Here is the situation:
- We are shipping an application bundle which is submitted to the notarization service for approval.
- The application bundle adheres to the notarization standards and is approved.
- Problem: We need to ship a zip file inside this application. This zip file has all the files that are signed. Most of the files are signed by us. However, there are some 3P zip files which are not signed by us. We would rather not open these 3P zip files as there might be SLAs involved here.
- As a result we end up with a zip file which contains mixed signatures. This zip file needs to be part of that application that needs to be notarized.
- Question: What is the best way to do this in order for the notarization service to approve the application and ship the zip file as part of the application? Note: We don't know if all the files inside the 3P zips are correctly signed (example: with Hardened Runtime). They are all signed, though.
- Also, when the zip file's contents are laid out onto the customer machine, they are all signed and validated. However, some files might not have hardened runtime.
Thanks in advance.
As a result we end up with a zip file which contains mixed signatures.
Mixed signatures aren’t a problem in general. The notary service doesn’t care about the code signing identity that signed the code, it just cares that the identity is a valid Developer ID identity.
The hardened runtime is a problem. To pass notarisation, each executable must be signed with the hardened runtime.
If your vendor is delivering a zip archive that doesn’t meet the criteria for notarisation, you’ll have to talk to them about fixing that. Or re-sign the code yourself. Or remove that code.
Remember that macOS checks whether the code is covered by a notarised ticket before allowing it to run. So, while it’s feasible to ‘hide’ code from the notary service — by putting it in an encrypted zip archive, for example — that doesn’t help you because, if the notary service doesn’t ‘see’ the code, it won’t include it in your ticket, and thus macOS won’t run it. My Notarisation Fundamentals post talks about this concept in more detail.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
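To check a bundled zip (including third-party zips nested inside it) against the two criteria the answer names before submitting, here is an added audit script that is not from the thread or from Apple. It assumes macOS with codesign(1), unzip(1) and file(1); the function names are mine, and the parsing helpers take `codesign -dvv` output as text so the verdict logic can be exercised without the tools.

```shell
#!/bin/sh
# Added example (not from the thread or Apple). Audits every Mach-O in a zip for
# a Developer ID signing identity and the hardened-runtime flag, the two things
# the answer says the notary service requires. Assumes macOS: codesign, unzip, file.

# Return 0 if the codesign -dvv output shows the hardened-runtime flag,
# e.g. "CodeDirectory v=20500 size=612 flags=0x10000(runtime) hashes=9+7 ...".
has_hardened_runtime() {
    printf '%s\n' "$1" | grep -Eq '^CodeDirectory .*flags=0x[0-9a-f]+\([^)]*runtime[^)]*\)'
}

# Return 0 if the signing chain leaf is a Developer ID Application certificate.
has_developer_id() {
    printf '%s\n' "$1" | grep -q '^Authority=Developer ID Application:'
}

# Print a verdict for one file's codesign -dvv output:
# OK, UNSIGNED, or a space-separated list of NO-RUNTIME / NO-DEVID.
classify_signature() {
    case "$1" in
        *"code object is not signed at all"*) echo UNSIGNED; return 0 ;;
    esac
    verdict=""
    has_hardened_runtime "$1" || verdict="NO-RUNTIME"
    has_developer_id "$1" || verdict="${verdict:+$verdict }NO-DEVID"
    echo "${verdict:-OK}"
}

# Unpack a zip (and any zips nested one level inside it, such as third-party
# archives), run codesign on every Mach-O, and print each file that would fail
# notarization. Returns 1 if any file fails, 0 if all pass.
audit_zip() {
    tmp=$(mktemp -d) || return 1
    report=$(mktemp) || { rm -rf "$tmp"; return 1; }
    unzip -qq "$1" -d "$tmp" || { rm -rf "$tmp" "$report"; return 1; }
    find "$tmp" -type f -name '*.zip' | while IFS= read -r z; do
        unzip -qq -o "$z" -d "${z%.zip}.unpacked" 2>/dev/null
    done
    find "$tmp" -type f | while IFS= read -r f; do
        file -b "$f" | grep -q 'Mach-O' || continue
        verdict=$(classify_signature "$(codesign -dvv "$f" 2>&1)")
        [ "$verdict" = OK ] || printf '%s: %s\n' "$verdict" "${f#"$tmp"/}"
    done > "$report"
    cat "$report"
    [ -s "$report" ] && rc=1 || rc=0
    rm -rf "$tmp" "$report"
    return $rc
}
```

Run it as `audit_zip path/to/bundled.zip`; any line printed names a binary that the notary service would reject for the reason given, and a NO-RUNTIME hit is exactly the vendor conversation (or re-signing) the answer describes.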