--strictoption was missing, added it.
There are some way to support Apple Notarization Service.
From February 3, 2020, if the app want to be notarized, the app need to meet the original notarization prerequisites.
macOS 10.15 Catalinaからセキュリティ強化の一環で、Apple Notarization Servic…
This article describe that how to configure the project with Xcode.
- 1 Notarization Prerequisites
- 2 Code Signing to Executables
- 2.1 Configuration of the application target and the CLI target
- 2.2 Configure to sign on copy
- 2.3 Configure a build framework target
- 2.4 Configuration of the Bundle Resource
- 2.5 Configuration of the Helper programs
- 3 Enables the Hardened Runtime
- 4 Include the secure timestamp
- 5 Don’t include the “com.apple.security.get-task-allow” and variations
- 6 Use macOS 10.9 SDK or Later SDK
- 7 How confirm the program satisfied requirements
- 8 Related Articles
Notarization Prerequisites are following:
- All Executables are need to be code signed.
- Enable Hardened Runtime of all of the applications and the command line tools (CLI).
- Use “Developer ID Application Certificate”, “Developer ID Kernel Extension Certificate” or “Developer ID Installer Certificate” to code signing.
- Include a secure time stamp.
- “com.apple.security.get-task-allow” or variations are not contained in the entitlement.
- Linked to macOS 10.9 SDK or later SDK.
Code Signing to Executables
Configure to sign the executable.
Configuration of the application target and the CLI target
Set the “Code Signing Identity” to “Developer ID Application” certificate.
If you manage the certificate by yourself, set the “Code Signing Style” to “Manual”, “Development Team” to the empty and “Provisioning Profile” to “none”.
Configure to sign on copy
In the application target configuration, configure to sign on copy frameworks.
METHOD 1 : Configure in the General tab
Set the “Embed” to “Embed & Sign” in “Frameworks, Libraries, and Embedded Content” in the General tab.
METHOD 2 : Configure in the Copy Files Phase
Turn on “Code Sign On Copy” in the “Copy Files” phase.
Configure a build framework target
Make the framework to be not code-signing.
- Set the “Code Signing Identity” to “Sign to Run Locally”.
Configuration of the Bundle Resource
If resources are copied in “Copy Bundle Resources” phase, the configuration is not needed.
But if resources are copied in “Copy Files” phase, you need to turn on “Code Sign On Copy” options.
Configuration of the Helper programs
In the “Copy Files” phase, turn on “Code Sign On Copy” option of CLI and turn off it of the Application Packages. The code signing of the application package is done in building.
You need to set “Destination” to “Wrapper” and “SubPath” to “Contents/Helpers”
Enables the Hardened Runtime
You need to enable the Hardened Runtime. To enable it:
- Click “Capability” in the “Signing & Capabilities” tab of the application target.
- Double Click the “Hardened Runtime”.
The Sandbox option may be turning on. If you want to disable it, edit the entitlement file (*.entitlements).
Open the entitlement file. Set the “App Sandbox” to “No”, if you find it. If it is not available, the Sandbox is disabled.
Include the secure timestamp
The secure timestamp will be contained in Archive process by Xcode.
To confirm the secure timestamp is actually contained
You can confirm the secure timestamp is actually contained with the codesign tool.
codesign -dvv Example.app
Many items will be exported to the terminate. If you find “Signed Time”, the secure timestamp is not contained.
Signed Time=Feb 23, 2020 15:46:07
If the secure timestamp is contained, the “Timestamp” can be found instead of the “Signed Time”.
Timestamp=Feb 23, 2020 15:51:27
Don’t include the “com.apple.security.get-task-allow” and variations
Delete the “com.apple.security.get-task.allow” from the entitlement file if it is available.
Next, change the “Code Signing Inject Base Entitlements” to following: Debug : Yes Release : No If the “Code Signing Inject Base Entitlements” is No, the debugger can’t attach to it.
Use macOS 10.9 SDK or Later SDK
To use macOS 10.9 SDK or later SDK, update to the appropriate version of Xcode.
Xcode 6 or later use macOS 10.9 SDK or later SDK. However, these versions can be used for developing embedded helpers and frameworks.
Requirements to Notarize
You need to use Xcode 10 or later to develop a notarized application. Requirement of Xcode 10 is macOS High Sierra 10.13.6 or later.
How to confirm prebuilt libraries
You need to confirm the linked SDK and the deployment target of third-party libraries, that are embedded and you don’t have the source file.
You can confirm with the otool tool.
otool -l Example.framework/Example
The target file of the otool is a binary file not a framework directory.
Many items are exported, you need to find the “sdk” and the “minos”.
Load command 7 cmd LC_BUILD_VERSION cmdsize 32 platform 1 sdk 10.15 minos 10.15
The “sdk” is a linked SDK, the “minos” is a deployment target. Above example program is linked to macOS 10.15 SDK, and the deployment target is 10.15.
How confirm the program satisfied requirements
You can confirm the program satisfied requirements with the codesign tool.
codesign --verify --deep --verbose --strict Example.app
If the program satisfied its requirements, the codesign tool will export following:
Example.app: valid on disk Example.app: satisfies its Designated Requirement
a sealed resource is missing or invalid
If the any files are not found, the codesign tool will export following. This example, the embedded helper application has error.
MiddleSizeApp.app: a sealed resource is missing or invalid In subcomponent: /Users/Example/Desktop/MiddleSizeApp 2020-02-23 15-52-15/Products/Applications/MiddleSizeApp.app/Contents/Helpers/HelperApp.app file missing: /Users/Example/Desktop/MiddleSizeApp 2020-02-23 15-52-15/Products/Applications/MiddleSizeApp.app/Contents/Helpers/HelperApp.app/Contents/Resources/Base.lproj/Main.storyboardc/Info.plist file missing: /Users/Example/Desktop/MiddleSizeApp 2020-02-23 15-52-15/Products/Applications/MiddleSizeApp.app/Contents/Helpers/HelperApp.app/Contents/Resources/Base.lproj/Main.storyboardc/NSWindowController-B8D-0N-5wS.nib file missing: /Users/Example/Desktop/MiddleSizeApp 2020-02-23 15-52-15/Products/Applications/MiddleSizeApp.app/Contents/Helpers/HelperApp.app/Contents/Resources/Base.lproj/Main.storyboardc/MainMenu.nib file missing: /Users/Example/Desktop/MiddleSizeApp 2020-02-23 15-52-15/Products/Applications/MiddleSizeApp.app/Contents/Helpers/HelperApp.app/Contents/Resources/Base.lproj/Main.storyboardc/XfG-lQ-9wD-view-m2S-Jp-Qdl.nib