macOS App Store signing + notarization

#1

The last time I tried to upload to the Mac App Store somewhere in the process it didn’t work, possibly due to a sandbox violation that I could not see or figure out, or maybe I did something else wrong.

Could anyone else who has an active Apple program try to go through the process of uploading and submitting one of their games? Uploading worked for me, passed all checks, but failed at review, and none of the Defold apps I signed I could get to work on a guest account (but other software I could).

Valve is also now requiring notarization due to Apple’s requirement, and it’s a bit of a pain. It also seems to have the same problem. So without this solved it also means no more macOS builds for Steam.

0 Likes

#2

Have you tried this “pain-in-the-ass” notarization workflow?
https://developer.apple.com/documentation/xcode/notarizing_your_app_before_distribution/customizing_the_notarization_workflow#3087720

1 Like

#3

Notarization can be done without xcode, just from the CLI if you want to. And anyway, notarization shouldn’t affect if an app runs or not. It just tells Gatekeeper to shut up and not warn the user before opening the app.

What you want to make sure it’s working is code signing. And honestly, I’m a bit worried. Since the native extensions don’t support dynamic libraries, the current dlopen()/dlsym() workarounds might count as a sandbox violation. I will test the whole process in the near future, but for now I’m busy with other things.

2 Likes

#4

For me notarization failed with:

*** Error: Unable to validate your application. We are unable to create an authentication session.

1 Like

#5

What’s your macOS/xcode version just for reference?

0 Likes

#6

Mojave 10.14.4
Xcode 11.0

1 Like

#7

As I just noticed in Apple docs:

So the question is, how to enable this for defold app?

0 Likes

#8

via https://www.reddit.com/r/gamedev/comments/di61ms/have_a_mac_game_on_steam_heres_a_guide_to_signing/

--options runtime

Is what should be enabling hardened runtime.

codesign -s "Developer ID Application: <YourName>" --timestamp --options runtime -f --entitlements entitlements.plist --deep YourApp.app

Check with

codesign -d -vvvv YourApp.app

Compress

/usr/bin/ditto -c -k --keepParent YourApp.app YourApp.zip

Submit

xcrun altool --notarize-app --primary-bundle-id "<id>" -u "<appleid>" -p "<app-specific password>" --file YourApp.zip

Check submission status

xcrun altool --notarization-info <RequestUUID> -u -u "<appleid>" -p "<app-specific password>"

Staple approval

xcrun stapler staple "YourApp.app"

4 Likes

#9

thanks!
some good news:

3 Likes