This is an outstanding and very worked-out lesson with great detail. Thank you!

Hi team, the Stack provided in this lessons seems to be exactly what I was looking for but I'm having troubles to identify where to get the contents of the fields. I understand this is due to my poor knowledge on the subject and would really appreciate any help to learn:
1 - from where to "Drag the App bundle"
2 - is the "sudo password" created in this step or it is coming from another place (where?)
3 - "Keychain item name of your app-specific password. Please see chapter 7 of the following livecode lesson:" don't know where the "following lesson" is
With answer to the previous questions I guess I would be able to move forward, hopefully till the end.
Many thanks in advance

@Simon Schwartzman
Hi Simon,
I am the author of the lesson and the stack, so please allow me to answer your questions
1. You drag the Mac OS standalone you´ve created with Liveode, from the Finder to the field. This will enter the path of the app into the field.
2. If your Mac user account has admin rights, then enter here your user account password. See https://support.apple.com/en-us/HT202035 for additional information about the sudo password.
3. Thanks for pointing this out. This should be " See "Please see chapter 7". This has been corrected now.

I´ve also made some adjustments to the lesson regarding your questions 1 and 2, in case others will also have the same questions.

Regards,
Matthias

Hi Matthias, many thanks for your prompt answer and for sharing this useful tool.
I have made some progress but getting an error, please see below the log of the process (I have put XXXX on the passwords):

Removing extended attributes...
executing:
pw=XXXXXXX; echo $pw | sudo -S xattr -cr "/Users/simonschvartzman/Desktop/LuckroSpotNS/LuckroSpotNS/LuckroSpotNS.app"
checking if all ext. attributes were removed

renaming localization folders...

Adjusting permissions...
executing: pw=XXXXXX; echo $pw | sudo -S chmod -R u+rw "/Users/simonschvartzman/Desktop/LuckroSpotNS/LuckroSpotNS/LuckroSpotNS.app"

will wait 3 seconds

Codesigning app...
executing: codesign --deep --force --verify --verbose --sign "Simon Schvartzman - Y5MN66BY780 --options runtime "/Users/simonschvartzman/Desktop/LuckroSpotNS/LuckroSpotNS/LuckroSpotNS.app"
Simon Schvartzman(Y5MN66BY780): no identity found
process aborted

What am I doing wrong?

Hi Simon, there is somethin wrong with you developer id. Is it possible by any chance that you´ve forgot a space between Simon Schvartzman and (Y5MN66BY780). At least in my developer id there is a space between my name and the (.....) part.

And another thing i just noticed. The developer id should also contain 'Developer ID Application: ' So in your case it should be

Developer ID Application: Schvartzman (Y5MN66BY780)

I'm getting an aborted process at the code signing phase, here is the status:

Codesigning app...
executing: codesign --deep --force --verify --verbose --sign "Developer ID Application: David Kesler (2FY45R2CL9)" --options runtime "/Users/djkesler/Desktop/launcher/FCLauncher.app"
error: The specified item could not be found in the keychain.
process aborted

I copied my developer id directly from my certificate in the key chain.

Can you think of a reason it couldn't find it, or is the "specified item" something other than the developer ID entry?

Thanks for writing this program! Am am hopeful to get my app notarized soon.

DK

Hi David,

to be honest, i have no clue.
The error message indicates, as far as i understand, that your certificate "Developer ID Application" could not be found in the keychain. But as you stated, you´ve copied it from directly from the keychain. So that could not be the case.

Did you already try to enter the Developer ID manually into the appropriate field? Maybe there was a hidden character when copying it from the keychain.app.

Regards,
Matthias

Matthias, I work my way through the problem. I was initially running the notarization app on a "High Sierra" machine, the first time I ran it on my "Mojave" machine it work! There was a slight difference in the way the certificate was presented between the OSs and that is what gave me the idea that that may be the problem. I am now waiting for apple to analyze my app.

Thanks again so much for doing this.
DK

Great to hear that you´ve found out what was causing it.
Thanks for letting us know.
All the best.

Regards,
Matthias

At the end of a "Codesign App, then notarize and staple" there is a dialog that ask "Open Output Folder?". I have looked to see if there is anything written into the folder that contained the original app, but the time stamp did not seem to indicate that anything had been written to that folder, unless it was the two log files. Is that all that the question is asking, "OK to write the log files?"

