How to Configure a Project in Xcode to Support the Apple Notarization Service

March 6, 2020: In “How to confirm the program satisfies its requirements”, the --strict option was missing; it has been added.

There are several things to configure in order to support the Apple Notarization Service.

From February 3, 2020, an app that is to be notarized must meet all of the original notarization prerequisites.


This article describes how to configure the project in Xcode to meet them.


Notarization Prerequisites

The notarization prerequisites are the following:

  • All executables need to be code signed.
  • Enable the Hardened Runtime for all applications and command line tools (CLI).
  • Use a “Developer ID Application”, “Developer ID Kernel Extension” or “Developer ID Installer” certificate for code signing.
  • Include a secure timestamp.
  • The entitlements do not contain “com.apple.security.get-task-allow” or its variations.
  • Linked against the macOS 10.9 SDK or a later SDK.

Code Signing to Executables

Configure the executables to be signed.

Configuration of the application target and the CLI target

Set “Code Signing Identity” to the “Developer ID Application” certificate.

If you manage the certificate yourself, set “Code Signing Style” to “Manual”, leave “Development Team” empty and set “Provisioning Profile” to “none”.

Configure to sign on copy

In the application target configuration, configure the embedded frameworks to be signed when they are copied.

METHOD 1 : Configure in the General tab

Set “Embed” to “Embed & Sign” for each entry in “Frameworks, Libraries, and Embedded Content” in the General tab.

METHOD 2 : Configure in the Copy Files Phase

Turn on “Code Sign On Copy” in the “Copy Files” phase.

Configure the framework target

Configure the framework so that its own target does not code sign it; it is signed by the application target when it is copied.

  • Set “Code Signing Identity” to “Sign to Run Locally”.

Configuration of the bundle resources

If resources are copied in the “Copy Bundle Resources” phase, no configuration is needed.

But if resources are copied in a “Copy Files” phase, you need to turn on the “Code Sign On Copy” option there.

Configuration of the helper programs

In the “Copy Files” phase, turn on the “Code Sign On Copy” option for the CLI tools and turn it off for the application packages. The code signing of an application package is done while it is built.

You need to set “Destination” to “Wrapper” and “SubPath” to “Contents/Helpers”.

Enable the Hardened Runtime

You need to enable the Hardened Runtime. To enable it:

  • Click “+ Capability” in the “Signing & Capabilities” tab of the application target.
  • Double click “Hardened Runtime”.

The Sandbox option may be turned on at the same time. If you want to disable it, edit the entitlements file (*.entitlements).

Open the entitlements file. If you find “App Sandbox”, set it to “No”. If it is not present, the Sandbox is disabled.

Include the secure timestamp

The secure timestamp is included by Xcode during the Archive process.

To confirm that the secure timestamp is actually included

You can confirm that the secure timestamp is actually included with the codesign tool.

codesign -dvv Example.app

Many items are printed to the terminal. If you find “Signed Time”, the secure timestamp is not included.

Signed Time=Feb 23, 2020 15:46:07

If the secure timestamp is included, “Timestamp” is shown instead of “Signed Time”.

Timestamp=Feb 23, 2020 15:51:27

Don’t include “com.apple.security.get-task-allow” or its variations

Delete “com.apple.security.get-task-allow” from the entitlements file if it is present.

Next, change “Code Signing Inject Base Entitlements” to the following:

  • Debug : Yes
  • Release : No

If “Code Signing Inject Base Entitlements” is No, the debugger can’t attach to the process, which is why it stays Yes for Debug builds.
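The two checks above (secure timestamp present, get-task-allow absent) can be scripted against the text that codesign prints and against the entitlements plist. The following script is an added example and is not code from the original article. It assumes that the caller has captured `codesign -dvv Example.app 2>&1` into a file, that the entitlements file is the plain-XML plist Xcode edits, and that any entitlement key ending in `get-task-allow` counts as a “variation”; the sample outputs and plists at the bottom are constructed for the example, not captured from a real build.

```shell
#!/bin/sh
# Added example: offline checks for two notarization prerequisites.
# Assumption: $1 is a file holding captured `codesign -dvv App.app 2>&1`.

# Return 0 when the output carries a secure timestamp ("Timestamp=" line),
# 1 when it only carries a local "Signed Time=" line (not notarizable),
# 2 when neither is present (e.g. unsigned or ad-hoc signed).
has_secure_timestamp() {
  if grep -q '^Timestamp=' "$1"; then
    return 0
  elif grep -q '^Signed Time=' "$1"; then
    return 1
  else
    return 2
  fi
}

# Return 0 when the entitlements plist ($1) contains get-task-allow or a
# variation.  Assumption: any <key> ending in "get-task-allow" is a variation.
entitlements_allow_task_port() {
  grep -q '<key>[^<]*get-task-allow</key>' "$1"
}

# Run both checks against a built .app ($1) and its entitlements file ($2).
# Only usable on macOS where codesign exists; returns 1 on any failure.
preflight() {
  out="$TMPDIR_EX/codesign.txt"
  codesign -dvv "$1" > "$out" 2>&1 || return 1
  has_secure_timestamp "$out" || { echo "no secure timestamp"; return 1; }
  if entitlements_allow_task_port "$2"; then
    echo "get-task-allow present in $2"; return 1
  fi
  echo "ok"
}

# --- constructed sample data (not real tool output) ---
TMPDIR_EX=$(mktemp -d)
trap 'rm -rf "$TMPDIR_EX"' EXIT
cat > "$TMPDIR_EX/local.txt" <<'EOF'
Executable=/Users/Example/Example.app/Contents/MacOS/Example
Identifier=com.example.Example
Signed Time=Feb 23, 2020 15:46:07
EOF
cat > "$TMPDIR_EX/secure.txt" <<'EOF'
Executable=/Users/Example/Example.app/Contents/MacOS/Example
Identifier=com.example.Example
Timestamp=Feb 23, 2020 15:51:27
EOF
cat > "$TMPDIR_EX/adhoc.txt" <<'EOF'
Executable=/Users/Example/Example.app/Contents/MacOS/Example
Identifier=com.example.Example
EOF
cat > "$TMPDIR_EX/debug.entitlements" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>com.apple.security.get-task-allow</key>
	<true/>
</dict>
</plist>
EOF
cat > "$TMPDIR_EX/release.entitlements" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>com.apple.security.cs.allow-jit</key>
	<true/>
</dict>
</plist>
EOF
```

On a Mac, `preflight Example.app Example.entitlements` runs the real codesign command; elsewhere the two parsing functions can be exercised on the constructed samples alone.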

Use the macOS 10.9 SDK or a later SDK

To use the macOS 10.9 SDK or a later SDK, update to an appropriate version of Xcode.

Xcode 6 and later use the macOS 10.9 SDK or a later SDK. These older versions can still be used for developing the embedded helpers and frameworks.

Requirements to Notarize

You need Xcode 10 or later to develop the notarized application itself. Xcode 10 requires macOS High Sierra 10.13.6 or later.


How to confirm prebuilt libraries

You need to confirm the linked SDK and the deployment target of embedded third-party libraries whose source code you don’t have.

You can confirm them with the otool tool.

otool -l Example.framework/Example

The file passed to otool is the binary inside the framework, not the framework directory.

Many items are printed; you need to find “sdk” and “minos”.

Load command 7
       cmd LC_BUILD_VERSION
   cmdsize 32
  platform 1
       sdk 10.15
     minos 10.15

“sdk” is the linked SDK and “minos” is the deployment target. The example program above is linked against the macOS 10.15 SDK, and its deployment target is 10.15.
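The otool check can be automated, which is useful when several prebuilt frameworks are embedded. The script below is an added example, not code from the original article. It assumes the captured `otool -l` output is in a file, that a binary carries either the LC_BUILD_VERSION load command shown above or the older LC_VERSION_MIN_MACOSX command (whose “version” field is the deployment target), and it goes slightly beyond the text by handling both; the two sample listings are constructed for the example.

```shell
#!/bin/sh
# Added example: extract "sdk" and "minos" from captured `otool -l` output
# and check them against the 10.9 prerequisite.

# Print "<minos> <sdk>" parsed from the otool -l listing in $1.
# LC_BUILD_VERSION also lists a build tool "version" (e.g. "version 512.4"),
# so "version" is only read as minos inside an LC_VERSION_MIN_MACOSX block.
build_versions() {
  awk '
    /^ *cmd LC_BUILD_VERSION/      { inb = 1; inm = 0; next }
    /^ *cmd LC_VERSION_MIN_MACOSX/ { inb = 0; inm = 1; next }
    /^Load command/                { inb = 0; inm = 0 }
    (inb || inm) && $1 == "sdk"    { sdk = $2 }
    inb && $1 == "minos"           { minos = $2 }
    inm && $1 == "version"         { minos = $2 }
    END { if (minos == "" || sdk == "") exit 1; print minos, sdk }
  ' "$1"
}

# Return 0 when dotted version $1 >= $2 (e.g. 10.15 >= 10.9, 11.0 >= 10.9).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= (n > m ? n : m); i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 0
  }'
}

# Return 0 when both the deployment target and the linked SDK in listing $1
# are 10.9 or later, 1 when either is older, 2 when they cannot be parsed.
meets_sdk_floor() {
  vers=$(build_versions "$1") || return 2
  minos=${vers% *}
  sdk=${vers#* }
  version_ge "$minos" 10.9 && version_ge "$sdk" 10.9
}

# Convenience wrapper for a real binary (macOS only): otool must exist.
check_binary() {
  listing=$(mktemp)
  otool -l "$1" > "$listing" 2>&1 || { rm -f "$listing"; return 2; }
  meets_sdk_floor "$listing"; rc=$?
  rm -f "$listing"
  return $rc
}

# --- constructed sample listings (not real otool output) ---
OTOOL_DIR=$(mktemp -d)
trap 'rm -rf "$OTOOL_DIR"' EXIT
cat > "$OTOOL_DIR/new.txt" <<'EOF'
Load command 7
       cmd LC_BUILD_VERSION
   cmdsize 32
  platform 1
       sdk 10.15
     minos 10.15
    ntools 1
      tool 3
   version 512.4
Load command 8
       cmd LC_SOURCE_VERSION
   cmdsize 16
   version 0.0
EOF
cat > "$OTOOL_DIR/old.txt" <<'EOF'
Load command 9
      cmd LC_VERSION_MIN_MACOSX
  cmdsize 16
  version 10.7
      sdk 10.14
EOF
```

`check_binary Example.framework/Example` is the call you would make on a Mac; `meets_sdk_floor` returns 1 for the second sample because its deployment target 10.7 is below 10.9 even though its SDK is new enough.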

How to confirm the program satisfies its requirements

You can confirm that the program satisfies its requirements with the codesign tool.

codesign --verify --deep --verbose --strict Example.app

If the program satisfies its requirements, the codesign tool prints the following:

Example.app: valid on disk
Example.app: satisfies its Designated Requirement

a sealed resource is missing or invalid

If any files are missing, the codesign tool prints the following. In this example, the embedded helper application has the error.

MiddleSizeApp.app: a sealed resource is missing or invalid
In subcomponent: /Users/Example/Desktop/MiddleSizeApp 2020-02-23 15-52-15/Products/Applications/MiddleSizeApp.app/Contents/Helpers/HelperApp.app
file missing: /Users/Example/Desktop/MiddleSizeApp 2020-02-23 15-52-15/Products/Applications/MiddleSizeApp.app/Contents/Helpers/HelperApp.app/Contents/Resources/Base.lproj/Main.storyboardc/Info.plist
file missing: /Users/Example/Desktop/MiddleSizeApp 2020-02-23 15-52-15/Products/Applications/MiddleSizeApp.app/Contents/Helpers/HelperApp.app/Contents/Resources/Base.lproj/Main.storyboardc/NSWindowController-B8D-0N-5wS.nib
file missing: /Users/Example/Desktop/MiddleSizeApp 2020-02-23 15-52-15/Products/Applications/MiddleSizeApp.app/Contents/Helpers/HelperApp.app/Contents/Resources/Base.lproj/Main.storyboardc/MainMenu.nib
file missing: /Users/Example/Desktop/MiddleSizeApp 2020-02-23 15-52-15/Products/Applications/MiddleSizeApp.app/Contents/Helpers/HelperApp.app/Contents/Resources/Base.lproj/Main.storyboardc/XfG-lQ-9wD-view-m2S-Jp-Qdl.nib
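When the verification is part of a build script, the two outcomes above are easier to act on if the output is reduced to a status and a list of missing files. The script below is an added example, not code from the original article. It assumes the diagnostics are captured with `2>&1` into a file (codesign writes them to stderr) and uses a constructed failure listing with a shortened path rather than the real one above.

```shell
#!/bin/sh
# Added example: summarise the result of
#   codesign --verify --deep --verbose --strict App.app 2>&1
# captured into a file.

# Count "file missing:" lines in listing $1 (prints 0 when there are none).
missing_count() {
  grep -c '^file missing: ' "$1" || true
}

# Print the first "In subcomponent:" path in listing $1, or nothing.
missing_subcomponent() {
  sed -n 's/^In subcomponent: //p' "$1" | head -n 1
}

# Return 0 when the listing shows the success lines, 1 on a sealed-resource
# failure (printing which subcomponent and how many files), 2 otherwise.
summarize_verify() {
  if grep -q 'satisfies its Designated Requirement' "$1"; then
    echo "valid"
    return 0
  fi
  if grep -q 'a sealed resource is missing or invalid' "$1"; then
    sub=$(missing_subcomponent "$1")
    echo "sealed resource failure in ${sub:-main bundle}: $(missing_count "$1") file(s) missing"
    return 1
  fi
  echo "unrecognised codesign output"
  return 2
}

# Run the command from the article on a real bundle (macOS only).
verify_app() {
  out=$(mktemp)
  codesign --verify --deep --verbose --strict "$1" > "$out" 2>&1 || true
  summarize_verify "$out"; rc=$?
  rm -f "$out"
  return $rc
}

# --- constructed sample listings (not real codesign output) ---
VERIFY_DIR=$(mktemp -d)
trap 'rm -rf "$VERIFY_DIR"' EXIT
cat > "$VERIFY_DIR/ok.txt" <<'EOF'
Example.app: valid on disk
Example.app: satisfies its Designated Requirement
EOF
cat > "$VERIFY_DIR/fail.txt" <<'EOF'
MiddleSizeApp.app: a sealed resource is missing or invalid
In subcomponent: /Users/Example/MiddleSizeApp.app/Contents/Helpers/HelperApp.app
file missing: /Users/Example/MiddleSizeApp.app/Contents/Helpers/HelperApp.app/Contents/Resources/Base.lproj/Main.storyboardc/Info.plist
file missing: /Users/Example/MiddleSizeApp.app/Contents/Helpers/HelperApp.app/Contents/Resources/Base.lproj/Main.storyboardc/NSWindowController-B8D-0N-5wS.nib
file missing: /Users/Example/MiddleSizeApp.app/Contents/Helpers/HelperApp.app/Contents/Resources/Base.lproj/Main.storyboardc/MainMenu.nib
file missing: /Users/Example/MiddleSizeApp.app/Contents/Helpers/HelperApp.app/Contents/Resources/Base.lproj/Main.storyboardc/XfG-lQ-9wD-view-m2S-Jp-Qdl.nib
EOF
```

`verify_app Example.app` is the macOS entry point; a non-zero return from it is the signal to fix the helper (here, resources missing from HelperApp.app) before submitting for notarization.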
