Notarytool, WeatherKit and a non App Store app

I work on an open source weather app for macOS. I would like to sign it for distribution. I used to do this with a shell script using xcodebuild, codesign and altool using this process: https://scriptingosx.com/2019/09/notarize-a-command-line-tool

Obviously I now need to convert to use notarytool.

I use the following steps:

xcrun notarytool store-credentials

xcodebuild -with -authenticationKeyID and -allowProvisioningUpdates

xcrun codesign -s "$dev_teamid" --entitlements

codesign -dv --verbose=4

/usr/bin/ditto -c -k --keepParent

xcrun notarytool submit --wait --keychain-profile

xcrun notarytool log

xcrun stapler staple

I ran with the credentials for Developer ID Application: (not Apple Development Certificate)

All steps seem to run fine.

The notarytool log shows: "statusSummary": "Ready for distribution"

Yet when I try to run I get the message The application can’t be opened.

When I click on the ? in the upper right corner, I get an empty window that pops up.

Combing through the Console, these two messages jump out:

Checking profile: Mac Team Provisioning Profile: com.heat.Meteorologist

com.heat.Meteorologist: Unsatisfied entitlements: com.apple.developer.weatherkit

What step have I missed?

Thank you.

Replies

It looks like you’re claiming an entitlement that’s not authorised by your provisioning profile. As a first step I recommend that you confirm that, using the techniques described in the Code Signing Crashes on Launch section of Resolving Trusted Execution Problems.

From there you need to work out how that happened. It’s hard to say based on the info you’ve provided but I suspect that you’re not using the Xcode archive workflow, which makes everything trickier. For more on this, see the Export an App from Xcode section of Creating Distribution-Signed Code for Mac.

I used to do this with a shell script … using this process

That tutorial makes sense: it is targeted at folks building a command-line tool. If you’re building an app, you can get Xcode to do more of the heavy lifting. Compare the instructions in the above-mentioned Export an App from Xcode section with the much-less-fun instructions in the Export a Non-App Product Built with Xcode section.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thank you, Quinn. To summarize, the one step I was missing, from your link https://developer.apple.com/forums/thread/701514, was this (emphasis on the final sentence):

To create a distribution provisioning profile, follow the instructions in Developer Account Help. Make sure to choose a profile type that matches your distribution channel (Mac App Store or Developer ID).

Once you have a distribution provisioning profile, copy it into your program’s bundle. For information about where to copy it, see Placing Content in a Bundle.

...

% cp "ConfigApp-Dist.provisionprofile" "to-be-signed/ConfigApp.app/Contents/embedded.provisionprofile"

Modifying the app in this way will break the seal on its code signature. This is fine because you are going to re-sign the app before distributing it.

IMPORTANT If you’re building your product with Xcode then you might find that Xcode has embedded a provisioning profile within your bundle. This is a development provisioning profile. You must replace it with a distribution provisioning profile.
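Added example, not part of the thread or of Apple's documentation: a Python sketch of the check discussed above, listing entitlements that a signature claims but the embedded provisioning profile does not grant, which is the condition behind the "Unsatisfied entitlements" console message. On macOS the inputs would come from `codesign -d --entitlements - --xml` and the `embedded.provisionprofile` file (`security cms -D -i` decodes it properly; the sketch just cuts the plist out of the envelope). The team ID, sample plists, helper names and the rule that `com.apple.security.*` keys need no profile are assumptions of the example.

```python
import fnmatch
import plistlib

# Assumption of this sketch: com.apple.security.* keys (sandbox, hardened
# runtime) are treated as not needing authorisation from a profile.
UNRESTRICTED_PREFIXES = ("com.apple.security.",)

def profile_plist(blob: bytes) -> dict:
    """Pull the XML plist out of a CMS-wrapped .provisionprofile blob."""
    start = blob.index(b"<?xml")
    end = blob.index(b"</plist>", start) + len(b"</plist>")
    return plistlib.loads(blob[start:end])

def _covered(claimed, granted) -> bool:
    """True if the profile's value authorises the claimed value."""
    if isinstance(claimed, list):
        return all(_covered(item, granted) for item in claimed)
    if not isinstance(claimed, str):
        return claimed == granted
    patterns = granted if isinstance(granted, list) else [granted]
    # Profile values may end in a wildcard, e.g. "TEAMID.*".
    return any(isinstance(p, str) and fnmatch.fnmatchcase(claimed, p) for p in patterns)

def unsatisfied(entitlements_xml: bytes, profile_blob: bytes) -> list:
    """Entitlement keys the signature claims but the profile does not grant."""
    claimed = plistlib.loads(entitlements_xml)
    granted = profile_plist(profile_blob).get("Entitlements", {})
    return sorted(
        key for key, value in claimed.items()
        if not key.startswith(UNRESTRICTED_PREFIXES)
        and (key not in granted or not _covered(value, granted[key]))
    )

# Constructed sample data (team ID is a placeholder, not from the thread).
APP_ID = "TEAMID0000.com.heat.Meteorologist"
CLAIMED = plistlib.dumps({
    "com.apple.application-identifier": APP_ID,
    "com.apple.developer.weatherkit": True,
    "com.apple.security.app-sandbox": True,
    "keychain-access-groups": [APP_ID],
})
BASE = {"com.apple.application-identifier": APP_ID,
        "keychain-access-groups": ["TEAMID0000.*"]}

def fake_profile(entitlements: dict) -> bytes:
    """Wrap a plist in junk bytes to mimic the CMS envelope (constructed)."""
    return b"\x30\x80CMS" + plistlib.dumps({"Entitlements": entitlements}) + b"\x00sig"

if __name__ == "__main__":
    print(unsatisfied(CLAIMED, fake_profile(BASE)))
    print(unsatisfied(CLAIMED, fake_profile({**BASE, "com.apple.developer.weatherkit": True})))
```

An empty list means every restricted entitlement in the signature is covered by the profile; any key returned is one the system would refuse at launch.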