Thanks,
DK

Hi David,
no, the logfiles are written regardless what you are selecting in the answer dialog. This dialog shall, in case the user closed the window where the original file was stored, open that window again to show the modified files and the logs.

Now to your question about modification date. Although the app bundle still shows the date when the standalone was created, it definitely has something new in it. In the app bundle in Contents there is now a new file called "CodeResources". And this file shows definitely a modification/creation date that is newer than the date when the standalone was created.

To verify you could right click on the app bundle and select "show package content".( I am not sure if this is the correct english expression. I am working with a German Mac OS).
Now open the folder contents and you will see that new file.

Regards,
Matthias

Flawless instructions and everything worked until the final step of trying to staple the dmg. I received this error:
Codesign offset 0x19b1ffb length: 9501
Stored Codesign length: 9501 number of blobs: 3
Total Length: 9501 Found blobs: 3
Although we wrote the ticket, the written data did not validate. Please restore /Users/BJ/Desktop/mycoolapp.dmg from backup to try again.
The staple and validate action failed! Error 73.

Thoughts?

Hi BJ,
just a shot in the dark, but is it possible that you´ve enabled iCloud drive/desktop synchronization? If so, could you try to store your standalone in a folder which is not synchronized with iCloud drive and run the complete notarization process from start?

Could you also tell what version of MacOS, Xcode and LC you are using.

If just the staple action fails, then it would mean, notarization went through and your Standalone at least could be distributed.
It would only mean, that every time the standalone is opened, Mac OS tries to check with Apple if the standalone is notarized or not.

Regards,
Matthias

LC 9.5.1, High Sierra 10.13.6, Xcode Version 10.0 (10A255). Still no luck. Moved files to /users/BJ/ and tried it from there vs being on the desktop. Also, iCloud is not sync'n desktop. Staple of mycoolapp.app is successful but it just fails when attempting to staple the mycoolapp.dmg file.

Also, in step 6.2.1. you reference needing to save the result but I didn't see any place after this step where it was needed? Not sure if it matters, but I thought I'd ask.
*** Please make a record of the returned RequestUUID (either by copying it to the clipboard, making a screenshot or just by writing it down). You will need it later. ***

The RequestUUID can be used to check the status of the notarization process as described in step 6.3. This normally makes no sense when doing all steps manually. But it could even help there. Just imagine the notarization process is finished, but for whatever reason the Apple email does not arrive or did not arrive yet. Checking the status would give you the needed information.

I am not sure, what went wrong on your side. Did you run through all steps manually?
If so, could you try the NotarizationHelper stack which is included in the lesson?
If not, could you try to manually staple the DMG using the command in Terminal as described in Step 6.5.2?

Matthias,
Thanks for these great instructions. It saved my life when the new version of App Wrapper failed on notarization. Following your instructions I was able to do it from the command line. I have a question: I distribute my app on a DMG. Is it necessary to staple both the app and the DMG? I did the notarization with the DMG method, and only stapled the DMG. Will it work alright?
Regards,
Devin

Devin,
as far as i've have understood the guidelines, there is no need to notarize and staple both the app and the disk image which contains the app. It's sufficient to put the unnotarized app on the disk image and notarize and staple just the DMG.

If you want to notarize software inside a .zip file. then you've to notarize/staple the app, because the notarization result cannot be attached onto the archive.

Regards,
Matthias

Devin,
one question i've forgotten to ask. Why did yo do the notarization using command line? Didn't you try the attached stack, which should be able to do all the needed steps automatically?

Or did you try and it didn´t work? I am very interested in any feedback about using that stack.

Regards,
Matthias

Matthias, I've been using the attached stack for a while and it works like a charm. It is indeed of great help!
Regards, Simon

Simon,
thanks for your feedback.

Matthias,
I had purchased App Wrapper to do code-signing and notarization, and to be honest, it didn't even occur to me to try your stack! App Wrapper just wraps terminal commands in a GUI, and when it failed the log noted which command had failed, so I copied it out of the log and pasted it into the command line. The problem was (I guess) that the altool command wasn't in my PATH file, so I just provided the full file path to altool on the command line, and it worked.
I may try to use your stack next time and see how it works.
Cheers,
Devin

Hi Matthias. I just want to let you know of a problem I had with an app that used the CameraControl to record Video and Audio that I resolved with the help of LiveCode's Ian MacPhail and Panos Merakos.

