macOS App Store signing + notarization

Pkeod · September 24, 2019, 10:54pm

The last time I tried to upload to the Mac App Store somewhere in the process it didn’t work, possibly due to a sandbox violation that I could not see or figure out, or maybe I did something else wrong.

Could anyone else who has an active Apple program try to go through the process of uploading and submitting one of their games? Uploading worked for me, passed all checks, but failed at review, and none of the Defold apps I signed I could get to work on a guest account (but other software I could).

Valve is also now requiring notarization due to Apple’s requirement, and it’s a bit of a pain. It also seems to have the same problem. So without this solved it also means no more macOS builds for Steam.

Ivan_Lytkin · September 25, 2019, 9:13am

Have you tried this “pain-in-the-ass” notarization workflow?
https://developer.apple.com/documentation/xcode/notarizing_your_app_before_distribution/customizing_the_notarization_workflow#3087720

dapetcu21 · September 25, 2019, 9:37am

Notarization can be done without xcode, just from the CLI if you want to. And anyway, notarization shouldn’t affect if an app runs or not. It just tells Gatekeeper to shut up and not warn the user before opening the app.

What you want to make sure it’s working is code signing. And honestly, I’m a bit worried. Since the native extensions don’t support dynamic libraries, the current dlopen()/dlsym() workarounds might count as a sandbox violation. I will test the whole process in the near future, but for now I’m busy with other things.

Ivan_Lytkin · September 26, 2019, 5:52pm

For me notarization failed with:

*** Error: Unable to validate your application. We are unable to create an authentication session.

Pkeod · September 26, 2019, 5:56pm

What’s your macOS/xcode version just for reference?

Ivan_Lytkin · September 26, 2019, 6:37pm

Mojave 10.14.4
Xcode 11.0

Ivan_Lytkin · October 16, 2019, 6:29am

As I just noticed in Apple docs:

So the question is, how to enable this for defold app?

Pkeod · October 16, 2019, 6:52am

via https://www.reddit.com/r/gamedev/comments/di61ms/have_a_mac_game_on_steam_heres_a_guide_to_signing/

--options runtime

Is what should be enabling hardened runtime.

codesign -s "Developer ID Application: <YourName>" --timestamp --options runtime -f --entitlements entitlements.plist --deep YourApp.app

Check with

codesign -d -vvvv YourApp.app

Compress

/usr/bin/ditto -c -k --keepParent YourApp.app YourApp.zip

Submit

xcrun altool --notarize-app --primary-bundle-id "<id>" -u "<appleid>" -p "<app-specific password>" --file YourApp.zip

Check submission status

xcrun altool --notarization-info <RequestUUID> -u -u "<appleid>" -p "<app-specific password>"

Staple approval

xcrun stapler staple "YourApp.app"

Ivan_Lytkin · October 16, 2019, 8:52am

thanks!
some good news: