Notarization for .NET Core Binary

Question

u3310 OP

Created Oct ’19

Replies 5

Boosts 0

Views 2.1k

Participants 2

Hello,

I tried to nortarize .pkg file but pkg file still have some errors.Please see log.

My application use .NET core binary by Microsoft(https://dotnet.microsoft.com/download/dotnet-core/2.2) .

Can anyone please provide solution for this errors?

///Log///

{

"path": "xxxxxx.zip/.../netcoreapp2.1/publish/runtimes/osx-x64/native/libgdiplus.dylib",

"message": "The signature does not include a secure timestamp.",

"docUrl": null,

"architecture": "x86_64"

},

{

"path": "xxxxx.zip/.../dotnet-runtime-2.1.11-osx-x64/dotnet",

"message": "The binary is not signed.",

"docUrl": null,

"architecture": "x86_64"

},

{

"path": "xxxxx.zip/.../dotnet-runtime-2.1.11-osx-x64/dotnet",

"message": "The signature does not include a secure timestamp.",

"docUrl": null,

"architecture": "x86_64"

},

{

"path": "xxxxx.zip/.../dotnet-runtime-2.1.11-osx-x64/dotnet",

"message": "The executable does not have the hardened runtime enabled.",

"docUrl": null,

"architecture": "x86_64"

},

Best Regard,

Boost

Answer 1

DTS Engineer OP

Apple

Oct ’19

Notarisation requires that every Mach-O image must be signed with a secure timestamp. Additionally, executables have the hardened runtime enabled. How you achieve this depends on your development environment. Are you building your app with Xcode? With command-line tools? Or using a third-party tool?

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

0

Answer 2

u3310 OP

Oct ’19

Hello,

My app is built with Visual Studio for mac and I make .pkg file by pkgbuild command.

For .NET Core Binary, my pkg just include that binary to install easily on macOS for user.

Best Regards.

0

Answer 3

DTS Engineer OP

Apple

Oct ’19

If you’re building with a third-party tool, you need to ask the tool’s vendor how best to set up your build so that it passes notarisation. I can explain the requirements of notarisation, but the best way to meet those requirements is tool dependent.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

0

Answer 4

u3310 OP

Oct ’19

Hello,

If we use any third-paty library or application depend on our application, we always need to ask their vendor about that?

Do you have any solutions except above that?

Best Regards,

0

Answer 5

DTS Engineer OP

Apple

Oct ’19

If we use any third-paty library or application depend on our application, we always need to ask their vendor about that?

The requirements for notarisation are relatively straightforward:

Every Mach-O image must be signed by a Developer ID (A).
And must have a secure timestamp (B).
Every executable must have the hardened runtime enabled (C).
If the extra security checks enabled by the hardened runtime cause problems, those checks can be disabled using the various hardened runtime entitlements (D).

Xcode takes care of A through C for simple apps, assuming those apps follow the nested code rules outlined in Technote 2206 macOS Code Signing In Depth. If you’re building from the command line, you become responsible for following those rules. I can help you with the mechanics of this (what arguments to pass to

codesign

and so on) but the overall process is your responsibility. And if you’re using a third-party tool to build your app, I would expect the vendor to step up and help with this.

Point D is the tricky one. The best way to deal with these extra security checks depends on how your code is written. If you wrote the code, I can advise you on how to do this. However, if you’re using third-party code, you’ll have to either ask the vendor (if the code is closed source or it has a responsive support channel) or work this out for yourself (if the code is open source with no support channel).

With regards the specific code in question here, I’m pretty sure it includes a JIT and thus point D is relevant.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

0