Codesigning and notarizing your LC standalone for distribution outside the Mac Appstore
This tutorial describes the necessary tasks to get your app code signed and notarized for distribution outside the Mac Appstore.
- Codesigning your app (including some necessary preparations)
- Creating and code signing a package installer (.pkg)
- Creating and code signing a DMG using DropDMG or hdiutil (optional)
- Notarizing and stapling your app, pkg or dmg
Most of this is done with shell commands.
Files
An overview of how to notarize an app:
This lesson as PDF:
A Livecode stack which should do all needed steps for you. See chapter 10.
It is strongly recommended that you read at least chapter 9 before using the stack.
1. Prerequisites
Please make sure that you fulfil the following requirements before you continue.
1.1. Apple ID
If you do not already own an Apple ID, you can create one here: https://appleid.apple.com
1.2. Enable two factor authentication for your Apple ID
You need to have 2 factor authentication (2FA) enabled for your Apple ID. You can do this in your Apple ID Account at https://appleid.apple.com
1.3. App-specific password
You'll need an app-specific password. You can create one at https://appleid.apple.com
There is a blue link Generate Password...
In my given examples below I will use tic-tac-toe in place of the app-specific password.
1.4. Developer ID
You'll need a Developer ID. Therefore you'll need to be a member of the Apple Developer Program. Join here https://developer.apple.com
In my examples I use developer@mrd.de as Developer ID.
1.5. Creating Developer ID Application and Installer certificates
1.5.1. Create Developer ID Application certificate using Developer account

The certificate types for distribution outside the Apple "App Store" for Mac OS are:
- Developer ID Application <- this is needed for signing .app and .dmg
This certificate is used to code sign your app for distribution outside of the Mac App Store.
- Developer ID Installer <- this is needed for signing package installers (.pkg)
This certificate is used to sign your app’s "Installer Package" for distribution outside of the Mac App Store.
Note: If you are not distributing “Installer Packages”, the only certificate you need is “Developer ID Application”
You can create the certificates either in your Apple Developer account, see screenshot.
After you´ve created the certificate you can download the certificate. You can now add it to your Keychain by double clicking on the downloaded file.
1.5.2. Create Developer ID Application certificate using Xcode

or directly in Xcode -> Preferences -> Accounts
1. press Manage Certificates -> a window pops up
2. press + sign
3. select the certificate you want to create
The certificate will automatically be added to the Keychain.
1.5.3. Create a Developer ID Installer certificate
You'll need a Developer ID Installer certificate, if you plan to distribute your app as a package installer.
To create that certificate, follow steps 1.5.1 and 1.5.2, but select Developer ID Installer instead of Developer ID Application
1.6. Xcode 10.2

For this tutorial Xcode 10.2.1 command line tools were used for code signing, notarizing and stapling. Xcode 11 should work as well.
1.7. Standalone with correct bundle identifier

The bundle identifier is set in the standalone settings -> Mac tab
You should use the following form for the bundle identifier com.<YourCompany>.YourAppname
or if you own a domain use <YourDomain>.YourAppname e.g. tk.rebbe.dropuploadx
Note: In my given examples below I will use tk.rebbe.dropuploadx in place of the bundle identifier.
1.8. Some notes about how to add additional files or folders
It is important or better said mandatory that additional files and folders are copied to the standalone using the Copy Files tab in the standalone settings. Please do not add those files or folders to the app bundle manually after standalone creation.
You have to use the Copy Files tab in the standalone settings!

2. Preparations for code signing
Before code signing an LC app, some changes must be made to the standalone (bundle).
2.1. Removing the extended attributes
Run the following command in terminal
sudo xattr -cr "<path_to_app_bundle>"
Replace <path_to_app_bundle> with the path to your standalone.
Put the path in quotes, this would avoid problems when the path contains spaces.
Or just drag and drop the standalone on terminal window. This will take care of spaces etc. as well
Example
sudo xattr -cr "/Users/matthias/Downloads/DropUpload/DropUpload.app"
To make sure all attributes are removed, run the following command in terminal
sudo xattr -lr "<path_to_app_bundle>"
Replace <path_to_app_bundle> with the path to your standalone.
Put the path in quotes, this would avoid problems when the path contains spaces.
Or just drag and drop the standalone on terminal window. This will take care of spaces etc. as well
Example
sudo xattr -lr "/Users/matthias/Downloads/DropUpload/DropUpload.app"
If you see your prompt and no other output, then all is fine and you can continue
2.2. Renaming the localization folders

Right click on your app bundle and select "show package content".
Open the folder Contents/Resources.
You'll see .lproj folders. The names of all .lproj folders have to be ISO country codes, so
rename those folders that do not have the ISO country code in their names.
For example rename German.lproj to de.lproj, Dutch.lproj to nl.lproj and so on.
2.3. changing permissions
To make sure that you are the owner of all externals and other stuff you´ve included in your app bundle we need to change the permissions.
Run the following command in terminal
sudo chmod -R u+rw "<path_to_standalone_app_bundle>"
Example
sudo chmod -R u+rw "/Users/matthias/Downloads/DropUpload/DropUpload.app"
Put the path in quotes, this would avoid problems when the path contains spaces.
Or just drag and drop standalone on terminal window. This will take care of spaces etc. as well
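The rename from step 2.2 can also be done from Terminal instead of Finder. The script below is an added example, not part of the original tutorial; the function names and the list of legacy folder names it maps are assumptions chosen for illustration, so extend the list if your standalone contains other languages.

```bash
#!/bin/bash
# Added example: rename legacy-named .lproj folders (step 2.2) from Terminal.
# Run it before code signing, like the other preparations in chapter 2.

# Print the ISO code for a legacy localization folder name.
# Returns 1 for any other name (already ISO-named, Base, or unknown).
# The list is an assumption for illustration; extend it as needed.
lproj_code() {
  case "$1" in
    English)  echo en ;;
    German)   echo de ;;
    French)   echo fr ;;
    Dutch)    echo nl ;;
    Italian)  echo it ;;
    Spanish)  echo es ;;
    Japanese) echo ja ;;
    *)        return 1 ;;
  esac
}

# Rename every legacy-named .lproj folder in <bundle>/Contents/Resources.
# Prints one "old -> new" line per rename.
# Returns 0 if all is fine, 1 if a folder could not be renamed,
# 2 if the bundle has no Contents/Resources folder.
normalize_lproj() {
  local bundle=$1 res dir name code target rc=0
  res="$bundle/Contents/Resources"
  if [ ! -d "$res" ]; then
    echo "no Contents/Resources folder in $bundle" >&2
    return 2
  fi
  for dir in "$res"/*.lproj; do
    [ -d "$dir" ] || continue                 # glob matched nothing
    name=$(basename "$dir" .lproj)
    code=$(lproj_code "$name") || continue    # not a legacy name: leave it alone
    target="$res/$code.lproj"
    if [ -e "$target" ]; then
      # Both e.g. German.lproj and de.lproj exist: merging is a manual decision.
      echo "skipped $name.lproj: $code.lproj already exists" >&2
      rc=1
    elif mv "$dir" "$target"; then
      echo "$name.lproj -> $code.lproj"
    else
      rc=1
    fi
  done
  return "$rc"
}

# Usage: ./normalize_lproj.sh "/path/to/YourApp.app"
if [ $# -eq 1 ]; then
  normalize_lproj "$1"
fi
```
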
3. Codesigning
To codesign an .app, a .pkg or a .dmg you need your Developer ID certificates (see step 1.4).
Signing .app and .dmg is done with the tool codesign and the Developer ID Application certificate.
.pkg installers are signed using the tool productsign and the Developer ID Installer certificate.
More detailed information comes here...
3.1. Codesigning standalone - get the exact name of your Developer ID for signing
To codesign your app and later the dmg you´ll need the exact name of your Developer ID application.
Open Keychain Access
The name of the Developer ID begins with Developer ID Application: followed by your name and your ID. See the yellow highlighted entry.
Remember: the Developer ID Installer is needed for signing a package installer .pkg. See the green highlighted entry
3.1.1. Codesigning standalone - now codesign
Run the following command in Terminal
codesign --deep --force --verify --verbose --sign "<your_developer_ID>" --options runtime "<path_to_app_bundle>"
Replace <your_developer_ID> with the name you looked up in the previous step. Keep the quotes.
Replace <path_to_app_bundle> with the path to your standalone. Put the path in quotes, this would avoid problems when the path contains spaces. Or just drag and drop the standalone on terminal window. This will take care of spaces etc. as well
Example
codesign --deep --force --verify --verbose --sign "Developer ID Application: Matthias Rebbe (386687PEUL)" --options runtime "/Users/matthias/Downloads/DropUpload/DropUpload.app"
If code signing was successful then you should see something like this
A special note about entitlements
If you want to include an entitlements file, then please use this syntax
codesign --deep --force --verify --verbose --sign "<your_developer_ID>" --options runtime --entitlements "<path/to/entitlements.plist>" "<path_to_app_bundle>"
Please see also lesson Entitlements for signed and notarized apps for more information
Important Note:
If you are using LC 9.6.1 or higher and make use of the revZip external in your standalone then it is currently mandatory to include an entitlements file with at least the com.apple.security.cs.disable-library-validation entitlement set to true.
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
4. Verifying the signed app (optional)
As the command in the previous step returned signed app bundle with Mach-O universal (x86_64) [tk.rebbe.dropuploadx] there is no need to run this step. But you can, if you want. ;)
To verify we could enter the following command in Terminal
codesign --verify --verbose "<path_to_app_bundle>"
Replace <path_to_app_bundle> with the path to your standalone.
Put the path in quotes, this would avoid problems when the path contains spaces. Or just drag and drop the standalone on terminal window. This will take care of spaces etc. as well
Example
codesign --verify --verbose "/Users/matthias/Downloads/DropUpload/DropUpload.app"
This command is also useful to find out if any app or DMG, not only yours, is codesigned or not.
If the app is code signed, then you should see something like this
5. Create and codesign a package installer .pkg (optional)
Create a signed package installer in one step:
To create and sign a package installer from the standalone in just one step please run the following command in Terminal
productbuild --sign "<your_developer_id_installer>" --component "<path_to_app>" /Applications "<path_to_signed_pkg>"
The above command creates a package installer from your app and signs it automatically after creation.
Replace <path_to_app> with the path of the signed app
Replace <path_to_signed_pkg> with the path where the signed .pkg shall be written
Put the path in quotes, this would avoid problems when the path contains spaces. Or just drag and drop the PKG on terminal window. This will take care of spaces etc. as well
When running the above command macOS will show 2 dialogs asking for the password to access the keychain.
If the creation/signing was successful, you should see similar messages like the following ones:
productbuild: Adding component at /users/matthias/test.app
productbuild: Using timestamp authority for signature
productbuild: Signing product with identity "Developer ID Installer: Matthias Rebbe (xxxxxx)" from keychain /Users/matthias/Library/Keychains/login.keychain-db
productbuild: Adding certificate "Developer ID Certification Authority"
productbuild: Adding certificate "Apple Root CA"
productbuild: Wrote product to /Users/matthias/test.pkg
productbuild: Supported OS versions: [10.9, )
Create an unsigned package installer:
If you just want to create an unsigned package installer then run the following command in Terminal
productbuild --component "<path_to_app>" /Applications "<path_to_pkg>"
The above command creates just the package installer without signing it. Please follow step 5.1 to manually sign it.
5.1. Codesigning the package installer
This step is only needed if you've created an unsigned package installer.
Please note: To sign a package installer the tool productsign is needed, not codesign.
Run the following command in Terminal
productsign --sign "<your_developer_id_installer>" "<path_to_pkg>" "<path_to_signed_pkg>"
Replace <path_to_pkg> with the path of the newly created .pkg.
Replace <path_to_signed_pkg> with the path where the signed .pkg shall be written
Put the path in quotes, this would avoid problems when the path contains spaces. Or just drag and drop the PKG on terminal window. This will take care of spaces etc. as well
Example
productsign --sign "Developer ID Installer: Matthias Rebbe (386687PEUL)" "/users/matthias/name.pkg" "/users/matthias/name_signed.pkg"
If code signing was successful, then you should see something like this:
productsign: using timestamp authority for signature
productsign: signing product with identity "Developer ID Installer: Matthias Rebbe (386687PEUL)" from keychain /Users/matthias/Library/Keychains/login.keychain-db
productsign: adding certificate "Developer ID Certification Authority"
productsign: adding certificate "Apple Root CA"
productsign: Wrote signed product archive to /users/matthias/name_signed.pkg
If you want to distribute the package installer directly, then go to step 7.2 Notarizing app (DMG/PKG method)
6. Creating DMG (optional)
If you want to distribute your app or package installer on DMG then follow the next steps.
Run the following command in Terminal to create the DMG
hdiutil create -volname "<Name_of_Volume>" -srcfolder "<path_to_your_app_or_pkg>" -ov -format UDZO "<Name_of_the_DMG>"
Replace <Name_of_Volume> with the name the DMG volume shall show up with when mounted. Keep the quotes.
Replace <path_to_your_app_or_pkg> with the path to your standalone or .pkg
Put the path in quotes, this would avoid problems when the path contains spaces. Or just drag and drop the standalone on terminal window. This will take care of spaces etc. as well
Replace <Name_of_the_DMG> with the filename the DMG file shall have, for example DropUpload.dmg. Keep the quotes
Example for creating a .dmg from an .app
hdiutil create -volname "DropUpload" -srcfolder "/Users/matthias/Downloads/DropUpload/DropUpload.app" -ov -format UDZO "DropUpload.dmg"
Example for creating a .dmg from a .pkg
hdiutil create -volname "DropUpload" -srcfolder "/Users/matthias/Downloads/DropUpload/DropUpload.pkg" -ov -format UDZO "DropUpload.dmg"
The above commands would create a DMG with the name DropUpload.dmg and the volumename DropUpload, so when the DMG is mounted the volume name would be DropUpload.
6.1. Codesigning the DMG
Run the following command in Terminal
codesign --deep --force --verify --verbose --sign "<your_developer_id_application>" --options runtime "<path_to_dmg>"
Replace <path_to_dmg> with the path of the newly created DMG.
Put the path in quotes, this would avoid problems when the path contains spaces. Or just drag and drop the DMG on terminal window. This will take care of spaces etc. as well
Example
codesign --deep --force --verify --verbose --sign "Developer ID Application: Matthias Rebbe (386687PEUL)" --options runtime "/users/matthias/name.dmg"
If code signing was successful, then you should see something like this
6.2. Verifying the codesigning (optional)
As the command in the previous step returned "signed" there is no need to run this step.
However, if you want to check whether a DMG is code signed, run the following command in Terminal
codesign --verify --verbose "<path_to_dmg>"
Replace <path_to_dmg> with the path of the newly created DMG.
Put the path in quotes, this would avoid problems when the path contains spaces. Or just drag and drop the DMG on terminal window. This will take care of spaces etc. as well
Example
codesign --verify --verbose "/users/matthias/name.dmg"
7. Notarizing your App, Package Installer (.pkg) or DMG
To get our app notarized by Apple we need to upload it to Apple. Apple does not allow an app to be uploaded directly. Only zip files, Installer packages or DMGs can be uploaded.
Please go to step 7.2, if you want to notarize a PKG or DMG, otherwise continue with the following step to notarize the app using the zip method.
7.1. Notarizing an app (zip method)
7.1.1. creating a zip file from app
Therefore we need to create a zip file from our app first.
The easiest way to do this is to right click on our app and select compress. After the zip file was created we can upload it to Apple.
7.1.2. Uploading the zip file to Apple for Notarization / Analysis
Run the following command in Terminal
xcrun altool -type osx --notarize-app --primary-bundle-id "<primary-bundle-id>" --username "<your_AppleID>" --password "<yourAppSpecificPassword>" --file "<path_to_zip>" [--ascprovider "<ascProvider>"]
<primary-bundle-id> = specify an identifier that helps you keep track of automated correspondence from the notarization service. This is for your own use and does not have to be the bundle identifier. In my example I am using the bundle-id tk.rebbe.dropuploadx. Please put the bundle identifier in quotes.
<your_AppleID> = The Apple ID you've used for registering your Apple developer account. Put the Apple ID in quotes.
<yourAppSpecificPassword> = The password you've created at https://appleid.apple.com. For details see chapter 1.3. Put the password in quotes.
Note: See chapter 7 on how to reference a password stored in Keychain Access instead of using your app-specific password directly.
<path_to_zip> = the path to the zip. Put the path in quotes. This will avoid problems when the path contains spaces or any of the following characters \`!$
Or just drag and drop the zip file on terminal window. This will take care of spaces etc. as well
<ascProvider> = shortname of the TeamID (optional)
If you are a member of multiple development teams and your e-mail address is attached to more than one development team, then you'll need to add the short name of your team ID; otherwise Apple's notarization service does not know for which team you are doing the notarization or request. (See chapter Addendum 2 - the asc provider.)
Example
xcrun altool -type osx --notarize-app --primary-bundle-id "tk.rebbe.dropuploadx" --username "developer@mrd.de" --password "tic-tac-toe" --file "/users/matthias/name.zip"
If the upload was successful and the file was accepted for notarization you should see something like the output in the screenshot below
*** Please make a record of the returned RequestUUID (either by copying it to the clipboard, making a screenshot or just by writing it down). You will need it later. ***
Apple is now analysing your uploaded file. If all is well, you´ll get an email from Apple confirming that your app is ready for distribution.
The analysis process could take a while. The fastest here was about 2 minutes, the longest so far 35 minutes.
If you don´t want to wait for the Apple confirmation e-mail and want to check the notarization status see step 7.3.
7.1.3. Delete the zip file again
As the zip file was only needed to upload the app for notarization we can now delete the zip file again. We do not need it anymore.
7.2. Notarizing app (DMG/PKG method)
To get our DMG and the containing pkg or app notarized by Apple we need to upload it to Apple.
7.2.1. Uploading the PKG or DMG to Apple for Notarization / Analysis
Run the following command in Terminal
xcrun altool -type osx --notarize-app --primary-bundle-id "<bundle-id>" --username "<your_AppleID>" --password "<yourAppSpecificPassword>" --file "<path_to_dmg_or_pkg>" [--ascprovider "<ascProvider>"]
<bundle-id> = specify an identifier that helps you keep track of automated correspondence from the notarization service. This is for your own use and does not have to be the bundle identifier. In my example I am using the bundle-id tk.rebbe.dropuploadx. Please put the bundle identifier in quotes.
<your_AppleID> = The Apple ID you've used for registering your Apple developer account. Please put it in quotes.
<yourAppSpecificPassword> = The password you've created at https://appleid.apple.com. For details see chapter 1.3. Put the password in quotes.
Note: See chapter 7 on how to reference a password stored in Keychain Access instead of using your app-specific password directly.
<path_to_dmg_or_pkg> = the path to the DMG or PKG.
Put the path in quotes. This will avoid problems when the path contains spaces or any of the following characters \`!$
Or just drag and drop the DMG/PKG on terminal window. This will take care of spaces etc. as well
<ascProvider> = shortname of the TeamID (optional)
If you are a member of multiple development teams and your e-mail address is attached to more than one development team, then you'll need to add the short name of your team ID; otherwise Apple's notarization service does not know for which team you are doing the notarization or request. (See chapter Addendum 2 - the asc provider.)
Example - uploading a dmg
xcrun altool -type osx --notarize-app --primary-bundle-id "tk.rebbe.dropuploadx" --username "developer@mrd.de" --password "tic-tac-toe" --file "/users/matthias/name.dmg"
Example - uploading a pkg
xcrun altool -type osx --notarize-app --primary-bundle-id "tk.rebbe.dropuploadx" --username "developer@mrd.de" --password "tic-tac-toe" --file "/users/matthias/name.pkg"
If the upload was successful and the file was accepted for notarization you should see something like the output in the screenshot below
*** Please make a record of the returned RequestUUID (either by copying it to the clipboard, making a screenshot or just by writing it down). You will need it later. ***
Apple is now analysing your uploaded file. If all is well, you'll get an email from Apple confirming that your app is ready for distribution.
The analysis process could take a while. The fastest here was about 2 minutes, the longest so far 35 minutes.
If you don't want to wait for the Apple confirmation e-mail and want to check the notarization status see step 7.3.
7.3. Check the status of analysis
Run the following command in Terminal
xcrun altool --notarization-info <requestUUID> --username "<your_AppleID>" --password "<yourAppSpecificPassword>" [--ascProvider "<ascProvider>"]
<requestUUID> = the ID which was returned after successful upload (see 7.2.1)
<your_AppleID> = The Apple ID you've used to join Apple's developer program. Put your Apple ID in quotes.
<yourAppSpecificPassword> = The password you´ve created at https://appleid.apple.com. Put the password in quotes.
<ascProvider> = shortname of the TeamID (optional)
If you are a member of multiple development teams and your e-mail address is attached to more than one development team, then you'll need to add the short name of your team ID; otherwise Apple's notarization service does not know for which team you are doing the notarization or request. (See chapter Addendum 2 - the asc provider.)
Example
xcrun altool --notarization-info 8a741234-12b4-1d34-12a4-74abcde2e93c --username "developer@mrd.de" --password "tic-tac-toe"
7.3.1. Check the status of analysis - ...in progress
If the analysis process is not finished, then you see something like this
7.3.2. Check the status of analysis - ...Success
If the analysis process was successful you should see something like this
with Status Message: Package Approved
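Steps 7.1.2 to 7.3 can be scripted so that the RequestUUID is captured and the status is polled automatically, using the keychain reference from Addendum 1 instead of the plain password. This is an added example, not part of the original tutorial or the author's stack; the function names, the polling settings and the assumed output shape (a line containing RequestUUID followed by the UUID, and a "Status:" line with the values in progress, success or anything else for failure) are assumptions.

```bash
#!/bin/bash
# Added example: upload a file for notarization, record the RequestUUID and
# poll the status instead of copying the UUID by hand.
# Assumed output shape (not shown on the page): the upload prints a line
# containing "RequestUUID" and the UUID; --notarization-info prints a line
# "Status: <value>" next to the "Status Message:" line.

APPLE_ID="developer@mrd.de"            # the tutorial's example Apple ID
PW_REF="@keychain:Notarizing"          # keychain reference, see Addendum 1
POLL_SECONDS=${POLL_SECONDS:-30}       # pause between two status checks
MAX_POLLS=${MAX_POLLS:-80}             # give up after this many checks

# Print the RequestUUID found in altool's upload output (read from stdin).
extract_request_uuid() {
  grep 'RequestUUID' |
    grep -oE '[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}' |
    head -n 1
}

# Print the value of the "Status:" line of --notarization-info output (stdin).
# "Status Message:" lines do not match and are ignored.
extract_status() {
  sed -n 's/^[[:space:]]*Status:[[:space:]]*//p' | head -n 1
}

# Upload a zip, pkg or dmg with the command line from step 7.1.2 / 7.2.1.
# Prints the RequestUUID; prints altool's output and fails if there is none.
submit_for_notarization() {
  local file=$1 bundle_id=$2 out uuid
  out=$(xcrun altool -type osx --notarize-app --primary-bundle-id "$bundle_id" \
        --username "$APPLE_ID" --password "$PW_REF" --file "$file" 2>&1)
  uuid=$(printf '%s\n' "$out" | extract_request_uuid)
  if [ -z "$uuid" ]; then
    printf '%s\n' "$out" >&2
    return 1
  fi
  printf '%s\n' "$uuid"
}

# Query the status once (step 7.3).
notarization_info() {
  xcrun altool --notarization-info "$1" --username "$APPLE_ID" \
        --password "$PW_REF" 2>&1
}

# Poll until the analysis has finished.
# Returns 0 on "success", 1 on any other final status, 2 on timeout.
wait_for_notarization() {
  local uuid=$1 i=0 state
  while [ "$i" -lt "$MAX_POLLS" ]; do
    state=$(notarization_info "$uuid" | extract_status)
    case "$state" in
      success) return 0 ;;
      "in progress"|"") ;;   # still running, or no status line (e.g. network error)
      *) echo "notarization failed: $state" >&2; return 1 ;;
    esac
    i=$((i + 1))
    sleep "$POLL_SECONDS"
  done
  return 2
}

# Usage: ./notarize.sh "/path/to/file.zip|pkg|dmg" "primary.bundle.id"
if [ $# -eq 2 ]; then
  uuid=$(submit_for_notarization "$1" "$2") || exit 1
  echo "RequestUUID: $uuid"
  wait_for_notarization "$uuid"
fi
```

After the script returns 0, continue with stapling as described in step 7.5.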
7.4. confirmation e-mail from Apple
You will also receive an e-mail from Apple informing you about the result of the notarization/analysis.

7.5. staple the app, DMG or PKG. Optional, but recommended.
Stapling means the notarization ticket is added to the app/DMG.
This step is not mandatory, but recommended. It ensures that Gatekeeper can find the notarization ticket even when a network connection (internet connection) isn't available.
Without this step every time an app, dmg or pkg is launched Gatekeeper has to check online if the PKG/DMG/App was notarized or not.
Stapling ensures that Gatekeeper can approve the notarization even when an internet connection isn't available.
7.5.1. staple the app. Optional, but recommended.
To staple it run the following from Terminal
xcrun stapler staple -v "<path_to_app>"
Replace <path_to_app> with the path of the standalone.
Put the path in quotes. This will avoid problems when the path contains spaces or any of the following characters \`!$
Or just drag and drop the app on terminal window. This will take care of spaces etc. as well
Examples
xcrun stapler staple -v "/Users/matthias/Downloads/DropUpload/DropUpload.app"
If the staple was successful then you should see The staple and validate action worked!
Instead of stapling the original standalone on the hard disk for distribution, you could just copy the app from the mounted DMG and use that for distribution as zip.
But at least I wanted to show that you can also staple the app. ;)
7.5.2. staple the DMG/PKG. Optional, but recommended.
To staple the DMG run the following from Terminal
xcrun stapler staple -v "<path_to_dmg_or_pkg>"
Replace <path_to_dmg_or_pkg> with the path of the DMG or PKG.
Put the path in quotes. This will avoid problems when the path contains spaces or any of the following characters \`!$
Or just drag and drop the DMG/PKG on terminal window. This will take care of spaces etc. as well
Example stapling a dmg
xcrun stapler staple -v "/users/matthias/name.dmg"
Example stapling a pkg
xcrun stapler staple -v "/users/matthias/name.pkg"
If you see The staple and validate action worked!, then your DMG/PKG was successfully stapled and is ready for distribution.
8. Addendum 1 - reference to a password stored in keychain
Instead of using your password directly in the Terminal commands you can use a reference to the saved password in keychain. Therefore you have to store your password in Keychain Access.
8.1. Use Terminal to store password in keychain.
Enter the following command in Terminal
security add-generic-password -a "<apple_id>" -w "<app_specific_password>" -s "<keychain_item_name>"
Replace <apple_id> with the Apple ID you've used to join the Apple Developer Program. Put it in quotes.
Replace <app_specific_password> with the app-specific password you've created at https://appleid.apple.com. (See chapter 1.3). Put it in quotes.
Replace <keychain_item_name> with the name you want the password be saved under in Keychain. This will be the Keychain Item Name. Put it in quotes.
Example
security add-generic-password -a "developer@mrd.de" -w "tic-tac-toe" -s "Notarizing"
The above example would add the password tic-tac-toe for account developer@mrd.de to Keychain and would name it Notarizing.
8.2. Use Keychain Access to store password in Keychain
- Select File->New Password Item (cmd+N)
- Enter the desired name example Notarizing in the field Keychain Item Name
- Enter your developer email example developer@mrd.de in the field Account Name
- Enter your app specific password example tic-tac-toe in the field Password
The screenshot shows the German GUI of the Keychain Access.app. See red translations.

8.3. How to reference to a Keychain password?
In Step 8 the password parameter was
--password "<yourAppSpecificPassword>"
Example
--password "tic-tac-toe"
To reference a password in the keychain the parameter would be
--password "@keychain:<name_of_pw_in_keychain>"
Replace <name_of_pw_in_keychain> with the Keychain Item Name you've used when adding the password to the Keychain.
Example
--password "@keychain:Notarizing"
Important Note: The first time you run altool, you get a security confirmation dialog asking you whether to allow altool to read the password from the keychain. Enter your (Mac) user password and click on Always allow.
9. Addendum 2 - the asc provider
If you are a member of multiple development teams and your e-mail address is attached to more than one development team, then you'll need to add the short name of your team ID; otherwise Apple's notarization service does not know for which team you are doing the notarization or request.
To get a list of all development teams (it seems Apple calls them providers) your e-mail address is attached to, run this shell command in Terminal:
For Xcode 10
/Applications/Xcode.app/Contents/Applications/Application\ Loader.app/Contents/itms/bin/iTMSTransporter -m provider -u "<your_AppleID>" -p "<yourAppSpecificPassword>"
For Xcode 11
/Applications/Xcode.app/Contents/Developer/usr/bin/iTMSTransporter -m provider -u "<your_AppleID>" -p "<yourAppSpecificPassword>"
Note: iTMSTransporter only allows the password parameter as plain password . --password "<yourAppSpecificPassword>"
or as a reference to a file, which has your app-specific password stored. --password "@file:<pathToYourPasswordFile>"
for example --password "@file:/users/matthias/documents/mr.txt". In this example the file mr.txt must contain the app-specific password.
You cannot use the parameter @keychain with the iTMSTransporter!
After running the above command you should see a long output of information. At the end of the output you should see something like this:

In the above screenshot the e-mail address is attached to two teams (providers). We need the short name of the provider we want to do the notarization/request for.
Let's say we want to do the request for Multitronic Vertrieb, then the ascprovider parameter for the altool command would look like this
--ascprovider "Multitronic"
10. Addendum 3 - Livecode stack
Using the author's Livecode stack to automate the above steps.
10.1. The Livecode Stack
There´s a Livecode stack available which does all the steps required for Notarization and Stapling.
For creating DMGs the stack uses hdiutil or the command line tool of DropDMG.
DropDMG is more powerful and allows to add layouts, licenses and much more to the DMG.
10.2. Overview

This chapter is just a quick overview. More detailed information about settings can be found in chapters 8.3 to 8.6
If you want, you can test right away following steps
1 - go to settings and fill out all fields with appropriate values.
2 - drag the app bundle you want to codesign & notarize to this field
Note: If your standalone is currently stored in a folder which is synchronised with Dropbox, iCloud Drive or any other Cloud Drive, then please move the standalone to a folder that is not synchronised. There was feedback from users who encountered problems when trying to notarize a standalone which was stored on a folder which was synchronised.
3 - enter the Primary bundle id.
According to Apple´s documentation you can enter what you want as the primary bundle id. Specify an identifier that helps you keep track of automated correspondence from the notarization service. The value you give doesn’t need to match the bundle identifier of the submitted app or have any particular value. It only needs to make sense to you. The notarization service includes the value whenever it emails you regarding the given altool submission. If you don´t enter a primary bundle id then the stack uses the bundle identifier of the app.
Allowed characters are a-z, A-Z, 0-9 and the period (.)
4 - Select the desired action
5 - Press START
6 - The status field shows information including encountered errors during the codesigning and notarization process. If an error is detected then an answer dialog will popup and the process is aborted.
7 - Debug mode - This will create a list of all shell commands to the clipboard as far as this is possible
8 - Select an action
9 - Press to start the selected action
The image below shows a successful notarization.

10.3. The Main Window

1 - empty all fields
2 - go to settings
3 - drag your app bundle into this field. The app bundle is your standalone you´ve created with Livecode.
Note: If your standalone is currently stored in a folder which is synchronised with Dropbox, iCloud Drive or any other Cloud Drive, then please move the standalone to a folder that is not synchronised. There was feedback from users who encountered problems when trying to notarize a standalone which was stored on a folder which was synchronised.
4 - enter Primary Bundle ID here
According to Apple's documentation you can enter what you want as the primary bundle id. Specify an identifier that helps you keep track of automated correspondence from the notarization service. The value you give doesn’t need to match the bundle identifier of the submitted app or have any particular value. It only needs to make sense to you. The notarization service includes the value whenever it emails you regarding the given altool submission. If you don't enter a primary bundle id then the stack uses the bundle identifier of the app. Allowed characters are a-z, A-Z, 0-9 and the period (.)
5 - the RequestUUID which is returned after successful upload. This field will be automatically filled and is not editable.
6 - The status field shows information including encountered errors during the codesigning and notarization process. If an error is detected then an answer dialog will popup and the process is aborted.
7 - enable this to just create the shell commands without executing them. This option will be removed in future versions.
8 - select the desired action. Currently you can decide between
- signing,creating and signing DMG, notarizing and stapling
- signing, notarizing and stapling App
- list all recent notarization requests -> See chapter 5
9 - push this button to start the desired action
10.4. The Settings
10.4.1. General Settings

1 - Close settings stack
2 - empty all fields
3 - enter your sudo password. This is needed for some tasks. See https://support.apple.com/en-us/HT202035 for additional information about the sudo password.
4 - Your AppleID - please enter the Apple ID you´ve used for the Apple Developer Membership
5 - Keychain item name of your app-specific password. Please see chapter Addendum 1 - reference to a password stored in keychain.
6 - Mark if your Apple ID is attached to multiple iTunes providers
7 - press to retrieve from Apple a list of all iTunes providers your AppleID is attached to
8 - select the iTunes provider you want to use for your tasks
9 - Your Apple Developer ID Application. This contains your name and a number, e.g. Developer ID Application: Matthias Rebbe (123456GEUL)
10 - Your Apple Developer ID Installer. This contains your name and a number, e.g. Developer ID Installer: Matthias Rebbe (123456GEUL)
11 - Select if you want to overwrite existing Package Installers (.pkg)
12 - select if you have installed DropDMG and want to use that tool for creating DMG
13 - click to open settings for DropDMG
14 - select if you want to overwrite existing DMG (this setting will be ignored if DropDMG is used)
15 - select if you want to include an entitlements file for code signing an app
16 - click to open entitlements settings
17 - save settings
10.4.2. DropDMG settings

1 - Close settings
2 - empty all fields
3 - save settings
4 - default path to DropDMG´s command line tool
5 - press to select another path
6 - Configuration to be used for DMG creation.
7 - press to select DropDMG configurations.
8 - Layout to be used for DMG creation
9 - press to select a DropDMG Layout
10 - License to be added to the DMG
11 - press to select a DropDMG License
12 - check to overwrite existing DMG. Otherwise DropDMG adds a counter to the name, e.g. MyDMG-1.dmg; this is automatically handled by DropDMG's command line tool
13 - go back to general settings
10.4.3. Entitlements settings

1 - Close settings
2 - empty all fields
3 - save settings
4 - the available entitlements - press the ones you want to be included in the entitlements plist file
5 - press to select all entitlements
6 - press to unselect all entitlements
7 - go back to general settings
This dialog contains all the entitlements that Livecode uses. To allow some features of LiveCode to work correctly in signed and notarized apps you need to include the relevant entitlements in an entitlements file. The permissions are then incorporated into the code signature when you build the app.
Alternatively, according to the lesson "Entitlements for signed and notarized apps", an option is to sign your app using all the entitlements that LiveCode uses. This will ensure that no features will break because the proper entitlement was not used.
10.5. Show all recent notarization requests (successful, failed or in progress ones)
1 - close stack
2 - Refresh the list
3 - empty the table
4 - Retrieves information for the selected request from Apple´s Notarization service.
5 - Open the Logfile URL for the selected request.
Note: Fetching the list of all recent notarization requests from Apple´s servers may take some time, so please be patient.
10.5.1. Show detailed information for selected request

1 - close field
2 - information for a request looks like this
3 - this is the Logfile URL you can open directly using the other option
Note: Fetching the detailed information from Apple´s servers may take some time (approx. 5-10 seconds).
10.5.2. Show logfile for selected request
The field shows the logfile content for the selected notarization request. The logfile is fetched from Apple servers.
Note: Fetching the logfile data from Apple´s servers may take some time (approx. 5-10 seconds).
The following screenshot shows the logfile content of a successful notarization

The following screenshot shows the logfile content of an unsuccessful notarization.

11. Troubleshooting
It can happen that your app is not approved and the notarization fails. This can have several reasons. But how do you find out what the reason was?
You can either use the stack mentioned in chapter 9 to find out, or use the shell and run several commands.
This chapter explains how to find out using shell commands.
11.1. How to get detailed information about a notarization request
11.1.1. Get a list of all recent requests
To list all recent notarization requests, run the following command in Terminal:
xcrun altool --notarize-history 0 --username "<your_AppleID>" --password "<yourAppSpecificPassword>" [--asc-provider "<ascProvider>"]
<your_AppleID> = The Apple ID you used for registering your Apple developer account. Please put it in quotes.
<yourAppSpecificPassword> = The password you´ve created at https://appleid.apple.com For details see chapter 1.3. Put the password in quotes.
Note: See chapter 7 for how to reference a password stored in Keychain Access instead of using your plain app-specific password.
<ascProvider> = shortname of the TeamID (optional)
If you are a member of multiple development teams and your e-mail address is attached to more than one development team, then you'll need to add the shortname of your team ID; otherwise Apple's notarization service does not know for which team you are doing the notarization or request. (See chapter Addendum 2 - the asc provider.)
The screenshot below is an example and shows a list of recent notarization requests I've done. The column status shows the status of the notarization requests. The latest requests are always at the top of the list, so our failed request is the first one. We need the requestUUID of that request. Copy the ID to the clipboard. We need it in the next step.
11.1.2. Get information for a single request
In the previous step we´ve copied the requestUUID of the failed notarization to the clipboard.
Now run the following shell command in Terminal:
xcrun altool --notarization-info <requestUUID> -u "developer@mrd.de" -p "@keychain:Notarizing"
<requestUUID> = the requestUUID for which we want more information. In our case this is the id we´ve copied to the clipboard
The screenshot below shows the information for our failed notarization. It still does not show a reason, only a URL.
Copy the complete URL to your clipboard and then open it in your web browser.
You should see something like this.

In our example, the reason for the failed notarization was that the binary used an SDK older than the 10.9 SDK. The app I tried to notarize was created with an older version of Livecode, so creating the standalone using a current version of LC should solve the notarization problem.
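The lookup from 11.1.2 can be scripted so that a rejected request is detected and its log URL extracted without reading the output by hand. The following is an added example, not part of the original lesson or the stack: the function names are hypothetical, the sample output is constructed (placeholder UUID, hash and URL), and the field layout is an assumption based on altool's usual text output. The password is passed as the keychain reference used above rather than in plain text, so it does not end up in shell history.

```shell
# SAMPLE_INFO: constructed stand-in for `xcrun altool --notarization-info` output.
# UUID, hash and URL are placeholders, not real values.
SAMPLE_INFO='No errors getting notarization info.

          Date: 2020-01-01 10:00:00 +0000
          Hash: 0000000000000000000000000000000000000000000000000000000000000000
    LogFileURL: https://example.invalid/notarization-log.json
   RequestUUID: 00000000-0000-0000-0000-000000000000
        Status: invalid
   Status Code: 2
Status Message: Package Invalid'

# notary_field <name>: read altool output on stdin, print the value of one field.
notary_field() {
  awk -v key="$1" '
    { line = $0; sub(/^[ \t]+/, "", line) }   # field names are right-aligned
    index(line, key ": ") == 1 {              # exact name: "Status" != "Status Code"
      print substr(line, length(key) + 3); exit
    }'
}

# notary_verdict: altool output on stdin -> 0 approved, 1 rejected, 2 pending/unknown.
notary_verdict() {
  case "$(notary_field "Status")" in
    success) return 0 ;;
    invalid) return 1 ;;
    *)       return 2 ;;   # "in progress", or output that could not be parsed
  esac
}

# check_request <requestUUID>: run the query from 11.1.2 and report the result.
# Account name and keychain item are the ones used in this lesson.
check_request() {
  _info=$(xcrun altool --notarization-info "$1" \
            -u "developer@mrd.de" -p "@keychain:Notarizing" 2>&1) || return 2
  _rc=0
  printf '%s\n' "$_info" | notary_verdict || _rc=$?
  case $_rc in
    0) echo "approved" ;;
    1) echo "rejected, log: $(printf '%s\n' "$_info" | notary_field "LogFileURL")" ;;
    *) echo "not finished yet, or unreadable output" ;;
  esac
  return $_rc
}
```

Call `check_request <requestUUID>` with the ID copied in 11.1.1; a return code of 1 means the printed log URL should be opened to read the rejection reason.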
This is an outstanding and very worked-out lesson with great detail. Thank you!