Notarizing & stapling linux executable

I have a MacOS Service application that I am trying to notarize & staple…


The built application consists of a folder that includes the linux executable file along with several supporting subfolders. Those subfolders include mostly dylibs along with some xml configuration files. There is no .app bundle along with its normal /Contents and other packaged files.


I have figured out how to codesign everything… which creates and adds in a “_CodeSignature/CodeResources” subfolder & file. But since it is not an app bundle I am unable to notarize it.


I am able to zip the folder (including the “_CodeSignature/CodeResources”) and notarize that… but then there is no way to staple the notarization to the zip or back to the original pre-zip files.


I have also tried building a .pkg but when I try to notarize that it fails to find the codesign for the executable... and I have the same problem with a dmg instead of a zip.


Is there some way to properly notarize and staple in this situation?

Replies

Sorry, but you’re going to have to resolve the whole linux/macOS issue before you can make any progress here.

Sorry for my typo... it is not a Linux executable, it is a "Unix" executable... and definitely runs under MacOS.

it is not a Linux executable it is a "Unix" executable...

*laugh*

I too was very confused by the Linux thing. Linux executables typically ship as ELF, not Mach-O, and thus would be treated as data by the code signing and notarisation systems.

I have also tried building a .pkg

IMO an installer package seems like the right choice here.

I have figured out how to codesign everything… which creates and adds in a “_CodeSignature/CodeResources” subfolder & file.

That seems to be where things are going wrong. If you want to code sign your data, you must put it in a bundle-like structure. If you can’t do that, you should stick to just code signing your executables.

Your data will still be protected in transit by the code signature on the .pkg. However, once it’s installed, only the code will be protected [1]. That may actually be what you want anyway, assuming that the user might need to tweak some of those “xml configuration files”.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

[1] By code signing. It’s likely that your data will be protected by the file system permissions, although that depends on its install location.
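The workflow Quinn describes (sign only the Mach-O executables and dylibs, leave the xml files as plain data, ship the folder in a signed .pkg, notarize and staple the package), as an added example script that is not from this thread or from Apple; the identities, keychain profile name, bundle identifier, executable name and paths are placeholders to replace:

```shell
#!/bin/sh
# Added example (not from the thread): sign the Mach-O files in a folder,
# package the folder, notarize the package and staple the ticket to it.
# Placeholder values (assumptions): identities, PROFILE, ROOT, INSTALL_TO,
# the package identifier and the main executable name "myservice".
set -eu

APP_ID="Developer ID Application: Example Corp (TEAMID)"   # placeholder
PKG_ID="Developer ID Installer: Example Corp (TEAMID)"     # placeholder
PROFILE="notary-profile"   # saved with: xcrun notarytool store-credentials
ROOT="build/MyService"     # folder holding the executable, dylibs and xml
INSTALL_TO="/Library/Application Support/MyService"

# Mach-O detection by magic number. ELF files (7f 45 4c 46) and xml files
# do not match and stay unsigned; codesign would treat them as data anyway.
# (cafebabe is also the Java class magic; no .class files are expected here.)
is_macho() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        feedface|cefaedfe|feedfacf|cffaedfe|cafebabe|bebafeca) return 0 ;;
        *) return 1 ;;
    esac
}

# Sign nested code (dylibs) first and the main executable last, each with
# the hardened runtime and a secure timestamp, which notarization requires.
sign_tree() {
    find "$1" -type f | while read -r f; do
        if is_macho "$f" && [ "$f" != "$1/myservice" ]; then
            codesign --force --sign "$APP_ID" --options runtime --timestamp "$f"
        fi
    done
    codesign --force --sign "$APP_ID" --options runtime --timestamp "$1/myservice"
    codesign --verify --strict --verbose=2 "$1/myservice"
}

# Build a signed installer package, submit it, wait for the verdict, then
# staple the ticket and check what Gatekeeper will say about the package.
build_notarize_staple() {
    pkgbuild --root "$1" --identifier com.example.myservice --version 1.0 \
        --install-location "$INSTALL_TO" --sign "$PKG_ID" MyService.pkg
    xcrun notarytool submit MyService.pkg --keychain-profile "$PROFILE" --wait
    xcrun stapler staple MyService.pkg
    spctl --assess --type install --verbose=2 MyService.pkg
}

if [ "${1:-}" = "run" ]; then
    sign_tree "$ROOT"
    build_notarize_staple "$ROOT"
fi
```

Run it as `sh sign-and-notarize.sh run` on a Mac with the Developer ID certificates installed; the xml files are left unsigned on purpose, so editing them after install does not break the signatures on the code.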

Look at the bright side. I only answered your question in the first place because you said "linux" in the title. Normally, any time I see someone mention "stapling", it means they have some kind of horrible custom build process, for some horrible custom installer, that installs some horrible software in a totally non-standard way. eskimo will frequently chime in with some tips and low-level information regarding intimate details of the whole notarization process.


Personally, I don't think that's the right approach. Once someone starts talking about staples, I say "full stop". You've gone into the rabbit hole and you won't get out without assistance.


The solution is ridiculously easy, but may require you to do something differently than you have before. For many people, especially those with horrible custom-built processes, that is a non-starter. They haven't changed those processes since 2003 and they have no intention of changing anything now.


I say just make an app bundle. Maybe have it display a dialog that says "software installed" or something. Whatever. It doesn't matter. Put all your executables in appropriate places in the bundle where the signing processes expect to find them. I find "Contents/Helpers" to be helpful. Notarize your app. Wait 3 minutes. OK. You're done.


Now, since you are doing something funky with Unix installers, keep doing that. Just install your app bundle into /Library/Application Support or a similarly hidden location. It shouldn't be any problem to reference them from there instead of wherever they were before. If you must have backwards compatibility, your installer can create symbolic links or something.


PS: If you really want to go the extra mile and show that your software is one of the top 1% in quality of all Mac software, maybe have your placeholder app bundle also function as an uninstaller if the user wishes to do that. Crazy, I know.

John...


Thanks for your advice... I am able to build a standard app bundle that seems to work OK, so I am heading in the direction you suggested.