5 Replies
      Latest reply on Aug 16, 2019 8:45 PM by jim_meyer
      jim_meyer Level 1 Level 1 (0 points)

        I have a MacOS Service application that I am trying to notarize & staple… 


        The built application consists of a folder that includes the linux exectuable file along with serveral supporting subfolders.  Those subfolders include mostly dylibs along with some xml configuration files.  There is no .app bundle along with its normal /Contents and other packaged files.


        I have figured out how to codesign everything…  which creates and adds in a “_CodeSignature/CodeResources” subfolder & file.  But but since it is not an app bundle I am unable to notarize it.


        I am able to zip the folder (including the “_CodeSignature/CodeResources”) and notarize that…  but then there is no way to staple the notarization to the zip or back to the original pre-zip files. 


        I have also tried building a .pkg but when I try to notarize that it fails to find the codesign for the executable....  and I have the same problem with a dmg instead of a zip.


        Is there some way to properly notarize and staple in this situation?

        • Re: Notarizing & stapling linux executable
          john daniel Level 4 Level 4 (520 points)

          Sorry, but you’re going to have to resolve the whole linux/macOS issue before you can make any progress here.

          • Re: Notarizing & stapling linux executable
            jim_meyer Level 1 Level 1 (0 points)

            Sorry for my typo...  it is not a Linux executable it is a "Unix" executable...  and defeinelty runs under MacOS.

              • Re: Notarizing & stapling linux executable
                john daniel Level 4 Level 4 (520 points)

                Look at the bright side. I only answered your question in the first place because you said "linux" in the title. Normally, any time I see someone mention "stapling", it means they have some kind of horrible custom build process, for some horrible custom installer, that installs some horrible software in a totally non-standard way. eskimo will frequently chime in with some tips and low-level information regarding intimate details of the whole notarization process.


                Personally, I don't think that's the right approach. Once someone starts talking about staples, I say "full stop". You've gone into the rabbit hole and you won't get out without assistance.


                The solution is ridiculously easy, but may require you to do something differently than you have before. For many people, especially those with horrible custom-built processes, that is a non-starter. They haven't changed those processes since 2003 and they have no intention of changing anything now.


                I say just make an app bundle. Maybe have it display a dialog that says "software installed" or something. Whatever. It doesn't matter. Put all your executables in appropriate places in the bundle where the signing processes expect to find them. I find "Contents/Helpers" to be helpful. Notarize your app. Wait 3 minutes. OK. You're done.


                Now, since you are doing something funky with Unix installers, keep doing that. Just install your app bundle into /Library/Application Support or a similarly hidden location. It shouldn't be any problem to reference them from there instead of wherever they were before. If you must have backwards compatibility, your installer can create symbolic links or something.


                PS: If you really want to go the extra mile and show that your software is one of the top 1% in quality of all Mac software, maybe have your placeholder app bundle also function as an uninstaller if the user wishes to do that. Crazy, I know.

              • Re: Notarizing & stapling linux executable
                eskimo Apple Staff Apple Staff (12,655 points)

                it is not a Linux executable it is a "Unix" executable...


                I too was very confused by the Linux thing.  Linux executables typically ship as ELF, not Mach-O, and thus would be treated as data by the code signing and notarisation systems.

                I have also tried building a .pkg

                IMO an installer package seems like the right choice here.

                I have figured out how to codesign everything…  which creates and adds in a “_CodeSignature/CodeResources” subfolder & file.

                That seems to be where things are going wrong.  If you want to code sign your data, you must put it in a bundle-like structure.  If you can’t do that, you should stick to just code signing your executables.

                Your data will still be protected in transit by the code signature on the .pkg.  However, once it’s installed, only the code will be protected [1].  That may actually be what you want anyway, assuming that the user might need to tweak some of those “xml configuration files”.

                Share and Enjoy

                Quinn “The Eskimo!”
                Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                let myEmail = "eskimo" + "1" + "@apple.com"

                [1] By code signing.  It’s likely that your data will be protected by the file system permissions, although that depends on its install location.