Hardened Runtime for distribution outside the Mac App store

I am working on an open source weather app for distribution outside the Mac App store: https://sourceforge.net/projects/heat-meteo

The project builds and runs fine in Xcode.

The batch build script was using ALTOOL which can’t/shouldn’t be used anymore. I am trying to set it up for notarytool.

This is what I think is now happening.

Again, all works fine in the Xcode debugger.

In Xcode, the build is setup with Automatically manage signing for both Debug and Release. They are using my Apple Development account, 4V7….

What I have read if that if I want to distribute outside of the Mac App store, it must be signed with my Developer ID Application, 7VN….

I tried to do an xcodebuild then codesign to switch from 4V7 to 7VN. That actually worked. codesign -dv --verbose=4 <app> shows the correct account. However when I do that, codesign --display --verbose <app> shows I lost the hardened runtime and then notarytool fails because hardened runtime isn’t set. The hardened runtime flag IS set before the codesign command.

I can physically turn off Automatically manage signing in Xcode for Release, but how to I select my Developer ID Application account? It does not appear to be a choice.

If it matters, the application needs both WeatherKit and Location entitlements and they are set to YES in the entitlements file.

I’m guessing, and this pure guessing, I need to adjust something in https://developer.apple.com/account but I don’t know what.

Thanks in advance.

Ed

Answered by EdwardD20 in 749782022

@eskimo - how should should the Xcode archive take to process? It's ben over 24 hours with no feedback.

I also experimented with xcodebuild options for archive (-exportArchive -exportPath ./Build/Release -archivePath ./Build/Archive -exportOptionsPlist exportOptions.plist) and I get this message: error: archive at path '/Users/ed/Documents/Xcode-Projects/meteorologist/trunk/Build/Archive' is malformed

If it matters, my exportOptions.plist file looks like this: { destination = export; signingCertificate = "Developer ID Application"; signingStyle = automatic; teamID = 7**...; }

@eskimo - Did I lose you? :(

Did I lose you?

Nope, I’ve just been somewhat out of the office.

You no longer receive an email notification from Apple

Right. I confirmed with the notary team that this is expected. And I did that soon enough that I was able to add this tidbit to TN3147 Migrating to the latest notarization tool.

Strange.

Yeah, this is a recent, and annoying, bug in DevForums.

# Builds with **Apple Development**, not **Developer ID Application**

You’re creating two builds there:

  • The one in the Xcode archive

  • The one exported from the Xcode archive

I’d expect the first to be Apple Development signed and the second Developer ID signed. Presumably you’re seeing both as Apple Development signed?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Just to clarify:

Just to clarify:

How did you generate that screen shot?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I guess this ends as an unsolved (undoable?) issue. :(

Did you miss my last post?

Yes. If you reply in comments, I’m not notified. See tip 5 in Quinn’s Top Ten DevForums Tips.

I exported the Archive, did a Show Package Contents on the .app, opened Contents, then did a quick view on embedded.provisionprofile.

OK. That Quick Look functionality is cool but, if you want to see the real info, it’s best to dump profiles using the command line. TN3125 Inside Code Signing: Provisioning Profiles shows how.

Anyway, with regards that screen shot, I’m confused by your confusion (-: The item you labelled “My Developer ID code” is your App ID. This consists of your App ID prefix, 7WNRPT262U [1], and your bundle ID, com.heat.Meteorologist. It’s best if your App ID prefix matches your Team ID. That’s the case here, which is good.

The item you labelled “Not my Developer ID” is a list of Apple Development certificates. These are, indeed, not your Developer ID certificates. Those should start with Developer ID Application.

When you said “I exported the Archive”, how did you export it? From the command line? Or from the Xcode organiser?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] I had to type that in my hand. If you dump the profile using the command line, you can then copy snippets as text, which makes everyone’s life easier.

Thank you for the DevForums tip.

I shared the entire script I'm using. All being done via the command line.

@eskimo - Did I not reply correctly?

Did I not reply correctly?

I think you need more help than I have time for here on DevForums. I recommend that you open a DTS tech support incident so that I can allocate the time to investigate your issue in more depth.

If you do open a TSI, make sure to reference this thread for context.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I opened a TSI which allowed more time and effort into finding the solution and it turned out to be very simple. In my ExportOptions.plist file, I needed:

	&lt;key>method&lt;&#x2F;key>
	&lt;string>developer-id&lt;&#x2F;string>
Hardened Runtime for distribution outside the Mac App store
 
 
Q