xcode macos notarize

What is the most efficient way to notarize and staple a .zip containing a .app?


Currently, an .app/ folder can't be submitted for notarization and must be packaged first. On the other hand, a ticket can't be stapled to a .zip after notarization is successful (Apple Documentation).

This creates a process as below:

  1. Build the application
  2. Zip the .app/
  3. Submit the .zip for notarization
  4. Unzip the .zip
  5. Staple the ticket to the .app/
  6. Re-zip the .app/ for distribution

Our specific use case is that our application will initially be installed by users from a .dmg while subsequent updates are downloaded through .zip. Notarizing the .dmg is very straightforward. Zipped contents are another story.

Is there a more efficient method than the steps above?


Solution

  • No Dan, you've got it. Your use case is similar to mine and that's how I do it. In my case I'm distributing a .pkg that comprises an app, an uninstaller, a couple of kernel extensions, but the concept is the same for just an app. By the way, like your dmg, I'm distributing the pkg for downloads but then zipping that pkg for Sparkle updates.

    The process only seems bizarre until you think of the zip file as a way of packaging and submitting the app bundle. You want to notarize the app and staple the resulting notarization to the app bundle. You do it like this:

    For more convenience: if you do this in a makefile, the make can automatically wait for the notarizations before stapling. I do it like this:

    notarizationRequestID=$(shell xcrun altool --notarize-app \
                                       --primary-bundle-id com.mycompany.appID \
                                       --username $(DEV_USERNAME) \
                                       --password $(DEV_PASSWORD) \
                                       --asc-provider $(DEV_PROVIDER) \
                                       --file myApp.app.zip \
                  | awk '/RequestUUID/ { print $$NF; }') ;\
    
    while ! xcrun altool --notarization-info $$notarizationRequestID \
                         --username $(DEV_USERNAME) \
                         --password $(DEV_PASSWORD) \
                         --asc-provider $(DEV_PROVIDER) \
                         --output-format xml \
                  | grep -q 'https://osxapps-ssl.itunes.apple.com/itunes-assets' ;\
        do sleep 5 ;\
        echo "." ;\
    done ;\
    

    If you're distributing an update via Sparkle, you'll also need to gather the app cast metadata so you can paste it into your app cast.xml. At the end of the makefile:

    @echo "——————————————————————————————————"
    @echo "  Results for Sparkle Update XML  "
    @echo "——————————————————————————————————"
    @echo
    @echo "version:           " `defaults read myApp.app/Contents/Info CFBundleVersion`
    @echo "shortVersionString:" `defaults read myApp.app/Contents/Info CFBundleShortVersionString`
    @echo "dsaSignature:      " `$(MyAppSource)/Libraries/Sparkle/bin/sign_update myAppInstaller.pkg.zip $(MyAppSource)/Resources/UpdateSigningKeys/dsa_priv.pem`
    @echo "length:            " `stat -f%z "myApp.pkg"`
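
The polling step above, as an added example that is not part of the original answer: instead of waiting for the log URL to appear, it waits for altool's `Status:` line and returns non-zero when the submission is rejected or never completes, so the build stops before stapling. The function names, the sample output and the assumed `Status:` values (`in progress`, `success`, `invalid`) are illustrative assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original answer. Function names are hypothetical.
# Assumption: altool's plain-text --notarization-info output has a "Status:"
# line whose value is "in progress", "success" or "invalid".

# Constructed sample of that output (placeholder UUID and URL).
SAMPLE_INFO='   RequestUUID: 00000000-0000-0000-0000-000000000000
    LogFileURL: https://example.invalid/notarization-log.json
        Status: invalid
   Status Code: 2
Status Message: Package Invalid'

# Print the value of the "Status:" line (not "Status Code:" / "Status Message:").
notarization_status() {
  awk -F': *' '/^[ \t]*Status:/ { print $2; exit }'
}

# Poll until a terminal state is reached.
#   $1 = command that prints the info text, e.g. a function wrapping
#        xcrun altool --notarization-info "$uuid" --username "$DEV_USERNAME" \
#              --password "@env:DEV_PASSWORD"
#   $2 = max polls (default 120), $3 = seconds between polls (default 5)
# Returns 0 on success, 1 on invalid, 2 on timeout.
wait_for_notarization() {
  local fetch=$1 tries=${2:-120} delay=${3:-5} status
  while [ "$tries" -gt 0 ]; do
    status=$("$fetch" | notarization_status)
    case "$status" in
      success)       return 0 ;;
      invalid)       return 1 ;;
      "in progress") ;;
      *) echo "unrecognised status: '$status'" >&2 ;;
    esac
    tries=$((tries - 1))
    sleep "$delay"
  done
  return 2
}

# Staple to the bundle that was zipped for submission, verify, then re-zip.
staple_and_rezip() {
  local app=$1 zip=$2
  xcrun stapler staple "$app" &&
    xcrun stapler validate "$app" &&
    ditto -c -k --keepParent "$app" "$zip"
}
```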