@jotter a couple quick questions about Xojo2DMG if you don't mind
when the code is initially signed (the .app bundle) is this done to a temporary copy? or the original .app bundle itself? (i.e. is the original app that Xojo compiled & built signed?)
once the dmg is built both the app on it & the dmg are signed (correct?)
reason I ask is that I think, for the way the app is being built, I’ll need the signed APP bundle so it can be set up as an updater for Kaju AND the signed DMG for brand new installs
Hope that makes sense?
oh and doesn't Apple say much more than “failed” if notarization fails?
Yup.
I don’t make a temporary copy.
Prep the built .app right away. For all steps see above (or read along the comments in xojo2dmg.sh in the GitHub Repo).
Not quite
The .app is signed before being put into the .dmg.
That’s how we’re doing it, yes.
We upload the .zip (containing the .app with the stapled Notarization ticket) for our own Update mechanism. And provide the .dmg (with stapled Notarization ticket) on the Download Page for “new installs”.
That’s why xojo2dmg.sh writes the retrieved Log of a failed Notarization attempt to a file (see command above).
It’s a long time ago that I last had to look at such a Notarization Log. But as far as I remember it points out quite well where the issue(s) are.
"issues": [
    {
        "severity": "error",
        "code": null,
        "path": "Dashboard Beta.dmg/Dashboard.app/Contents/Frameworks/AppearancePakCocoa.dylib",
        "message": "The binary is not signed with a valid Developer ID certificate.",
        "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
        "architecture": "x86_64"
    },
plugins don't get signed or re-signed?
hmmmm … seems the dylibs & main app itself aren't, which is curious as
Does this mean you’re doing the Codesigning with the Xojo IDE?
I don’t know what Xojo’s own “Sign” step internally does (or doesn’t)… I certainly don’t trust it
That’s why xojo2dmg.sh overwrites all included .dylibs and .frameworks again explicitly (so it needs to be placed after Xojo’s Sign Build Step)…
…then you know what you have signed (and how) - and that everything has been signed by the very same Developer ID. See lines 392 - 406 of xojo2dmg.sh
Alright - the real reason is that Xojo2DMG existed before Xojo added their own version of codesigning, so it had to do it all by itself
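The re-signing step discussed above, as an added example (not xojo2dmg.sh itself and not part of this thread): every nested .dylib and .framework in the built .app is overwritten with one Developer ID, innermost first, then the .app is signed and verified. The identity string and paths are placeholders you supply; set CODESIGN=echo to dry-run.

```shell
#!/bin/sh
# Added example, not xojo2dmg.sh: after Xojo's own Sign step, re-sign every
# nested .dylib/.framework in the built .app with ONE Developer ID (innermost
# first), sign the .app itself, then verify. Identity name is a placeholder.
set -eu

CODESIGN="${CODESIGN:-codesign}"   # set CODESIGN=echo for a dry run
SPCTL="${SPCTL:-spctl}"

# Nested code, deepest path first: inner code must be sealed before the
# bundle that contains it, otherwise the outer seal no longer matches.
list_nested_code() {
    find "$1/Contents" \( -name '*.dylib' -o -name '*.framework' \) -print \
        | awk -F/ '{ print NF, $0 }' | sort -rn | cut -d' ' -f2-
}

# --force overwrites whatever signature is already there, so afterwards you
# know everything carries the same identity; --options runtime (hardened
# runtime) and --timestamp are what notarization expects.
sign_all() {
    app="$1"; identity="$2"
    list_nested_code "$app" | while IFS= read -r item; do
        "$CODESIGN" --force --options runtime --timestamp --sign "$identity" "$item"
    done
    "$CODESIGN" --force --options runtime --timestamp --sign "$identity" "$app"
}

# Strict verification of the whole bundle, then Gatekeeper's own assessment.
verify_app() {
    "$CODESIGN" --verify --deep --strict --verbose=2 "$1"
    "$SPCTL" --assess --type execute --verbose "$1"
}

if [ "$#" -ge 2 ]; then
    sign_all "$1" "$2"
    verify_app "$1"
fi
```

Run it as `sh resign.sh "Dashboard.app" "Developer ID Application: Your Name (TEAMID)"` with your own identity; an unsigned plugin dylib like the one in the notarization log above would be caught by the verify step before upload.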