macOS Catalina 10.15. Any solution?

tuarua

See here for single scripts to correctly package, sign, notarize, validate etc either an App Store or Self Distributed Notiarized App (aka Developer ID Application) pkg.
https://github.com/tuarua/WebViewANE/tree/development/example-desktop-complete/mac_packaging

are you using HTMLLoader? If not then you should delete:

Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Resources/WebKit.dylib
Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Resources/Flash Player.plugin
Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Resources/WebKit
Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Resources/__MACOSX

That tutorial has information gaps tbh.

Regarding the errors you get back:

The signature does not include a secure timestamp

You are missing the --timestamp flag on your codesign command

The binary is not signed.

Self explanatory. That binary file is not signed. It is a misconception that --deep signs all parts of the .app. It doesn't.
You will see in my scripts for eg that I run codesign several times at different levels of the app. For example you might not apply the same entitlements to a framework as you do to your main binary.

Make sure you are deleting your .app file each time you run any signing. You might be trying to resign the app multiple times and cause weirdness.

Also, fun fact, even when you choose a temporary self-sign cert in IntelliJ the captive app is not actually signed. The java code for building a macOS captive runtime in adt has NO codesigning code at all. You can see for yourself that no "CodeSignature" folder is output inside the .app

tuarua

psyone "message": "The binary is not signed."

The report is clear as day. It says bin/ffmpeg is not signed. So you need to sign it.
As I said before:

tuarua It is a misconception that --deep signs all parts of the .app. It doesn't.
You will see in my scripts for eg that I run codesign several times at different levels of the app.

Under "echo ${cyn} "Signing..." ${white}" and before the other codesign command

try adding the following:
xcrun codesign -f -s "$APP_KEY" --deep --entitlements "$CHILD_ENTITLEMENTS" --verbose --options runtime --timestamp $APP.app/Contents/Resources/bin/*

psyone

Thanks,

i checked your code and modified by mine things:


#!/bin/bash

# Code Signature invalid error is expected if you try and run your store app on your mac without uploading it.
# See https://developer.apple.com/library/archive/qa/qa1884/_index.html

# Name of your app.
APP="player"
TEAM_ID="XXXXXXXX"

# See https://developer.apple.com/documentation/bundleresources/information_property_list/lsapplicationcategorytype
APP_CATEGORY="public.app-category.games"

# Certificates and signing.
APP_KEY="3rd Party Mac Developer Application: Varadi Gabor (XXXXXXX)"
INSTALLER_KEY="3rd Party Mac Developer Installer: Varadi Gabor (XXXXXXXX)"
PROVISION_PROFILE="DynamicDungeonsplayer.provisionprofile"

# from https://appleid.apple.com/#!&page=signin  > Security > APP-SPECIFIC PASSWORDS > Generate password…
TWO_FAC_UN="XXXXXXXXXXXX"
TWO_FAC_PW="XXXXXXXXXXXX"

############################################################################################################
############################################################################################################
############################################################################################################

red=$'\e[1;31m'
grn=$'\e[1;32m'
blu=$'\e[1;34m'
mag=$'\e[1;35m'
cyn=$'\e[1;36m'
white=$'\e[0m'
PlistBuddy=/usr/libexec/PlistBuddy
pathtome=$0
pathtome="${pathtome%/*}"
cd "$pathtome"

echo ${cyn} "Check Tools Availability" ${white}

if [ ! -d "$(xcrun --show-sdk-path)" ]
then
    echo ${red} "Xcode not configured" ${white}
    exit 72
fi

if [ ! -x "${PlistBuddy}" ]
then
    echo ${red} "Couldn't find PlistBuddy" ${white}
    exit 72
fi

if [ ! -f "$pathtome/$PROVISION_PROFILE" ]; then
    echo ${red} "Can't find $PROVISION_PROFILE. Did you forget to copy it into the packaging folder?" ${white}
    exit 72
fi

echo ${cyn} "Copying $APP.app" ${white}

if [ ! -d "$pathtome/../bin/$APP.app" ]; then
    echo ${red} "Can't find bin-release/$APP.app. Package your AIR app!" ${white}
    exit 72
fi

if [ -d "$APP.app" ]; then
    rm -r "$APP.app"
fi

xattr -cr "../bin/$APP.app"
cp -R "../bin/$APP.app" "$pathtome/"

BUNDLE_ID=$( "${PlistBuddy}" -c "Print CFBundleIdentifier" "$APP.app/Contents/Info.plist" )
APP_VERSION=$( "${PlistBuddy}" -c "Print CFBundleShortVersionString" "$APP.app/Contents/Info.plist" )

echo ${cyn} "Making icons..." ${white}

if [ ! -f "$pathtome/icon-1024.png" ]; then
    echo ${red} "Can't find icon-1024.png. Create a 1024x1024 png." ${white}
    exit
fi

sips -z 16 16     icon-1024.png --out Assets.xcassets/AppIcon.appiconset/icon_16x16.png > /dev/null 2>&1
sips -z 32 32     icon-1024.png --out Assets.xcassets/AppIcon.appiconset/icon_16x16@2x.png > /dev/null 2>&1
sips -z 32 32     icon-1024.png --out Assets.xcassets/AppIcon.appiconset/icon_32x32.png > /dev/null 2>&1
sips -z 64 64     icon-1024.png --out Assets.xcassets/AppIcon.appiconset/icon_32x32@2x.png > /dev/null 2>&1
sips -z 128 128   icon-1024.png --out Assets.xcassets/AppIcon.appiconset/icon_128x128.png > /dev/null 2>&1
sips -z 256 256   icon-1024.png --out Assets.xcassets/AppIcon.appiconset/icon_128x128@2x.png > /dev/null 2>&1
sips -z 256 256   icon-1024.png --out Assets.xcassets/AppIcon.appiconset/icon_256x256.png > /dev/null 2>&1
sips -z 512 512   icon-1024.png --out Assets.xcassets/AppIcon.appiconset/icon_256x256@2x.png > /dev/null 2>&1
sips -z 512 512   icon-1024.png --out Assets.xcassets/AppIcon.appiconset/icon_512x512.png > /dev/null 2>&1
cp icon-1024.png Assets.xcassets/AppIcon.appiconset/icon_512x512@2x.png
mkdir build
xcrun actool Assets.xcassets --compile build --platform macosx --minimum-deployment-target 10.10 --app-icon AppIcon --output-partial-info-plist build/partial.plist > /dev/null 2>&1
cp -R "build/AppIcon.icns" "$APP.app/Contents/Resources"
cp -R "build/Assets.car" "$APP.app/Contents/Resources"
rm -R "build"

echo ${cyn} "Cleaning up unneeded AIR files" ${white}

xattr -cr "$APP.app"
rm -r "$APP.app/Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Resources/Adobe AIR.vch"
rm -r "$APP.app/Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Resources/WebKit.dylib"
rm -r "$APP.app/Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Resources/Flash Player.plugin"
rm -r "$APP.app/Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Resources/WebKit"
rm -r "$APP.app/Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Resources/__MACOSX"
rm -r "$APP.app/Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Resources/A2712Enabler"
xattr -cr $APP.app

echo ${cyn} "Fixing Info.plist entries" ${white}

$PlistBuddy -c "Add :LSApplicationCategoryType string $APP_CATEGORY" $APP.app/Contents/Info.plist
$PlistBuddy -c "Add :CFBundleVersion string $APP_VERSION" $APP.app/Contents/Info.plist
$PlistBuddy -c "Add :CFBundleIconName string AppIcon" $APP.app/Contents/Info.plist
$PlistBuddy -c "Add :CFBundleIconFile string AppIcon" $APP.app/Contents/Info.plist
$PlistBuddy -c "Add :CFBundleSupportedPlatforms array" $APP.app/Contents/Info.plist
$PlistBuddy -c "Add :CFBundleSupportedPlatforms: string MacOSX" $APP.app/Contents/Info.plist
# Swift requires 10.10 not AIR's 10.6
$PlistBuddy -c "Set :LSMinimumSystemVersion 10.10" $APP.app/Contents/Info.plist

echo ${cyn} "Correct ANE symlinks" ${white}
if [ -d "$APP.app/Contents/Resources/META-INF/AIR/extensions" ]; then
    cd $APP.app/Contents/Resources/META-INF/AIR/extensions
    for ane in *
    do
    IFS='.' read -ra my_array <<< "$ane"
    LEN=${#my_array[@]}
    LAST=$(( $LEN - 1 ))
    ANE_NAME="${my_array[LAST]}"

    if [[ (-d "${ane}/META-INF/ANE/MacOS-x86-64/${ANE_NAME}.framework") && (! -d "${ane}/META-INF/ANE/MacOS-x86-64/${ANE_NAME}.framework/Versions") ]]; then
        # https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPFrameworks/Concepts/FrameworkAnatomy.html
        cd "${ane}/META-INF/ANE/MacOS-x86-64/${ANE_NAME}.framework"
        mkdir Versions
        cd Versions
        mkdir A
        cd ../
        if [ -d Frameworks ]; then
            mv Frameworks Versions/A
        fi
        mv $ANE_NAME Versions/A
        mv Modules Versions/A
        mv Headers Versions/A
        mv Resources Versions/A
        cd Versions
        ln -s A Current
        cd ../
        ln -s Versions/Current/$ANE_NAME $ANE_NAME
        ln -s Versions/Current/Resources Resources
        ln -s Versions/Current/Headers Headers
        ln -s Versions/Current/Modules Modules
        cd "../../../../../"
    fi
    done
fi
cd "$pathtome"

echo ${cyn} "Applying values to Entitlements" ${white}

ROOT_ENTITLEMENTS="Root.entitlements"
CHILD_ENTITLEMENTS="Child.entitlements"

val=$($PlistBuddy -c 'print ":com.apple.developer.team-identifier"' $ROOT_ENTITLEMENTS 2>/dev/null)
exitCode=$?
if (( exitCode == 0 )); then
    $PlistBuddy -c "Set :com.apple.developer.team-identifier $TEAM_ID" $ROOT_ENTITLEMENTS
fi

val=$($PlistBuddy -c 'print ":com.apple.application-identifier"' $ROOT_ENTITLEMENTS 2>/dev/null)
exitCode=$?
if (( exitCode == 0 )); then
    $PlistBuddy -c "Set :com.apple.application-identifier $TEAM_ID.$BUNDLE_ID" $ROOT_ENTITLEMENTS
fi

