Notarizing application for public release

Hey

I need some... direction here.

I have 2 developer "ids".

  1. Apple Development : ***@*** (ID)
  2. Apple Distribution : Company *** (ID)

Now I can notarize my software using Apple Development, but I can't using Apple Distribution as it says "message": "The binary is not signed with a valid Developer ID certificate.",.

What should I do to make this thing... ship-able & release-able?

I'm using CMake, CLion, no Xcode to do it automatically sadly... Can someone give me a hint as to what ID I should use for public release?

Regards Dariusz

Replies

For notarizing, you should use a "Developer ID Application" certificate.

Hey Thanks! So when do I use Distribution one? Do I sign it again using that after notarizing?

Regards Dariusz

So when do I use Distribution one?

When submitting to the App Store. If you’re shipping independently, you only need two types [1] of signing identity:

  • Apple Development, for day-to-day development

  • Developer ID Application, for distribution

For all the gory details, see:

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] There’s a third type, Developer ID Installer, but you only need that if you’re distributing an installer package (.pkg).

  • Hey I've seen these 2 posts, but they don't cover my case. What if I don't use a disk image or installer & I just zip it and ship zips over? When my app starts it auto "installs" itself to the correct location and then auto updates/restarts/replaces files when needed. So there is no package/install/disk image. Do I just sign it with my developer ID and send it off? I don't have to notarize that?

    How do I start a new line on this forum.... apparently Enter does not do it? o.O


Bumping this topic as I'm still a bit lost.

Can anyone weigh in on what to do if I'm using zips to distribute my app and not an image/iso/etc?

You do need to notarize your app. Otherwise users will not be able to start it the first time.

> Bumping this topic

I didn’t reply earlier because I’m not notified about comments. See tip 5 in Quinn’s Top Ten DevForums Tips.

> How do I start a new line on this forum

Use a reply rather than post a comment.

> Do I just sign it with my developer ID and send it off? I don't have to notarize that?

Code that you distribute widely must be notarised, otherwise it will run into Gatekeeper problems.

IMPORTANT The exact circumstances under which Gatekeeper checks your code are complex, and have changed over time. I recommend the test procedure described in Testing a Notarised Product.

If you have your own software update mechanism then it’s fine to notarise a zip of the app before you package it up into whatever format you use for distribution. The critical thing is that, after the updater has finished, the final app must be correctly signed and that signature must be covered by a notarised ticket.

To learn more about how this actually works, check out the Notarisation Fundamentals and The Pros and Cons of Stapling posts linked to by Notarisation Resources.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hey I remember watching all these notarise videos 1-2 years ago.

Ok so let me just... "bullet point it..."

  1. Compile app
  2. I get either .app or .plugin
  3. Enter the package, go over every file and sign it: codesign --verbose=3 --force --timestamp --options runtime --sign <identity> <path> (use my Developer ID, sign MacOS content last!!)
  4. Zip the .app/.plugin as xx_NOTATORY.zip (_NOTATORY not needed): ditto -c -k --keepParent <appPath> <zipPath>
  5. Send it to Apple: xcrun notarytool submit <zipPath> --keychain-profile "myFancyKeychainProfileIveNoIdeaHowIMadeItItWasYearsAgo" --wait
  6. Staple it: xcrun stapler staple <appPath> - staple the .app/.plugin, not the zipped Notatory zip?
  7. Zip it again: ditto -c -k --keepParent <appPath> <zipReleasePath>
  8. Send zipped file to clients?

I don't need to sign it again using Distribution/etc certificate after part 6?

Regards Dariusz

Your steps look pretty good. The only feedback I have is on this one:

> 3. go over every file

You need to sign each code item, not each file. You don’t need to sign a resource file embedded in a bundle. That file is sealed over by the bundle’s code signature.

For more details on this, see the Identify the Code to Sign section of Creating Distribution-Signed Code for Mac.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
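The whole procedure from Dariusz's bullet points, with Quinn's correction to step 3 applied, as an added example script that is not code from the thread, from Apple, or from Dariusz's project. It lists the code items inside a bundle innermost first (nested bundles, .dylib files, helper executables), skips plain resource files because the enclosing bundle's signature seals them, signs each item with a Developer ID Application identity, zips with ditto, submits with notarytool, staples the ticket to the .app, verifies the result and re-zips for release. The identity string and keychain profile name are placeholders, and list_code_items assumes helper executables live in a Contents/MacOS directory.

```shell
#!/bin/sh
# Added example, not code from the thread. Signs every code item inside-out,
# notarizes a zip, staples the ticket to the .app and verifies the result.
# IDENTITY and PROFILE are placeholders: export your own "Developer ID
# Application" identity and notarytool keychain profile before running.
set -eu

IDENTITY="${IDENTITY:-Developer ID Application: Example Corp (TEAMID1234)}"  # placeholder
PROFILE="${PROFILE:-notary-profile-placeholder}"                              # placeholder

# Print the code items under a bundle that need their own signature, deepest
# first, and the bundle itself last. Code items are nested bundles, .dylib
# files and helper executables in a Contents/MacOS directory (assumed layout).
# A bundle's own main executable is not listed: signing the bundle signs it.
# Resource files are never listed: the bundle's signature seals them.
list_code_items() {
  root="$1"
  {
    find "$root" -mindepth 1 -type d \( -name '*.framework' -o -name '*.app' \
      -o -name '*.bundle' -o -name '*.plugin' -o -name '*.xpc' -o -name '*.appex' \)
    find "$root" -type f -name '*.dylib'
    find "$root" -type f -perm -100 -path '*/Contents/MacOS/*' | while IFS= read -r f; do
      bundle=$(dirname "$(dirname "$(dirname "$f")")")
      [ "$(basename "$f")" = "$(basename "${bundle%.*}")" ] || printf '%s\n' "$f"
    done
  } | awk -F/ '{ print NF, $0 }' | sort -k1,1nr -k2 | cut -d' ' -f2-
  printf '%s\n' "$root"
}

# Step 3 of the thread, applied per code item instead of per file.
sign_item() {
  codesign --verbose=3 --force --timestamp --options runtime --sign "$IDENTITY" "$1"
}

sign_bundle() {
  list_code_items "$1" | while IFS= read -r item; do
    sign_item "$item"
  done
}

# Steps 4 to 7: zip, submit, staple the .app (not the zip), verify, re-zip.
notarize_and_staple() {
  app="$1"
  base="${app%.*}"
  ditto -c -k --keepParent "$app" "$base-notary.zip"
  xcrun notarytool submit "$base-notary.zip" --keychain-profile "$PROFILE" --wait
  xcrun stapler staple "$app"
  # Whatever an updater leaves on disk must still pass both of these checks.
  codesign --verify --verbose=3 --deep --strict "$app"
  spctl --assess --type execute -vv "$app"
  ditto -c -k --keepParent "$app" "$base-release.zip"
}

# Usage: sh notarize.sh /path/to/MyApp.app
if [ -n "${1:-}" ]; then
  sign_bundle "$1"
  notarize_and_staple "$1"
fi
```

The ordering matters because each nested item's signature must exist before the item that contains it is signed; sorting by path depth gives that without tracking the bundle tree by hand. The verification pair at the end is the cheap local check before the fuller Gatekeeper test Quinn points to.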