{"id":19678670,"url":"https://github.com/tillt/notarizer","last_synced_at":"2025-04-29T04:30:44.716Z","repository":{"id":149484063,"uuid":"237246677","full_name":"tillt/notarizer","owner":"tillt","description":"macOS notarization frontend","archived":false,"fork":false,"pushed_at":"2020-08-16T22:29:50.000Z","size":209,"stargazers_count":7,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-04-05T12:51:14.403Z","etag":null,"topics":["codesigning","macos","notarization","packaging"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/tillt.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-01-30T15:47:49.000Z","updated_at":"2021-11-04T17:08:26.000Z","dependencies_parsed_at":null,"dependency_job_id":"da038e7d-0fed-4512-b8b9-3df7769a5c73","html_url":"https://github.com/tillt/notarizer","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tillt%2Fnotarizer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tillt%2Fnotarizer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tillt%2Fnotarizer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tillt%2Fnotarizer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/tillt","download_url":"https://codeload.github.com/tillt/notarizer/tar.gz/refs/heads/master","
host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251432623,"owners_count":21588617,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["codesigning","macos","notarization","packaging"],"created_at":"2024-11-11T17:39:10.003Z","updated_at":"2025-04-29T04:30:44.710Z","avatar_url":"https://github.com/tillt.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# notarizer\n\nmacOS binary packaging and notarization frontend.\n\nDepends on the Xcode command line tools as well as [gon](https://github.com/mitchellh/gon), a tool that lets us poll the status of a notarization session easily. Wraps gon by adding the steps needed for codesigning the executables and packaging them into a macOS `pkg` installer.\n\nThe input is a tarball containing the files for distribution. The resulting macOS installer package is signed throughout and notarized. The notarization ticket is stapled to the package, so Gatekeeper can verify it without contacting Apple, which allows for airgapped installations.\n\n\n## Preparation\n\n### Application Specific Password\n\nThe password this document later refers to is not the developer account password as entered into the developer portal. 
Instead it is an application specific password, which can be created in the [Apple account management](https://appleid.apple.com/account/manage). Treat it like any other credential: whoever holds it can upload software for notarization under the account. Keep it in the keychain or in a CI secret store and export it into the `AC_PASSWORD` environment variable from there, rather than typing it literally on the command line, where it ends up in the shell history.\n\n### Code \u0026 Installer Signing Identity\n\nCheck whether the application and installer signing certificates were properly installed and get their names;\n\n```bash\nsecurity find-identity\n```\n\nOnly entries in the `Valid identities only` block are usable; an entry flagged `CSSMERR_TP_CERT_EXPIRED` has expired and must be renewed in the developer portal. The quoted string is the identity name that `-c` and `-p` expect later on, and the identifier in parentheses is the team ID.\n\nExample\n```\nPolicy: X.509 Basic\n Matching identities\n 1) 04061D266E3097D4FEC9682C48CC1676923CA72D \"Mac Developer: Till Toenshoff (359X484G5G)\" (CSSMERR_TP_CERT_EXPIRED)\n 2) 1CA595637509E3414FCBBC04CC70AF8A25CA3AE9 \"Developer ID Application: Till Toenshoff (YK4D72U3YW)\"\n 3) BB89DE48FF589E465081CB0FBBECB863F8424F31 \"Developer ID Installer: Till Toenshoff (YK4D72U3YW)\"\n 4) F55A517E699593F7CCBDBF8F2A9D78FD68ED44A5 \"Apple Development: Till Toenshoff (359X484G5G)\"\n 4 identities found\n\nValid identities only\n 1) 1CA595637509E3414FCBBC04CC70AF8A25CA3AE9 \"Developer ID Application: Till Toenshoff (YK4D72U3YW)\"\n 2) BB89DE48FF589E465081CB0FBBECB863F8424F31 \"Developer ID Installer: Till Toenshoff (YK4D72U3YW)\"\n 3) F55A517E699593F7CCBDBF8F2A9D78FD68ED44A5 \"Apple Development: Till Toenshoff (359X484G5G)\"\n 3 valid identities found\n```\n\n### iTunes Provider\n\nIf the signing developer account is a member of multiple developer teams, the provider is needed to identify the iTunes account / team. If the command below lists only one provider, the provider does not need to be specified later on. `DEVELOPER_ACCOUNT_USER` is the account user name used to log in at https://developer.apple.com.\n\nNote how we make use of an [Application Specific Password](#application-specific-password) here - provided as `AC_PASSWORD`. The short name in the listing is the team ID, the same identifier that appears in parentheses in the signing identities above.\n\n```bash\nxcrun iTMSTransporter -m provider -u DEVELOPER_ACCOUNT_USER -p AC_PASSWORD\n```\n\nExample\n```\nProvider listing:\n - Long Name - - Short Name -\n1 Mesosphere Inc. JQJDUUPXFN\n2 Till Toenshoff|1054576390 YK4D72U3YW\n```\n\n### gon\n\nMake sure you are using a gon version \u003e 0.2.2. 
At the time of writing the latest release is 0.2.2, which forces us to build the latest master version instead; support for the `provider` parameter was added in https://github.com/mitchellh/gon/commit/8fd67c663c53c0763b27eb9169ab3f5324cfcb75. Note that gon submits through Apple's `altool`, which Apple stopped accepting for notarization uploads in November 2023; `xcrun notarytool` is its replacement, so on current systems the upload step has to be adapted accordingly.\n\n## Usage\n\n|    | option                   | description - [default]                              |\n|----|--------------------------|------------------------------------------------------|\n| -a | --archive                | tarball containing all contents for distribution     |\n| -i | --app_id                 | unique application identifier, e.g. `org.foo.bar`    |\n| -v | --app_version            | application version                                  |\n| -c | --codesign_identity      | certificate identity usable for signing code         |\n| -p | --productsign_identity   | certificate identity usable for signing the installer |\n| -d | --destination            | installation destination folder - [\"/usr/local/bin\"] |\n| -u | --developer_account_user | apple developer account user name                    |\n| -r | --provider               | apple developer account team identifier - [\"\"]       
|\n| -o | --package_name           | output package name - [\"package\"]                    |\n| -h | --help                   |                                                      |\n\nMake sure you provide the [Application Specific Password](#application-specific-password) using the environment variable `AC_PASSWORD`.\n\nExample\n```bash\nAC_PASSWORD=XXXXX notarizer.sh \\\n    -a test.tar.gz \\\n    -i org.foo.bar \\\n    -v 0.0.1 \\\n    -c \"Developer ID Application: Till Toenshoff (YK4D72U3YW)\" \\\n    -p \"Developer ID Installer: Till Toenshoff (YK4D72U3YW)\" \\\n    -u tills@email.com \\\n    -r \"YK4D72U3YW\" \\\n    -o \"test\"\n```\n\nThe first steps will be processed quickly;\n- extracting the given tarball\n- signing all the executables found\n- packaging\n- signing the package\n\nThen comes the notarizing step which may take minutes or even hours, be very careful with tight timeouts. During notarizing, the process will frequently poll Apple's services for a result.\n\nThe output will end with something like this;\n```\n[...]\n2020-01-30T16:27:58.290+0100 [INFO]  notarize: notarization info: uuid=cf837823-63af-4e19-aaaf-700b711053b8 info=\"\u0026{cf837823-63af-4e19-aaaf-700b711053b8 2020-01-30 15:25:26 +0000 UTC b69e187699d6d4fb23f3a4c6b0a24010ef243c7e91c2c7679cd13229c552f404 https://osxapps-ssl.itunes.apple.com/itunes-assets/Enigma113/v4/7f/b1/c4/7fb1c4ea-1ed6-108c-3ca8-8db3fc0bc63b/developer_log.json?accessKey=1580592478_3772319710354698879_k8BNI0T0xSt33Seeyf5%2BwzUTJWX18tWozLqYGt%2F9gb5fTsCOgUyyCFTzmdKRw3KCltmHb10UDLNjaC9%2FPDc0oJc7ILMJRg9uPBvMe5VTvebINlI9VC10jRpAfi4i0riw8G8GibAD0sdSxAWtM7bOOyAeoZOPvcuhj2tGWCFTINY%3D success Package Approved}\"\n    Status: success\n2020-01-30T16:27:58.290+0100 [INFO]  downloading log file for notarization: request_uuid=cf837823-63af-4e19-aaaf-700b711053b8 
url=https://osxapps-ssl.itunes.apple.com/itunes-assets/Enigma113/v4/7f/b1/c4/7fb1c4ea-1ed6-108c-3ca8-8db3fc0bc63b/developer_log.json?accessKey=1580592478_3772319710354698879_k8BNI0T0xSt33Seeyf5%2BwzUTJWX18tWozLqYGt%2F9gb5fTsCOgUyyCFTzmdKRw3KCltmHb10UDLNjaC9%2FPDc0oJc7ILMJRg9uPBvMe5VTvebINlI9VC10jRpAfi4i0riw8G8GibAD0sdSxAWtM7bOOyAeoZOPvcuhj2tGWCFTINY%3D\n    File notarized!\n    Stapling...\n2020-01-30T16:27:59.351+0100 [INFO]  staple: executing stapler: file=/var/folders/66/mgr662nx7t90lspb7wjg8ctr0000gn/T/notarizer.e6pKWgtF/test.pkg command_path=/usr/bin/xcrun command_args=[xcrun, stapler, staple, /var/folders/66/mgr662nx7t90lspb7wjg8ctr0000gn/T/notarizer.e6pKWgtF/test.pkg]\n2020-01-30T16:27:59.734+0100 [INFO]  staple: stapling complete: file=/var/folders/66/mgr662nx7t90lspb7wjg8ctr0000gn/T/notarizer.e6pKWgtF/test.pkg\n    File notarized and stapled!\n\nNotarization complete! Notarized files:\n  - /var/folders/66/mgr662nx7t90lspb7wjg8ctr0000gn/T/notarizer.e6pKWgtF/test.pkg (notarized and stapled)\n```\n\nThe resulting package file should now be found in the directory the script was invoked from. Before shipping it, confirm on a clean machine that the stapled ticket is accepted offline, e.g. with `xcrun stapler validate test.pkg` and `spctl --assess --type install -vv test.pkg`.\n\nExample\n```\n-rw-r--r--  1 till staff 42518342 Jan 30 16:27 test.pkg\n```\n\n\n## Background\n\nNotarization currently appears to check only a few things. From Apple's page on common notarization issues (linked below) we can deduce what they are;\n\n\u003e The signature of the binary is invalid.\n\u003e The binary is not signed with a valid Developer ID certificate.\n\u003e The signature does not include a secure timestamp.\n\n- checks for proper signatures: every executable must be signed with a Developer ID certificate and carry a secure timestamp (`codesign --timestamp`), so that the signature stays verifiable after the certificate expires\n\n\u003e The executable requests the com.apple.security.get-task-allow entitlement.\n\n- checks that no debugging rights are embedded: `get-task-allow` lets a debugger attach to the process; Xcode sets it on debug builds, so a release build has to be signed without it\n\n\u003e The binary uses an SDK older than the 10.9 SDK.\n\u003e The executable does not have the hardened runtime enabled.\n\n- checks that the binary was built against the 10.9 SDK or newer and was signed with the hardened runtime (`codesign --options runtime`)\n    + the hardened runtime disables, unless explicitly re-enabled through entitlements, JIT compilation and other unsigned executable memory, code injection via `DYLD_*` environment variables and the loading of libraries signed by a different team; a plain command line tool rarely needs any of these exceptions\n\nNote that a notarization ticket can only be stapled to a bundle, a disk image or an installer package, not to a bare executable. That is why this project wraps command line tools into a `pkg`.\n\n\n## User Experience: Commandline Tools\n\n### macOS 10.15.3 (19D76)\n\n* Downloaded unsigned and unnotarized content, now trying to run\n    - Will not work at all\n\nThe user is told that the app comes from an unidentified developer and the only sensible option offered is to delete it.\n![Not even signed](site/images/raw_download.png)\n\n\n* Downloaded signed but unnotarized content, now trying to run\n    - Will not work at all\n\nThe user is informed that the app needs an update. Note that here we are not asked to delete it, which makes sense given that notarizing without stapling does not mutate the binary (or bundle);\n![Not notarized](site/images/signed_not_notarized.png)\n\n\n* Downloaded signed and notarized content (via ZIP or raw), now trying to run it\n    - Works when run from the terminal while connected to the internet, does **not** work when started from Finder. Finder bug?\n\nFinder will still claim an unknown developer source:\n![Notarized not stapled](site/images/notarized_not_stapled.png)\n\n\n* Downloaded signed, bundled, notarized and stapled content, installed that and now trying to run\n    - Works with and without internet connection, whether started from the terminal or from Finder.\n\nEverything behaves as expected in all scenarios. 
Nothing to show.\n\n\n## Links\n\n- [building-and-delivering-command-tools-for-catalina](https://eclecticlight.co/2019/06/13/building-and-delivering-command-tools-for-catalina/)\n- [teleport build system patch](https://github.com/gravitational/teleport/commit/a679d3e6b4c6d6a44c3ef1b5f58ad14fc53a2820)\n- [notarizing_macos_software_before_distribution](https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution?language=objc)\n- [resolving_common_notarization_issues](https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution/resolving_common_notarization_issues?language=objc)\n- [hardened_runtime_entitlements](https://developer.apple.com/documentation/security/hardened_runtime_entitlements?language=objc)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftillt%2Fnotarizer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftillt%2Fnotarizer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftillt%2Fnotarizer/lists"}
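The two lookups described under Preparation in the README above (picking the Developer ID identities for `-c` / `-p` out of `security find-identity`, and deciding from the iTMSTransporter provider listing whether `-r` is needed) are easy to get wrong by hand once a keychain holds an expired certificate or more than one team. The shell functions below do both from the tools' output. They are an added example and not part of tillt/notarizer; the identity and provider listings embedded in the script are constructed (fake hashes, fictitious teams `Example Corp` / `ABCDE12345` and `Other Team` / `ZZZZZ99999`), and on a Mac the real output of `security find-identity -v -p codesigning` and `xcrun iTMSTransporter -m provider ...` would be piped in instead.

```shell
#!/bin/sh
# Added example, not code from tillt/notarizer: resolve the values for the
# -c, -p and -r options from the output of the two preparation commands,
# so that a build script never hand-copies a certificate name or guesses
# the provider. Both listings below are constructed for this example
# (fake hashes, fictitious teams); on a Mac pipe in the real output of
#   security find-identity -v -p codesigning
#   xcrun iTMSTransporter -m provider -u USER -p "$AC_PASSWORD"

SAMPLE_IDENTITIES='Policy: X.509 Basic
  Matching identities
  1) 0000000000000000000000000000000000000001 "Developer ID Application: Example Corp (ABCDE12345)" (CSSMERR_TP_CERT_EXPIRED)
  2) 0000000000000000000000000000000000000002 "Developer ID Application: Example Corp (ABCDE12345)"
  3) 0000000000000000000000000000000000000003 "Developer ID Installer: Example Corp (ABCDE12345)"
  4) 0000000000000000000000000000000000000004 "Developer ID Installer: Other Team (ZZZZZ99999)"
  5) 0000000000000000000000000000000000000005 "Apple Development: Example Corp (ABCDE12345)"
     5 identities found

  Valid identities only
  1) 0000000000000000000000000000000000000002 "Developer ID Application: Example Corp (ABCDE12345)"
  2) 0000000000000000000000000000000000000003 "Developer ID Installer: Example Corp (ABCDE12345)"
  3) 0000000000000000000000000000000000000004 "Developer ID Installer: Other Team (ZZZZZ99999)"
  4) 0000000000000000000000000000000000000005 "Apple Development: Example Corp (ABCDE12345)"
     4 valid identities found'

SAMPLE_PROVIDERS='Provider listing:
   - Long Name -   - Short Name -
1  Example Corp    ABCDE12345
2  Other Team      ZZZZZ99999'

# pick_identity KIND [TEAM_ID]  (reads a find-identity listing on stdin)
# KIND is Application or Installer. Only the "Valid identities only" block
# is searched, so an expired certificate (CSSMERR_TP_CERT_EXPIRED) is never
# chosen. Prints the quoted identity name exactly as -c / -p expect it.
# Fails when nothing matches or when more than one identity matches, which
# happens with several teams in the keychain and no TEAM_ID given.
pick_identity() {
    team=""
    if [ -n "${2:-}" ]; then team="($2)\""; fi
    awk -v prefix="\"Developer ID $1: " -v team="$team" '
        /Valid identities only/ { valid = 1; next }
        valid && index($0, prefix) && (team == "" || index($0, team)) {
            match($0, /"[^"]*"/)
            print substr($0, RSTART + 1, RLENGTH - 2)
            n++
        }
        END { exit (n == 1 ? 0 : 1) }
    '
}

# team_of IDENTITY_NAME: the 10-character team ID in the trailing parentheses.
team_of() {
    printf '%s\n' "$1" | sed -n 's/.*(\([A-Z0-9]\{10\}\))$/\1/p'
}

# provider_arg TEAM_ID  (reads the iTMSTransporter provider listing on stdin)
# Prints the value for -r, or nothing when the account belongs to a single
# team and -r can be left out. Fails when TEAM_ID is not one of the teams.
provider_arg() {
    awk -v team="$1" '
        $1 ~ /^[0-9]+$/ { n++; if ($NF == team) seen = 1 }
        END { if (!seen) exit 1; if (n > 1) print team }
    '
}

# signing_identities [TEAM_ID]  (reads a find-identity listing on stdin)
# Resolves both identities and refuses to continue unless they belong to
# the same team: with two teams in one keychain a mismatch is otherwise
# silent and the package ships under the wrong team's name.
signing_identities() {
    listing=$(cat)
    app=$(printf '%s\n' "$listing" | pick_identity Application "${1:-}") || return 1
    pkg=$(printf '%s\n' "$listing" | pick_identity Installer "${1:-}") || return 1
    [ "$(team_of "$app")" = "$(team_of "$pkg")" ] || return 1
    printf 'codesign_identity=%s\nproductsign_identity=%s\n' "$app" "$pkg"
}

# Stand-alone run against the constructed listings.
printf '%s\n' "$SAMPLE_IDENTITIES" | signing_identities ABCDE12345
printf 'provider=%s\n' "$(printf '%s\n' "$SAMPLE_PROVIDERS" | provider_arg ABCDE12345)"
```

Run without a team ID, `signing_identities` fails on the constructed listing because two teams own a `Developer ID Installer` certificate; that failure is the point, since a script that silently takes the first match would sign the installer for the wrong team.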
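Because a rejected submission costs the whole notarization round trip described under Usage (minutes to hours of polling), it pays to check locally for the rejection reasons listed under Background before anything is uploaded. The pre-flight check below is an added example and not code from tillt/notarizer. It reads the output of `codesign -dvv` and of `codesign -d --entitlements :-`; the line layout it relies on (`Authority=`, `Timestamp=`, `CodeDirectory ... flags=...(runtime)`, the entitlements plist) is that of those two commands, and both sample outputs are constructed: a release build signed with Developer ID, secure timestamp and hardened runtime, and a local debug build with an ad-hoc signature and the `get-task-allow` entitlement still set.

```shell
#!/bin/sh
# Added example, not code from tillt/notarizer: check a signed binary for the
# four rejection reasons listed in the README's Background section before
# uploading, so that a rejected build does not cost a whole notarization
# round trip. On a Mac the two inputs are
#   codesign -dvv "$bin" 2>&1
#   codesign -d --entitlements :- "$bin" 2>/dev/null
# and the line layout assumed below is theirs. Both sample outputs here are
# constructed (fictitious team, path and sizes).

# A release build: Developer ID signature, secure timestamp, hardened runtime.
GOOD_CODESIGN='Executable=/tmp/build/usr/local/bin/foo
Identifier=org.foo.bar
Format=Mach-O thin (x86_64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+2 location=embedded
Signature size=8980
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=30 Jan 2020 at 16:27:58
Info.plist=not bound
TeamIdentifier=ABCDE12345
Runtime Version=10.15.0
Sealed Resources=none'

GOOD_ENTITLEMENTS='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
</dict>
</plist>'

# A local debug build: ad-hoc signature, no timestamp, hardened runtime off,
# and the debugging entitlement still embedded.
BAD_CODESIGN='Executable=/tmp/build/usr/local/bin/foo
Identifier=org.foo.bar
Format=Mach-O thin (x86_64)
CodeDirectory v=20400 size=1234 flags=0x2(adhoc) hashes=30+2 location=embedded
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none'

BAD_ENTITLEMENTS='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.get-task-allow</key>
    <true/>
</dict>
</plist>'

# notarization_preflight CODESIGN_OUTPUT ENTITLEMENTS_PLIST
# Prints one line per problem, worded like the list quoted under Background.
# The exit status is the number of problems found (0 = ready to upload).
notarization_preflight() {
    sig=$1 ent=$2 problems=0
    if ! printf '%s\n' "$sig" | grep -q '^Authority=Developer ID Application: '; then
        echo 'The binary is not signed with a valid Developer ID certificate.'
        problems=$((problems + 1))
    fi
    # codesign prints a Timestamp= line only when the signature carries a
    # secure timestamp; an ad-hoc or untimestamped signature has none.
    if ! printf '%s\n' "$sig" | grep -q '^Timestamp='; then
        echo 'The signature does not include a secure timestamp.'
        problems=$((problems + 1))
    fi
    # The hardened runtime is the "runtime" bit in the CodeDirectory flags,
    # e.g. flags=0x10000(runtime) or flags=0x12000(library-validation,runtime).
    if ! printf '%s\n' "$sig" | grep -q '^CodeDirectory .*flags=0x[0-9a-f]*([^)]*runtime'; then
        echo 'The executable does not have the hardened runtime enabled.'
        problems=$((problems + 1))
    fi
    # Only a <true/> directly after the key counts; <false/> is harmless.
    if printf '%s\n' "$ent" | awk '
        /<key>com\.apple\.security\.get-task-allow<\/key>/ { want = 1; next }
        want && /<true\/>/ { found = 1 }
        { want = 0 }
        END { exit (found ? 0 : 1) }'; then
        echo 'The executable requests the com.apple.security.get-task-allow entitlement.'
        problems=$((problems + 1))
    fi
    return $problems
}

# Stand-alone run against the constructed samples.
echo 'release build:'
notarization_preflight "$GOOD_CODESIGN" "$GOOD_ENTITLEMENTS" && echo '  ready to upload'
echo 'debug build:'
notarization_preflight "$BAD_CODESIGN" "$BAD_ENTITLEMENTS" || echo "  $? problem(s), do not upload"
```

Wired into a build, the function would run over every executable extracted from the tarball right after the signing step and abort before the upload when it returns non-zero; the messages use Apple's wording so they can be matched against the log lines the notarization service would otherwise produce hours later.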