val=$($PlistBuddy -c 'print ":com.apple.security.application-groups"' $ROOT_ENTITLEMENTS 2>/dev/null)
exitCode=$?
if (( exitCode == 0 )); then
    $PlistBuddy -c "Set :com.apple.security.application-groups:0 $TEAM_ID.$BUNDLE_ID" $ROOT_ENTITLEMENTS
fi

echo ${cyn} "Embedding Provisioning Profile" ${white}

cp -R $PROVISION_PROFILE "$APP.app/Contents/embedded.provisionprofile"

echo ${cyn} "Signing..." ${white}

xcrun codesign -f -s "$APP_KEY" --deep --entitlements "$CHILD_ENTITLEMENTS" --options runtime --timestamp $APP.app/Contents/Frameworks/* > /dev/null 2>&1
codesign_result=$?
if [ "${codesign_result}" != "0" ]; then
    echo ${red} "Failed to sign AIR Framework: ${codesign_result}" ${white}
    exit 1
fi
if [ -d "$APP.app/Contents/Resources/META-INF/AIR/extensions" ]; then
    cd $APP.app/Contents/Resources/META-INF/AIR/extensions
    for ane in *
    do
    IFS='.' read -ra my_array <<< "$ane"
    LEN=${#my_array[@]}
    LAST=$(( $LEN - 1 ))
    ANE_NAME="${my_array[LAST]}"
    if [ -d "${ane}/META-INF/ANE/MacOS-x86-64/${ANE_NAME}.framework" ]; then
        xcrun codesign -f -s "$APP_KEY" --deep --entitlements "$pathtome/$CHILD_ENTITLEMENTS" --options runtime --timestamp ${ane}/META-INF/ANE/MacOS-x86-64/${ANE_NAME}.framework > /dev/null 2>&1
        codesign_result=$?
        if [ "${codesign_result}" != "0" ]; then
            echo ${red} "Failed to sign ANE: ${codesign_result}" ${white}
            exit 1
        fi
    fi
    done
    cd "$pathtome"
fi
xcrun codesign -f -s "$APP_KEY" --entitlements "$ROOT_ENTITLEMENTS" --options runtime --timestamp $APP.app
codesign_result=$?
if [ "${codesign_result}" != "0" ]; then
    echo ${red} "Failed to sign main App binary: ${codesign_result}" ${white}
    exit 1
fi

val=$($PlistBuddy -c 'print ":com.apple.developer.team-identifier"' $ROOT_ENTITLEMENTS 2>/dev/null)
exitCode=$?
if (( exitCode == 0 )); then
    $PlistBuddy -c "Set :com.apple.developer.team-identifier XXX" $ROOT_ENTITLEMENTS
fi

val=$($PlistBuddy -c 'print ":com.apple.application-identifier"' $ROOT_ENTITLEMENTS 2>/dev/null)
exitCode=$?
if (( exitCode == 0 )); then
    $PlistBuddy -c "Set :com.apple.application-identifier XXX.x.x.x" $ROOT_ENTITLEMENTS
fi

val=$($PlistBuddy -c 'print ":com.apple.security.application-groups"' $ROOT_ENTITLEMENTS 2>/dev/null)
exitCode=$?
if (( exitCode == 0 )); then
    $PlistBuddy -c "Set :com.apple.security.application-groups:0 XXX.x.x.x" $ROOT_ENTITLEMENTS
fi

echo ${cyn} "Verify codesign" ${white}

xcrun codesign -vvv --deep --strict $APP.app > /dev/null 2>&1
codesign_result=$?
if [ "${codesign_result}" != "0" ]; then
    echo ${red} "Failed to sign App: ${codesign_result}" ${white}
    exit 1
fi
if [ -d "$APP.app/Contents/Resources/META-INF/AIR/extensions" ]; then
    cd $APP.app/Contents/Resources/META-INF/AIR/extensions
    for ane in *
    do
    IFS='.' read -ra my_array <<< "$ane"
    LEN=${#my_array[@]}
    LAST=$(( $LEN - 1 ))
    ANE_NAME="${my_array[LAST]}"
    if [ -d "${ane}/META-INF/ANE/MacOS-x86-64/${ANE_NAME}.framework" ]; then
        xcrun codesign -vvv --deep --strict ${ane}/META-INF/ANE/MacOS-x86-64/${ANE_NAME}.framework > /dev/null 2>&1
        codesign_result=$?
        if [ "${codesign_result}" != "0" ]; then
            echo ${red} "Failed to sign ANE Framework: ${codesign_result}" ${white}
            exit 1
        fi
    fi
    done
fi

cd "$pathtome"
echo ${grn} "Codesign OK" ${white}

echo ${cyn} "Building .pkg" ${white}

if [ -d "$APP.pkg" ]; then
    rm -r "$APP.pkg"
fi

xcrun productbuild --component "$APP.app" /Applications --sign "$INSTALLER_KEY" "$APP.pkg" > /dev/null 2>&1
codesign_result=$?
if [ "${codesign_result}" != "0" ]; then
    echo ${red} "Failed to build pkg: ${codesign_result}" ${white}
    exit 1
fi

echo ${cyn}"Validate app..." ${white}

xcrun altool -t osx -f "$APP.pkg" --primary-bundle-id "$BUNDLE_ID" --validate-app -u "$TWO_FAC_UN" -p "$TWO_FAC_PW" > /dev/null 2>&1
validate_result=$?
if [ "${validate_result}" != "0" ]; then
    echo ${red}"Validation failed: ${validate_result}" ${white}
    exit 1
fi

