Can't Code Sign Manually, and --deep doesn't work

I represent a number of "Omnis Developers", people who write apps with Omnis, a RAD, high-level language that does not compile; rather, we distribute an Omnis Runtime app with our library of code that is interpreted at runtime. We create business apps mainly.

To distribute our apps we include our library of code with a copy of the Omnis runtime app. So when we go to code sign and notarize our apps we are actually signing and notarizing the Omnis app, which we did not create, we license it. Omnis Inc. creates and maintains their executable that we license and distribute.

So when we approach Notarization, we are not the developers of the app we are notarizing. We do not intimately know its insides: where the code is, and what doesn't need to be code signed.

We were provided a path to notarization by Omnis Inc and it worked fine, still works fine, under Catalina and Xcode 11. That method included using the --deep command. It worked. Omnis is a non-standard app I believe, in terms of where it has code inside it.

Under Big Sur and Xcode 12 the --deep command inserts detritus: you get that message that Finder information and similar detritus is not allowed. You cannot finally sign the main app after signing ALL of its insides. You get stuck.

Instead of using the --deep command Apple recommended to me, or one engineer did, that I sign the insides of the app manually. I did that, but not knowing what to sign I signed everything. I got the "similar detritus" problem.

I am petitioning Omnis to give me a list of folders inside the app that actually need to be code signed. I am hoping that by signing only some things that I will not get the detritus message.

I am posting about this here in case anyone has anything to tell me that will help me.

I have the workaround of running a Catalina virtual machine and Xcode 11; that is what I am doing presently. One developer pointed out that Apple will probably not allow code signing from older OSes eventually, and we will be really stuck. So I am working on this issue presently.

Either the --deep command has to work and not insert detritus, or signing everything has to not insert detritus, or a list of things to sign will not insert detritus. One of these has to give way to signing without that message coming up.

This is of concern to many Omnis developers worldwide.

We have the Catalina workaround, but for how long?

Sincerely,

Das Goravani

Replies

That method included using the --deep command.

I would avoid using the --deep argument for details outlined in this post.

Regarding:

Apple recommended to me, or one engineer did, that I sign the insides of the app manually.

Right, this would be an acceptable path to take here given that you arrange your bundle with a set of nested code directories outlined here. I do not know how the Omnis bundle is structured, but if you can arrange your signed code to fit the nested code structure mentioned in the previous link, this should put you in a good place to pass Notarization.

If you continue to experience issues here, you may want to contact the Vendor of this app and have them open a TSI so that DTS can take a look at your entire built app and recommend any changes that would allow the app to be successfully Developer ID signed and Notarized.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
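As an added example (my own script, not Omnis's or Apple's, and not something either participant posted), here is a shell script that does what the reply describes: strip the "Finder information or similar detritus" codesign rejects, sign every nested bundle and loose Mach-O file deepest-first without --deep, then sign and verify the outer app. The identity string, the Mach-O detection by magic number and the bundle layout it walks are assumptions; any entitlements the Omnis runtime may need are not included.

```shell
#!/bin/sh
# Added example (not Omnis or Apple code): sign an app bundle "inside out" without
# --deep, after stripping the Finder info / resource-fork detritus codesign rejects.
# Assumptions: IDENTITY is a Developer ID Application identity in your keychain
# (placeholder below), and $1 is the path to the .app to sign.
set -eu
IDENTITY=${IDENTITY:-"Developer ID Application: Example Corp (TEAMID1234)"}  # placeholder

# True if the file starts with a Mach-O or fat/universal magic number (either byte
# order). 0xcafebabe is also the Java class magic, so check such hits by hand.
is_macho() {
  magic=$(head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')
  case "$magic" in
    feedface|cefaedfe|feedfacf|cffaedfe|cafebabe|bebafeca) return 0 ;;
    *) return 1 ;;
  esac
}

# Remove what codesign reports as "resource fork, Finder information, or similar
# detritus": AppleDouble ._ files, .DS_Store, and extended attributes (xattr -cr).
strip_detritus() {
  find "$1" \( -name '._*' -o -name '.DS_Store' \) -type f -delete
  xattr -cr "$1"
}

# List every piece of nested code under the bundle root: nested bundles
# (frameworks, plug-ins, XPC services, helper apps) and loose Mach-O files
# wherever they sit, which matters for a non-standard layout like Omnis's.
# The bundle root itself is excluded; main signs it last.
find_nested_code() {
  find "$1" -mindepth 1 -type d \( -name '*.framework' -o -name '*.app' \
       -o -name '*.xpc' -o -name '*.bundle' -o -name '*.plugin' -o -name '*.appex' \)
  find "$1" -mindepth 1 -type f | while IFS= read -r f; do
    if is_macho "$f"; then printf '%s\n' "$f"; fi
  done
}

# Deepest paths first, so every item is sealed before the bundle that contains it
# (signing a container seals its contents; signing something inside it afterwards
# breaks the container's signature). Ties are broken lexically for a stable plan.
order_inside_out() {
  awk -F/ '{ print NF, $0 }' | sort -k1,1nr -k2 | cut -d' ' -f2-
}

# Developer ID signature with a secure timestamp and the hardened runtime, both
# required for notarization. --force replaces any signature already present.
sign_item() {
  codesign --force --sign "$IDENTITY" --timestamp --options runtime "$1"
}

main() {
  app=$1
  strip_detritus "$app"
  find_nested_code "$app" | order_inside_out | while IFS= read -r item; do
    sign_item "$item"
  done
  sign_item "$app"   # the outer bundle goes last; its seal covers everything above
  # --deep is fine for verification even though it is a poor choice for signing.
  codesign --verify --deep --strict --verbose=2 "$app"
}

# Run when given a bundle path; sourcing the file only defines the functions.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it as `IDENTITY="Developer ID Application: …" sh sign_nested.sh /path/to/Built.app`, then submit the result to notarization as before. The main executable named in Info.plist is re-signed when the outer bundle is signed, so it being listed once more by find_nested_code is harmless. If a vendor later tells you which folders actually contain code, narrow find_nested_code to those paths; the deepest-first ordering and the detritus step stay the same.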