If you have a Mac and active App Store membership please test codesign with guest account

#1
  1. Bundle a blank project for Mac
  2. Download appropriate Mac developer team certificate either directly or with xcode (check in keychain)
  3. codesign with
    codesign --force --sign "3rd Party Mac Developer Application: Your Team Name" "game.app"
  4. Drag app to /Applications
  5. Login to guest account and see if it runs

This is the most basic setup that should work, but it’s not for me. Could anyone else who has App Store membership and access to a Mac test this?

I’ve tested xcode projects and with this dev setup it works for me on Guest accounts.

With Defold project if I do

spctl -va My.app it’s always rejected even what should be correct entitlements for sandboxing set. I do have “App store and identified developers” set in Security & Privacy. I’m not sure how to figure out why it was rejected.

When I do --verify and --deep-verify on Defold projects it says valid on disk, satisfies requirements.

When I do codesign -dvv My.app it does appear to be correct.


A lot of (random tutorial) sources online say to use “3rd Party Mac Developer Application: …” for uploading to Mac App Store but when I used “Developer ID Application: …” spctl accepted it. However even with this on Guest account I get “The application ‘…’ can’t be opened.”


By default xcode signs with a personal developer cert I think. But even using that one did not help.

0 Likes

#2

I’m not sure you’re supposed to be able to run the executable locally if you codesign with the distribution (app store) certificate. That’s what development certs are for. The question should be “does Application Loader accept the app and does it pass review?” instead.

2 Likes

#3

It uploads all fine, but fails on review (after green checkmark and submitting for review). The review team suggested I test running it on a Guest account. Xcode produced projects do work, but not Defold based projects. But I’m not certain on any of this and could use expert help with testing and finding the right way to do this.

This was linked when it first failed review, they didn’t give much other info just said “There was an error when launching the game” and it’s the same generic error I get when attempting to run signed app on guest account https://developer.apple.com/library/archive/qa/qa1778/_index.html

1 Like

#4

This is not a codesigning issue. I stumbled upon this as well. It’s just a plain old permissions issue. Your app’s executable may have execute permissions for your user account and staff group, but it doesn’t have it for “others” (you can check with a ls -l YourAppName.app/Contents/MacOS). chmod +x YourAppName/Contents/MacOS/YourAppName should do the trick.

TLDR: Don’t worry, this doesn’t affect end users, it’s just a permissions thing on your local machine.

In other news, I managed to fully codesign, notarize and staple Interrogation.app and can confirm everything works. Here’s my process:

codesign --force --sign "Developer ID Application: Company Name" --options runtime --deep --timestamp YourApp.app

Apple recommends you don’t use --deep and instead sign each binary individually. I will do so in the final process, but this works for a quick hacky test.

Then, make a app-specific password for your Apple ID and add it to your keychain:

xcrun altool --store-password-in-keychain-item "AC_PASSWORD"  -u "yourappleid@example.com" -p "your--super-secret-app-password"

Then, fetch your team’s ProviderShortname. It should be a number like 12ABC3D456

xcrun altool --list-providers -u yourappleid@example.com -p "@keychain:AC_PASSWORD"

Now to notarise the app:

zip -R YourApp.app.zip YourApp.app
xcrun altool --notarize-app --primary-bundle-id "com.your-company.your-app.zip" --username yourappleid@example.com --password "@keychain:AC_PASSWORD" --asc-provider 12ABC3D456 --file YourApp.app.zip

You’ll get a RequestUUID. Use it to query for progress from time to time:

xcrun altool --notarization-info your-request-uuid -u yourappleid@example.com --password "@keychain:AC_PASSWORD"

When all is done, you’ll get a “Package Approved” status and an URL to a log file (in JSON format).

Finally, staple the notarisation to the app, so that it works offline:

xcrun stapler staple YourApp.app
5 Likes

#5

Nice! I’ll test your steps out soon. Has Apple already approved a build you’ve uploaded with this?

0 Likes

#6

I didn’t try to submit anything to the app store, but I did go through all these steps and got a build successfully notarised, which is what you need for Steam.

1 Like

#7

I’ll try submitting a build to Mac App Store with these steps today and see if it passes review.

0 Likes

#8

You don’t need to do this for the Mac App Store. You don’t need to notarise. Just codesign (and not with the Developer ID cert, but with a Mac app distribution cert). And make sure your permissions are right (do a chmod +x).

0 Likes

#9

In that case it might not work still as I believe I did do chmod+x in the past and even though the upload tools said everything was right I could not get it past review/couldn’t get it to run right on guest login. There is probably still a sandbox violation somewhere. If you have the time to could you try uploading to Mac App Store and see if they will approve your build?

0 Likes

#10

I will likely not have time to play with this in the near future, unfortunately. My build worked fine on a guest account after doing chmod +x. Maybe you forgot the hardened runtime? (--options runtime). Try with that.

1 Like

#11

I’ll try again today. It’s completely possible I did miss something.

1 Like

#12

Update: I also had to add some entitlements (add --entitlements entitlements.plist to the codesign command) for it to work:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
    <true/>
  </dict>
</plist>
1 Like

#13

And is this all confirmed to be working now? I’d like to summarise and put it in a manual.

1 Like

#14

Make sure it’s labeled as for macOS codesign with notarization for non-Mac App Store distribution (such as Steam).

Mac App Store distribution steps still need to be verified working.

0 Likes

#15

Yes, confirmed working. We have builds on Steam done like this. :smiley:

1 Like

#16

As a matter of fact, just got this email:

5 Likes