cd "$pathtome"
echo ${grn} "Validation OK" ${white}
echo ${grn} "All Done!" ${white}

but the output is:

devmacpro:osx varadig$ ./sign_store.sh
 Check Tools Availability
 Copying player.app
 Making icons...
cp: Assets.xcassets/AppIcon.appiconset/icon_512x512@2x.png: Not a directory
cp: build/AppIcon.icns: No such file or directory
cp: build/Assets.car: No such file or directory
 Cleaning up unneeded AIR files
 Fixing Info.plist entries
Add: ":CFBundleIconFile" Entry Already Exists
 Correct ANE symlinks
 Applying values to Entitlements
 Embedding Provisioning Profile
 Signing...
 Failed to sign AIR Framework: 1

I don't understand what Failed to sign AIR Framework: 1 mean

psyone

Ok I went a little further:

devmacpro:osx varadig$ ./sign_store.sh
 Check Tools Availability
 Copying player.app
 Making icons...
cp: Assets.xcassets/AppIcon.appiconset/icon_512x512@2x.png: Not a directory
cp: build/AppIcon.icns: No such file or directory
cp: build/Assets.car: No such file or directory
 Cleaning up unneeded AIR files
 Fixing Info.plist entries
Add: ":CFBundleIconFile" Entry Already Exists
 Correct ANE symlinks
 Applying values to Entitlements
 Embedding Provisioning Profile
 Signing...
 Verify codesign
 Codesign OK
 Building .pkg
Validate app...
hu.devinflow.dynamic.dungeons.player
Validation failed: 166

#!/bin/bash

# Code Signature invalid error is expected if you try and run your store app on your mac without uploading it.
# See https://developer.apple.com/library/archive/qa/qa1884/_index.html

# Name of your app.
APP="player"
TEAM_ID="XXXXXXXXX"

# See https://developer.apple.com/documentation/bundleresources/information_property_list/lsapplicationcategorytype
APP_CATEGORY="public.app-category.games"

# Certificates and signing.

APP_KEY="3rd Party Mac Developer Application: Varadi Gabor (XXXXXXXX)"
INSTALLER_KEY="3rd Party Mac Developer Installer: Varadi Gabor (XXXXXXXX)"
PROVISION_PROFILE="DynamicDungeonsplayer.provisionprofile"

# from https://appleid.apple.com/#!&page=signin  > Security > APP-SPECIFIC PASSWORDS > Generate password…
TWO_FAC_UN="XXXXXXXXXXXXX"
TWO_FAC_PW="XXXXXXXXXXXXX"

############################################################################################################
############################################################################################################
############################################################################################################

red=$'\e[1;31m'
grn=$'\e[1;32m'
blu=$'\e[1;34m'
mag=$'\e[1;35m'
cyn=$'\e[1;36m'
white=$'\e[0m'
PlistBuddy=/usr/libexec/PlistBuddy
pathtome=$0
pathtome="${pathtome%/*}"
cd "$pathtome"

echo ${cyn} "Check Tools Availability" ${white}

if [ ! -d "$(xcrun --show-sdk-path)" ]
then
    echo ${red} "Xcode not configured" ${white}
    exit 72
fi

if [ ! -x "${PlistBuddy}" ]
then
    echo ${red} "Couldn't find PlistBuddy" ${white}
    exit 72
fi

if [ ! -f "$pathtome/$PROVISION_PROFILE" ]; then
    echo ${red} "Can't find $PROVISION_PROFILE. Did you forget to copy it into the packaging folder?" ${white}
    exit 72
fi

echo ${cyn} "Copying $APP.app" ${white}

if [ ! -d "$pathtome/../bin/$APP.app" ]; then
    echo ${red} "Can't find ../bin/$APP.app. Package your AIR app!" ${white}
    exit 72
fi

if [ -d "$APP.app" ]; then
    rm -r "$APP.app"
fi

xattr -cr "../bin/$APP.app"
cp -R "../bin/$APP.app" "$pathtome/"

BUNDLE_ID=$( "${PlistBuddy}" -c "Print CFBundleIdentifier" "$APP.app/Contents/Info.plist" )
APP_VERSION=$( "${PlistBuddy}" -c "Print CFBundleShortVersionString" "$APP.app/Contents/Info.plist" )

echo ${cyn} "Making icons..." ${white}

if [ ! -f "$pathtome/icon-1024.png" ]; then
    echo ${red} "Can't find icon-1024.png. Create a 1024x1024 png." ${white}
    exit
fi

