How to notarize a screen saver

Reply to self with what I’ve done for Catalina:

You can’t notarize the .saver directly, but you can in a round-about-way notarize a ZIP file, which is how I distribute my screen saver. Here are the steps I use for my simple saver, your mileage will undoubtably vary:

• /usr/bin/codesign -f -o runtime --timestamp --sign “insert Developer ID Installer certificate identifier here” XYZZY.saver
• compress the code signed .saver e.g. XYZZY.saver.zip
• /usr/bin/xcrun altool --verbose --notarize-app --primary-bundle-id “insert identifier here" -u “xyzzy@plugh.com" -p “insert app-specific PW for your Apple ID here" -t osx -f XYZZY.saver.zip
• Aside: store the App-specific password in your keychain and reference it from the command line like this:

  /usr/bin/xcrun altool --store-password-in-keychain-item "AC_PASSWORD" -u xyzzy@plugh.com -p “insert App-specific PW from Apple here”

• wait for notarization, check status like this:

  /usr/bin/xcrun altool --notarization-history 0 -u “xyzzy@plugh.com" -p "@keychain:AC_PASSWORD”

• While you can notarize a ZIP archive, you can’t staple the notarization ticket to it directly. Instead, run stapler against each individual item that you originally added to the archive. Then create a new ZIP file containing the stapled items for distribution.
  • /usr/bin/xcrun stapler staple XYZZY.saver
  • Re-zip the saver and distribute

Cool ! That almost asnwers the problem I am having , too!

One question, though: where would I find the 'Developer ID Installer certificate identifier' ?

Also, I don't think I have an 'app-specific PW' - what do I do?

The last step in your instractions is not clear to me:

does 'xcrun stapler staple XYZZY.saver' "run stapler against each individual item" for me?

or do I have to do this for each and every item inside the package myself?

Thanks a lot in advance!

I get my Dev ID Installer from Keychain Access in the Certificates section: Developer ID Installer: Your Name (123456). Use the string "Your Name (123456)".

Generate the App Specific PW here: https://support.apple.com/en-us/HT204397

You have to run stapler againsts every item in the archive, then recerate the archive. For me, there's only one item the saver module.

• I was able to make this work for my distribution via a DMG instead of ZIP.

• I use appdmg to build the DMG that contains my .saver file. It is a very handy tool that does the Developer ID signing. It doesn't do the notarization, but the steps provided above against the DMG file works a treat.

• I added the app-specific password by logging in to https://appleid.apple.com with my developer account

• After notarizing, I simply ran the staple command on the DMG and it was notarized. There is a lot of auto-magic going on there.

• I was able to validate that "source" is "Notarize Developer ID" using: spctl --assess -vvv --type install <fileName>.dmg. You should see something like:

Code Block # spctl --assess -vvv --type install screensaver.dmg 
screensaver.dmg accepted
source=Notarized Developer ID
origin=Developer ID Application: <your developer account name> (<your team identifier>)

Where should the .saver file and the saver.zip be located on my hard drive?

It doesn’t really matter. Usually folks do development in a directory that they create within their home directory.

ps I recommend steering clear of directories, like Document and Desktop, that are protected by MAC.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"