I have an app for which I use bitrock to generate an installer and then I put that into a disk image for distribution.
I do not upload my app for notarization before building the installer but I do notarize the disk image. This appears to be OK and the gatekeeper recognizes the installer and my app is installed.
Running 'spctl -a -vv' on the installed app indicates that everything is OK and if I start the app it starts without a problem, but I would have thought that since the app was not notarized that spctl would have reported a problem and gatekeeper would have complained when it was started.
Is my process OK or, despite what spctl reports, do I in fact need to notarize the app before it is packaged by bitrock?
Barry
OK. In that case things are probably not fine. Here’s what I recommend you do:
1. Note down all the code in your product. If the code is in a bundle, use the root of the bundle, not the bundle’s main executable.
2. Get the cdhash for each chunk of code:
   % codesign -d -vvv /path/to/your/code
3. Now package up your app with that third-party installer and notarise it as you described in your first post.
4. Once notarisation is done, use --notarization-info to get a list of all the cdhashes that are included in your ticket. See my 23 Apr 2019 post on this thread for instructions.
5. Now check that all the cdhashes from step 1 are included in the notarisation ticket you got in step 4. If they are, you’re all good. If they’re not, you have a problem.
If it turns out you do have a problem, you’ll need to switch to two-stage notarisation. See the note about third-party installers in Customizing the Notarization Workflow.
Or just drop the third-party installer (-:
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"
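The comparison described in the answer above can be scripted. The following is an added example, not code from the thread: it assumes the notarisation log is JSON with a `ticketContents` array whose entries carry a `cdhash` field, and the function names, paths and hashes are constructed for illustration.

```python
import json
import re
import subprocess

# codesign -d -vvv prints a line of the form "CDHash=<40 hex digits>".
CDHASH_RE = re.compile(r"^CDHash=([0-9a-fA-F]{40})\s*$", re.MULTILINE)

def codesign_details(path):
    """Run codesign on one code item (macOS only); the details go to stderr."""
    proc = subprocess.run(["codesign", "-d", "-vvv", path],
                          capture_output=True, text=True)
    return proc.stderr

def parse_cdhash(details):
    """Return the lower-case cdhash from codesign output, or None if absent."""
    match = CDHASH_RE.search(details)
    return match.group(1).lower() if match else None

def ticket_cdhashes(log_text):
    """Collect cdhashes from a notarisation log (assumed 'ticketContents' layout)."""
    entries = json.loads(log_text).get("ticketContents") or []
    return {e["cdhash"].lower() for e in entries if e.get("cdhash")}

def check_coverage(details_by_path, log_text):
    """Map each code path to 'ok', 'missing from ticket' or 'no cdhash'."""
    ticket = ticket_cdhashes(log_text)
    report = {}
    for path, details in details_by_path.items():
        cdhash = parse_cdhash(details)
        if cdhash is None:
            report[path] = "no cdhash"  # unsigned, or not a code item
        else:
            report[path] = "ok" if cdhash in ticket else "missing from ticket"
    return report

# Constructed sample data (not real hashes or a real log).
SAMPLE_DETAILS = {
    "MyApp.app": "Executable=/Applications/MyApp.app/Contents/MacOS/MyApp\n"
                 "Identifier=com.example.myapp\nCDHash=" + "ab" * 20 + "\n",
    "MyApp.app/Contents/Helpers/tool": "Identifier=tool\nCDHash=" + "CD" * 20 + "\n",
}
SAMPLE_LOG = json.dumps({"ticketContents": [
    {"path": "MyApp.dmg", "digestAlgorithm": "SHA-256", "cdhash": "11" * 20},
    {"path": "MyApp.dmg/MyApp.app", "cdhash": "AB" * 20}]})

if __name__ == "__main__":
    for path, status in check_coverage(SAMPLE_DETAILS, SAMPLE_LOG).items():
        print(f"{status:20} {path}")
```

On a Mac, build the first argument with `{p: codesign_details(p) for p in paths}` before packaging, then pass the downloaded log text as the second.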