sips -z 16 16     icon-1024.png --out Assets.xcassets/AppIcon.appiconset/icon_16x16.png > /dev/null 2>&1
sips -z 32 32     icon-1024.png --out Assets.xcassets/AppIcon.appiconset/icon_16x16@2x.png > /dev/null 2>&1
sips -z 32 32     icon-1024.png --out Assets.xcassets/AppIcon.appiconset/icon_32x32.png > /dev/null 2>&1
sips -z 64 64     icon-1024.png --out Assets.xcassets/AppIcon.appiconset/icon_32x32@2x.png > /dev/null 2>&1
sips -z 128 128   icon-1024.png --out Assets.xcassets/AppIcon.appiconset/icon_128x128.png > /dev/null 2>&1
sips -z 256 256   icon-1024.png --out Assets.xcassets/AppIcon.appiconset/icon_128x128@2x.png > /dev/null 2>&1
sips -z 256 256   icon-1024.png --out Assets.xcassets/AppIcon.appiconset/icon_256x256.png > /dev/null 2>&1
sips -z 512 512   icon-1024.png --out Assets.xcassets/AppIcon.appiconset/icon_256x256@2x.png > /dev/null 2>&1
sips -z 512 512   icon-1024.png --out Assets.xcassets/AppIcon.appiconset/icon_512x512.png > /dev/null 2>&1
cp icon-1024.png Assets.xcassets/AppIcon.appiconset/icon_512x512@2x.png
mkdir build
xcrun actool Assets.xcassets --compile build --platform macosx --minimum-deployment-target 10.10 --app-icon AppIcon --output-partial-info-plist build/partial.plist > /dev/null 2>&1
cp -R "build/AppIcon.icns" "$APP.app/Contents/Resources"
cp -R "build/Assets.car" "$APP.app/Contents/Resources"
rm -R "build"

echo ${cyn} "Cleaning up unneeded AIR files" ${white}

xattr -cr "$APP.app"
rm -r "$APP.app/Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Resources/Adobe AIR.vch"
rm -r "$APP.app/Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Resources/WebKit.dylib"
rm -r "$APP.app/Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Resources/Flash Player.plugin"
rm -r "$APP.app/Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Resources/WebKit"
rm -r "$APP.app/Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Resources/__MACOSX"
rm -r "$APP.app/Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Resources/A2712Enabler"
xattr -cr $APP.app

echo ${cyn} "Fixing Info.plist entries" ${white}

$PlistBuddy -c "Add :LSApplicationCategoryType string $APP_CATEGORY" $APP.app/Contents/Info.plist
$PlistBuddy -c "Add :CFBundleVersion string $APP_VERSION" $APP.app/Contents/Info.plist
$PlistBuddy -c "Add :CFBundleIconName string AppIcon" $APP.app/Contents/Info.plist
$PlistBuddy -c "Add :CFBundleIconFile string AppIcon" $APP.app/Contents/Info.plist
$PlistBuddy -c "Add :CFBundleSupportedPlatforms array" $APP.app/Contents/Info.plist
$PlistBuddy -c "Add :CFBundleSupportedPlatforms: string MacOSX" $APP.app/Contents/Info.plist
# Swift requires 10.10 not AIR's 10.6
$PlistBuddy -c "Set :LSMinimumSystemVersion 10.10" $APP.app/Contents/Info.plist

echo ${cyn} "Correct ANE symlinks" ${white}
if [ -d "$APP.app/Contents/Resources/META-INF/AIR/extensions" ]; then
    cd $APP.app/Contents/Resources/META-INF/AIR/extensions
    for ane in *
    do
    IFS='.' read -ra my_array <<< "$ane"
    LEN=${#my_array[@]}
    LAST=$(( $LEN - 1 ))
    ANE_NAME="${my_array[LAST]}"

    if [[ (-d "${ane}/META-INF/ANE/MacOS-x86-64/${ANE_NAME}.framework") && (! -d "${ane}/META-INF/ANE/MacOS-x86-64/${ANE_NAME}.framework/Versions") ]]; then
        # https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPFrameworks/Concepts/FrameworkAnatomy.html
        cd "${ane}/META-INF/ANE/MacOS-x86-64/${ANE_NAME}.framework"
        mkdir Versions
        cd Versions
        mkdir A
        cd ../
        if [ -d Frameworks ]; then
            mv Frameworks Versions/A
        fi
        mv $ANE_NAME Versions/A
        mv Modules Versions/A
        mv Headers Versions/A
        mv Resources Versions/A
        cd Versions
        ln -s A Current
        cd ../
        ln -s Versions/Current/$ANE_NAME $ANE_NAME
        ln -s Versions/Current/Resources Resources
        ln -s Versions/Current/Headers Headers
        ln -s Versions/Current/Modules Modules
        cd "../../../../../"
    fi
    done
fi
cd "$pathtome"

echo ${cyn} "Applying values to Entitlements" ${white}

ROOT_ENTITLEMENTS="Root.entitlements"
CHILD_ENTITLEMENTS="Child.entitlements"

val=$($PlistBuddy -c 'print ":com.apple.developer.team-identifier"' $ROOT_ENTITLEMENTS 2>/dev/null)
exitCode=$?
if (( exitCode == 0 )); then
    $PlistBuddy -c "Set :com.apple.developer.team-identifier $TEAM_ID" $ROOT_ENTITLEMENTS
fi

val=$($PlistBuddy -c 'print ":com.apple.application-identifier"' $ROOT_ENTITLEMENTS 2>/dev/null)
exitCode=$?
if (( exitCode == 0 )); then
    $PlistBuddy -c "Set :com.apple.application-identifier $TEAM_ID.$BUNDLE_ID" $ROOT_ENTITLEMENTS
fi

val=$($PlistBuddy -c 'print ":com.apple.security.application-groups"' $ROOT_ENTITLEMENTS 2>/dev/null)
exitCode=$?
if (( exitCode == 0 )); then
    $PlistBuddy -c "Set :com.apple.security.application-groups:0 $TEAM_ID.$BUNDLE_ID" $ROOT_ENTITLEMENTS
fi

