How Best To Notarize When You Have A Large Disk Image

Hi.


I am trying to determine the best way that we can add App Notarization into our build / deployment workflow.


We deploy using a disk image that contains our main app, two helper apps and a lot of content. The disk image can be in excess of 2GB.

At this present time our build workflow code signs all three apps and then builds a disk image containing everything. The final stage involves code signing the disk image.


To support notarization we have two options:

1. Send the entire code signed disk image to the notarization service.

2. Send the apps to the notarization service via a zip file, staple the apps, add the apps and the content to the disk image and then code sign the disk image.


We know option 1 will work but this will involve a very lengthy upload to the notarization service and I imagine, a processing overhead due to the large disk image size.


We would prefer to use option 2 due to it being much more efficient. We know we can notarize the apps by uploading a zip file so that isn't a problem. However, what isn't obvious from the documentation is if Gatekeeper is happy to accept a code signed disk image that hasn't been processed by App Notarization but contains applications that have been.



Any advice would be greatly appreciated.


Kev.
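Option 2 written out as a build step, added here as an illustration rather than code from the original thread: each app is signed, notarized from a zip, stapled and verified before the disk image is built and signed, and the final spctl assessment on the image is the check that answers the question above. The signing identity, app names and notarytool keychain profile are placeholders, and notarytool is used rather than the altool of the thread's era.

```shell
#!/bin/sh
# Option 2 from the question as a pipeline script: sign and notarize the
# apps individually (zipped), staple them, then build and sign the DMG.
# Every artefact is assessed so the build fails before anything ships.
# Identity, app names and keychain profile are placeholders (assumptions).
set -eu

SIGN_ID="Developer ID Application: Example Corp (TEAMID0000)"   # placeholder
PROFILE="notary-profile"    # created once with: xcrun notarytool store-credentials
APPS="MainApp.app Helper1.app Helper2.app"                     # placeholder names
DMG_OUT="Product.dmg"

# run: echo each command, and execute it unless DRY_RUN=1 (lets the plan be
# inspected on a machine without the Xcode tools).
run() {
  echo "+ $*"
  [ "${DRY_RUN:-0}" = 1 ] || "$@"
}

sign_app() { run codesign --force --options runtime --timestamp --sign "$SIGN_ID" "$1"; }

# Notarize one app: zip it with ditto (keeps bundle metadata intact), wait for
# the ticket, then staple it so the ticket travels with the app even when the
# user is offline or the enclosing disk image itself was never notarized.
notarize_app() {
  app="$1"; zip="${app%.app}.zip"
  run ditto -c -k --keepParent "$app" "$zip"
  run xcrun notarytool submit "$zip" --keychain-profile "$PROFILE" --wait
  run xcrun stapler staple "$app"
  run xcrun stapler validate "$app"         # fails if the staple did not take
  run spctl --assess --type execute -vv "$app"
}

build_dmg() {
  run hdiutil create -volname "Product" -srcfolder "$1" -ov -format UDZO "$DMG_OUT"
  run codesign --timestamp --sign "$SIGN_ID" "$DMG_OUT"
  # Gatekeeper's verdict on the signed-but-unnotarized image: the check the
  # question asks about.
  run spctl --assess --type open --context context:primary-signature -vv "$DMG_OUT"
}

main() {
  staging="$1"                    # folder holding the apps and the content
  for app in $APPS; do            # unquoted on purpose: names contain no spaces
    sign_app "$staging/$app"
    notarize_app "$staging/$app"
  done
  build_dmg "$staging"
}

if [ "${1:-}" = "--run" ]; then main "${2:-staging}"; fi
```

Run as `sh notarize.sh --run staging` on the build machine, or with `DRY_RUN=1` to print the planned commands without executing them.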

Replies

I suggest separating the executables from content. Have the executables download the content the first time they are run.

what isn't obvious from the documentation is if Gatekeeper is happy to accept a code signed disk image that hasn't been processed by App Notarization but contains applications that have been.

My recommendation is that you try this and see whether the resulting user experience is acceptable. One specific thing to watch out for is the behaviour when the user launches the app directly from the disk image.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi John.


Thanks for your suggestion.


This is a solution we are looking into for other reasons but requires changes to various parts of our system. In the meantime, I am looking for solutions that are easier to implement.

Hi.


Thanks for your reply.


We were going to try it but since the documentation is a bit vague we didn't want to implement a solution that seemed to work now but then failed a few weeks later.


Is there a way to configure Gatekeeper on the command line so that it will respond to existing Developer IDs the same way that it will respond to new Developer IDs in 10.14.5?

If only we had known about this six months ago!

Is there a way to configure Gatekeeper on the command line so that it will respond to existing Developer IDs the same way that it will respond to new Developer IDs in 10.14.5?

I don’t know, alas )-:

Personally I do this sort of testing in a VM. This has two advantages:

  • You can safely install the version of the OS that you care about.

  • You can use snapshots to repeatedly test one specific scenario.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"