One of my app's targets produces a .saver module, but I have failed to figure out how to notarize it. Is this possible?
Accepted Reply
Reply to self with what I've done for Catalina:
You can't notarize the .saver directly, but you can in a roundabout way notarize a ZIP file, which is how I distribute my screen saver. Here are the steps I use for my simple saver, your mileage will undoubtedly vary:
- /usr/bin/codesign -f -o runtime --timestamp --sign "insert Developer ID Installer certificate identifier here" XYZZY.saver
- compress the code-signed .saver, e.g. XYZZY.saver.zip
- /usr/bin/xcrun altool --verbose --notarize-app --primary-bundle-id "insert identifier here" -u "xyzzy@plugh.com" -p "insert app-specific PW for your Apple ID here" -t osx -f XYZZY.saver.zip
- Aside: store the app-specific password in your keychain and reference it from the command line like this:
/usr/bin/xcrun altool --store-password-in-keychain-item "AC_PASSWORD" -u xyzzy@plugh.com -p "insert app-specific PW from Apple here"
- wait for notarization, check status like this:
/usr/bin/xcrun altool --notarization-history 0 -u "xyzzy@plugh.com" -p "@keychain:AC_PASSWORD"
- While you can notarize a ZIP archive, you can't staple the notarization ticket to it directly. Instead, run stapler against each individual item that you originally added to the archive. Then create a new ZIP file containing the stapled items for distribution.
- /usr/bin/xcrun stapler staple XYZZY.saver
- Re-zip the saver and distribute
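The steps above scripted end to end, as an added example that is not the poster's own script: it signs, zips with ditto, submits with altool, polls the request until the ticket is issued, staples the bundle and re-zips it. The signing identity, Apple ID and AC_PASSWORD keychain item are placeholders; the altool output fields it parses (RequestUUID, Status) are as altool printed them when the thread was written, and the identity is a Developer ID Application one, which is what codesign uses for a bundle (the Installer certificate signs .pkg files).

```shell
#!/bin/sh
# Added example: scripts the thread's sign -> zip -> notarize -> staple -> re-zip flow.
# SIGN_ID, APPLE_ID and the AC_PASSWORD keychain item are assumed placeholders.
set -eu
SIGN_ID="${SIGN_ID:-Developer ID Application: Your Name (TEAMID)}"  # assumed identity
APPLE_ID="${APPLE_ID:-xyzzy@plugh.com}"                              # placeholder from the thread
KEYCHAIN_PW="@keychain:AC_PASSWORD"  # stored via altool --store-password-in-keychain-item

# Pull "RequestUUID = <uuid>" out of altool's upload output (pure text, testable offline).
request_uuid_from() {
    printf '%s\n' "$1" | sed -n 's/^RequestUUID = \([0-9a-fA-F-]*\).*/\1/p' | head -n 1
}

# True only when spctl reports a notarized source, not the plain "source=Developer ID".
is_notarized() {
    case "$1" in
        *"source=Notarized Developer ID"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Poll altool until the ticket leaves "in progress"; anything but "success" is a failure.
wait_for_ticket() {
    uuid="$1"
    while :; do
        info=$(xcrun altool --notarization-info "$uuid" -u "$APPLE_ID" -p "$KEYCHAIN_PW" 2>&1)
        status=$(printf '%s\n' "$info" | sed -n 's/^ *Status: *//p' | head -n 1)
        case "$status" in
            "in progress") sleep 30 ;;
            success) return 0 ;;
            *) printf '%s\n' "$info" >&2; return 1 ;;
        esac
    done
}

# Usage: notarize_saver XYZZY.saver com.example.xyzzy
notarize_saver() {
    saver="$1"; bundle_id="$2"; zip="${saver}.zip"
    codesign -f -o runtime --timestamp --sign "$SIGN_ID" "$saver"
    rm -f "$zip"; ditto -c -k --keepParent "$saver" "$zip"
    out=$(xcrun altool --notarize-app --primary-bundle-id "$bundle_id" \
          -u "$APPLE_ID" -p "$KEYCHAIN_PW" -t osx -f "$zip" 2>&1) || true
    uuid=$(request_uuid_from "$out")
    [ -n "$uuid" ] || { printf '%s\n' "$out" >&2; return 1; }
    wait_for_ticket "$uuid"
    xcrun stapler staple "$saver"      # the ticket goes on the bundle, never on the zip
    xcrun stapler validate "$saver"
    rm -f "$zip"; ditto -c -k --keepParent "$saver" "$zip"   # re-zip the stapled bundle
    echo "ready to distribute: $zip"
}
```

Apple has since retired altool's notarization commands in favour of notarytool (xcrun notarytool submit --wait), which replaces the upload and polling functions here; the codesign, staple and re-zip steps are unchanged.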
Where should the .saver file and the saver.zip be located on my hard drive?
Replies
Cool! That almost answers the problem I am having, too!
One question, though: where would I find the 'Developer ID Installer certificate identifier'?
Also, I don't think I have an 'app-specific PW'. What do I do?
The last step in your instructions is not clear to me:
does 'xcrun stapler staple XYZZY.saver' "run stapler against each individual item" for me?
Or do I have to do this for each and every item inside the package myself?
Thanks a lot in advance!
I get my Dev ID Installer from Keychain Access in the Certificates section: Developer ID Installer: Your Name (123456). Use the string "Your Name (123456)".
Generate the app-specific PW here: https://support.apple.com/en-us/HT204397
You have to run stapler against every item in the archive, then recreate the archive. For me, there's only one item, the saver module.
I was able to make this work for my distribution via a DMG instead of ZIP.
I use appdmg to build the DMG that contains my .saver file. It is a very handy tool that does the Developer ID signing. It doesn't do the notarization, but the steps provided above, run against the DMG file, work a treat.
I added the app-specific password by logging in to https://appleid.apple.com with my developer account.
After notarizing, I simply ran the staple command on the DMG and it was notarized. There is a lot of auto-magic going on there.
I was able to validate that "source" is "Notarized Developer ID" using: spctl --assess -vvv --type install <fileName>.dmg. You should see something like:
# spctl --assess -vvv --type install screensaver.dmg
screensaver.dmg accepted
source=Notarized Developer ID
origin=Developer ID Application: <your developer account name> (<your team identifier>)
Note the Notarized part. Otherwise you would just see source=Developer ID.
Where should the .saver file and the saver.zip be located on my hard drive?
It doesn't really matter. Usually folks do development in a directory that they create within their home directory.
PS: I recommend steering clear of directories, like Documents and Desktop, that are protected by MAC.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"