echo ${cyn} "Embedding Provisioning Profile" ${white}

cp -R $PROVISION_PROFILE "$APP.app/Contents/embedded.provisionprofile"

echo ${cyn} "Signing..." ${white}

xcrun codesign -f -s "$APP_KEY" --deep --entitlements "$CHILD_ENTITLEMENTS" --options runtime --timestamp $APP.app/Contents/Frameworks/* > /dev/null 2>&1
codesign_result=$?
if [ "${codesign_result}" != "0" ]; then
    echo ${red} "Failed to sign AIR Framework: ${codesign_result}" ${white}
    exit 1
fi
if [ -d "$APP.app/Contents/Resources/META-INF/AIR/extensions" ]; then
    cd $APP.app/Contents/Resources/META-INF/AIR/extensions
    for ane in *
    do
    IFS='.' read -ra my_array <<< "$ane"
    LEN=${#my_array[@]}
    LAST=$(( $LEN - 1 ))
    ANE_NAME="${my_array[LAST]}"
    if [ -d "${ane}/META-INF/ANE/MacOS-x86-64/${ANE_NAME}.framework" ]; then
        xcrun codesign -f -s "$APP_KEY" --deep --entitlements "$pathtome/$CHILD_ENTITLEMENTS" --options runtime --timestamp ${ane}/META-INF/ANE/MacOS-x86-64/${ANE_NAME}.framework > /dev/null 2>&1
        codesign_result=$?
        if [ "${codesign_result}" != "0" ]; then
            echo ${red} "Failed to sign ANE: ${codesign_result}" ${white}
            exit 1
        fi
    fi
    done
    cd "$pathtome"
fi
xcrun codesign -f -s "$APP_KEY" --entitlements "$ROOT_ENTITLEMENTS" --options runtime --timestamp $APP.app
codesign_result=$?
if [ "${codesign_result}" != "0" ]; then
    echo ${red} "Failed to sign main App binary: ${codesign_result}" ${white}
    exit 1
fi

val=$($PlistBuddy -c 'print ":com.apple.developer.team-identifier"' $ROOT_ENTITLEMENTS 2>/dev/null)
exitCode=$?
if (( exitCode == 0 )); then
    $PlistBuddy -c "Set :com.apple.developer.team-identifier XXX" $ROOT_ENTITLEMENTS
fi

val=$($PlistBuddy -c 'print ":com.apple.application-identifier"' $ROOT_ENTITLEMENTS 2>/dev/null)
exitCode=$?
if (( exitCode == 0 )); then
    $PlistBuddy -c "Set :com.apple.application-identifier XXX.x.x.x" $ROOT_ENTITLEMENTS
fi

val=$($PlistBuddy -c 'print ":com.apple.security.application-groups"' $ROOT_ENTITLEMENTS 2>/dev/null)
exitCode=$?
if (( exitCode == 0 )); then
    $PlistBuddy -c "Set :com.apple.security.application-groups:0 XXX.x.x.x" $ROOT_ENTITLEMENTS
fi

echo ${cyn} "Verify codesign" ${white}

xcrun codesign -vvv --deep --strict $APP.app > /dev/null 2>&1
codesign_result=$?
if [ "${codesign_result}" != "0" ]; then
    echo ${red} "Failed to sign App: ${codesign_result}" ${white}
    exit 1
fi
if [ -d "$APP.app/Contents/Resources/META-INF/AIR/extensions" ]; then
    cd $APP.app/Contents/Resources/META-INF/AIR/extensions
    for ane in *
    do
    IFS='.' read -ra my_array <<< "$ane"
    LEN=${#my_array[@]}
    LAST=$(( $LEN - 1 ))
    ANE_NAME="${my_array[LAST]}"
    if [ -d "${ane}/META-INF/ANE/MacOS-x86-64/${ANE_NAME}.framework" ]; then
        xcrun codesign -vvv --deep --strict ${ane}/META-INF/ANE/MacOS-x86-64/${ANE_NAME}.framework > /dev/null 2>&1
        codesign_result=$?
        if [ "${codesign_result}" != "0" ]; then
            echo ${red} "Failed to sign ANE Framework: ${codesign_result}" ${white}
            exit 1
        fi
    fi
    done
fi

cd "$pathtome"
echo ${grn} "Codesign OK" ${white}

echo ${cyn} "Building .pkg" ${white}

if [ -d "$APP.pkg" ]; then
    rm -r "$APP.pkg"
fi

xcrun productbuild --component "$APP.app" /Applications --sign "$INSTALLER_KEY" "$APP.pkg" > /dev/null 2>&1
codesign_result=$?
if [ "${codesign_result}" != "0" ]; then
    echo ${red} "Failed to build pkg: ${codesign_result}" ${white}
    exit 1
fi

echo ${cyn}"Validate app..." ${white}
echo "$BUNDLE_ID"
xcrun altool -t osx -f "$APP.pkg" --primary-bundle-id "$BUNDLE_ID" --validate-app -u "$TWO_FAC_UN" -p "$TWO_FAC_PW" > /dev/null 2>&1
validate_result=$?
if [ "${validate_result}" != "0" ]; then
    echo ${red}"Validation failed: ${validate_result}" ${white}
    exit 1
fi

cd "$pathtome"
echo ${grn} "Validation OK" ${white}
echo ${grn} "All Done!" ${white}

tuarua

That means the app is not quite valid.
There can be different reasons for this; missing icons, missing infoplist entries...

