I represent a number of "Omnis Developers", people who write apps with Omnis, a RAD, high level language, that does not compile, but rather, we distribute an Omnis Runtime app with our library of code that is interpreted at runtime. We create business apps mainly.
To distribute our apps we include our library of code with a copy of the Omnis runtime app. So when we go to code sign and notarize our apps we are actually signing and notarizing the Omnis app, which we did not create, we license it. Omnis Inc. creates and maintains their executable that we license and distribute.
So when we approach Notarization, we are not the developers of the app we are notarizing. We do not intimately know it's insides, where is the code, and what doesn't need to be code signed.
We were provided a path to notarization by Omnis Inc and it worked fine, still works fine, under Catalina and Xcode 11. That method included using the --deep command. It worked. Omnis is a non-standard app I believe, in terms of where it has code inside it.
Under BigSur and Xcode 12 the --deep command inserts detritus.. you get that message that finder information and similar detritus is not allowed. You cannot finally sign the main app after signing ALL of it's insides. You get stuck.
Instead of using the --deep command Apple recommended to me, or one engineer did, that I sign the insides of the app manually. I did that, but not knowing what to sign I signed everything. I got the "similar detritus" problem.
I am petitioning Omnis to give me a list of folders inside the app that actually need to be code signed. I am hoping that by signing only some things that I will not get the detritus message.
I am posting about this here in case anyone has anything to tell me that will help me.
I have the work around of running a Catalina Virtual Machine and Xcode 11.. that is what I am doing presently. One developer pointed out that Apple will probably not allow code signing from older OS's eventually.. and we will be really stuck. So I am working on this issue presently.
Either the --deep command has to work and not insert detritus, or signing everything has to not insert detritus, or a list of things to sign will not insert detritus.. one of these has to give way to signing without that message coming up.
This is of concern to many Omnis developers worldwide.
We have the Catalina workaround, but for how long?
Sincerely,
Das Goravani