
Notarize apps for macOS


While FileMaker runtimes are deprecated, they are still a great tool to give away a test copy of your fabulous solution. Apple now recommends that you notarize your app. This goes a step further than normal code signing: the signed app is uploaded to an Apple service that scans it for malware and checks the signature, and on success Apple issues a ticket you can staple to the app. It looks like next year this may be required for apps to launch without a warning dialog. Notarization does not vouch for the app beyond those automated checks; the Developer ID signature still has to be valid.

The following steps work for us with test.app on the Desktop. File paths, names, bundle ID and Apple ID will be different for you:
  1. Install Xcode and run it once to get the command line tools installed.
  2. Build a runtime app in FileMaker Pro Advanced.
  3. Adapt our SignScript FM 17 (included with the MBS Plugin download).
    Change the name of the certificate, the path and the name of the app. In every codesign line, add --options runtime after the -f parameter: this enables the hardened runtime, which the notarization service requires; without it the upload is rejected with a hardened-runtime error. Run the script and check that the last lines say accepted and Developer ID.
  4. Next, build a disk image, either with a GUI app or via Terminal with the right path:
    /usr/bin/hdiutil create -imagekey zlib-level=9 -srcfolder /Users/cs/Desktop/Test -fs HFS+ -volname Test /Users/cs/Desktop/Test.dmg
  5. Sign the disk image. e.g. via Terminal:
    codesign -f -vvvv -s "Developer ID Application: Christian Schmitz Software GmbH" /Users/cs/Desktop/Test.dmg
  6. Notarize the app by running xcrun altool in Terminal. The bundle ID is the CFBundleIdentifier in the Info.plist file inside the runtime app bundle. Pass the Apple ID of your own developer account. The -p @keychain: argument makes altool read the password from a keychain item (the one Xcode creates when you add the account in its preferences) instead of taking it on the command line, where it would end up in your shell history; use an app-specific password for this, not your account password:
    xcrun altool --notarize-app -f /Users/cs/Desktop/Test.dmg --primary-bundle-id com.filemaker.client.runtime12.test -u Developer@monkeybreadsoftware.de -p @keychain:"Application Loader: Developer@monkeybreadsoftware.de"
    The upload may take a while; when it finishes, altool prints a RequestUUID.
  7. Wait for an email from Apple, or check the status periodically until the notarization has completed, again passing your Apple ID and the RequestUUID from above:
    xcrun altool --notarization-info 193b7ad2-36e1-45d5-880c-c297250f77b2 -u Developer@monkeybreadsoftware.de -p @keychain:"Application Loader: Developer@monkeybreadsoftware.de"
    While Apple is still working on it the status is reported as in progress; simply run the command again later. Once done, the output says Package Approved (and you get an email). If the package was rejected instead, the output includes a LogFileURL: download that log, it lists each offending file and the reason, which is the information you would otherwise only see in Xcode.
  8. Add the staple ticket to the dmg:
    xcrun stapler staple -v /Users/cs/Desktop/Test.dmg
    This attaches the notarization ticket to the disk image itself, so Gatekeeper can verify it without contacting Apple.
  9. Now you can assess the final app (here copied from the disk image to /Applications):
    spctl -a -v /Applications/test.app
    On 10.13.6 this shows only "source=Developer ID", but on 10.14 it shows "source=Notarized Developer ID", so it worked.
If you followed all steps and got the paths, the Apple ID, the bundle ID and the file names right, your app should show the notarized state and run without a warning dialog on macOS 10.14 Mojave.
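The whole procedure, steps 3 to 9, as one script. This is an added example, not the MBS SignScript and not code from the post: it signs the runtime with the hardened runtime enabled, builds and signs the disk image, submits it with altool, polls the status until Apple answers (downloading the log on rejection), staples the ticket and assesses the result. Paths, certificate name, bundle ID and Apple ID are the ones from the steps above and must be replaced with yours. The three sample altool outputs embedded at the top are constructed so that the parsing functions can be checked offline; their "Key = value" / "Key: value" layout is an assumption about altool's exact output. The script also assumes the nested frameworks inside the runtime bundle have already been signed (as the SignScript does) and only re-signs the outer app, and the `spctl -t open --context context:primary-signature` form for assessing a disk image comes from Apple's notarization documentation, not from the post.

```shell
#!/bin/sh
# Added example (not the MBS SignScript): steps 3 to 9 of the post as one script; edit the settings.
set -eu

APP="$HOME/Desktop/Test/test.app"        # runtime app built by FileMaker Pro Advanced
SRC_FOLDER="$HOME/Desktop/Test"          # folder that becomes the disk image
DMG="$HOME/Desktop/Test.dmg"
CERT="Developer ID Application: Christian Schmitz Software GmbH"
BUNDLE_ID="com.filemaker.client.runtime12.test"   # CFBundleIdentifier from the app's Info.plist
APPLE_ID="Developer@monkeybreadsoftware.de"
# The password is read from a keychain item (an app-specific password), never typed on the command line.
PASSWORD="@keychain:Application Loader: $APPLE_ID"

# Constructed sample altool output (layout assumed) so the parsing below can be checked offline.
SAMPLE_SUBMIT_OUTPUT="No errors uploading '/Users/cs/Desktop/Test.dmg'.
RequestUUID = 193b7ad2-36e1-45d5-880c-c297250f77b2"
SAMPLE_PENDING_OUTPUT="No errors getting notarization info.
        Status: in progress"
SAMPLE_INFO_OUTPUT="No errors getting notarization info.

    LogFileURL: https://example.invalid/notarization-log.json
   RequestUUID: 193b7ad2-36e1-45d5-880c-c297250f77b2
        Status: success
Status Message: Package Approved"

# RequestUUID from --notarize-app output; empty if altool did not return one.
request_uuid_from() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*RequestUUID[[:space:]]*[=:][[:space:]]*\([0-9A-Fa-f-]*\).*/\1/p' | head -n 1
}

# Status from --notarization-info output ("in progress", "success" or a rejection).
status_from() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Status:[[:space:]]*\(.*\)$/\1/p' | head -n 1
}

# LogFileURL from --notarization-info output; Apple's per-file reasons for a rejection live there.
logfile_url_from() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*LogFileURL:[[:space:]]*\(.*\)$/\1/p' | head -n 1
}

# Step 3: sign with the hardened runtime enabled; the notarization service rejects binaries
# signed without --options runtime. Nested frameworks are assumed to be signed already.
sign_app() {
    codesign -f -vvvv --options runtime -s "$CERT" "$APP"
    codesign --verify --deep --strict --verbose=2 "$APP"
}

# Steps 4 and 5: build the disk image and sign it.
build_and_sign_dmg() {
    rm -f "$DMG"
    /usr/bin/hdiutil create -imagekey zlib-level=9 -srcfolder "$SRC_FOLDER" -fs HFS+ -volname Test "$DMG"
    codesign -f -vvvv -s "$CERT" "$DMG"
}

# Step 6: upload and print the RequestUUID on stdout (altool's own output goes to stderr).
submit_for_notarization() {
    out=$(xcrun altool --notarize-app -f "$DMG" --primary-bundle-id "$BUNDLE_ID" \
          -u "$APPLE_ID" -p "$PASSWORD" 2>&1) || { printf '%s\n' "$out" >&2; return 1; }
    printf '%s\n' "$out" >&2
    request_uuid_from "$out"
}

# Step 7: poll until Apple answers; on rejection fetch the log so the reasons are visible without Xcode.
wait_for_notarization() {
    while :; do
        info=$(xcrun altool --notarization-info "$1" -u "$APPLE_ID" -p "$PASSWORD" 2>&1) || true
        case "$(status_from "$info")" in
            success) printf 'Package Approved\n' >&2; return 0 ;;
            "in progress"|"") sleep 60 ;;
            *)  printf 'notarization rejected:\n%s\n' "$info" >&2
                url=$(logfile_url_from "$info")
                [ -n "$url" ] && curl -fsS "$url" >&2
                return 1 ;;
        esac
    done
}

# Steps 8 and 9: staple the ticket for offline verification, then assess the image as Gatekeeper does on open.
staple_and_verify() {
    xcrun stapler staple -v "$DMG"
    xcrun stapler validate -v "$DMG"
    spctl -a -t open --context context:primary-signature -v "$DMG"   # expect source=Notarized Developer ID on 10.14
}

main() {
    sign_app
    build_and_sign_dmg
    uuid=$(submit_for_notarization)
    [ -n "$uuid" ] || { echo "altool returned no RequestUUID" >&2; exit 1; }
    wait_for_notarization "$uuid"
    staple_and_verify
}

# Only run the real procedure when asked; the parsing functions work in any POSIX shell.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `sh notarize.sh --run` on a Mac with Xcode installed; without `--run` it only defines the functions, which is what makes the parsing testable away from a Mac. The two `xcrun altool` calls are the ones this post uses; Apple has since retired altool's notarization subcommands in favour of notarytool, so on a current Xcode those two lines are the ones to swap.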

MBS is available for paid support to help you get your app notarized if needed.
02 11 18 - 10:08
seven comments

FIRST EXPERIENCES WITH NOTARIZATION

We have uploaded our FileMaker solution “Desktop Enterprise”, containing a FileMaker 17 runtime, via the terminal command xcrun altool for notarization. The app (runtime) as well as the .dmg file are signed properly with valid certificates and can be installed without problem after download.

The upload to Apple was performed successfully from macOS 10.13.6.

Our solution was NOT notarized, as we were told via email after some time.

In the mail Apple sent, they state that we should refer to the log file available in Xcode for the specific reasons for the rejection of the notarization. But as we do not use Xcode (the runtime is created and delivered by FileMaker, as you know), this information does not help.

In the same mail Apple also refers to the Xcode help system:

https://help.apple.com/xcode/mac/current/#/dev88332a81e?sub=dev5d7745789

There, they state that a potential reason for rejection may be that the runtime is not “hardened” (the hardened runtime is an optional feature in Xcode when building an app).


NOW THE FOLLOWING QUESTIONS ARISE:

1. Did anyone get a FileMaker runtime notarized successfully (Christian Schmitz?)

2. Are runtimes hardened (I doubt it) and if not, will we get FileMaker to produce a hardened runtime, at least with FMPA 17? (I doubt it.)

3. How do we (not building with Xcode) get the information (log file) which describes the reason(s) which led to the rejection of the notarization of the app?

Best regards
Andreas Roth
Andreas Roth - 05 11 18 - 10:14

1. Did anyone get a FileMaker runtime notarized successfully (Christian Schmitz?)

Yes.

2. Are runtimes hardened (I doubt it) and if not, will we get FileMaker to produce a hardened runtime, at least with FMPA 17? (I doubt it.)

You need to do this by using "--options runtime" in the codesign lines in the code signing script.

3. How do we (not building with Xcode) get the information (log file) which describes the reason(s) which led to the rejection of the notarization of the app?

When you run the xcrun altool --notarization-info ... line, it may later return the URL of the log file, which you can download.
Christian Schmitz - 05 11 18 - 10:20

I am trying to notarize also and I am having issues with the command line giving me this error: *** Error: The specified item could not be found in the keychain. When I run step 6 from the instructions. I have tried entering my Apple ID but I continue to get this error. I believe I have it in my keychain. Any suggestions?
Stephen - 13 11 18 - 18:46

Did you add your developer account in Xcode preferences?
Christian Schmitz - 13 11 18 - 18:51

Ok, I was able to get it uploaded after entering my developer account into Xcode, but the DMG was rejected with these errors in the log: "Archive contains critical validation errors" and "message": "b'hdiutil: attach failed - no mountable file systems\n'". I use DMG Canvas to prepare my DMG and codesign the app and the DMG. I'll have to keep working on it.
Stephen - 13 11 18 - 20:48

Hey! I am now also getting the "hardened runtime" error. Could you be a bit more specific on the code you mention here:

You need to do this by using "--options runtime" in the codesign lines in the code signing script.

Where in the codesign script does it go? Any additional info would be helpful. Thanks again!
Stephen - 21 11 18 - 11:31

Open the script. Find all lines starting with codesign. Add the --options runtime there:

e.g.
codesign -f -vvvv --options runtime -s "Developer ID Application: Christian Schmitz Software GmbH" test.app
Christian Schmitz - 21 11 18 - 14:38


  