My guess is you haven't included all the required AppIcons (you are missing Assets.xcassets/AppIcon.appiconset/Contents.json according to the early script messages )
Don't include any icons when you export the AIR app. Let the script handle them all for you.

If you change this line to include log output it'll tell you what is the issue.
xcrun altool -t osx -f "$APP.pkg" --primary-bundle-id "$BUNDLE_ID" --validate-app -u "$TWO_FAC_UN" -p "$TWO_FAC_PW" > /dev/null 2>&1

to
xcrun altool -t osx -f "$APP.pkg" --primary-bundle-id "$BUNDLE_ID" --verbose --validate-app -u "$TWO_FAC_UN" -p "$TWO_FAC_PW"

Hint: Don't paste the full bash script in your replies It's overkill.

psyone

Thank you @tuarua , I think I'm pretty close to solve notarizing hell:
I got error about missing icons (in ICNS format):

2020-02-11 11:43:42.618 altool[9985:691502] Deallocating <ITunesSoftwareServiceWorkSeriesFactory: 0x7fc5c9e027c0>
2020-02-11 11:43:42.618 altool[9985:691502] *** Error: Unable to validate archive 'player.pkg': (
    "Error Domain=ITunesConnectionOperationErrorDomain Code=1091 \"Missing required icon. The application bundle does not contain an icon in ICNS format, containing both a 512x512 and a 512x512@2x image. For further assistance, see the Apple Human Interface Guidelines at https://developer.apple.com/macos/human-interface-guidelines/icons-and-images/app-icon\" UserInfo={NSLocalizedRecoverySuggestion=Missing required icon. The application bundle does not contain an icon in ICNS format, containing both a 512x512 and a 512x512@2x image. For further assistance, see the Apple Human Interface Guidelines at https://developer.apple.com/macos/human-interface-guidelines/icons-and-images/app-icon, NSLocalizedDescription=Missing required icon. The application bundle does not contain an icon in ICNS format, containing both a 512x512 and a 512x512@2x image. For further assistance, see the Apple Human Interface Guidelines at https://developer.apple.com/macos/human-interface-guidelines/icons-and-images/app-icon, NSLocalizedFailureReason=App Store operation failed.}"
)
Validation failed: 67

psyone

Ok i'm done the notarizing (because I dont need to upload to the app store, I share outside of that), so I need to use th sign_developerId.sh

I have another problem, with nested ffmpeg binary:

{
  "logFormatVersion": 1,
  "jobId": "831c4434-ff0e-4176-8d14-383d8898c765",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "manager.pkg",
  "uploadDate": "2020-02-11T23:51:45Z",
  "sha256": "9426dccaf3ac48fc8b2d4d04c5dc5c7807371700f518dd5b9e512b6c7c34073c",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "manager.pkg/hu.devinflow.dynamic.dungeons.manager.pkg Contents/Payload/Applications/manager.app/Contents/Resources/bin/ffmpeg",
      "message": "The binary is not signed.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "manager.pkg/hu.devinflow.dynamic.dungeons.manager.pkg Contents/Payload/Applications/manager.app/Contents/Resources/bin/ffmpeg",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "manager.pkg/hu.devinflow.dynamic.dungeons.manager.pkg Contents/Payload/Applications/manager.app/Contents/Resources/bin/ffmpeg",
      "message": "The executable does not have the hardened runtime enabled.",
      "docUrl": null,
      "architecture": "x86_64"
    }
  ]
}

I think I need to add something to the Child.entitlements file.

psyone

Thank you @tuarua, the application is successfully notarized!

kxk

Hi,

I need a help. It's urgent for me. I notarized my app successfully with @tuarua's script (for developer id not for mac store). There is no problem so far.
But after notarizing process, the app cannot load files. I know there is a "com.apple.security.files.user-selected.read-write" key in entitlements. But weird thing is that if i copy my app and files folder into Application folder, it loads files and works correct.
My app doesn't need installation. It must work without installation. Because my app uses too much files, i cant embed files into the app. (I am using macOS High Sierra).

Thanks.

tuarua

Root.entitlements has set com.apple.security.app-sandbox to true which means your app is in a sandbox and is restricted to files it can load.

App Sandbox provides protection to system resources and user data by limiting your app’s access to resources requested through entitlements.

https://github.com/tuarua/WebViewANE/blob/master/mac_installer/Root.entitlements#L5

This is required for App Store submissions but not Notarized apps.

Try setting it to false

kxk

tuarua Thanks for the reply. I am already done that. It works but I have a different problem now.

The application is successfully notarized. And I compressed my app file like this

... ditto -c -k --sequesterRsrc --keepParent "$APP.app" "$APP.app.zip" xcrun altool -t osx -f "$APP.app.zip" --primary-bundle-id "$BUNDLE_ID" --notarize-app -u "$TWO_FAC_UN" -p "$TWO_FAC_PW" --output-format xml > "notarize_result.plist" ...