I followed your instructions in this lesson doing each step manually and my app was successfully signed and notarized. Then when I tested out the app on a Mac with Catalina the app would crash as soon as I opened the camera.

I read the crash report andI found the thread that crashed:

Thread 10 Crashed:: Dispatch queue: com.apple.root.default-qos
0 libsystem_kernel.dylib 0x00007fff6e696a76 __terminate_with_payload + 10
1 libsystem_kernel.dylib 0x00007fff6e6b0406 abort_with_payload_wrapper_internal + 119
2 libsystem_kernel.dylib 0x00007fff6e6b0411 abort_with_payload + 9
3 com.apple.TCC 0x00007fff64d9e59f __CRASHING_DUE_TO_PRIVACY_VIOLATION__ + 163
4 com.apple.TCC 0x00007fff64d9c531 __TCCAccessRequest_block_invoke.114 + 500
5 com.apple.TCC 0x00007fff64d9ca58 __tccd_send_message_block_invoke + 231

Also I noticed that the app did not ask for permission to open the Camera and Microphone as it should
have.

Ian referred me to a bug report where others had experienced this same issue with entitlements where Panos explained that entitlements needed to be included in the codesigning command and explained how to do that. https://quality.livecode.com/show_bug.cgi?id=22660#c4

So to include the entitlements for camera and audio input you need to create a file called 'entitlements.plist' with just the following text.

com.apple.security.device.audio-input

com.apple.security.device.camera

I was having trouble implementing the suggestions in the bug report so I got a clearer explanation from Panos that I am including here.

The entitlements.plist file can be saved anywhere as long as the "" is valid.

Then the entitlements are added to the codesign command as follows:

codesign --options runtime --verbose --deep --force --sign "myCertificateName" --entitlements "" ""

You need to do this if your app needs any of the entitlements that LiveCode can ask for. Panos gave me the complete list here. You would only include the ones your app needs to use in your entitlements.plist file.

com.apple.security.cs.allow-jit

com.apple.security.cs.allow-unsigned-executable-memory

com.apple.security.cs.allow-dyld-environment-variables

com.apple.security.cs.disable-library-validation

com.apple.security.cs.disable-executable-page-protection

com.apple.security.device.audio-input

com.apple.security.device.camera

com.apple.security.personal-information.location

com.apple.security.personal-information.addressbook

com.apple.security.personal-information.photos-library

com.apple.security.automation.apple-events

Perhaps this can be added to this lesson to prevent future LC users from running into this.

Also it would be good to have this function included in your app, a checklist of the available entitlements that the user could check off and then the app would add those to the codesign command.

Anyway thanks for this lesson. It really helped me to understand the codesigning, notarizing and stapling process.

OH no. The plist is in XML format but all the XML tags got eaten in the page rendering. I don't know how to escape them in the comments here.

Look at the bug report that is linked here to see how the entitlements.plist should be formatted.

A comment about the SIgn'n'Notarize helper stack. I tried using that at first but it would fail at different points. I ended up using it in debug mode to output the list of commands and then entering them manually. I can't remember what was going wrong. It was probably one of the General Settings that I had entered incorrectly as I didn't fully understand the process. Now that I have a handle on it I will go back and see if I can get your helper stack to work.

Thanks.

Martin

Hello all,

The "codesign" command that includes the entitlements file is the following, as Martin said:

codesign --options runtime --verbose --deep --force --sign "myCertificateName" --entitlements "path/to/entitlements.plist" "path/to/standalone.app"

(I post it again, because some parts were lost in page rendering)

Thanks Matthias, a great piece of work. I can see why Apple implemented the new security protocol, but wow it's difficult to figure out. I finally got there thanks to you.
Cheers
Craig

Dear Matthias, I have followed your marvellous instructions and have produced a notarized and stapled app with a log that says success in all externals and entitlements (i.e. revBrowser). I have also checked in Terminal with "spctl --assess --type open --context context:primary-signature --verbose", "spctl -a -vvv" and "xcrun stapler validate" and all cases received a positive response. Only when I now try to run the app on my desktop it no longer runs and I get the message "Application Not Responding". I have trawled through a lot of Livecode and Apple fora to no satisfaction. Any thoughts/solutions very happily accepted. Regards Russell

Hi Russell

I wonder if there are any entitlements that you might need to include in the entitlements file. Have you had a look at the "Entitlements for signed and notarized apps" lesson?

https://runrev.screenstepslive.com/admin/v2/sites/14751/toc/manuals/4071/chapters/246840?showCurrentArticle=1293515

Kind regards

Elanor

Hi Russel, the correct link to that lesson is
http://lessons.livecode.com/m/4071/l/1293515-entitlements-for-signed-and-notarized-apps

@Martin Koob
Thanks for your useful information. Seems i have to either enhance my lesson or at least should mention the entitlements stuff lesson. I will see, if i even get my NotarizeHelper stack updated. So that one can define an entitlement.plist file before code signing.

Thanks Both. Just got an all round success response with following entitlements:

com.apple.security.files.bookmarks.app-scope

com.apple.security.files.bookmarks.document-scope

com.apple.security.network.client

com.apple.security.network.server

I am using Browser only - I assumed these would be the required entitlements. There is nothing added in the Externals folder and the app works great before the notarizing process. As mentioned I have gone through the entire process including stapling and at every stage I've got a "success" response. However, the app is not working anymore. I tried making a simple app without a Browser and without entitlements which also got the success response and will work in the Applications folder. Is there anything else that should be in the entitlements? Please advise.

Did you already try to add all the entitlements as described in the lesson Elanor mentioned?

@Russell What happens when you just code sign the app. Does it still works then?

@Russell On what macOS version are you getting the "Application not responding" message?

@Russell Any chance that you are on Mojave and have installed the Security Update 2020-005 10.14.6? If so, did you install it in September or October. If in September then could you check. Apple re-released the Security Update 2020-005 because it was causing problems. Maybe this is also the cause for your problems.

Interesting Matthias and worth a try in that I am using Mojave and I have just installed the updated update before I started these app builds. I have checked for further updates and I am up to date. Not sure that helps?

I'll add the other entitlements and check the code sign app over the next couple of days. Thanks again both.

@Russell Okay, then it seems you've updated in October. Apple re-released fixed versions on the 1st or 2nd of October.

On other projects today. I'll put the other entitlements in as suggested by Elanor and check the code signing stage over the next couple of days. Thanks again for your help.

Sorry for including the wrong link in my comment, I was logged in as an admin and I should have noticed. Thank you for providing the correct link Matthias.

Elanor

Hmmmmm. Well I added the "Elanor entitlements" to the ones I mention above and the app worked when code signed and when I notarized it! Not completely convinced what has sorted this. But it works. Thanks very much to you both.
Regards
Russell

I am glad to hear that it finally worked for you. I am currently reworking this lesson. I will add the Entitlements stuff. The NotarizeHelperStack was also enhanced so it allows now to select the needed entitlements for Code Signing. It is not yet online. I want to finish the lesson update first.

Further to: I came across these two helpers on the Apple "Ensure Properly Formatted Entitlements"

Correctly formats the entitlements file: plutil -convert xml1

Verifies the formatting: plutil -lint

That is useful because it removes any line gaps in the file etc.

Regards
Russell

Hi all,
the lesson and the NotarizeHelper stack were updated. The stack now allows code signing with entitlements.

Hi Matthias, thanks for your work on this!
I'm getting an error after the upload for notarization:
Status Code: 2
Status Message: Package Invalid

Which shows on the web page:
"severity": "error",
"code": null,
"path": "MITA.zip/MITA.app/Contents/MacOS/MITA",
"message": "The signature of the binary is invalid.",
"docUrl": null,
"architecture": "x86_64"

I used both the mrSign stack and individuals commands in Terminal to try this with the same result.
I've rechecked to confirm that my Apple ID, Developer ID Application are both correct. The Developer ID Application is in the format: Developer ID Application: Peter Bogdanoff (XXXXXX)

I set the Primary bundle id into the Mac page of the Standalone Application settings and that is loaded into Primary bundle id field: com.artsinteractiveinc.mita

In Terminal I ran codesign --verify and I get: satisfies its Designated Requirement

Do you have any idea why this fails?

Does my App ID (from my Apple Dev account: Certificates, Identifiers & Profiles/Identifiers) have anything to do with the Primary bundle id? Those two things are different. Is that App ID needed for any of this?

Hi Peter,
to be honest i have no clue what is wrong.
The lines
"path": "MITA.zip/MITA.app/Contents/MacOS/MITA",
"message": "The signature of the binary is invalid.",
shows the reason why it is rejected.
Could you please try the following command

codesign -verify -verbose.

Peter,
or for a more detailed result
codesign -dv -verbose

The result in Terminal for those two commands--

codesign --verify --verbose: 'valid on disk' (and) 'satisfies its Designated Requirement'

codesign -dv -verbose: 'edited signature app bundle with Mach-O universal (x86_64) [com.artsinteractiveinc.mita]'

Should the last one NOT say "edited'?

Peter, my fault.
Could you please just run
codesign -dv

Btw. On what macOS are you and what Xcode are you using? I could try to notarize one of my app in a VM with that configuration, just to make sure that this is not someting related to the Xcode version.

codesign -dv returns:
Format=app bundle with Mach-O universal (x86_64)
CodeDirectory v=20500 size=180071 flags=0x10000(runtime) hashes=5620+3 location=embedded
Signature size=9012
Timestamp=Nov 21, 2020 at 1:26:19 AM
Info.plist entries=30
TeamIdentifier=U768M256PT
Runtime Version=10.9.0
Sealed Resources version=2 rules=13 files=113
Internal requirements count=1 size=188

In on macOS 10.14.8
Xcode: 10.3

Peter,
please excuse my late answer.
1. You mean 10.14.6 and not 10.14.8, right?
2. Which LC are you using. If LC 9.6x, you should use Xcode 11.3.

Unfortunately i do not get Xcode 10.3 installed on macOS 10.14.6 for whatever reason.

Matthias, yes macOS 10.14.6. I moved to another machine with Catalina + xCode 11.7. I still got the same error.

Since I was getting the error description, "the signature of the binary is invalid" I then tried removing a folder of stack files and JPG files from the MacOS folder inside the package (they were all in a folder named "Data") and the process was successful, "Your Mac software has been notarized."

Is the script supposed to sign each of these files? These are files that I need to run my program.

Matthias -- I got it to work. I needed to change the files that I needed in the package to be set by the LiveCode Standalone Application Settings. I added them to the stacks and files tabs in the Standalone Application Settings and LIveCode moved them to new locations in the package, and this worked properly for codesigning and notarizing. I'll now have to change my IDE paths to access the files, but this is minor.

Incidentally, I used macOS 10.14.6, LC 9.6.1, and Xcode 10.3 to do this successfully.

I'm now trying to get dropDMG to create the DMG automatically. I gave dropDMG access in macOS privacy settings... I'll continue to tweak the settings to get it right.

Thanks very much!!!

Peter,
good to know that it works now.
I have one question:
How did you add the files before? Did you create the standalone and added them manually afterwards to the MacOS folder?
Anyway. It's working now. That's the main thing.

Yes, I did that -- create the standalone, then added the files manually. I used scripting to sign everything in that folder, as well as the EXE. It worked for pre-Catalina.

Hi Peter,
...as well as the EXE... ?? Did you add an .exe file to your app bundle?

Anyway,
maybe i should mention in the lesson, that additional files have to be added using the 'Copy Files' section in the standalone builder.

Sorry, no I was referring to the executable.

Yes, to mention the stacks and files tabs would be very helpful.

Good to know. I was a little bit confused. ;)

I've added now a note about how to add additional files and folders to the standalone. It's in section 1.9.
Thanks for bringing this up, Peter.

"For creating DMGs the stack uses hdiutil or the command line tool of DropDMG." Hi Matthias, is this something I need to download and install or does the stack do this for me? Thanks

Hi Matthias, just a quick note. On the settings page you have flagged some fields as req'd (with an *) but not the sudo password (which I don't know so left out). When I run the app it asks me for a sudo password and says it's req'd? Thanks

Ok, signing was successful, notarizing failed with this message "Failed to get the password for the keychain item 'spyc-jdam-qssb-bbda'.". At some point it asked for my keychain password and I gave it my login password (since I don't know what my keychain pw would be). Is that why this failed? How do I rectify this? I looked at my keychain and it's not locked, so if should have been able to gain access just fine?? In fact I closed it and opened it and it didn't ask for a pw. Not sure what this all means. Thanks

Hi Mark, instead of entering your app specific password you need to add the name under where the app specific password was stored in the key chain. Please see chapter 7 on how to add you app specific password to the key chain.

@Mark
Regarding "For creating DMGs the stack uses hdiutil or the command line tool of DropDMG." Hi Matthias, is this something I need to download and install or does the stack do this for me?

hdiutil is a macOS system tool and is already available. DropDMG is a commercial tool from https://www.c-command.com and must be downloaded.

@DavidKesler You mention in your post: "I work my way through the problem. I was initially running the notarization app on a "High Sierra" machine, the first time I ran it on my "Mojave" machine it work! There was a slight difference in the way the certificate was presented between the OSs and that is what gave me the idea that that may be the problem. I am now waiting for apple to analyze my app."

I have the same problem with certificates in Big Sur i.e: "The specified item could not be found in the keychain." even though I have checked that the wording is correct. Could you let me know what was different between the certificates on High Sierra and Mojave?

Or @Matthias/@Elanor any thoughts in this regard gratefully received.

Thanks.

Russell

Hi Russell

Have a look at your Certificates in Keychain Access and see if everything looks ok, nothing has expired and the private keys are all in place etc.

Elanor

Russell,

I never actually found out why it started working, I was just ecstatic it did.

I can say that whenever I have had a problem since, it has been down to making sure everything is exactly the same as the keychain, without doing a copy and paste. If you read Matthias’ comment just before I had the successful notarization on Oct 09, 2019 he suggested that copying from the keychain can introduce problems, so I retype my Apple Developer ID Application and the application specific password.

Also, if you change the label you gave to the app specific password, there are two places in the keychain that must match for it to work.

I have to say since the Matthias put out the new version that included the entitlements, I have had problems only with typographical errors that I have made.

I am SO thankful to Matthias for this program!

Matthias,
I agree with your commenters that you've been a light in the wilderness with respect to code-signing. I've had no success to date, but I can share a few things I've learned so far -- apart from the obvious lesson I've learned (the hard way) that typos can be fatal when using your stack.
The first problem I encountered was an error when LiveCode improperly included tsNet in an automatic search for inclusions. (The solution was to select the inclusions manually.)
A second problem was an error message that "altool" could not be found. Hoping to avoid having to download the entire XCode, I had installed only the Command-Line-Tools. A web search indicated that CLT did not include "altool" -- heads up to others who've made the same mistake -- so I spent a day downloading XCode, hoping that this would resolve the problem. Apparently, everyone needs XCode.
Sadly, I'm now getting an error message "Failed to get the password for the keychain item..." In ignorance, I probably just screwed up my keychain (and maybe my developer account) over previous failed attempts.
Curiously, when I misinterpreted your General Settings item "Name of app-specific password*" as meaning the actual password and not its Keychain name, I actually got a few steps closer before the process aborted.
Obviously, I've got to persist until this works, but you've given us a great start. Thanks!

Update:
Using Matthias' livecode stack, I was able to code-sign both my app and a DMG that employed the very nice design options available via the third-party DropDMG app. (Both were confirmed using the terminal commands that Matthias provided.)
However, in order to circumvent the problem experienced with accessing the keychain password item, I then resorted to using the Terminal to include the actual app-specific password. From there, using Matthias' examples, I was able to notarize and staple my dmg successfully.
Although Matthias' livecode stack probably works fine from start to finish, in my experience this strategy is what got this to work.

The instructions for Matthias' livecode stack include the warning that when revZip external is employed, a that references this must must be included in an entitlements file. Because this is apparently not among the externals included in the default entitlements file created by that stack, am I correct to assume that I should *instead* create an entitlements file manually that includes this line (along with one for the Internet external that also is not included in the default)?

I don't use these externals in my own code, but these are required as inclusions in order to employ Curry Kenworthy's third-party extension "WordReport" to generate MSWD-compatible documents. (That extension currently breaks in macOS Catalina and possibly even in Windows 10, but hopefully will be fixed by its author some time soon.)

Thanks!

Jeff,
if i recall it correctly then the warning about revZip and the needed entitlement is within the lesson and not exclusively as a comment for the attached stack. The stack already has a feature to include that entitilement or even all entitlements that are recommended by Livecode.

