
Notarize apps for MacOS

While FileMaker runtimes are deprecated, they are still a great tool for giving away a test copy of your fabulous solution. Apple now recommends that you notarize your app. This goes a step further than normal code signing, as the app is actually uploaded to a test system which scans it for malware. It looks like this may be required next year for apps to launch without a warning dialog.

The following steps work for us with test.app on the Desktop. File paths, names, bundle IDs and Apple IDs will be different for you:
  1. Install Xcode and run it once to get the command line tools installed.
  2. Build a runtime app in FileMaker Pro Advanced.
  3. Adapt our SignScript FM 17 (included with MBS Plugin download).
    Please change the name of the certificate, the path and the name of the app. On the codesign lines, please add --options runtime as command line parameters after the -f parameter. Run the script and watch for the last lines saying accepted and Developer ID.
  4. Next, build a disk image, either with a GUI app or simply via Terminal with the right path:
    /usr/bin/hdiutil create -imagekey zlib-level=9 -srcfolder /Users/cs/Desktop/Test -fs HFS+ -volname Test /Users/cs/Desktop/Test.dmg
  5. Sign the disk image, e.g. via Terminal:
    codesign -f -vvvv -s "Developer ID Application: Christian Schmitz Software GmbH" /Users/cs/Desktop/Test.dmg
  6. Notarize the app. Run xcrun in Terminal. The bundle ID is found in the Info.plist file of the runtime app inside the bundle. Please pass your own Apple ID for your Apple developer account here:
    xcrun altool --notarize-app -f /Users/cs/Desktop/Test.dmg --primary-bundle-id com.filemaker.client.runtime12.test -u Developer@monkeybreadsoftware.de -p @keychain:"Application Loader: Developer@monkeybreadsoftware.de"
    This may take a while and returns a RequestUUID.
  7. Wait for an email from Apple or periodically check the status of the notarization until it has completed. Please put in your Apple ID again and the request UUID from above.
    xcrun altool --notarization-info 193b7ad2-36e1-45d5-880c-c297250f77b2 -u Developer@monkeybreadsoftware.de -p @keychain:"Application Loader: Developer@monkeybreadsoftware.de"
    It may take a while until this tool returns success, and you can run it several times. Otherwise you get an email when the app is done. Once done, you get Package Approved in the call above. If you don't have the password in the keychain, you can alternatively create an application-specific password and put it after the -p parameter as its value.
  8. Add the staple ticket to the dmg:
    xcrun stapler staple -v /Users/cs/Desktop/Test.dmg
    This will add the notarization to the disk image.
  9. Now you can test the final app in the disk image:
    spctl -a -v /Applications/test.app
    On 10.13.6 this shows only "source=Developer ID", but on 10.14 it shows "source=Notarized Developer ID", so it worked!
If you followed all steps and got the paths, Apple ID, bundle ID and file names right, your app should show the notarized state and run without a warning dialog on macOS 10.14 Mojave.
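
Steps 6 to 8 as one script, an added example that is not part of the original post or of the MBS SignScript: it pulls the RequestUUID out of the upload output, polls --notarization-info until the Status field is no longer "in progress", and staples only after "success". The function names, the script name notarize-wait.sh, the 30-second interval and the assumption that altool's text output carries "RequestUUID" and "Status:" lines with the values "in progress" and "success" are mine.

```sh
#!/bin/sh
# Added example. Field names are assumed to match altool's text output.

# Read `altool --notarize-app` output on stdin, print the RequestUUID.
request_uuid() {
    sed -n 's/^[[:space:]]*RequestUUID[[:space:]]*[=:][[:space:]]*\([0-9A-Fa-f-]\{36\}\).*$/\1/p' | head -n 1
}

# Read `altool --notarization-info` output on stdin, print the Status field.
# "Status Code:" and "Status Message:" lines are deliberately not matched.
notarization_status() {
    sed -n 's/^[[:space:]]*Status:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' | head -n 1
}

# 0 = approved, 2 = not finished (or no status yet), 1 = rejected.
classify_status() {
    case "$1" in
        success) return 0 ;;
        "in progress"|"") return 2 ;;
        *) return 1 ;;
    esac
}

# Poll every 30 s (bounded), then staple and validate the ticket.
wait_and_staple() {
    dmg=$1; apple_id=$2; uuid=$3; tries=${4:-40}
    while [ "$tries" -gt 0 ]; do
        info=$(xcrun altool --notarization-info "$uuid" -u "$apple_id" \
            -p "@keychain:Application Loader: $apple_id" 2>&1) || true
        rc=0
        classify_status "$(printf '%s\n' "$info" | notarization_status)" || rc=$?
        case $rc in
            0) xcrun stapler staple -v "$dmg" && xcrun stapler validate "$dmg"
               return ;;
            1) printf 'notarization rejected:\n%s\n' "$info" >&2; return 1 ;;
        esac
        tries=$((tries - 1)); sleep 30
    done
    echo "gave up waiting for $uuid" >&2; return 1
}

# Usage (hypothetical script name): notarize-wait.sh <dmg> <apple-id> <request-uuid>
if [ "$#" -ge 3 ]; then wait_and_staple "$@"; fi
```

Stapling before the status reads success fails because no ticket exists yet, which is why the script gates the stapler call on the parsed status rather than on a fixed delay.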

MBS is available for paid support to help you get your app notarized if needed.
02 11 18 - 10:08