Question
Does anyone know how to send a Mac application bundle containing embedded helper app bundles to be notarized by Apple? When I try to archive a simple application, everything goes smoothly. The app is archived properly, and I can upload the archive and my app gets notarized in a question of minutes.
However, when I try to archive an app bundle containing helper app bundles in it, using script phases, and try to automatically sign and notarize my application bundle via the normal, automatic workflow of creating an archive, I am unable to upload the app bundle for notarization. So, what should I do?
Any help is appreciated.
Answer 1:
Thanks to the new documentation by Apple produced during WWDC 2019, I was finally able to solve this problem, which was not possible before, even after having used a DTS ticket. Basically, if you have a complex bundle and you need to build it automatically using scripts, you CANNOT use the automatic workflow via Archive and then upload the app bundle via the Organizer in Xcode.
So, for those having this problem now and in the future, here is what solved my problem:
1) Go to the project navigation panel and click on your project
2) Go to each of your targets by clicking on Build settings and make the following modifications (enter the word "signing" in the search box, as that narrows down the build settings that show up):
- Go to Code Signing Identity and on the Release build change Mac Developer (the default value) to your Developer ID Application in your keychain.
- Go to Code Signing Inject Base Entitlements and on the Release build change Yes (the default value) to No. If you fail to do this, your app bundle will be rejected by the notarization server, as you are allowing code injection into your app, which is needed for debugging, but is a security risk.
- Go to Code Signing Style and on the Release build change Automatic to Manual. If you fail to do this, proper signing will fail.
- Go to Other Code Signing Flags and on the Release build add --timestamp. This will flag Xcode that you want to add a secure timestamp to your app. If you fail to do this, your app bundle will be rejected by the notarization server.
3) To build your app for distribution, do the following:
- Create a new Scheme that includes all targets using Release build settings
- Click Build or Command + B as a key shortcut and you will have your whole bundle properly signed as long as you follow the inside-out rule (i.e., code at deeper-level directories should be signed first!)
4) To notarize the app bundle you just created and signed properly, and with a valid secure timestamp, you have several options:
- Create a .dmg disk image and follow the instructions in this answer. However, skip the code signing instructions, as what I explain here covers all the problems and caveats explained there. Alternatively, you can zip and upload the zip file as I explain below:
- Compress your app bundle to a zip file by using this in Terminal:
/usr/bin/ditto -ck --keepParent "*APP_PATH*" "*ZIP_PATH*"
5) Upload the disk image or zip file by using this in Terminal:
xcrun altool --notarize-app --primary-bundle-id "your-primary-bundle-id-here" --username "*your-username*" --password "*your-app-specific-password-here*" --file *your-path-here*
You need to go to your appleid.apple.com account to generate an app-specific password for the altool app. This is a security measure, so that you do not send your Apple ID password in the clear. You can do that in the Security panel of your Apple ID management account. Do not do anything until you get the confirmation that the upload was successful.
6) To request the notarization history status, run this in the Terminal:
xcrun altool --notarization-history 0 -u "*your-account*" -p "*your-app-specific-password-here*"
You should see a list of uploads and their respective dates and RequestUUIDs. The latest upload is usually the first on the list.
7) To request the notarization status, including access to the notarization log file, run this in Terminal:
xcrun altool --notarization-info RequestUUID -u "*your-account*"
8) If you get the status that your app bundle was approved, then you can staple that approval by running this in Terminal:
xcrun stapler staple *path-to-your-app-bundle*
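The steps above (sign nested helpers before the outer app, zip with ditto, submit with altool, staple) as one script. This is an added example, not code from the answer: the bundle layout it searches (.app, .xpc and .framework under Contents/), the keychain item name AC_PASSWORD and the identity/bundle-id values are assumptions.

```shell
#!/bin/sh
# Added example: sign a bundle inside-out, zip it and submit it for notarization.
# DRY_RUN=1 prints each command instead of executing it (useful for review).
set -eu
DRY_RUN="${DRY_RUN:-0}"

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Every nested bundle under Contents/ plus the outer app itself, deepest path
# first: that is the inside-out order codesign needs (helpers before the app).
sign_order() {
  app="$1"
  { find "$app/Contents" \( -name '*.app' -o -name '*.xpc' -o -name '*.framework' \) -print
    printf '%s\n' "$app"; } \
  | awk -F/ '{ print NF, $0 }' | sort -rn | cut -d' ' -f2-
}

# --timestamp (secure timestamp) and --options runtime (hardened runtime) are what
# the notarization service rejects without; --force replaces stale signatures.
sign_inside_out() {
  app="$1"; identity="$2"
  sign_order "$app" | while IFS= read -r path; do
    run codesign --force --timestamp --options runtime -s "$identity" "$path"
  done
}

# ditto keeps the bundle's metadata intact; the app-specific password is read from
# a keychain item (assumed name AC_PASSWORD) so it never appears on the command line.
notarize() {
  app="$1"; bundle_id="$2"; apple_id="$3"; zip="${app%.app}.zip"
  run /usr/bin/ditto -ck --keepParent "$app" "$zip"
  run xcrun altool --notarize-app --primary-bundle-id "$bundle_id" \
      --username "$apple_id" --password "@keychain:AC_PASSWORD" --file "$zip"
}

# Once --notarization-info reports the package as approved, attach the ticket.
staple() { run xcrun stapler staple "$1"; }

# usage: sign_inside_out "$APP" "$IDENTITY" && notarize "$APP" "$BUNDLE_ID" "$APPLE_ID"
```

Run the sequence with DRY_RUN=1 first to confirm the helpers are listed before the outer bundle.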
Answer 2:
You can find useful information here
See if you can pass the notarization. For me, I have to unpack some jars and sign the files in it and repack it.
Another problem I had is that Java apps cannot run when you codesign them with the 'runtime' option, which might be the same problem you are having (disappear).
To see the errors, you can run your app from the terminal and you will see the errors. In this case, you can try using --entitlements to add some exceptions.
Here's the entitlements file I used to get my application to run:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- Each key below relaxes one hardened-runtime protection; keep only those the JVM actually needs. -->
    <!-- Lets the JIT map pages that are writable and executable (MAP_JIT). -->
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <!-- Allows executable memory that is not backed by a signed file. -->
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <!-- Turns off executable-page protection entirely; the broadest of these exceptions. -->
    <key>com.apple.security.cs.disable-executable-page-protection</key>
    <true/>
    <!-- Lets the app load libraries/plug-ins not signed by Apple or by the same Team ID. -->
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <!-- Honors DYLD_* environment variables (e.g. DYLD_LIBRARY_PATH) at launch. -->
    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
    <true/>
</dict>
</plist>
Command to sign the app:
codesign --force --verbose=9 -s "Developer ID Application: XXXXXXX" --options runtime --deep --entitlements ./entitlements Myapp.app
Source: https://stackoverflow.com/questions/53101626/how-to-notarize-an-app-bundle-containing-helpers-embedded-in-it