If you have a Mac and an active App Store membership, please test codesigning with a guest account:

  1. Bundle a blank project for Mac
  2. Download the appropriate Mac developer team certificate, either directly or with Xcode (check in Keychain)
  3. codesign with
    codesign --force --sign "3rd Party Mac Developer Application: Your Team Name" "game.app"
  4. Drag the app to /Applications
  5. Log in to the guest account and see if it runs

This is the most basic setup that should work, but it isn’t working for me. Could anyone else who has an App Store membership and access to a Mac test this?

I’ve tested Xcode projects, and with this dev setup they work for me on guest accounts.

With a Defold project, if I do

spctl -va My.app

it’s always rejected, even with what should be the correct entitlements for sandboxing set. I do have “App Store and identified developers” set in Security & Privacy. I’m not sure how to figure out why it was rejected.

When I do --verify and --deep-verify on Defold projects it says valid on disk, satisfies requirements.

When I do codesign -dvv My.app it does appear to be correct.


A lot of (random tutorial) sources online say to use “3rd Party Mac Developer Application: …” for uploading to the Mac App Store, but when I used “Developer ID Application: …” spctl accepted it. However, even with this, on a guest account I get “The application ‘…’ can’t be opened.”


By default Xcode signs with a personal developer cert, I think. But even using that one did not help.

I’m not sure you’re supposed to be able to run the executable locally if you codesign with the distribution (App Store) certificate. That’s what development certs are for. The question should be “does Application Loader accept the app, and does it pass review?” instead.


It uploads fine, but fails on review (after the green checkmark and submitting for review). The review team suggested I test running it on a guest account. Xcode-produced projects do work, but not Defold-based projects. But I’m not certain about any of this and could use expert help with testing and finding the right way to do this.

This was linked when it first failed review; they didn’t give much other info, just said “There was an error when launching the game”, and it’s the same generic error I get when attempting to run the signed app on a guest account: https://developer.apple.com/library/archive/qa/qa1778/_index.html


This is not a codesigning issue. I stumbled upon this as well. It’s just a plain old permissions issue. Your app’s executable may have execute permissions for your user account and the staff group, but it doesn’t have it for “others” (you can check with ls -l YourAppName.app/Contents/MacOS). chmod +x YourAppName.app/Contents/MacOS/YourAppName should do the trick.

TLDR: Don’t worry, this doesn’t affect end users, it’s just a permissions thing on your local machine.

In other news, I managed to fully codesign, notarize and staple Interrogation.app and can confirm everything works. Here’s my process:

codesign --force --sign "Developer ID Application: Company Name" --options runtime --deep --timestamp YourApp.app

Apple recommends you don’t use --deep and instead sign each binary individually. I will do so in the final process, but this works for a quick hacky test.

Then, make an app-specific password for your Apple ID and add it to your keychain:

xcrun altool --store-password-in-keychain-item "AC_PASSWORD" -u "yourappleid@example.com" -p "your-super-secret-app-password"

Then, fetch your team’s ProviderShortname. It should be a number like 12ABC3D456

xcrun altool --list-providers -u yourappleid@example.com -p "@keychain:AC_PASSWORD"

Now to notarise the app:

# -r recurses into the bundle; -y stores symlinks as symlinks (frameworks depend on them)
zip -r -y YourApp.app.zip YourApp.app
xcrun altool --notarize-app --primary-bundle-id "com.your-company.your-app.zip" --username yourappleid@example.com --password "@keychain:AC_PASSWORD" --asc-provider 12ABC3D456 --file YourApp.app.zip

You’ll get a RequestUUID. Use it to query for progress from time to time:

xcrun altool --notarization-info your-request-uuid -u yourappleid@example.com --password "@keychain:AC_PASSWORD"

When all is done, you’ll get a “Package Approved” status and a URL to a log file (in JSON format).

Finally, staple the notarisation to the app, so that it works offline:

xcrun stapler staple YourApp.app
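The permissions point made earlier in this post (the main executable lacking the execute bit for "others", which is what a guest account sees) is easy to check and fix mechanically. The script below is an added example, not code from the thread or from Defold: it tests the o+x bit on every binary under Contents/MacOS, repairs it, and on macOS runs the signature, Gatekeeper and entitlement checks that a "test it on a guest account" request boils down to. It assumes the standard YourApp.app/Contents/MacOS/<binary> layout; the bundle it builds for the demo is a constructed stand-in, not a real build.

```shell
#!/bin/sh
# Added example, not code from the thread: check and repair the "others"
# execute bit on the binaries in a .app bundle, which is the permissions
# problem described above. A guest account is a different user, so a binary
# that is only u+x/g+x fails to launch there no matter how it is signed.
# Assumes the standard layout YourApp.app/Contents/MacOS/<binary>; the bundle
# created by make_fake_bundle is a constructed stand-in for a real build.
set -eu

# Succeed only if every regular file in Contents/MacOS is executable by others.
bundle_exec_ok() {
  app="$1"
  found=0
  for f in "$app"/Contents/MacOS/*; do
    [ -f "$f" ] || continue
    found=1
    # -perm -001 matches only when the o+x bit is set (BSD and GNU find).
    [ -n "$(find "$f" -maxdepth 0 -perm -001)" ] || return 1
  done
  [ "$found" -eq 1 ]
}

# Add the execute bit for all classes. A plain "chmod +x" is filtered by the
# umask, so under umask 027 it would still leave "others" without x; "a+x"
# is not filtered.
bundle_fix_exec() {
  app="$1"
  for f in "$app"/Contents/MacOS/*; do
    if [ -f "$f" ]; then
      chmod a+x "$f"
    fi
  done
  return 0
}

# On macOS, run the checks behind "test it on a guest account": permissions,
# signature validity, Gatekeeper assessment and the embedded entitlements.
# Skipped elsewhere, since codesign and spctl only exist on macOS.
bundle_verify() {
  app="$1"
  if ! command -v codesign >/dev/null 2>&1; then
    echo "codesign not found; skipping macOS signature checks" >&2
    return 0
  fi
  ls -l "$app"/Contents/MacOS
  codesign --verify --deep --strict --verbose=2 "$app"
  spctl --assess --type execute -vv "$app"
  codesign -d --entitlements - "$app"
}

# Constructed sample: a bundle skeleton whose executable is u+rwx,g+rx only,
# which reproduces the failure seen from a different account.
make_fake_bundle() {
  app="$1"
  mkdir -p "$app/Contents/MacOS"
  printf '#!/bin/sh\necho hello\n' > "$app/Contents/MacOS/YourApp"
  chmod 750 "$app/Contents/MacOS/YourApp"
}

demo() {
  tmp=$(mktemp -d)
  app="$tmp/YourApp.app"
  make_fake_bundle "$app"
  if bundle_exec_ok "$app"; then
    echo "unexpected: sample bundle was already executable by others"
  else
    echo "before: others cannot execute YourApp (the guest-account failure)"
  fi
  bundle_fix_exec "$app"
  if bundle_exec_ok "$app"; then
    echo "after chmod a+x: others can execute YourApp"
  fi
  rm -rf "$tmp"
}

# Usage: sh bundle_perms.sh YourApp.app   (with no argument, runs the demo)
if [ $# -ge 1 ]; then
  bundle_fix_exec "$1"
  bundle_verify "$1"
else
  demo
fi
```

Run it with the bundle path after codesigning, since chmod changes only metadata and does not invalidate the signature; run it before signing if you also re-sign with --force anyway. The o+x test uses find rather than test -x because test -x answers for the current user, which is exactly the wrong question here.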

Nice! I’ll test your steps out soon. Has Apple already approved a build you’ve uploaded with this?

I didn’t try to submit anything to the app store, but I did go through all these steps and got a build successfully notarised, which is what you need for Steam.


I’ll try submitting a build to Mac App Store with these steps today and see if it passes review.

You don’t need to do this for the Mac App Store. You don’t need to notarise. Just codesign (and not with the Developer ID cert, but with a Mac app distribution cert). And make sure your permissions are right (do a chmod +x).

In that case it might still not work, as I believe I did do chmod +x in the past, and even though the upload tools said everything was right I could not get it past review / couldn’t get it to run right on guest login. There is probably still a sandbox violation somewhere. If you have the time, could you try uploading to the Mac App Store and see if they will approve your build?

I will likely not have time to play with this in the near future, unfortunately. My build worked fine on a guest account after doing chmod +x. Maybe you forgot the hardened runtime? (--options runtime). Try with that.


I’ll try again today. It’s completely possible I did miss something.


Update: I also had to add some entitlements (add --entitlements entitlements.plist to the codesign command) for it to work:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
    <true/>
  </dict>
</plist>

And is this all confirmed to be working now? I’d like to summarise and put it in a manual.


Make sure it’s labeled as macOS codesigning with notarization for non-Mac App Store distribution (such as Steam).

Mac App Store distribution steps still need to be verified working.

Yes, confirmed working. We have builds on Steam done like this. :smiley:


As a matter of fact, just got this email:


I have taken a stab at documenting the macOS bundling and distribution process:

I’d appreciate feedback on the document. Is there any step missing? Is something unclear?


Hi! For distribution outside of the App Store, you still need to add entitlements for it to run (add --entitlements entitlement.plist to the codesign command). See above for the entitlements I used (you probably don’t need com.apple.security.cs.allow-dyld-environment-variables, but I didn’t test without it).

One extra note is that the Steamworks SDK, if you use that, requires an extra entitlement: com.apple.security.cs.disable-library-validation.

You probably need similar or different entitlements for the App Store as well, but I didn’t publish anything on the App Store, so can’t speak for sure.

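The steps spread over this thread for distribution outside the Mac App Store (the entitlements plist above, the optional Steamworks entitlement, Developer ID signing, notarisation and stapling) collected into one script, as an added example that is not code from the thread or from Defold. Two things differ from the commands posted above: each Mach-O is signed individually instead of with --deep, which Apple documents as unsuitable for shipping builds, and notarisation goes through notarytool, because Apple shut down altool’s --notarize-app path in November 2023. The identity "Developer ID Application: Company Name" and the keychain profile name AC_NOTARY are placeholders; a second argument of 1 adds com.apple.security.cs.disable-library-validation for Steamworks.

```shell
#!/bin/sh
# Added example, not code from the thread or from Defold. Writes the
# hardened-runtime entitlements from the thread, signs every Mach-O in the
# bundle individually (no --deep), notarises with notarytool and staples the
# ticket. IDENTITY and PROFILE are placeholders; override them in the environment.
set -eu

IDENTITY="${IDENTITY:-Developer ID Application: Company Name}"  # placeholder
PROFILE="${PROFILE:-AC_NOTARY}"   # notarytool keychain profile name, placeholder

# Write the entitlements plist. A second argument of 1 adds the
# library-validation exemption that the Steamworks SDK needs.
write_entitlements() {
  out="$1"; steam="${2:-0}"
  {
    printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>'
    printf '%s\n' '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">'
    printf '%s\n' '<plist version="1.0">' '<dict>'
    for key in com.apple.security.cs.allow-jit \
               com.apple.security.cs.allow-unsigned-executable-memory \
               com.apple.security.cs.allow-dyld-environment-variables; do
      printf '  <key>%s</key>\n  <true/>\n' "$key"
    done
    if [ "$steam" = 1 ]; then
      printf '  <key>%s</key>\n  <true/>\n' com.apple.security.cs.disable-library-validation
    fi
    printf '%s\n' '</dict>' '</plist>'
  } > "$out"
}

# Sign nested Mach-O files first, then the bundle itself, which signs the main
# executable and attaches the entitlements. This inside-out order is what
# replaces --deep. Only Mach-O files are signed; resources are covered by the
# bundle's own seal.
sign_bundle() {
  app="$1"; identity="$2"; ent="$3"
  find "$app/Contents" -type f \
      \( -name '*.dylib' -o -path '*/Frameworks/*' -o -path '*/MacOS/*' \) |
  while IFS= read -r f; do
    if file -b "$f" | grep -q 'Mach-O'; then
      codesign --force --sign "$identity" --options runtime --timestamp "$f"
    fi
  done
  codesign --force --sign "$identity" --options runtime --timestamp \
    --entitlements "$ent" "$app"
  codesign --verify --deep --strict --verbose=2 "$app"
  codesign -d --entitlements - "$app"   # confirm the entitlements were embedded
}

# Zip with ditto (keeps symlinks and resource forks), submit, wait for the
# verdict, then staple so Gatekeeper accepts the app offline. Credentials are
# stored once with:
#   xcrun notarytool store-credentials "$PROFILE" --apple-id <id> --team-id <id> --password <app-specific password>
notarize_and_staple() {
  app="$1"; profile="$2"
  zipfile="${app%.app}.zip"
  ditto -c -k --keepParent "$app" "$zipfile"
  result=$(xcrun notarytool submit "$zipfile" --keychain-profile "$profile" --wait)
  printf '%s\n' "$result"
  if ! printf '%s\n' "$result" | grep -q 'status: Accepted'; then
    # "xcrun notarytool log <submission id> --keychain-profile $profile" lists the reasons
    echo "notarisation not accepted" >&2
    return 1
  fi
  xcrun stapler staple "$app"
  xcrun stapler validate "$app"
  spctl --assess --type execute -vv "$app"
}

# Usage: sh notarise.sh YourApp.app [1]   (1 = add the Steamworks entitlement)
if [ $# -ge 1 ]; then
  write_entitlements entitlements.plist "${2:-0}"
  sign_bundle "$1" "$IDENTITY" entitlements.plist
  notarize_and_staple "$1" "$PROFILE"
fi
```

The Developer ID identity and notarisation are for builds shipped outside the Mac App Store only, as pointed out earlier in the thread; an App Store submission is signed with the distribution certificate instead and not notarised. If notarytool reports Invalid, the log it refers to names the binary and the reason (typically a nested binary without the hardened runtime or a missing secure timestamp), which is the inside-out signing step above failing to cover something.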

Ah, thanks, missed that! Added to the docs now.

I will try this myself when I have some time.


As soon as you can get working steps I will submit FSR and FSH to the Mac App Store. :innocent: