Apple expects that all ARM executables are code signed. I have no problem notarizing my graphical applications as dmg files. However, the terminal applications are another story. Over the years, it seems that specifics have changed, and Apple's documentation is vague and scattered.
I really think that both Apple engineers and 3rd party developers would benefit if Apple could provide a concrete worked example of how they would like command line applications created without Xcode to be signed, notarized and distributed. While I think the intentions for code signing are noble, the experience as a 3rd party developer is attempting to comply with code signing is extremely frustrating. Having a tool that simplifies the process and guides users through the required certificates, signing, notarization, etc. would really help, in particular for people like me who are scientists not professional developers.
For my own specific example, I am trying to package a simple open source application - https://github.com/rordenlab/niimath .
When I submit this for notarization, I get a log file that says:
The binary is not signed with a valid Developer ID certificate
However, running
codesign --verify --verbose --strict niimath
suggests this is not the case.
Below is my script to try to submit this. Only the first four lines are modified.
CODE_SIGN_SIGNATURE="Developer ID Application: My Name"
CODE_INSTALL_SIGNATURE="3rd Party Mac Developer Installer: My Name (12ABCDEFGH)"
APPLE_ID_USER=myname@gmail.com
APP_SPECIFIC_PASSWORD=abcd-efgh-klmn-opqr
APP_NAME=niimath
cd ~/src/niimath/src
gcc	-sectcreate TEXT info_plist Info.plist -O3 -DHAVE_ZLIB -o niimathX86 niimath.c bw.c core.c tensor.c core32.c core64.c niftilib/nifti2_io.c znzlib/znzlib.c -I./niftilib -I./znzlib	-lm -lz -target x86_64-apple-macos10.12 -mmacosx-version-min=10.12
strip niimathX86
gcc	-sectcreate TEXT info_plist Info.plist -O3 -DHAVE_ZLIB -o niimathARM niimath.c bw.c core.c tensor.c core32.c core64.c niftilib/nifti2_io.c znzlib/znzlib.c -I./niftilib -I./znzlib	-lm -lz -target arm64-apple-macos11 -mmacosx-version-min=11.0
strip niimathARM
lipo -create -output niimath niimathX86 niimathARM
rm niimathX86
rm niimathARM
BIN_DIR=../../bin
mkdir -p $BIN_DIR
cp $APP_NAME $BIN_DIR/$APP_NAME
cd $BIN_DIR
Verify the Info.plist was embedded in the executable during linking
echo "Verifying Info.plist"
launchctl plist $APP_NAME
Codesign the executable by enabling the hardened runtime (--options=runtime) and include a timestamp (--timestamp)
echo "Code signing..."
#codesign --timestamp --options=runtime -s "$CODE_SIGN_SIGNATURE" -v $APP_NAME
#codesign -vvv --force --deep --strict --options=runtime --timestamp	-s "$CODE_SIGN_SIGNATURE" ${APP_NAME}
#codesign -vvvv --deep --strict ${APP_NAME}
#codesign -dv --verbose=4 ${APP_NAME}
#codesign -dv --verbose=4 ${APP_NAME}
https://developer.apple.com/forums/thread/120989
codesign -vvv --force --strict --options=runtime --timestamp -s "$CODE_SIGN_SIGNATURE" ${APP_NAME}
codesign --verify --verbose --strict $APP_NAME
#productbuild --identifier "com.mricro.niimath.pkg" --sign "$CODE_SIGN_SIGNATURE" --timestamp --root /tmp/niimath / niimath.pkg
#productbuild --sign "$CODE_SIGN_SIGNATURE" --component niimath /Applications ./
#productbuild --identifier "com.mricro.pkg" --sign "$CODE_SIGN_SIGNATURE" --timestamp --root /bin / ghostscript64.pkg
#CODE_SIGN_SIGNATURE="3rd Party Mac Developer Installer: Christopher Rorden (68BQDQS28R)"
echo productbuild --identifier "com.mricro.niimath" --sign "$CODE_INSTALL_SIGNATURE" --timestamp --root ./ /usr/local/bin ${APP_NAME}_macOS.pkg
productbuild --identifier "com.mricro.niimath" --sign "$CODE_INSTALL_SIGNATURE" --timestamp --root ./ /usr/local/bin ${APP_NAME}_macOS.pkg
#productsign --sign "$CODE_INSTALL_SIGNATURE" "${APP_NAME}.pkg" "${APP_NAME}_macOS.pkg"
Notarizing with Apple...
echo "Uploading..."
xcrun altool --notarize-app -t osx --file ${APP_NAME}_macOS.pkg --primary-bundle-id com.mricro.${APP_NAME} -u $APPLE_ID_USER -p $APP_SPECIFIC_PASSWORD --output-format xml > upload_log_file.txt
WARNING: if there is a 'product-errors' key in upload_log_file.txt something went wrong
we could parse it here and bail but not sure how to check for keys existing with PListBuddy
/usr/libexec/PlistBuddy -c "Print :product-errors:0:message" upload_log_file.txt
now we need to query apple's server to the status of notarization
when the "xcrun altool --notarize-app" command is finished the output plist
will contain a notarization-upload->RequestUUID key which we can use to check status
echo "Checking status..."
sleep 20
REQUEST_UUID=`/usr/libexec/PlistBuddy -c "Print :notarization-upload:RequestUUID" upload_log_file.txt`
while true; do
	xcrun altool --notarization-info $REQUEST_UUID -u $APPLE_ID_USER -p $APP_SPECIFIC_PASSWORD --output-format xml > request_log_file.txt
	parse the request plist for the notarization-info->Status Code key which will
	be set to "success" if the package was notarized
	STATUS=`/usr/libexec/PlistBuddy -c "Print :notarization-info:Status" request_log_file.txt`
	if [ "$STATUS" != "in progress" ]; then
		break
	fi
	echo $STATUS
	echo "$STATUS"
	sleep 10
done
download the log file to view any issues
/usr/bin/curl -o log_file.txt `/usr/libexec/PlistBuddy -c "Print :notarization-info:LogFileURL" request_log_file.txt`
staple
echo "Stapling..."
xcrun stapler staple ${APP_NAME}_macOS.pkg
xcrun stapler validate ${APP_NAME}_macOS.pkg
open log_file.txt