com/articles/max-8-1-mac-os-10-15-catalina-support-and-notarization
    Since that article was written, it seems that a new requirement is to codesign each and every binary embedded in the app bundle (the --deep flag for codesign does not seem to work as advertised). Folks at Cycling helped me with a script that seems to be working - it signs each and every binary in the bundle. This process seems to be working to allow for distributed apps to successfully run on Catalina (10.15) as well as Big Sur (11.x).
    See the Ruby script below, including the places at the top you'll need to modify it, shown IN CAPS. Copy everything between the ===== lines, and save it as a text file named "standalone-codesigning-script.rb":
    ====================================
    require 'open3'

    authority = "Developer ID Application: YOUR CERTIFICATE NAME"
    entitlements = "PATH/TO/YOUR-APP-NAME.entitlements"
    appbundle = "PATH/TO/YOUR-APP-NAME.app"
    appname = "YOUR-APP-NAME"
    resources = []
    count = 1

    # codesign the stuff in C74 folder
    Dir.glob("#{appbundle}/Contents/Resources/C74/**/*.{mxo,dylib,framework,bundle}") do |f|
      if !File.symlink?(f)
        resources.push(f)
      end
    end

    resources.each do |resource|
      puts count.to_s + ": " + resource
      count += 1  # advance the progress counter shown in the output
      cmd = "codesign -s \"#{authority}\" --timestamp --deep -f \"#{resource}\""
      stdout, stderr, status = Open3.capture3(cmd)
      raise stderr unless status.success?
    end

    resources.clear

    # codesign the stuff in Frameworks folder
    Dir.glob("#{appbundle}/Contents/Frameworks/**/*.{mxo,dylib,framework,bundle}") do |f|
      if !File.symlink?(f)
        resources.push(f)
      end
    end

    resources.each do |resource|
      puts count.to_s + ": " + resource
      count += 1  # advance the progress counter shown in the output
      cmd = "codesign -s \"#{authority}\" --timestamp --deep -f \"#{resource}\""
      stdout, stderr, status = Open3.capture3(cmd)
      raise stderr unless status.success?
    end

    # codesign the Max executable (hardened runtime plus entitlements)
    cmd = "codesign -f -s \"#{authority}\" --timestamp --deep --options runtime --entitlements \"#{entitlements}\" \"#{appbundle}\""
    stdout, stderr, status = Open3.capture3(cmd)
    raise stderr unless status.success?
    =======================================
    To run the script, open the Terminal and run this command:
    ruby PATH/TO/standalone-codesigning-script.rb PATH/TO/YOUR-APP-NAME.app
    If you get an error saying "resource fork, Finder information, or similar detritus not allowed", then run the following in the Terminal, and then try again: xattr -cr PATH/TO/YOUR-APP-NAME.app
    That should get you a properly signed application, which you should then proceed to notarize and staple, as outlined in the article linked to above.
    I hope this is helpful - good luck! Please know I offer no guarantees with this, and also please know I'm not a Ruby wizard - I had a lot of help with the above.
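
A check to run after the signing script in the post above and before notarizing, added here as an example (it is not from the thread or from Cycling '74): it walks the same file types the script signs and asks `codesign --verify --strict` about each one, deepest items first, so a nested binary that was missed is reported by path. The helper names `nested_code`, `unsigned_items` and `sample_bundle`, and the `Demo.app` layout, are hypothetical.

```ruby
# Added example; helper names are illustrative, not part of the original script.
require 'open3'
require 'tmpdir'
require 'fileutils'

# Same extensions the signing script above globs for.
SIGNABLE = %w[mxo dylib framework bundle].freeze

# Nested code under Contents/, deepest paths first (inside-out), symlinks
# skipped because they alias an item that is already listed.
def nested_code(appbundle)
  Dir.glob(File.join(appbundle, 'Contents', '**', "*.{#{SIGNABLE.join(',')}}"))
     .reject { |path| File.symlink?(path) }
     .sort_by { |path| [-path.count('/'), path] }
end

# Default check: codesign verifies one item; argv form avoids shell quoting.
CODESIGN_VERIFY = lambda do |path|
  _out, err, status = Open3.capture3('codesign', '--verify', '--strict', '--verbose=2', path)
  [status.success?, err.strip]
end

# Check every nested item, then the app itself.
# Returns [[path, message], ...] for the items that failed.
def unsigned_items(appbundle, check = CODESIGN_VERIFY)
  (nested_code(appbundle) + [appbundle]).each_with_object([]) do |path, failures|
    ok, message = check.call(path)
    failures << [path, message] unless ok
  end
end

# Constructed sample layout (not a real Max standalone) for an offline dry run.
def sample_bundle(root)
  app = File.join(root, 'Demo.app')
  %w[Contents/Frameworks/A.framework/Versions/A/Helper.bundle
     Contents/Resources/C74/externals/foo.mxo].each { |dir| FileUtils.mkdir_p(File.join(app, dir)) }
  FileUtils.touch(File.join(app, 'Contents/Frameworks/libx.1.dylib'))
  File.symlink('libx.1.dylib', File.join(app, 'Contents/Frameworks/libx.dylib'))
  app
end

if __FILE__ == $PROGRAM_NAME
  if ARGV[0] # real bundle on a Mac: report every item codesign rejects
    unsigned_items(ARGV[0]).each { |path, message| warn "FAIL #{path}: #{message}" }
  else       # no argument: list the constructed sample in verification order
    Dir.mktmpdir { |root| puts nested_code(sample_bundle(root)) }
  end
end
```

On a Mac, pass the app path as the only argument; with no argument it only lists the constructed sample layout.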

    • Apr 07 2021 | 7:35 am
      Dan, huge time saver! Thank You, B
    • Apr 07 2021 | 3:51 pm
      👍 🙌🙏
    • Apr 07 2021 | 6:47 pm
      Thanks for posting this!
    • Apr 07 2021 | 6:56 pm
      Thanks everyone. But the real credit goes to the Cycling folks who assisted on this.... I'm just the messenger! :-)
    • Apr 07 2021 | 7:49 pm
      When I remember right, you invested a lot of time in the past to share some procedures.
    • Apr 07 2021 | 8:06 pm
      True - though many of those are now irrelevant/incorrect, thanks to Apple, LOL.
    • Apr 07 2021 | 8:29 pm
      Last Christmas I gave you my heart But the very next day you gave it away This year, to save me from tears I'll give it to someone special
    • Nov 25 2021 | 5:37 pm
      Hey Dan.
      Here we go again with MacOS 12.0.1 Monterey. Codesigning the app breaks Miraweb -- no longer does it output the IP, it outputs "http://none:-1"
      I'm experimenting with entitlements, and haven't been able to narrow down what might be needed that wasn't needed in Big Sur.
      Figured I'd ask if you had any thoughts or ideas. I know this is pretty esoteric.
      Mike
    • Nov 25 2021 | 5:44 pm
      You're right Michael on the esoteric side of things, I'm afraid I have zero experience in codesigning an app that includes Mira. All I can suggest is perusing the various Apple documentation on entitlements; since Mira uses networking protocols, perhaps they've changed and/or tightened up something there?
      Also somewhat randomly, I noticed recently that there was a Mira package update, so just be sure you're using the latest...
      Sorry couldn't be of more help! Perhaps the Cyclists will chime in if they're on this thread....
    • Nov 25 2021 | 6:04 pm
      Figured it out Dan. Found the needle in a haystack by removing single strands of hay at a time.
      com.apple.security.app-sandbox
      That's the culprit. Kills Mira dead.
      Now I'm off to see if removing that entitlement will cause any other problems, but I wanted to share this bit of data.
      Thanks for the reply! Mike
    • Nov 27 2021 | 12:42 am
      If I’m remembering correctly, that entitlement is only necessary if you plan on distributing your app on the Mac App Store.…
    • Nov 27 2021 | 12:44 am
      Yes, I came across this as well. B