Notarization errors

Hello,

Last year I managed to notarize an app.
I can't any more.

Before, there were warnings. Now there are errors.
It seems to me that Apple was letting certain problems through to give developers time to come into compliance. That is clearly no longer the case.

Some errors concern 4D, others third-party plugins.
If someone well informed, in particular at 4D, could tell us when these problems will be fixed, or at least how to fix them ourselves.

Here is the list of errors:
"issues": [
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Plugins/4D InternetCommands.bundle/Contents/MacOS/4D InternetCommands", "message": "The binary uses an SDK older than the 10.9 SDK.", "docUrl": null, "architecture": "i386" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Plugins/Common Crypto.bundle/Contents/MacOS/Common Crypto", "message": "The signature of the binary is invalid.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Plugins/TobitProXL.bundle/Contents/MacOS/TobitProXL", "message": "The binary is not signed.", "docUrl": null, "architecture": "i386" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Plugins/TobitProXL.bundle/Contents/MacOS/TobitProXL", "message": "The signature does not include a secure timestamp.", "docUrl": null, "architecture": "i386" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Resources/php/Mac/php-fcgi-4d", "message": "The signature algorithm used is too weak.", "docUrl": null, "architecture": "i386" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Resources/php/Mac/php-fcgi-4d", "message": "The executable does not have the hardened runtime enabled.", "docUrl": null, "architecture": "i386" }
]

Hello,

Indeed, Apple announced that from 3 February 2020 the warnings would become errors.

In v17, you have to remove PHP and the Internet Commands.

There are ways to get by if you still need to use them, by installing newer versions of those products, but the cleanest is to move to v18.

Hoping this helped.

Regards,

Hello,

To complement Migad's reply.

Since you are registered for the 4D Summit in Paris, you will have been able to read at https://events.4d.com/summit2020/sessions-techniques/ that a session on 'Notarization' is scheduled. It will be led by a 4D expert on the subject.

That session will be the opportunity to go into the details of the process with 4D v18, but also in the v17 context.

Best regards,

Thanks for replying quickly.

Should we understand that these problems will never be fixed in v17?

Hello,

Yes, that session is one of those we will be following with the greatest attention.
Thank you.

Hi,

I understand that v17 R6 has 64-bit PHP as well as Internet Commands.

It shouldn't be a problem to notarize your application.

I tried in R6. It’s even worse and I removed some plugins.

Have a look:
"issues": [
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/MacOS/Appli", "message": "The executable does not have the hardened runtime enabled.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/MacOS/InstallTool.app/Contents/Library/LaunchServices/com.4D.Helper", "message": "The executable does not have the hardened runtime enabled.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/MacOS/InstallTool.app/Contents/MacOS/InstallTool", "message": "The executable does not have the hardened runtime enabled.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Native Components/4D Compiler.bundle/Contents/MacOS/4D Compiler", "message": "The binary is not signed.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Native Components/4D Compiler.bundle/Contents/MacOS/4D Compiler", "message": "The signature does not include a secure timestamp.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Native Components/4DSLI.bundle/Contents/MacOS/4DSLI", "message": "The binary is not signed.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Native Components/4DSLI.bundle/Contents/MacOS/4DSLI", "message": "The signature does not include a secure timestamp.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Native Components/4DZip.bundle/Contents/MacOS/4DZip", "message": "The binary is not signed.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Native Components/4DZip.bundle/Contents/MacOS/4DZip", "message": "The signature does not include a secure timestamp.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Native Components/CodeEditor.bundle/Contents/MacOS/CodeEditor", "message": "The binary is not signed.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Native Components/CodeEditor.bundle/Contents/MacOS/CodeEditor", "message": "The signature does not include a secure timestamp.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Native Components/HTTPServer.bundle/Contents/MacOS/HTTPServer", "message": "The binary is not signed.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Native Components/HTTPServer.bundle/Contents/MacOS/HTTPServer", "message": "The signature does not include a secure timestamp.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Native Components/LanguageSyntax.bundle/Contents/MacOS/LanguageSyntax", "message": "The binary is not signed.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Native Components/LanguageSyntax.bundle/Contents/MacOS/LanguageSyntax", "message": "The signature does not include a secure timestamp.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Native Components/LDAPComponent.bundle/Contents/MacOS/LDAPComponent", "message": "The binary is not signed.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Native Components/LDAPComponent.bundle/Contents/MacOS/LDAPComponent", "message": "The signature does not include a secure timestamp.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Native Components/MonitorGraph.bundle/Contents/MacOS/MonitorGraph", "message": "The binary is not signed.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Native Components/MonitorGraph.bundle/Contents/MacOS/MonitorGraph", "message": "The signature does not include a secure timestamp.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Native Components/SQLServer.bundle/Contents/MacOS/SQLServer", "message": "The binary is not signed.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Native Components/SQLServer.bundle/Contents/MacOS/SQLServer", "message": "The signature does not include a secure timestamp.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Native Components/StructEditorEngine.bundle/Contents/MacOS/StructEditorEngine", "message": "The binary is not signed.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Native Components/StructEditorEngine.bundle/Contents/MacOS/StructEditorEngine", "message": "The signature does not include a secure timestamp.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Native Components/SVG.bundle/Contents/MacOS/SVG", "message": "The binary is not signed.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Native Components/SVG.bundle/Contents/MacOS/SVG", "message": "The signature does not include a secure timestamp.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Native Components/WebViewerCEF.bundle/Contents/Frameworks/4D Helper.app/Contents/MacOS/4D Helper", "message": "The binary is not signed.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Native Components/WebViewerCEF.bundle/Contents/Frameworks/4D Helper.app/Contents/MacOS/4D Helper", "message": "The signature does not include a secure timestamp.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Native Components/WebViewerCEF.bundle/Contents/Frameworks/4D Helper.app/Contents/MacOS/4D Helper", "message": "The executable does not have the hardened runtime enabled.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Native Components/WebViewerCEF.bundle/Contents/Frameworks/Chromium Embedded Framework.framework/Chromium Embedded Framework", "message": "The binary is not signed.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Native Components/WebViewerCEF.bundle/Contents/Frameworks/Chromium Embedded Framework.framework/Chromium Embedded Framework", "message": "The signature does not include a secure timestamp.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Native Components/WebViewerCEF.bundle/Contents/Frameworks/Chromium Embedded Framework.framework/Libraries/libEGL.dylib", "message": "The binary is not signed.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Native Components/WebViewerCEF.bundle/Contents/Frameworks/Chromium Embedded Framework.framework/Libraries/libEGL.dylib", "message": "The signature does not include a secure timestamp.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Native Components/WebViewerCEF.bundle/Contents/Frameworks/Chromium Embedded Framework.framework/Libraries/libGLESv2.dylib", "message": "The binary is not signed.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Native Components/WebViewerCEF.bundle/Contents/Frameworks/Chromium Embedded Framework.framework/Libraries/libGLESv2.dylib", "message": "The signature does not include a secure timestamp.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Native Components/WebViewerCEF.bundle/Contents/Frameworks/Chromium Embedded Framework.framework/Libraries/libswiftshader_libEGL.dylib", "message": "The binary is not signed.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Native Components/WebViewerCEF.bundle/Contents/Frameworks/Chromium Embedded Framework.framework/Libraries/libswiftshader_libEGL.dylib", "message": "The signature does not include a secure timestamp.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Native Components/WebViewerCEF.bundle/Contents/Frameworks/Chromium Embedded Framework.framework/Libraries/libswiftshader_libGLESv2.dylib", "message": "The binary is not signed.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Native Components/WebViewerCEF.bundle/Contents/Frameworks/Chromium Embedded Framework.framework/Libraries/libswiftshader_libGLESv2.dylib", "message": "The signature does not include a secure timestamp.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Native Components/WebViewerCEF.bundle/Contents/MacOS/WebViewerCEF", "message": "The binary is not signed.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Native Components/WebViewerCEF.bundle/Contents/MacOS/WebViewerCEF", "message": "The signature does not include a secure timestamp.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Native Components/WebViewerSystem.bundle/Contents/MacOS/WebViewerSystem", "message": "The binary is not signed.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Native Components/WebViewerSystem.bundle/Contents/MacOS/WebViewerSystem", "message": "The signature does not include a secure timestamp.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Native Components/Write.bundle/Contents/MacOS/Write", "message": "The binary is not signed.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Native Components/Write.bundle/Contents/MacOS/Write", "message": "The signature does not include a secure timestamp.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Plugins/4D InternetCommands.bundle/Contents/MacOS/4D InternetCommands", "message": "The binary is not signed.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Plugins/4D InternetCommands.bundle/Contents/MacOS/4D InternetCommands", "message": "The signature does not include a secure timestamp.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Plugins/Common Crypto.bundle/Contents/MacOS/Common Crypto", "message": "The signature of the binary is invalid.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Resources/php/Mac/php-fcgi-4d", "message": "The executable does not have the hardened runtime enabled.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Resources/php/Mac/php-fcgi-4d", "message": "The binary uses an SDK older than the 10.9 SDK.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Resources/Updater/Updater.app/Contents/Frameworks/libxerces-c_3_2.dylib", "message": "The binary is not signed.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Resources/Updater/Updater.app/Contents/Frameworks/libxerces-c_3_2.dylib", "message": "The signature does not include a secure timestamp.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Resources/Updater/Updater.app/Contents/MacOS/Updater", "message": "The binary is not signed.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Resources/Updater/Updater.app/Contents/MacOS/Updater", "message": "The signature does not include a secure timestamp.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/Resources/Updater/Updater.app/Contents/MacOS/Updater", "message": "The executable does not have the hardened runtime enabled.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/SASL Plugins/libdigestmd5.plugin", "message": "The binary is not signed.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/SASL Plugins/libdigestmd5.plugin", "message": "The signature does not include a secure timestamp.", "docUrl": null, "architecture": "x86_64" }
]

Hi,

It seems that some elements need to be signed. In addition to the main executable, two helpers, HelperTool and InstallTool, are also present in the MacOS folder. These need to be explicitly signed with hardened runtime entitlements.

"The signature does not include a secure timestamp"

  • Contents/MacOS/HelperTool

  • Contents/MacOS/InstallTool

“The executable does not have the hardened runtime enabled”

Enable the hardened runtime capability as described in Enable hardened runtime (macOS). This adds security restrictions to your app by default while allowing you to ask for specific exceptions as needed. If you don’t enable the hardened runtime, notarization fails and reports an issue with the following message:
The executable does not have the hardened runtime enabled
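The log pasted above names one file per entry and repeats the same handful of messages. The triage below is an added example, not 4D's or Apple's code: it parses such a log, groups the errors by file, separates what re-signing can fix (hardened runtime, secure timestamp, unsigned, invalid or weak signature) from what it cannot (a binary built against a pre-10.9 SDK), and emits the codesign commands innermost-first so that nested code is sealed before the bundle that contains it. The sample log is constructed from entries that appear in this thread; the build directory /tmp/build and the identity string are placeholders.

```python
"""Triage a notarization log into a per-file remediation plan (added example)."""
import json
import os
import shlex
from collections import defaultdict

# Notarization message (quoted verbatim from the log) -> (category, remedy).
REMEDIES = {
    "The executable does not have the hardened runtime enabled.":
        ("hardened runtime", "re-sign with --options runtime"),
    "The signature does not include a secure timestamp.":
        ("secure timestamp", "re-sign with --timestamp"),
    "The binary is not signed.":
        ("unsigned", "sign with a Developer ID Application identity"),
    "The signature of the binary is invalid.":
        ("invalid signature", "re-sign with --force; the file changed after it was signed"),
    "The signature algorithm used is too weak.":
        ("weak signature", "re-sign with --force using a current codesign (SHA-256 code directory)"),
    "The binary uses an SDK older than the 10.9 SDK.":
        ("old SDK", "not fixable by signing: rebuild against a newer SDK or drop the component"),
}
SIGNABLE = {"hardened runtime", "secure timestamp", "unsigned", "invalid signature", "weak signature"}


def triage(log_text):
    """Map each path in the log to the list of (category, remedy) it needs."""
    plan = defaultdict(list)
    for issue in json.loads(log_text)["issues"]:
        if issue.get("severity") != "error":
            continue
        category, remedy = REMEDIES.get(
            issue["message"], ("unknown", "not covered here; see Apple's notarization documentation"))
        plan[issue["path"]].append((category, remedy))
    return dict(plan)


def needs_rebuild(plan):
    """Paths that no codesign invocation can repair."""
    return sorted(p for p, fixes in plan.items() if any(c == "old SDK" for c, _ in fixes))


def signing_target(path):
    """codesign signs bundles, not the executables inside them: map a bundle's main
    executable (…/Contents/MacOS/x) or a framework's binary to the enclosing bundle;
    loose executables, dylibs and flat .plugin files are signed as themselves."""
    parts = path.split("/")
    if len(parts) >= 4 and parts[-3:-1] == ["Contents", "MacOS"]:
        return "/".join(parts[:-3])
    for i in range(len(parts) - 1, -1, -1):
        if parts[i].endswith(".framework"):
            name = parts[i][:-len(".framework")]
            rest = parts[i + 1:]
            if rest == [name] or (len(rest) == 3 and rest[0] == "Versions" and rest[2] == name):
                return "/".join(parts[:i + 1])
            break
    return path


def local_path(log_path, app_dir):
    """The log names files relative to the uploaded container (Appli.dmg/...);
    drop that first component to get the path under app_dir (placeholder)."""
    parts = log_path.split("/")
    if not parts[0].endswith(".app"):
        parts = parts[1:]
    return os.path.join(app_dir, *parts)


def codesign_commands(plan, app_dir, identity, entitlements=None):
    """One codesign command per signable target, deepest path first, app last.
    Files that also need a rebuild are skipped: re-signing them will not pass."""
    targets = {}
    for path, fixes in plan.items():
        categories = {c for c, _ in fixes}
        if "old SDK" in categories or not categories & SIGNABLE:
            continue
        targets.setdefault(signing_target(path), True)
    commands = []
    for target in sorted(targets, key=lambda t: t.count("/"), reverse=True):
        argv = ["codesign", "--force", "--options", "runtime", "--timestamp", "--sign", identity]
        if entitlements:
            argv += ["--entitlements", entitlements]
        argv.append(local_path(target, app_dir))
        commands.append(" ".join(shlex.quote(a) for a in argv))
    return commands


def _issue(path, message):
    return {"severity": "error", "code": None, "path": "Appli.dmg/Appli.app/Contents/" + path,
            "message": message, "docUrl": None, "architecture": "x86_64"}


# Constructed sample: a subset of the entries posted in this thread.
SAMPLE_LOG = json.dumps({"issues": [
    _issue("MacOS/Appli", "The executable does not have the hardened runtime enabled."),
    _issue("Native Components/WebViewerCEF.bundle/Contents/Frameworks/4D Helper.app/Contents/MacOS/4D Helper", "The binary is not signed."),
    _issue("Native Components/WebViewerCEF.bundle/Contents/Frameworks/4D Helper.app/Contents/MacOS/4D Helper", "The signature does not include a secure timestamp."),
    _issue("Native Components/WebViewerCEF.bundle/Contents/Frameworks/Chromium Embedded Framework.framework/Libraries/libEGL.dylib", "The binary is not signed."),
    _issue("Native Components/WebViewerCEF.bundle/Contents/MacOS/WebViewerCEF", "The binary is not signed."),
    _issue("Resources/php/Mac/php-fcgi-4d", "The binary uses an SDK older than the 10.9 SDK."),
    _issue("Resources/php/Mac/php-fcgi-4d", "The executable does not have the hardened runtime enabled."),
    _issue("Plugins/Common Crypto.bundle/Contents/MacOS/Common Crypto", "The signature of the binary is invalid."),
    _issue("SASL Plugins/libdigestmd5.plugin", "The binary is not signed."),
]})

if __name__ == "__main__":
    plan = triage(SAMPLE_LOG)
    for path, fixes in plan.items():
        print(path)
        for category, remedy in fixes:
            print(f"  [{category}] {remedy}")
    print("rebuild or drop:", needs_rebuild(plan))
    for cmd in codesign_commands(plan, "/tmp/build", "Developer ID Application: Example (ABCD1234)", "./signing.entitlements"):
        print(cmd)
```

The ordering matters: a bundle's seal covers the hashes of its nested code, so signing WebViewerCEF.bundle before the 4D Helper.app inside it would leave the outer seal stale. Note that the generated commands do not use --deep and do pass --timestamp explicitly, which is what the "secure timestamp" entries are asking for.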

I understand most of the errors.
But all the mentioned elements are part of 4D, except CommonCrypto.

I must conclude 17R6 is not ready for notarization as is.

Stanislas CARON: "I must conclude 17R6 is not ready for notarization as is."

Yes. Please update to 4D v18. After R6 was designed, there were still changes in the notarization process.

Just use 4D v18 with built-in signing and follow the blog post for notarization.

Hello,

there is no notarization signature compatibility feature in the 17R versions.

However, you can use the 64-bit PHP from 17R6 with 17.4 and the notarization should run properly
(you need to replace it in the 17.4 Volume desktop).

Likewise, you can include a compatible version of IC Commands.

I am not saying it is 100% compatible (the PHP process counting method has changed, for instance), but it should fix your problem.

Proper communication will be delivered with the 17.4 release and, as Laurent said, you can learn many more details at the Summit.

So we’ll wait for the 17.4.

Stanislas CARON: "So we'll wait for the 17.4."

Stanislas,

Have you checked this post? https://forums.4d.com/Post/DE/33171125/1/33171126
You need macOS Mojave (High Sierra does not work).

And for our TobitProXL plugin, it is safe to delete the macOS stub folder from the plugin to avoid notarization errors.

Miyako taught me that plugin stubs have been obsolete since 4D v14, because 4D gets the information for cross-platform development from the manifest.json.

Regards, Armin

Hi all,

I saw that 17.4 had been discreetly put online. So I made new attempts, taking into account your various pieces of advice.

After resolving several errors, the ones below remain. I'll wait until the summit session unless someone knows of a simple solution.

I downloaded Keisuke Miyako's tool, but I didn't understand how to go about using it.

"issues": [
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/MacOS/HelperTool", "message": "The executable does not have the hardened runtime enabled.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/MacOS/InstallTool", "message": "The executable does not have the hardened runtime enabled.", "docUrl": null, "architecture": "x86_64" },
  { "severity": "error", "code": null, "path": "Appli.dmg/Appli.app/Contents/MacOS/Appli", "message": "The executable does not have the hardened runtime enabled.", "docUrl": null, "architecture": "x86_64" }
]

I'm adding this here since it made the most sense to add on to the existing issue instead of creating a new one and confusing people looking for answers later.

I am actually seeing this same issue when building with 18.1. The same error: "The executable does not have the hardened runtime enabled."

As of now, I have just been trying to get the InstallTool signed properly since it's a self-contained application within the parent project. I am guessing that things have changed again now that macOS Catalina is at 10.15.5.

Using the following to codesign seems to eliminate all the errors but the Hardened Runtime one.

codesign -fs "DeveloperCertCode" --deep --verbose=4 --options=hard,expires,runtime <Path to compiled 4DApp>/Contents/MacOS/InstallTool.app

I then go to check the signature to see if anything else is angry with me, and I use

codesign -vvv --deep --strict ./InstallTool.app/Contents/MacOS/InstallTool

I get the following back as an answer:

./InstallTool.app/Contents/MacOS/InstallTool: a sealed resource is missing or invalid
I even tried to add an entitlements file to Contents next to the Info.plist but still no luck.

Any suggestions would be helpful to get this to play nicely.
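"a sealed resource is missing or invalid" is codesign's summary for a mismatch between the bundle's resource seal (Contents/_CodeSignature/CodeResources) and what is on disk, and it does not say which file. The checker below is an added example, not Apple's or 4D's code, that re-does the plain-file part of that comparison to name the culprit. It assumes the CodeResources layout codesign writes: a files2 dictionary keyed by paths relative to Contents/, each with a SHA-256 hash2 (entries carrying cdhash or symlink instead are nested code or links, which codesign verifies by their own signature, so they are skipped here); its scan for files added after signing is simplified to the Resources/ directory rather than evaluating rules2. The demo bundle it checks is constructed in a temporary directory.

```python
"""Find which sealed resource is missing, modified, or unsealed (added example)."""
import hashlib
import os
import plistlib
import tempfile


def check_seal(contents_dir):
    """Compare Contents/_CodeSignature/CodeResources against the files on disk.
    Returns {'missing': [...], 'modified': [...], 'unsealed': [...]} with paths
    relative to Contents/, each list sorted."""
    with open(os.path.join(contents_dir, "_CodeSignature", "CodeResources"), "rb") as f:
        seal = plistlib.load(f)
    sealed = seal.get("files2", {})
    report = {"missing": [], "modified": [], "unsealed": []}
    for rel, entry in sealed.items():
        if not isinstance(entry, dict) or "hash2" not in entry:
            continue  # symlink or nested code: not a hashed plain file
        full = os.path.join(contents_dir, rel)
        if not os.path.isfile(full):
            if not entry.get("optional"):
                report["missing"].append(rel)
            continue
        with open(full, "rb") as f:
            digest = hashlib.sha256(f.read()).digest()
        if digest != bytes(entry["hash2"]):
            report["modified"].append(rel)
    # Files under Resources/ that the seal never covered: added after signing.
    res_dir = os.path.join(contents_dir, "Resources")
    for root, _, names in os.walk(res_dir):
        for name in names:
            rel = os.path.relpath(os.path.join(root, name), contents_dir)
            if rel not in sealed:
                report["unsealed"].append(rel)
    for key in report:
        report[key].sort()
    return report


def seal_entry(data):
    """A files2 entry as codesign writes it: SHA-1 in 'hash', SHA-256 in 'hash2'."""
    return {"hash": hashlib.sha1(data).digest(), "hash2": hashlib.sha256(data).digest()}


def build_demo_bundle():
    """Constructed bundle: seal three resources, then tamper the way a post-signing
    edit would (change one file, delete one, drop a new file in)."""
    contents = os.path.join(tempfile.mkdtemp(), "Demo.app", "Contents")
    res = os.path.join(contents, "Resources")
    os.makedirs(os.path.join(contents, "_CodeSignature"))
    os.makedirs(res)
    files2 = {}
    for rel, data in {"Resources/ok.txt": b"unchanged", "Resources/changed.txt": b"original"}.items():
        with open(os.path.join(contents, rel), "wb") as f:
            f.write(data)
        files2[rel] = seal_entry(data)
    files2["Resources/missing.txt"] = seal_entry(b"gone")                       # sealed, then deleted
    files2["Resources/optional.txt"] = dict(seal_entry(b"maybe"), optional=True)  # allowed to be absent
    files2["Frameworks/Foo.framework"] = {"cdhash": b"\x00" * 20, "requirement": "identifier Foo"}
    with open(os.path.join(contents, "_CodeSignature", "CodeResources"), "wb") as f:
        plistlib.dump({"files": {}, "files2": files2, "rules": {}, "rules2": {}}, f)
    # tamper after "signing"
    with open(os.path.join(res, "changed.txt"), "wb") as f:
        f.write(b"tampered")
    with open(os.path.join(res, "extra.txt"), "wb") as f:
        f.write(b"added after signing")
    return contents


if __name__ == "__main__":
    for kind, paths in check_seal(build_demo_bundle()).items():
        print(f"{kind}: {paths}")
```

Run it against a real app as check_seal("/path/to/App.app/Contents") after a failed verify; anything listed as modified or unsealed was touched after the last codesign run and the bundle has to be re-signed from the inside out, which is the same reason adding an entitlements file next to Info.plist after signing cannot help.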

Can you give the $20 DMG Canvas a try? I spent time watching the summit 2020 session in order to understand what was under the hood before using DMG Canvas to automate it. Piece of cake and ready to deliver.

You may want to check again. Under 10.15.5 things have changed. I followed along with the summit 2020 session and found that the directions given at the summit now fail.

After building the app in v18.1 following the instructions from Erick Lui I found that I get the following error.

spctl -avvvv MyDatabase.app
MyDatabase.app: rejected
origin=Apple Development: Eric Naujock (xxxxxxxx)

This may have worked in earlier versions of the system software but I think that the expected changes coming from apple in 10.15.5 and later have broken the old workflow. Ironically I also get the same errors in 10.14.6.

Just to check things out I downloaded your App and ran the same tests against it.

Erics-MacBook-Pro:MacOS naujocke$ codesign -vvv --deep --strict /Volumes/DMG\ Canvas\ 3.0.10/DMG\ Canvas.app
--prepared:/Volumes/DMG Canvas 3.0.10/DMG Canvas.app/Contents/Frameworks/AraeliumAppKit.framework/Versions/Current/.
--validated:/Volumes/DMG Canvas 3.0.10/DMG Canvas.app/Contents/Frameworks/AraeliumAppKit.framework/Versions/Current/.
--prepared:/Volumes/DMG Canvas 3.0.10/DMG Canvas.app/Contents/Frameworks/AraeliumFeedback.framework/Versions/Current/.
--validated:/Volumes/DMG Canvas 3.0.10/DMG Canvas.app/Contents/Frameworks/AraeliumFeedback.framework/Versions/Current/.
--prepared:/Volumes/DMG Canvas 3.0.10/DMG Canvas.app/Contents/Frameworks/AraeliumFoundation.framework/Versions/Current/.
--validated:/Volumes/DMG Canvas 3.0.10/DMG Canvas.app/Contents/Frameworks/AraeliumFoundation.framework/Versions/Current/.
--prepared:/Volumes/DMG Canvas 3.0.10/DMG Canvas.app/Contents/Frameworks/AraeliumUpdate.framework/Versions/Current/.
--validated:/Volumes/DMG Canvas 3.0.10/DMG Canvas.app/Contents/Frameworks/AraeliumUpdate.framework/Versions/Current/.
--prepared:/Volumes/DMG Canvas 3.0.10/DMG Canvas.app/Contents/Frameworks/libAraeliumLogging.dylib
--validated:/Volumes/DMG Canvas 3.0.10/DMG Canvas.app/Contents/Frameworks/libAraeliumLogging.dylib
/Volumes/DMG Canvas 3.0.10/DMG Canvas.app: valid on disk
/Volumes/DMG Canvas 3.0.10/DMG Canvas.app: satisfies its Designated Requirement

Erics-MacBook-Pro:MacOS naujocke$ spctl -avvvv /Volumes/DMG\ Canvas\ 3.0.10/DMG\ Canvas.app
/Volumes/DMG Canvas 3.0.10/DMG Canvas.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Seth Willits (28488A87JB)

Everything checked out OK there. I am wondering if something changed under 18.1 that is causing the build to fail to validate, since I did follow the script of using the right (paid) Developer ID to build the database. Maybe I should try either 18r2 or 18.0.

I’ve been able to notarise v17 (using newer Internet Commands) all the way up to 18.2 and 18 R3 beta using this approach:

…but I am still on Catalina 10.15.3, so it might not work anymore with the latest update.

If you can use the built-in signing on v18.1, that will be your easiest option. If you must sign/notarize manually, here’s a sample script that can perform all the steps. You can look in the 4D.app package to get a copy of the entitlements file. The two commented commands at the bottom are examples for saving a password to the keychain and stapling the app once notarized. You’ll need to generate a signing password following Apple’s documentation for Customizing the Notarization Workflow.

#!/bin/bash
# Manual sign + notarize flow for a 4D-built app. Note: Apple stopped accepting
# altool notarization uploads on 1 November 2023; the same flow now goes through
# `xcrun notarytool submit` (the signing steps are unchanged).

cd "${BASH_SOURCE%/*}" || exit
echo "current directory: $(pwd)"

devID="Developer ID Application: Me, myself, & I (ABCD1234)"
appPath="./Travel.app"
entPath="./signing.entitlements"   # copied from the 4D.app package

filename=$(basename -- "$appPath")
appName="${filename%.*}"

if [[ -d $appPath ]]
then
  echo "signing $appPath"
  # clean up by removing file system extended attributes (they break the resource seal)
  xattr -cr "$appPath"

  # split find's output on newlines only, so paths with spaces survive the loop
  OIFS="$IFS"
  IFS=$'\n'

  # sign items in directories codesign --deep doesn't handle.
  # --timestamp is explicit: notarization rejects signatures without a secure timestamp.
  # --deep applies the same entitlements to every nested executable, so keep that file minimal.
  extraDirs=("Plugins" "SASL Plugins" "Native Components")
  for extraDir in "${extraDirs[@]}"; do
    for item in $(find "${appPath}/Contents/${extraDir}" -depth \( -iname "*.bundle" -o -iname "*.plugin" -o -iname "*.dylib" \)); do
      echo "signing \"${item}\""
      codesign --force --deep --verbose --timestamp --options=runtime --entitlements "${entPath}" --sign "$devID" "${item}"
    done
  done
  IFS="$OIFS" # restore $IFS

  # php, the Updater app, and anything else missed above
  codesign --force --deep --verbose --timestamp --options=runtime --entitlements "${entPath}" --sign "$devID" "${appPath}/Contents/Resources/php/Mac/php-fcgi-4d"
  codesign --force --deep --verbose --timestamp --options=runtime --entitlements "${entPath}" --sign "$devID" "${appPath}/Contents/Resources/Updater/Updater.app"

  # and the base app, last, so its seal covers everything signed above
  codesign --force --deep --verbose --timestamp --options=runtime --entitlements "${entPath}" --sign "$devID" "${appPath}"

  # check code-signing
  echo "checking signing"
  spctl -av "$appPath"
  codesign --verify -v "$appPath"

  # zip with versioned name
  version=$(/usr/libexec/PlistBuddy "${appPath}/Contents/Info.plist" -c 'Print CFBundleShortVersionString')
  zipName="./${appName}-${version}.app.zip"
  echo "zipping to ${zipName}"
  rm -f "$zipName"
  ditto -c -k --sequesterRsrc --keepParent "$appPath" "$zipName"

  echo "uploading for notarization"
  xc_output=$( \
    xcrun altool --notarize-app --primary-bundle-id "com.quevivadev.Travel.zip" \
      --username "jim@quevivadev.com" --password "@keychain:AC_PASSWORD_Travel" \
      --file "$zipName" \
  )
  echo "${xc_output}"
  echo "finished uploading, watch for result email"

  # get the request UUID from the results line, using bash regular expressions
  # RequestUUID = 19ac980c-5a07-4584-9b57-e705b2d946e3
  regex="RequestUUID = ([0-9a-z\-]+)"
  [[ $xc_output =~ $regex ]]
  request_uuid=${BASH_REMATCH[1]}

  echo "run the following command for request status:"
  echo "xcrun altool --notarization-info ${request_uuid} -u \"jim@quevivadev.com\" --password \"@keychain:AC_PASSWORD_Travel\""

fi

# xcrun altool --store-password-in-keychain-item "AC_PASSWORD_Travel" -u "jim@quevivadev.com" -p "the-password"
# xcrun stapler staple Travel.app
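The script above hands the same signing.entitlements, copied out of 4D.app, to every nested binary via --deep. Each key in that file switches one hardened-runtime protection back off, and one key (get-task-allow, a debugging entitlement) makes notarization reject the executable outright. The audit below is an added example, not 4D's file or Apple's tooling: the keys are Apple's documented hardened-runtime exception entitlements, SAMPLE_ENTITLEMENTS is constructed here to stand in for a copied file, and minimize() writes back a plist that keeps only the exceptions you can justify.

```python
"""Audit and minimize a hardened-runtime entitlements plist (added example)."""
import plistlib

# Hardened-runtime exception keys: each one, when true, re-enables what the
# runtime would otherwise block.
EXCEPTIONS = {
    "com.apple.security.cs.allow-jit": "writable+executable memory via MAP_JIT",
    "com.apple.security.cs.allow-unsigned-executable-memory": "any writable+executable memory",
    "com.apple.security.cs.disable-executable-page-protection": "all executable-page protection",
    "com.apple.security.cs.disable-library-validation": "loading plug-ins/dylibs signed by another Team ID",
    "com.apple.security.cs.allow-dyld-environment-variables": "DYLD_* variables such as DYLD_INSERT_LIBRARIES",
    "com.apple.security.cs.debugger": "attaching to other processes as a debugger",
}
# Development-only entitlement; a notarization upload that requests it is rejected.
DEBUG_ONLY = ("com.apple.security.get-task-allow",)


def audit(plist_bytes):
    """Which protections the file waives, what blocks notarization, and what else it grants."""
    ents = plistlib.loads(plist_bytes)
    waived = [k for k in EXCEPTIONS if ents.get(k) is True]
    blockers = [k for k in DEBUG_ONLY if ents.get(k) is True]
    other = sorted(k for k in ents if k not in EXCEPTIONS and k not in DEBUG_ONLY)
    return {"waived": waived, "blockers": blockers, "other": other, "notarizable": not blockers}


def minimize(plist_bytes, keep):
    """Return a plist carrying only the exceptions named in `keep` (plus any
    non-exception keys such as resource-access entitlements), with debug-only
    keys removed. Nothing is added that the input did not already grant."""
    ents = plistlib.loads(plist_bytes)
    kept = {k: v for k, v in ents.items()
            if k not in DEBUG_ONLY and (k not in EXCEPTIONS or k in keep)}
    return plistlib.dumps(kept)


def describe(result):
    lines = [f"waives: {EXCEPTIONS[k]}  ({k})" for k in result["waived"]]
    lines += [f"BLOCKS NOTARIZATION: {k}" for k in result["blockers"]]
    lines += [f"other: {k}" for k in result["other"]]
    return "\n".join(lines)


# Constructed stand-in for an entitlements file copied out of an app package.
SAMPLE_ENTITLEMENTS = plistlib.dumps({
    "com.apple.security.cs.allow-unsigned-executable-memory": True,
    "com.apple.security.cs.disable-library-validation": True,
    "com.apple.security.cs.allow-dyld-environment-variables": True,
    "com.apple.security.get-task-allow": True,
    "com.apple.security.automation.apple-events": True,
})

if __name__ == "__main__":
    print(describe(audit(SAMPLE_ENTITLEMENTS)))
    slim = minimize(SAMPLE_ENTITLEMENTS, {"com.apple.security.cs.disable-library-validation"})
    print("--- minimized ---")
    print(describe(audit(slim)))
```

disable-library-validation is the exception a host that loads third-party plug-in bundles signed by other teams (the Plugins folder in this thread) genuinely needs; allow-dyld-environment-variables and allow-unsigned-executable-memory are rarely justified and, applied through --deep, land on php-fcgi-4d and the Updater as well.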