Notarize prefPane in /Contents/PlugIns

I have a System Preference Pane that contains various helper apps. It is delivered in an Installer App (in the /Contents/PlugIns folder) and when the Installer runs, it simply launches the prefPane to let the system copy it into System Preferences. The Installer notarizes properly, but when I look at the embedded prefPane in /Contents/PlugIns I get:


spctl -a -v my.prefPane

> My.prefPane: rejected (the code is valid but does not seem to be an app)


xcrun stapler validate --verbose my.prefPane

> My.prefPane does not have a ticket stapled to it.



If I notarize the prefPane directly I get:


spctl -a -v my.prefPane

> My.prefPane: rejected (the code is valid but does not seem to be an app)


xcrun stapler validate --verbose my.prefPane

> The validate action worked!


I need it to work when delivered as an embedded plugin in my Installer App. How can I make this work so that when the Installer copies the embedded prefPane to System Preferences, the prefPane is still treated as having been notarized?

Replies

spctl -a -v my.prefPane
> My.prefPane: rejected (the code is valid but does not seem to be an app)

That’s expected. You’re asking spctl to do an execute assessment on the preference pane and those are not directly executable.

Alas, spctl does not have a good way of assessing bundles. If you’d like to see that added, I encourage you to file an enhancement request along those lines.

xcrun stapler validate --verbose my.prefPane
> My.prefPane does not have a ticket stapled to it.

That’s also expected. When you staple a ticket on to an app, it gets attached to just the app. The nested code within the app is covered by the ticket, but stapler does not attach a copy of that ticket to each bit of nested code.

Are these the only problems you’re facing? Or are you seeing other problems at runtime? And with regards that second point, have you tested on the latest 10.15 beta?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I have the latest 10.15 but I don't seem to be able to get a failure even when running a build that has not been notarized.


I guess I still have a few more questions:


Notarizing the .prefPane seems to work fine and will work for the Sparkle update distribution that is just the (notarized) .prefPane bundle stored in a .zip file. However, for new users, I need to use an installer. Previously, my prefPane was provided as a pref pane file that when double-clicked would launch System Preferences to install it. Unfortunately, Gatekeeper broke in 10.11.4 where it (incorrectly) rejects any non-app software even when properly signed. Since the installer (being an app) is allowed by Gatekeeper, it will hand off the pref pane to System Preferences to continue the installation.


So for the new-user distribution I have the prefPane embedded in the PlugIns folder of a simple app, and that app is stored on a dmg. Do I need to first notarize the prefPane (which will be copied into /PreferencePanes by the OS during install), then copy the prefPane into the Installer app (/PlugIns), re-sign the installer since its content changed, and then notarize the installer, and finally notarize the dmg?


As a test, after notarizing the .dmg (without notarizing the contained .app), I run "xcrun stapler validate --verbose" on the .dmg and get "The validate action worked", but opening the .dmg and running the same command on the enclosed .app results in "My.app does not have a ticket stapled to it." although spctl -a -v shows that the app is notarized.

For the sake of those reading along at home, I’m going to be helping DesertNomad via other channels.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hello,


I distribute similar software, a prefPane with some helper apps. The prefPane is distributed with an installer app which resides on a dmg.


When last year Apple introduced notarization I started to notarize the installer. Now that we have to notarize the dmg, am I correct that the process will notarize all dmg content and that the ticket stapled on the dmg covers all its content too, making the notarization of the installer before adding to dmg useless?


Thanks

Marco

the process will notarize all dmg content and that the ticket stapled on the dmg covers all its content too

Correct.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"