[question] how do you notarize MacOS app? #61

Closed
cvl opened this issue Apr 7, 2020 · 10 comments
cvl commented Apr 7, 2020

No description provided.

Collaborator

a7ul commented Apr 7, 2020

Hey @cvl
I haven't done this before

But the process should be the same as that of Qt

Here is a guide that does this: https://skyronic.com/2019/07/app-notarization-for-qt-applications/

Author

cvl commented Apr 8, 2020

Trying to correctly sign & notarize Mysterium desktop app for MacOS:
https://github.com/mysteriumnetwork/mysterium-vpn-desktop

using the following script
https://github.com/mysteriumnetwork/mysterium-vpn-desktop/blob/master/deploy/pack-macos.sh

After signing, as per tutorial, I use

    ditto -ck --rsrc --sequesterRsrc "deploy/darwin/build/MysteriumVPN.app" "deploy/darwin/build/MysteriumVPN.zip"

to create zip (for uploading to Apple).

Then

    xcrun altool --notarize-app -t osx -f "deploy/darwin/build/MysteriumVPN.zip" --primary-bundle-id="network.mysterium.desktopvpn" -u "username" -p "passwd"

I get the following error from Apple though:

{
  "logFormatVersion": 1,
  "jobId": "123",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "MysteriumVPN.zip",
  "uploadDate": "2020-04-08T14:17:55Z",
  "sha256": "123",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "MysteriumVPN.zip/Contents/MacOs/qode",
      "message": "The executable does not have the hardened runtime enabled.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "MysteriumVPN.zip/Contents/Resources/dist/nodegui_core-d3eecda678d6cb88e4609fa1fd6c1d61.node",
      "message": "The binary is not signed.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "MysteriumVPN.zip/Contents/Resources/dist/nodegui_core-d3eecda678d6cb88e4609fa1fd6c1d61.node",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "MysteriumVPN.zip/Contents/Resources/dist/static/myst",
      "message": "The binary is not signed.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "MysteriumVPN.zip/Contents/Resources/dist/static/myst",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "MysteriumVPN.zip/Contents/Resources/dist/static/myst",
      "message": "The executable does not have the hardened runtime enabled.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "MysteriumVPN.zip/Contents/Resources/dist/static/openvpn",
      "message": "The binary is not signed.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "MysteriumVPN.zip/Contents/Resources/dist/static/openvpn",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "MysteriumVPN.zip/Contents/Resources/dist/static/openvpn",
      "message": "The executable does not have the hardened runtime enabled.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "MysteriumVPN.zip/Contents/Resources/dist/static/myst_supervisor",
      "message": "The binary is not signed.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "MysteriumVPN.zip/Contents/Resources/dist/static/myst_supervisor",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "MysteriumVPN.zip/Contents/Resources/dist/static/myst_supervisor",
      "message": "The executable does not have the hardened runtime enabled.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "MysteriumVPN.zip/Contents/Frameworks/QtPrintSupport.framework/Versions/5/QtPrintSupport",
      "message": "The binary is not signed.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "MysteriumVPN.zip/Contents/Frameworks/QtPrintSupport.framework/Versions/5/QtPrintSupport",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "MysteriumVPN.zip/Contents/Frameworks/QtGui.framework/Versions/5/QtGui",
      "message": "The binary is not signed.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "MysteriumVPN.zip/Contents/Frameworks/QtGui.framework/Versions/5/QtGui",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "MysteriumVPN.zip/Contents/Frameworks/QtDBus.framework/Versions/5/QtDBus",
      "message": "The binary is not signed.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "MysteriumVPN.zip/Contents/Frameworks/QtDBus.framework/Versions/5/QtDBus",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "MysteriumVPN.zip/Contents/Frameworks/QtCore.framework/Versions/5/QtCore",
      "message": "The binary is not signed.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "MysteriumVPN.zip/Contents/Frameworks/QtCore.framework/Versions/5/QtCore",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "MysteriumVPN.zip/Contents/Frameworks/QtWidgets.framework/Versions/5/QtWidgets",
      "message": "The binary is not signed.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "MysteriumVPN.zip/Contents/Frameworks/QtWidgets.framework/Versions/5/QtWidgets",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": null,
      "architecture": "x86_64"
    }
  ]
}

Any suggestions?
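
Added example, not code from this thread or from the NodeGui project: it groups the errors of a notarization log like the one above by file and turns them into a `codesign` re-signing order, nested files first and the bundle last. The bundle path and signing identity are placeholders, and mapping the log's archive-name prefix onto the `.app` root is an assumption based on the paths shown in the log.

```python
import json
import shlex

NOT_SIGNED = "The binary is not signed."
NO_TIMESTAMP = "The signature does not include a secure timestamp."
NO_RUNTIME = "The executable does not have the hardened runtime enabled."

# Constructed excerpt in the shape of the log quoted above, not the full log.
SAMPLE_LOG = json.dumps({"archiveFilename": "MysteriumVPN.zip", "issues": [
    {"severity": "error", "path": "MysteriumVPN.zip/" + p, "message": m} for p, m in [
        ("Contents/MacOs/qode", NO_RUNTIME),
        ("Contents/Resources/dist/static/myst", NOT_SIGNED),
        ("Contents/Resources/dist/static/myst", NO_RUNTIME),
        ("Contents/Frameworks/QtCore.framework/Versions/5/QtCore", NOT_SIGNED),
    ]]})

def triage(log_text):
    """Group error issues by path inside the bundle; collect messages we cannot map."""
    log = json.loads(log_text)
    prefix = log["archiveFilename"] + "/"
    by_path, unknown = {}, []
    for issue in log.get("issues") or []:
        if issue.get("severity") != "error":
            continue
        path = issue["path"]
        rel = path[len(prefix):] if path.startswith(prefix) else path
        if issue["message"] in (NOT_SIGNED, NO_TIMESTAMP, NO_RUNTIME):
            by_path.setdefault(rel, set()).add(issue["message"])
        else:
            unknown.append((rel, issue["message"]))  # needs manual investigation
    return by_path, unknown

def signing_plan(by_path, bundle, identity):
    """codesign argv lists: flagged files deepest-first, the bundle itself last."""
    plan = []
    for rel in sorted(by_path, key=lambda p: (-p.count("/"), p)):
        argv = ["codesign", "--force", "--timestamp"]  # notarization needs a secure timestamp
        if NO_RUNTIME in by_path[rel]:
            argv += ["--options", "runtime"]           # hardened runtime where the log asked for it
        plan.append(argv + ["--sign", identity, f"{bundle}/{rel}"])
    plan.append(["codesign", "--force", "--timestamp", "--options", "runtime",
                 "--sign", identity, bundle])
    return plan

if __name__ == "__main__":
    flagged, unmapped = triage(SAMPLE_LOG)
    # Bundle path and identity are placeholders, not values from the thread.
    for argv in signing_plan(flagged, "build/MysteriumVPN.app", "Developer ID Application: EXAMPLE"):
        print(shlex.join(argv))
```

Messages outside the three mapped ones, such as "The signature of the binary is invalid.", come back in the second return value instead of producing a command.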

Author

cvl commented Apr 8, 2020

After further trial & error I've one outstanding error from the Apple notarizer:

"issues": [
  {
    "severity": "error",
    "code": null,
    "path": "MysteriumVPN.zip/Contents/MacOs/qode",
    "message": "The signature of the binary is invalid.",
    "docUrl": null,
    "architecture": "x86_64"
  }
]

Any ideas why qode signature could be invalid?

Author

cvl commented Apr 8, 2020

Seems I've managed to pull it off, sorry for bothering.

cvl closed this as completed Apr 8, 2020
Author

cvl commented Apr 9, 2020

Gatekeeper still blocks though..

Collaborator

a7ul commented Apr 9, 2020

But what does it say? Does Gatekeeper say it's from an unidentified developer or something else?

Author

cvl commented Apr 9, 2020

just this:

com.apple.xpc.launchd[1] (com.apple.xpc.launchd.oneshot.0x1000000e.qode[4870]): removing service since it exited with consistent failure - OS_REASON_EXEC | Gatekeeper policy blocked execution

Author

cvl commented Apr 9, 2020


zolia commented Apr 10, 2020

@cvl can it be related to the app crashing, and the Gatekeeper message is just a side effect message? As posted here: https://forums.developer.apple.com/thread/126896

Author

cvl commented Apr 10, 2020 via email
