I had a query regarding stapling the ticket to the notarised binary.
Is it mandatory to staple the ticket to the binary/pkg?
I understand network connection would be required for Gatekeeper to validate. But can we still continue to notarize the binaries successfully and not staple the ticket?
Is it mandatory to staple the ticket to the binary/pkg?
Not currently, but it is strongly recommended.
On 10.14.5, notarisation only kicks in during Gatekeeper checks, that is, on the first launch of a newly downloaded app or on installation of an installer package [1]. If Gatekeeper can’t find a notarisation ticket stapled to the item, it attempts to get that ticket from the Apple notarisation servers. Assuming the Mac is online, this typically works and thus the Gatekeeper check succeeds.
However, if you don’t staple the ticket to the package and the Mac is offline during the Gatekeeper check, this access will fail )-:
My experience is that stapling is the easiest part of this whole process, so I’m curious as to why you’d want to skip it?
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"[1] The system also checks notarisation on kernel extensions (KEXTs), but I’m presuming that’s not relevant to your case.
Thanks for the details.
We do have a product build system where we do not want to modify the package by stapling the ticket for now. So as is understood Gatekeeper will require to be online in this case to validate by getting the ticket online from Apple notarisation server.
We distribute the app by a .zip file.
Stapler doesn't support to staple a zip file.
Is there anyway to staple a .zip file?
Is there anyway to staple a
file?.zip
No. The standard approach here is to staple the
.app.zip.appditto.zipShare and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"