@Jeff
Regarding Curry's Wordreport.
I did not use it currently in a standalone, but what i can say is, that Wordreport defintely works here in the LC IDE under Catalina and Big Sur. The only thing what is breaking it, is if you use non ascii characters. But this is not OS dependet. There is a workaround for that. If you like, we could talk about that in the use list.

Thanks for your incredibly quick reply! Obviously this is not the place to discuss third-party providers. Although I've been using LC since 2014, I've just now subscribed to that use-list -- which apparently differs from the LC forums whose incredibly generous contributors have helped save my butt more than a few times since 2017.
If/when I am approved to join, perhaps we can pursue this issue there -- wherever "there" is. Curry recently confirmed that WordReport does break in Catalina+ standalones -- as I'd reported to him over a year ago -- but promises to fix this some time in the future. One of my apps remains on hold until then.
jeff k

Just in case anyone needs to include the (not always) optional "asc provider" when notarizing via Terminal, I've found that in order to avoid an error, a hyphen is required in the command: --asc-provider "". (The instructions in Sections 7.x instead read: --ascprovider "")
Also, as regards Section 9 Addendum 2, the instructions illustrate references to Xcode in order to identify one's development team. I can't vouch that this works for everyone, but the following did for me:
xcrun altool --list-providers -u "" -p ""
In my case, it turned out that the short name needed was just the ten-character string associated with my Developer ID.

Thank you very much for pointing the typo out. It's corrected now.
Regarding your comment regarding Section 9Add2 i do not fully understand. Did you had problems with the example code? If so, could please you tell me which version of Xcode you are using?
Regards
Matthias

As regards Section 9Add2, my point was simply that the examples apparently assume that one has installed the entire 40GB Xcode package. Last year I opted to install only the lightweight (1.2GB) command line developer tools, which are sufficient to perform the codesigning/notarizing/stapling when following your detailed instructions. Hence, the simpler command line that I found worked for me.
Still, your explanation that asc provider might be needed proved very helpful. I'd been stymied for over a week when Apple suddenly began rejecting my attempts to submit a .dmg for notarization, until Dev Support informed me that I had (unintentionally ) created an unneeded Podcast account using my same Apple ID some time before the first notarization failure occurred. Including asc-provider resolved the problem.

I see that this conversation is not active for quite a while, but will try for a response nonetheless.

My progress with Matthias' codesigning stack gets only as far as "error: The specified item could not be found in the keychain. process aborted". I lack experience and knowledge about certificates and keychain matters, so no doubt I've just done something clueless, but haven't been able to determine the problem.

My keychain has an item of "Kind: application password" with the password Apple supplied, and also the certificate created by Certificate Assistant, but I can't figure out which step(s) I've done incorrectly.

I appreciate any guidance.

Hello Bruce,

I have not seen this error before, but it sounds like the keychain item that the stack is looking for does not match the one the exists in your keychain. I would suggest you doublecheck the names are identical.

Kind regards,
Panos
--

Hello Bruce, as Panos wrote. It seems that altool cannot find the Keychain item you've specified in the settings of the Notarizer stack. Did you follow the steps in Chapter 8 correctly to add the password to the KeyChain? If so then maybe you've used upper/lower case characters in the item name and did not use them in the settings of the stack or vice versa. Altool is case-sensitive, so please make sure that the name you are entering in the settings is identical including upper and lower case characters as the one in the Keychain.

Bruce,
If you scroll up to my comments on June 10 & June 16 2021, you'll find that I too experienced problems using the keychain strategy.

My solution was simply to do the entire code-signing procedure using Terminal. The instructions/examples that Matthias provided are so clear and explicit that this was a lot easier than trying to figure out what went wrong with keychain.

Thanks for the replies to my post. I am grateful for the assistance.

It appears I have solved the password problem. In Matthias' stack I now get as far as this error:

Codesigning app...
executing: codesign --deep --force --verify --verbose --sign "Bruce Dalby (SLG8YJMU8V)" --options runtime "/Users/brucedalby/Documents/Tonal Assistant/Tonal Assistant.app"
/Users/brucedalby/Documents/Tonal Assistant/Tonal Assistant.app: replacing existing signature
Warning: unable to build chain to self-signed root for signer "Developer ID Application: Bruce Dalby (SLG8YJMU8V)"
/Users/brucedalby/Documents/Tonal Assistant/Tonal Assistant.app: errSecInternalComponent
process aborted

In my keychain is a Developer ID Application of the indicated identity, issued by Developer ID Certification Authority, and marked "This certificate is marked as trusted for this account." If I issue a request to evaluate that keychain item Certificate Assistant tells me:

Evaluation Status: Success
Certificate Status: Good

So, I seem to be making progress, but still don't understand what's missing. Is the problem that my certificate is self-signed? I remember dialogues that offered signing by other Authorities, but didn't know how to access the necessary emails or links.

