Xojo2DMG questions

@jotter, a couple of quick questions about Xojo2DMG, if you don't mind:

  1. When the code is initially signed (the .app bundle), is this done to a temporary copy, or to the original .app bundle itself? (i.e. is the original app that Xojo compiled & built signed?)

  2. Once the .dmg is built, both the app on it and the .dmg are signed (correct?)

The reason I ask is that I think, for the way the app is being built, I'll need the signed .app bundle so it can be set up as an updater for Kaju AND the signed DMG for brand-new installs.

Hope that makes sense?

  3. Oh, and doesn't Apple say much more than “failed” if notarization fails?

It looks like the answer to #1 is that it's code-signed in place, then packaged into the DMG.

The way GitHub: jo-tools/xojo2dmg does it:

  1. Xojo builds the .app
  2. xojo2dmg.sh is launched via PostBuildScript
    1. Cleans up the built .app
    2. CodeSigns the .app
    3. Puts the .app into a (customizable) .dmg
    4. CodeSigns the .dmg
    5. Sends the .dmg to Apple Notarization
    6. Once Notarization is OK:
    7. Staples the Notarization Ticket to the .dmg
    8. Staples the Notarization Ticket to the .app
    9. Creates a .zip of the .app (which now contains the Notarization info)

and doesn't Apple say much more than “failed” if notarization fails

As far as I remember… you get some GUID/ID, and with a Terminal command you can get the more detailed information.
Something along these lines:

xcrun notarytool log "${NOTARYTOOL_REQUEST_ID}" --keychain-profile "${NOTARYTOOL_KEYCHAIN_PROFILE}" 2>&1 | tee "${APP_NOTARIZATION_LOG}"


Yup.
I don't make a temporary copy.
I prep the built .app right away. For all the steps, see above (or read along the comments in xojo2dmg.sh in the GitHub repo).


Not quite :wink:
The .app is signed before being put into the .dmg.

That’s how we’re doing it, yes.
We upload the .zip (containing the .app with the stapled Notarization ticket) for our own Update mechanism. And provide the .dmg (with stapled Notarization ticket) on the Download Page for “new installs”.

OK, so I just need to sort out why notarization is failing and things should be good!

That's why xojo2dmg.sh writes the retrieved log of a failed Notarization attempt to a file (see command above).
Long time ago I last had to look at such a Notarization Log :wink: But as far as I remember it points out quite well where the issue(s) are.

Hmmmm, a bunch of errors like:

 "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "Dashboard Beta.dmg/Dashboard.app/Contents/Frameworks/AppearancePakCocoa.dylib",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
      "architecture": "x86_64"
    },

Plugins don't get signed or re-signed?

Hmmmm… it seems the dylibs and the main app itself aren't, which is curious, as

codesign -vvv --deep --strict <app>

says it's all signed OK.

only notarization is giving the errors

:thinking:
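To read a log like the one above more quickly, here is an added example (not part of the post and not xojo2dmg.sh) that condenses the "issues" array of a notarytool log: it keeps only the "error" entries, collapses the duplicate that each binary gets per architecture, and groups the remaining paths by message. The sample log it parses is constructed from the excerpt in the post (the extra paths and the warning entry are invented for the example), and the awk relies on notarytool's pretty-printed layout with one key per line and severity listed before path and message; it is not a general JSON parser.

```shell
#!/bin/sh
# Added example, not from the thread or from xojo2dmg.sh: summarize the "issues"
# array of a notarytool log. Assumes notarytool's one-key-per-line JSON layout
# (severity, then path, then message per issue), as in the excerpt in the post.
set -eu

write_sample_log() {
  # Constructed sample modelled on the post's excerpt: the same binary appears once
  # per architecture, plus one invented non-error entry to exercise the filter.
  cat > "$1" <<'EOF'
{
  "logFormatVersion": 1,
  "status": "Invalid",
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "Dashboard Beta.dmg/Dashboard.app/Contents/Frameworks/AppearancePakCocoa.dylib",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "Dashboard Beta.dmg/Dashboard.app/Contents/Frameworks/AppearancePakCocoa.dylib",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "architecture": "arm64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "Dashboard Beta.dmg/Dashboard.app/Contents/MacOS/Dashboard",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "architecture": "x86_64"
    },
    {
      "severity": "warning",
      "code": null,
      "path": "Dashboard Beta.dmg/Dashboard.app/Contents/MacOS/Dashboard",
      "message": "Constructed warning entry for this example (not a blocker).",
      "architecture": "x86_64"
    }
  ]
}
EOF
}

summarize_notarization_issues() {
  # $1 = notarytool log file. Prints each distinct error message once, with the
  # number of distinct binaries it applies to, followed by those paths.
  awk -F'"' '
    /"severity":/ { sev = $4 }
    /"path":/     { path = $4 }
    /"message":/  {
      if (sev != "error") next              # warnings do not block notarization
      msg = $4
      if (!((msg, path) in seen)) {         # collapse the per-architecture duplicates
        seen[msg, path] = 1
        count[msg]++
        paths[msg] = paths[msg] "\n  " path
      }
    }
    END { for (m in count) printf "%s (%d binaries)%s\n", m, count[m], paths[m] }
  ' "$1"
}

count_binaries_for() {
  # $1 = log file, $2 = exact error message; prints how many distinct binaries it hits.
  summarize_notarization_issues "$1" | sed -n "s/^$2 (\([0-9]*\) binaries)$/\1/p"
}

if [ $# -eq 1 ]; then summarize_notarization_issues "$1"; fi
```

Run it with the path of the log that `xcrun notarytool log` wrote as its only argument; on the sample above it reports the Developer ID message once, with the two affected binaries listed under it, which is a quicker way to see that every plugin dylib and the main executable need re-signing than scrolling through one entry per architecture.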

Don't use --deep… you need to sign all the bits individually.


Does this mean you’re doing the Codesigning with the Xojo IDE?

I don’t know what Xojo’s own “Sign” step internally does (or doesn’t)… I certainly don’t trust it :wink:

That’s why xojo2dmg.sh overwrites all included .dylibs and .frameworks again explicitly (so it needs to be placed after Xojo’s Sign Build Step)
…then you know what you have signed (and how) - and that everything has been signed by the very same Developer ID.
See lines 392 - 406 of xojo2dmg.sh

Alright, the real reason is that Xojo2DMG existed before Xojo added its own version of codesigning, so it had to do it all by itself :wink:

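The nine-step sequence listed earlier in the thread (clean, sign the .app, sign the .dmg, notarize, staple both, zip) and the advice in the last two replies to sign every dylib and framework explicitly instead of trusting a `--deep` verification, as an added shell example. This is not xojo2dmg.sh and not code from the thread; the signing identity, the keychain profile name, the DRY_RUN switch and the run/capture helpers are hypothetical, and the .dmg is assumed to exist already (the hdiutil step is not shown). DRY_RUN=1 records the commands instead of executing them, so the flow can be exercised on a machine without Xcode.

```shell
#!/bin/sh
# Added example, not xojo2dmg.sh itself: sign a Xojo-built .app inside-out, sign the
# .dmg, notarize it, staple both, and zip the stapled .app for an updater.
# Hypothetical names/assumptions: SIGN_IDENTITY, NOTARYTOOL_KEYCHAIN_PROFILE, the
# DRY_RUN switch and the run/capture helpers; creating the .dmg (hdiutil) is not shown.
set -eu

DRY_RUN="${DRY_RUN:-0}"                       # 1 = record commands instead of running them
SIGN_IDENTITY="${SIGN_IDENTITY:-Developer ID Application: Example Corp (TEAMID1234)}"
NOTARYTOOL_KEYCHAIN_PROFILE="${NOTARYTOOL_KEYCHAIN_PROFILE:-AC_PASSWORD}"
COMMAND_LOG="${COMMAND_LOG:-$(mktemp)}"       # one line per command issued, in order

run() {
  printf '%s\n' "$*" >> "$COMMAND_LOG"
  if [ "$DRY_RUN" = "1" ]; then printf '[dry-run] %s\n' "$*"; else "$@"; fi
}

capture() {
  # $1 receives the command's stdout; in dry-run a canned notarytool reply is
  # written so the ID/status parsing can be exercised without Xcode.
  capture_out="$1"; shift
  printf '%s\n' "$*" >> "$COMMAND_LOG"
  if [ "$DRY_RUN" = "1" ]; then
    echo '{"id":"00000000-0000-0000-0000-000000000000","status":"Accepted"}' > "$capture_out"
  else
    "$@" > "$capture_out"
  fi
}

nested_code() {
  # Dylibs (Xojo plugins land here) and frameworks directly under Contents/Frameworks,
  # one path per line, sorted so the signing order is deterministic.
  [ -d "$1/Contents/Frameworks" ] || return 0
  find "$1/Contents/Frameworks" \( -name '*.dylib' -o -name '*.framework' \) -prune -print | sort
}

sign_item() {
  # --force replaces any signature already present (e.g. from Xojo's own Sign step);
  # --timestamp and the hardened runtime (--options runtime) are notarization requirements.
  run codesign --force --timestamp --options runtime --sign "$SIGN_IDENTITY" "$1"
}

sign_app_inside_out() {
  # Nested code first, bundle last: signing the .app signs Contents/MacOS/<main> and
  # seals the bundle contents, so anything re-signed afterwards would break that seal.
  nested_code "$1" | while IFS= read -r item; do sign_item "$item"; done
  sign_item "$1"
}

has_developer_id() {
  # codesign --verify (even with --deep --strict) passes for any valid signature,
  # ad-hoc included; notarization insists on Developer ID, so check the Authority
  # line of the binary itself. Needs the real codesign, so skipped in dry-run.
  [ "$DRY_RUN" = "1" ] && return 0
  codesign -dvv "$1" 2>&1 | grep -q '^Authority=Developer ID Application'
}

check_developer_id_everywhere() {
  nested_code "$1" | while IFS= read -r item; do has_developer_id "$item" || exit 1; done
  has_developer_id "$1"
}

notarize_and_staple() {
  # $1 = .dmg, $2 = .app inside it, $3 = file that receives the detailed notarization log
  reply="$(mktemp)"
  sign_item "$1"
  capture "$reply" xcrun notarytool submit "$1" --keychain-profile "$NOTARYTOOL_KEYCHAIN_PROFILE" --wait --output-format json
  id="$(sed -n 's/.*"id" *: *"\([^"]*\)".*/\1/p' "$reply" | head -n 1)"
  status="$(sed -n 's/.*"status" *: *"\([^"]*\)".*/\1/p' "$reply" | head -n 1)"
  # Fetch the detailed log unconditionally: on "Invalid" its "issues" array names every
  # rejected binary and the reason, which the bare "failed" summary hides.
  run xcrun notarytool log "$id" --keychain-profile "$NOTARYTOOL_KEYCHAIN_PROFILE" "$3"
  [ "$status" = "Accepted" ] || { echo "notarization status: $status, see $3" >&2; return 1; }
  run xcrun stapler staple "$1"
  run xcrun stapler staple "$2"
}

zip_for_updater() {
  # ditto is what Apple recommends for archiving bundles (layout and metadata kept
  # intact); the stapled ticket travels inside the .app within the zip.
  run ditto -c -k --sequesterRsrc --keepParent "$1" "$2"
}

release_pipeline() {
  # $1 = built .app, $2 = .dmg that already contains it
  sign_app_inside_out "$1"
  run codesign --verify --strict --verbose=2 "$1"
  check_developer_id_everywhere "$1"
  notarize_and_staple "$2" "$1" "${2%.dmg}.notarization.log"
  zip_for_updater "$1" "${1%.app}.zip"
}

if [ $# -eq 2 ]; then release_pipeline "$1" "$2"; fi
```

Invoke it as `release_pipeline.sh Build/Dashboard.app Build/Dashboard.dmg` after the .dmg has been created. The point of `has_developer_id` is the situation described in the thread: `codesign --verify --deep --strict` only tells you that signatures are present and consistent, not who issued them, so an app signed with the wrong certificate type verifies cleanly locally and is then rejected by Apple.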

Nope, not using the IDE to sign.
I was wondering if the first part of Xojo2DMG signed the app and its internals,
which you confirmed.

I think I know why I'm having issues, though.
Probably the WRONG kind of certificate for what I need to do.

I’ll check that tomorrow

Not SIGNING deep.
This just checks to see if the signature is applied properly.