akeru-inc / Xcnotary

Licence: MIT
the missing macOS app notarization helper, built with Rust

About

Notarizing a macOS app involves a series of manual steps, including zipping a bundle, uploading it to Apple, and polling the notarization service until a verdict comes back.

xcnotary automates these steps for you. It:

  • Fails fast where it can, performing several code signing checks on the target before uploading it to Apple.
  • Zips the input if it is an .app bundle.
  • Submits the input to the notarization service and polls until completion. This step typically takes a few minutes.
  • On success, staples the notarization ticket to the target, so the app passes Gatekeeper on first run even without an Internet connection.
  • On failure, fetches the error log from Apple and writes it to stderr.
  • Returns a zero/non-zero exit code for easy CI integration.

Installation

Homebrew

# Install
brew install akeru-inc/tap/xcnotary

# Upgrade
brew update
brew upgrade akeru-inc/tap/xcnotary

Usage

To perform various code signing checks on the input without submitting:

xcnotary precheck <input path>

To perform code signing checks, submit to the notarization service, and block waiting for response:

xcnotary notarize <input path> \
  --developer-account <Apple Developer account> \
  --developer-password-keychain-item <name of keychain item, see below> \
  [--provider <provider short name>]

Supported inputs:

  • ✅ .app bundles
  • ✅ .dmg disk images
  • ✅ .pkg installer packages

Specifying the password keychain item

This tool never handles your Apple Developer password itself. Instead, Xcode's helper altool reads an app-specific password for your Apple ID straight from the keychain, so the secret does not appear on the command line, in the process list, or in CI logs. See the documentation for xcrun altool --store-password-in-keychain-item to set up a suitable keychain item.

Specifying the developer team

The optional --provider argument should be specified if the developer account is associated with more than one team. Obtain the value by running the following command and noting the "ProviderShortname" column:

xcrun altool --list-providers -u "$DEVELOPER_ACCOUNT_USERNAME" -p "@keychain:$PASSWORD_KEYCHAIN_ITEM"

Required network access

  • Xcode's altool will connect to several Apple hosts as outlined in the documentation.

  • When notarization fails, xcnotary will connect to https://osxapps-ssl.itunes.apple.com/ on port 443 to retrieve the failure log.

Bundle pre-checks

xcnotary attempts to check the input for some common notarization issues before uploading it to Apple. While not foolproof, these checks can save you minutes of waiting for a response that then fails because of an incorrect code signing flag.

Bundle pre-check

When the input is an app bundle, the following checks will be performed:

  • ✅ Bundle being signed with a Developer ID certificate and not containing unsigned items.
  • ✅ Bundle being signed with a secure timestamp.
  • ✅ Bundle not having the get-task-allow entitlement.
  • ✅ Bundle having hardened runtime enabled.

When the input is a .dmg or a .pkg, only the Developer ID signing check is performed, since that is the only check possible at the moment without extracting the contents. In your workflow, run xcnotary precheck on the bundle target before packaging it, so the inner bundle is checked too.
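The following is an added example, not xcnotary's own code: a std-only Rust model of the pre-check described above. It reads text in the format printed by the real commands codesign -dvv, codesign -d --entitlements :- and codesign --verify --deep --strict, and reports the failures listed in this section, including the reduced check set for .dmg and .pkg inputs. All sample codesign output in the block is constructed for illustration, and the way xcnotary itself parses codesign may differ.

```rust
// Added example, not xcnotary's own code: a std-only model of the bundle
// pre-check. It reads text in the format printed by the real commands
// `codesign -dvv`, `codesign -d --entitlements :-` and
// `codesign --verify --deep --strict`, and reports the problems the page
// lists. All sample output is constructed; xcnotary's own parsing may differ.

/// Supported input kinds; only App gets the full set of checks.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Input { App, Dmg, Pkg }

/// True if a "CodeDirectory ... flags=0x...(a,b,c)" line lists `flag`.
fn has_code_directory_flag(info: &str, flag: &str) -> bool {
    info.lines()
        .filter(|l| l.starts_with("CodeDirectory"))
        .filter_map(|l| l.split_whitespace().find(|t| t.starts_with("flags=")))
        .any(|t| {
            t.trim_start_matches("flags=")
                .split(|c| c == '(' || c == ')' || c == ',')
                .any(|f| f == flag)
        })
}

/// True if the entitlements plist sets get-task-allow to true.
fn has_get_task_allow(entitlements: &str) -> bool {
    let lines: Vec<&str> = entitlements.lines().map(str::trim).filter(|l| !l.is_empty()).collect();
    lines.windows(2).any(|w| {
        w[0] == "<key>com.apple.security.get-task-allow</key>" && w[1] == "<true/>"
    })
}

/// Run the pre-checks; an empty Vec means nothing blocks submission.
/// `info`, `entitlements` and `verify` are the outputs of the three commands above.
pub fn precheck(input: Input, info: &str, entitlements: &str, verify: &str) -> Vec<String> {
    let mut issues = Vec::new();
    // 1. Developer ID: the leaf certificate must be a Developer ID Application
    //    identity. This is the one check that also applies to .dmg and .pkg.
    if !info.lines().any(|l| l.starts_with("Authority=Developer ID Application:")) {
        issues.push("not signed with a Developer ID Application certificate".to_string());
    }
    if input != Input::App {
        return issues; // the other checks need the bundle contents a .dmg/.pkg hides
    }
    // 2. Nothing unsigned inside the bundle (nested frameworks, helpers, ...).
    if verify.contains("code object is not signed at all") {
        issues.push("bundle contains unsigned items".to_string());
    }
    // 3. Secure timestamp: codesign prints "Timestamp=..." only when present.
    if !info.lines().any(|l| l.starts_with("Timestamp=")) {
        issues.push("signature has no secure timestamp".to_string());
    }
    // 4. get-task-allow is a debug entitlement that notarization rejects.
    if has_get_task_allow(entitlements) {
        issues.push("get-task-allow entitlement is present".to_string());
    }
    // 5. Hardened runtime shows up as the "runtime" CodeDirectory flag.
    if !has_code_directory_flag(info, "runtime") {
        issues.push("hardened runtime is not enabled".to_string());
    }
    issues
}

// Constructed sample: an ad-hoc signed debug build that Apple would reject.
pub const BAD_INFO: &str = "\
Executable=/tmp/Example.app/Contents/MacOS/Example
CodeDirectory v=20400 size=512 flags=0x2(adhoc) hashes=8+5 location=embedded
Signature=adhoc
TeamIdentifier=not set
";
pub const BAD_ENTITLEMENTS: &str = "\
<plist version=\"1.0\"><dict>
    <key>com.apple.security.get-task-allow</key>
    <true/>
</dict></plist>
";
pub const BAD_VERIFY: &str = "\
/tmp/Example.app/Contents/Frameworks/Helper.framework: code object is not signed at all
In subcomponent: /tmp/Example.app/Contents/Frameworks/Helper.framework
";
// Constructed sample: a Developer ID signed release build that passes.
pub const GOOD_INFO: &str = "\
Executable=/tmp/Example.app/Contents/MacOS/Example
CodeDirectory v=20500 size=1024 flags=0x10000(runtime) hashes=24+7 location=embedded
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Jan 1, 2020 at 12:00:00 PM
TeamIdentifier=ABCDE12345
Runtime Version=10.15.0
";

fn main() {
    for issue in precheck(Input::App, BAD_INFO, BAD_ENTITLEMENTS, BAD_VERIFY) {
        println!("debug build: {}", issue);
    }
    println!("release build issues: {}", precheck(Input::App, GOOD_INFO, "", "").len());
    // A .dmg only gets the Developer ID check, so the ad-hoc sample yields one issue.
    println!("dmg issues: {}", precheck(Input::Dmg, BAD_INFO, "", "").len());
}
```

On a real Mac you would feed precheck the captured stdout of codesign -dvv and codesign -d --entitlements :- and the stderr of codesign --verify --deep --strict for the same bundle; the example deliberately keys on the exact strings codesign emits (the Authority= and Timestamp= lines, the runtime CodeDirectory flag) rather than on exit codes, because codesign exits zero for a perfectly valid ad-hoc or development signature that notarization will still reject.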

Building for notarization

The following examples set various necessary build flags, such as code signing with a "secure timestamp."

Bundles

xcodebuild \
   -target <target> \
   -scheme <scheme> \
   -configuration Release \
   -derivedDataPath .xcodebuild \
   "CODE_SIGN_IDENTITY=Developer ID Application: <team name>" \
   "OTHER_CODE_SIGN_FLAGS=--timestamp --options=runtime" \
   CODE_SIGN_INJECT_BASE_ENTITLEMENTS=NO \
   CODE_SIGN_STYLE=Manual

CODE_SIGN_IDENTITY should match the corresponding Keychain certificate.

Note that --options=runtime opts your binary into the hardened runtime. You most likely want to first enable the "Hardened Runtime" capability in Xcode's target settings > "Signing and Capabilities" and make sure your application still functions as expected: the hardened runtime restricts things such as loading libraries and plug-ins that are unsigned or signed by a different team, so an app that worked as a debug build can fail at launch. There, you may also add any entitlements needed to relax specific runtime restrictions.

Packages

pkgbuild \
   --component <path to bundle built according to above specs> \
   --sign "Developer ID Installer: <team name>" \
   --timestamp \
   <output_pkg_name.pkg>

Disk images

Sign the disk image after creating it, explicitly requesting a secure timestamp. This does not replace signing (and pre-checking) the bundle inside the image:

codesign --timestamp -s "Developer ID Application: <team>" <dmg>