Yeah, Newbie here.

Bruce,
i never had this error. But according to a post in Apple's developer forum the following steps might help.
I did not test it and i cannot guarantee that his will work...
In case that you don't have a current TimeMachine backup, you should backup the Keychain folder first.
So please make a copy of this folder
~/Library/Keychains
Then
- Remove your account information from Xcode and quit Xcode
- In Keychain Access delete all of your certificates and also all Apple Root and Intermediate certificates.
- Download all Apple Root and Intermediate certificates from here https://www.apple.com/certificateauthority/
- Manually install all of the downloaded Apple root and intermediate certificates
- Start Xcode and in Preferences > Accounts add your account again
- Select 'download manual profiles'
After that try again.

Thanks, Matthias. I followed your instructions as best I could, and am now at this error:

Codesigning app...
executing: codesign --deep --force --verify --verbose --sign "Bruce Dalby (JX9J26GZ72)" --options runtime --entitlements /private/var/folders/pv/fqn9xn2x7914jltd7_6_yf6r0000gp/T/TemporaryItems/entitlements.plist "/Users/brucedalby/Documents/Tonal Assistant/Tonal Assistant.app"
error: The specified item could not be found in the keychain.
process aborted.

...but I have know idea whether I got further in the process, or worse, having started from scratch with certificates, I'm missing something and this is actually an earlier-in-the-process error.

The error says "entitlements." In your app in settings there's a checkmark for entitlements, and it is checked.

The error says "can't find item in keychain." The password? In my keychain is a password Tonal Assistant; Kind: application password; Account: my Apple ID login email; Where: the finder location of the app bundle (shown in error message): Show password: The password provided by Apple.

I appreciate your patience. All this is phenomenally complex and confusing. In 40 years of using computers extensively, including successful development and distribution of several apps, I've never encountered a matter so difficult and frustrating. And I don't think the problem is that I'm just dense. And it's definitely not your instructions or app. It's obvious an ENORMOUS amount of work was put into those. OK, done venting...

Code signing does not need a password, but it needs to fetch information about your Developer certificated. In your post you are using "Bruce Dalby (JX9J26GZ72)" as the name of your Developer Application certificate. Are you sure that that is the exact name? My certificates names are like this "Developer ID Application: Matthias Rebbe (xxxxxxGEUL) and "Developer ID Installer: Matthias Rebbe (xxxxxxGEUL)

Well, I made progress. I got to:

*** App sucessfully signed ***
and
***Zipfile created***

But then:

Begin Notarizing...
uploading /Users/brucedalby/Documents/Tonal Assistant/Tonal Assistant.zip
executing: xcrun altool -type osx --notarize-app --primary-bundle-id "com..tonalassistant" --username "[email protected]" --password "@keychain:" --file "/Users/brucedalby/Documents/Tonal Assistant/Tonal Assistant.zip"
*** Error: Failed to read legacy keychain item '', Error Domain=ITunesConnectFoundationErrorDomain Code=-25300 "The specified item could not be found in the keychain." UserInfo={NSLocalizedDescription=The specified item could not be found in the keychain., NSLocalizedFailureReason=The specified item could not be found in the keychain.}
*** Error: altool encountered an error.
*** Error: The specified item could not be found in the keychain. (-25300)
process aborted

Mathias, I am EXTREMELY grateful for your assistance. I hope my ignorant mistakes are not frustrating you too much. :-)

Hello Bruce, the parameter --password "@keychain:<keychainitem>" requires that you have stored your password in your Keychain. <keychainitem> references to that entry. You have to replace <keychainitem> with the name under which you've stored your app password in your Keychain. See chapter 8 for more information. If you want to specify your password in the command, then please use --password "<yourPassword>" replace <yourPassword> with your app password.