Notarization of .app bundles enclosed in disk images/installer packages

Hello,


I am the author of xcnotary, an open source tool to help developers automate their notarization workflow. I wanted to clarify the following behavior to make sure I'm providing users with correct instructions.


I can see that the notarization service inspects the content inside .pkg/.dmg submissions. For example, if I attempt to notarize a signed package containing an improperly signed .app bundle, the service correctly fails.


The service does also appear to notarize the enclosed bundle (checked using "spctl -a -t exec -v"). However, the bundle isn't stapled, and so would need a network request on the first run (checked using "stapler validate -v" with the network turned off).


My question is: what is the general "contract" the notarization service expects to provide:


  • Will it always notarize enclosed bundles?
  • Is it expected that it won't be stapling them?


If so, in the interest of shipping bundles that are already stapled, should the build process always be two-step as follows?


  1. Notarize and staple the .app bundle.
  2. Package it into a container (.dmg/.pkg), and then notarize and staple that container.


Thank you,

David

Accepted Reply

If so, in the interest of shipping bundles that are already stapled, should the build process always be two-step as follows?

No. Our general advice here is that you sign everything, from the inside out, and then notarise and staple the outermost container. That ticket covers all the code included in the container. When Gatekeeper checks the code signature of the container, it will ingest the ticket, avoiding the need for a round trip to the notary service on first run.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
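The workflow Quinn describes (sign everything inside out, then notarize and staple only the outermost container, then confirm offline that the ticket is present) as a POSIX shell script. This is an added example, not code from the thread, from xcnotary or from Apple. It assumes a Developer ID Application identity is in the keychain, that a `notarytool` keychain profile has already been created with `xcrun notarytool store-credentials` (the profile name `AC_PROFILE` is a placeholder), that nested code lives in the usual `Contents/Frameworks`, `Contents/PlugIns`, `Contents/XPCServices` and `Contents/Library/LoginItems` locations, and that `codesign`, `hdiutil`, `notarytool`, `stapler` and `spctl` are the real macOS tools. Setting `DRY_RUN=1` prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the thread): sign inside-out, notarize and staple
# the outermost container only, then verify the stapled ticket offline.
# Assumptions: a Developer ID Application identity in the keychain and a
# notarytool keychain profile (AC_PROFILE below is a placeholder name).
# DRY_RUN=1 prints each command instead of executing it.

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Sign nested code first (frameworks, dylibs, plug-ins, XPC services, login
# items) and the .app bundle itself last. Hardened runtime (--options runtime)
# and a secure timestamp are required for notarization. Code nested more deeply
# (e.g. an XPC service inside a framework) needs the same inside-out treatment.
sign_inside_out() {
    app="$1"; identity="$2"
    for dir in Frameworks PlugIns XPCServices Library/LoginItems; do
        [ -d "$app/Contents/$dir" ] || continue
        for item in "$app/Contents/$dir"/*; do
            [ -e "$item" ] || continue
            run codesign --force --options runtime --timestamp --sign "$identity" "$item"
        done
    done
    run codesign --force --options runtime --timestamp --sign "$identity" "$app"
}

# Build the disk image, sign it, submit the container (not the bare .app) to the
# notary service, wait for the verdict, then staple the ticket to the container.
# The ticket covers every code item inside the image, so the .app is not
# notarized or stapled separately.
notarize_and_staple_dmg() {
    app="$1"; dmg="$2"; identity="$3"; profile="$4"
    run hdiutil create -volname "$(basename "$app" .app)" -srcfolder "$app" -ov -format UDZO "$dmg"
    run codesign --force --timestamp --sign "$identity" "$dmg"
    run xcrun notarytool submit "$dmg" --keychain-profile "$profile" --wait
    run xcrun stapler staple "$dmg"
}

# Offline checks (run with networking disabled, as in the original question):
# stapler validate reads the stapled ticket, and spctl assesses the signed
# disk image as Gatekeeper would on first open.
verify_offline() {
    dmg="$1"
    run xcrun stapler validate -v "$dmg"
    run spctl -a -t open --context context:primary-signature -v "$dmg"
}

main() {
    sign_inside_out "$1" "$3"
    notarize_and_staple_dmg "$1" "$2" "$3" "$4"
    verify_offline "$2"
}

# Usage: ./notarize.sh Example.app Example.dmg "Developer ID Application: Name (TEAMID)" AC_PROFILE
if [ $# -ge 4 ]; then
    main "$@"
fi
```

Once the stapled image has been assessed by Gatekeeper, the enclosed `Example.app` should also pass `spctl -a -t exec -v` offline after mounting, because the ticket ingested from the container covers it; if it does not, the usual culprit is a nested binary that was skipped during the inside-out signing pass.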

Replies

That's great! Many thanks for the reply!


David