After successfully mail arrived

rm -r "$APP.app.zip" xcrun stapler staple -q "$APP.app" ditto -c -k --sequesterRsrc --keepParent "$APP.app" "$APP.app.zip"

I checked like this

`xcrun stapler validate kk.app
Processing: /Users/kk/Desktop/test/kk.app
The validate action worked!

spctl -a -vvv kk.app
kk.app/: accepted
source=Developer ID - (Notarized Developer ID on macOS Catalina)
override=security disabled
origin=Developer ID Application: xxxxxxxxxxxxx`

Now I want to distribute my zip file. I sent it to someone who has macOS 10.15.3 Catalina to try the app. He downloaded and unzip the zip file. The app runs but still doesn't load files.

Do you have any idea? What am I missing?

zwetan

kxk Do you have any idea? What am I missing?

because you don't install a mac app from a zip file
you HAVE TO provide an installer, either DMG or PKG

see App Translocation

Starting with macOS Sierra, running a newly-downloaded app from a disk image, archive, or the Downloads directory will cause Gatekeeper to isolate that app at a unspecified read-only location in the filesystem. This will prevent the app from accessing code or content using relative paths.

kxk

@zwetan It's interesting because my apps work on High Sierra and some Catalina machines. I distributed my apps in zip files. But some machines that contain Catalina doesn't run the apps. I didn't have any problem until now.

But you are right. I should use the dmg. But my app needs 4GB external resources. Should I notarize my dmg with whole assets or is it enough to notarize just .app file and after then create dmg file?

zwetan

kxk But my app needs 4GB external resources. Should I notarize my dmg with whole assets or is it enough to notarize just .app file and after then create dmg file?

it should be enough to sign/notarize an app and sync the assets later
but that's probably depends on where you store the assets, you will need to test it

kxk

@zwetan Okay thank you.

wak932

tuarua Hi, nice to get some more detail, thanks. Those permissions are particular to my app but it was unclear to me which ones were needed to make it work because of the webview and what was due to other aspects. Just wanted to flag to folks that the permissions were a big issue.

I, of course, have now hit the wall of the binaries not being signed (as you've point out "--deep" doesn't mean what I think it means)

think I should be able muddle through with the stuff you've posted for psyone, just wanted to say thanks!

2dguy

hmm... looking over this thread, wouldn't it be easier to buy a cheap PC for just the build process?

tuarua

2dguy wouldn't it be easier to buy a cheap PC for just the build process?

That makes no sense. Why would you buy a PC to build a macOS app for the App Store?

2dguy

tuarua sorry... my bad... that part went completely over my head and just never looked back.

Gene_Pavlovsky

@tuarua Thanks to your script, I was able to notarize a client's AIR/Flex application for macOS. They are distributing their app outside the App Store, so I used a Developer ID Application certificate for signing.
I did some modifications to your script, and have a few questions.

What is the icon building code for?
We already had icons as part of the Adobe AIR app, and those seem to be working fine.

Our app is using WebKit to run a 3rd party JS library, so I had to keep the WebKit-related files your script deletes.
I kept the A2712Enabler, perhaps this can be deleted, but I didn't bother trying.

With all of this done, I still had some notarization errors regarding missing signatures and timestamps on some AIR-related files. I've had to add this code to fix those errors:

for bin in WebKit.dylib A2712Enabler; do
	xcrun codesign -f -s "$CERT" --entitlements "$ENTITLEMENTS" --timestamp -o runtime "$APP/Contents/Frameworks/Adobe AIR.framework/Resources/$bin" ||
		die "Failed to sign AIR Framework binary: $bin"
done
for plugin in "Flash Player.plugin"; do
	xcrun codesign -f -s "$CERT" --entitlements "$ENTITLEMENTS" --deep --timestamp -o runtime "$APP/Contents/Frameworks/Adobe AIR.framework/Resources/$plugin" ||
		die "Failed to sign AIR Framework plugin: $plugin"
done

Another problem I've had: the app is using NativeProcess to run a bundled command-line executable, which is a driver for my client's USB HID device. I've had to do some experimenting to manage to have this driver properly signed (such that notarization is happy), and also operating. If you're curious, the driver (a C++ program based on open-source hidapi library) needed an entitlements file with just this com.apple.security.cs.allow-dyld-environment-variables key set to true. Initially I tried to enable the app sandbox and give it USB hardware access entitlement. But the binary then gave me an Illegal instruction: 4 error. Anyway, the thusly signed driver runs by itself on the command line, however when our AIR app is signed, it is unable to run the driver. To make it work I had to set com.apple.security.app-sandbox to false. Since we don't submit this app to the App Store, perhaps this is completely fine. But maybe it would be possible to do something else to make it work without disabling the app sandbox?

tuarua

Gene_Pavlovsky What is the icon building code for?

adt doesn't build a complete set of icons for the App Store. It is missing 512@2x which was added in recent years. A macOS Assets.car is also now expected. A notarized app maybe doesn't need these.

com.apple.security.app-sandbox is a requirement for App Store apps but not for Notarized apps.

To distribute a macOS app through the Mac App Store, you must enable the App Sandbox capability.

Given that you are running a Native Process (which is in effect the Terminal) you are operating outside the sandbox so you will need to disable it.
https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_security_app-sandbox

A Boolean value that indicates whether the app may use access control technology to contain damage to the system and user data if an app is compromised.

There's no secret magic to any of these entitlement settings. Read the descriptions to determine which ones you do/don't need to use.

https://developer.apple.com/documentation/security/app_sandbox
https://developer.apple.com/documentation/security/hardened_runtime

« Previous Page Next Page »