PKG Generate

Code Signing Certificates, Identifiers & Profiles
DPKProd OP
Created May ’23
Replies 10
Boosts 0
Views 1.1k
Participants 2

Hi,

I made an application in JXA that I would like to distribute.

1. I downloaded and installed an installation certificate via my developer account,
2. I generated my PKG with the following distribution XML file:
```language
code-block

<?xml version="1.0" encoding="utf-8" standalone="no"?> <installer-script minSpecVersion="1.000000"> <title>PRODUCT VERSION</title> <background mime-type="image/png" file="banner.png" scaling="proportional"/> <background-darkAqua mime-type="image/png" file="banner.png" scaling="proportional"/> <os-version min="12.0" /> <app id=« Organisation-PRODUCT-VERSION" /> <welcome file="welcome.html" mime-type="text/html" /> <conclusion file="conclusion.html" mime-type="text/html" /> <license file="LICENSE.txt"/> <options customize="never" allow-external-scripts="no"/> <domains enable_anywhere="true" /> <choice customLocation="/Applications" /> <choices-outline> <line choice="PRODUCT"/> </choices-outline> <choice id="PRODUCT" title="PRODUCT"> <pkg-ref id="PRODUCT.pkg"/> </choice> <pkg-ref id="PRODUCT.pkg" auth="Root">PRODUCT.pkg</pkg-ref> </installer-script>

I do get a signed PKG. But here is the error message I get when I try to install my PKG:
Cannot open ‘« Application ».pkg&#039; because Apple cannot verify it is free of malware.
This software needs to be updated. Contact the developer to learn more.
This file was uploaded on an unknown date.

If I right click with the mouse and then open, the PKG runs.
Is a tag missing in my XML?
Do I need to generate another certificate?

Thanks for your help

Answered by DPKProd in 754133022

Ok, that's good... I got what I wanted... Here is I did for someone.

  • Clean APP :

xattr -cr File.app

  • Sign App :

codesign -s "Developer ID Application" -f --timestamp -o runtime File.app

  • create PKG
  • submitting app :

xcrun notarytool submit --keychain-profile "PasswordApp"

  • and :

xcrun stapler staple File.pkg

Thank for your help

Replies  10
Boosts  0
Views  1.1k
Participants  2
DTS Engineer OP
Apple
May ’23

Are you trying to distribute via the Mac App Store? Or independently?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0
DPKProd OP
May ’23

Hi, No I try to distribue myself, independently.

0
DTS Engineer OP
Apple
May ’23

I try to distribue myself, independently.

OK.

In that case, in order to pass Gatekeeper, you’ll need to sign your code and your installer and then notarise your installer. See:

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0
DPKProd OP
May ’23

Hi, I still have the same error. Here is my procedure in detail

  • Script editor: main.scpt save as application.
  • I sign my code: codesign -s "Developer ID Application" -f --timestamp -o runtime /contents/Resources/Scripts/Main.scpt

Error: "Main.scpt: resource fork, Finder information, or similar detritus not allowed" -xattr -cr Main.scpt

  • I resign my code: codesign -s "Developer ID Application" -f --timestamp -o runtime /contents/Resources/Scripts/Main.scpt=OK
  • CodeSign Main.scpt -vvvvvv = Main.scpt: valid on disk, Main.scpt: satisfies its Designated Requirement.

Then I create the package with the tool : the macOS installer builder: https://medium.com/swlh/the-easiest-way-to-build-macos-installer-for-your-application-34a11dd08744

When the package is built, to execute it, I have to right click on it and open. The error message is displayed but I can execute package. I'd like no to display the error message :)

0
DTS Engineer OP
Apple
May ’23

When signing bundled code, and this includes an applet saved by Script Editor, you must sign the bundle, not the code within the bundle. For example, if you save your script as an app called Test730184, sign it like so:

% codesign -s "Developer ID App" --timestamp -o runtime Test730184.app

Then I create the package with the tool

I’m not able to help you with third-party tooling. For that, you’ll have to seek support from the tool’s vendor.

However, you don’t need this tool right now. Packaging Mac Software for Distribution has a single command you can run in Terminal to create an installer package for your app. This will be super bare bones, but it will be enough for you to test this workflow. That is, you’ll be able to notarise it and, once notarised, it’ll pass Gatekeeper.

Oh, and speaking of notarisation, you are notarising this, right?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0
DPKProd OP
May ’23
Accepted Answer

Ok, that's good... I got what I wanted... Here is I did for someone.

  • Clean APP :

xattr -cr File.app

  • Sign App :

codesign -s "Developer ID Application" -f --timestamp -o runtime File.app

  • create PKG
  • submitting app :

xcrun notarytool submit --keychain-profile "PasswordApp"

  • and :

xcrun stapler staple File.pkg

Thank for your help

0
DPKProd OP
Jun ’23

Hi, I come back for a little problem....

My jxa app uses Keyboard Maestro engine.

When I clean and sign my code, I can notary my app but when I execute my app, permissions about control keyboard maestro don't ask...

If I don't sing my code, permissions ask... How can I do to ask permission when my code is signed ? Here is my plist app :

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>CFBundleAllowMixedLocalizations</key>
	<true/>
	<key>CFBundleDevelopmentRegion</key>
	<string>fr</string>
	<key>CFBundleExecutable</key>
	<string>applet</string>
	<key>CFBundleIconFile</key>
	<string>applet</string>
	<key>CFBundleIdentifier</key>
	<string>com.LaChaineDeLuc.FastBoard</string>
	<key>CFBundleInfoDictionaryVersion</key>
	<string>6.0</string>
	<key>CFBundleName</key>
	<string>FastBoard 4.2.2</string>
	<key>CFBundlePackageType</key>
	<string>APPL</string>
	<key>CFBundleShortVersionString</key>
	<string>4.2.2</string>
	<key>CFBundleSignature</key>
	<string>aplt</string>
	<key>LSMinimumSystemVersionByArchitecture</key>
	<dict>
		<key>x86_64</key>
		<string>10.16</string>
	</dict>
	<key>LSRequiresCarbon</key>
	<true/>
	<key>NSAppleEventsUsageDescription</key>
	<string>Access required to control Keyboard Maestro</string>
	<key>NSSystemAdministrationUsageDescription</key>
	<string>This script needs access to administer this system to run.</string>
	<key>OSAAppletShowStartupScreen</key>
	<false/>
	<key>WindowState</key>
	<dict>
		<key>bundleDividerCollapsed</key>
		<true/>
		<key>bundlePositionOfDivider</key>
		<real>0.0</real>
		<key>dividerCollapsed</key>
		<false/>
		<key>eventLogLevel</key>
		<integer>2</integer>
		<key>name</key>
		<string>ScriptWindowState</string>
		<key>positionOfDivider</key>
		<real>419</real>
		<key>savedFrame</key>
		<string>20 190 700 678 0 0 1440 875 </string>
		<key>selectedTab</key>
		<string>description</string>
	</dict>
</dict>
</plist>
0
DTS Engineer OP
Apple
Jun ’23

My jxa app uses Keyboard Maestro engine.

How? Via its Apple event interface?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0
DPKProd OP
Jun ’23

Yes, Via its Apple event interface. Normaly, I get a permission to read and write in user directory, and a permission for jxa controls keyboard maestro

When I clean my .app with xattr -cr or just with :

xattr -rd com.apple.FinderInfo xattr -rd com.apple.ResourceFork:

Permissions don't apear

0
DTS Engineer OP
Apple
Jun ’23

To notarise your app you must enable the hardened runtime. One of its security enhancements is that you can only send Apple events if your process is signed with the com.apple.security.automation.apple-events entitlement.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0
PKG Generate
First post date Last post date
 
 
Q