How to sign and notarize a non-App application

We have been releasing an application on MacOSX for many years which is integrated with installed Java applications by users.
To date, we have been distributing a tar.gz file on MacOSX with the following structure (simplified)

app_home
. bin
. . myapp (binary)
. . myappcmd.sh
. lib
. . libapp.jnilib (binary)
. . app.jar (jar file)
. conf
. . app.conf (text file)
When this is downloaded by users the entire tar.gz and extracted files are quarantined.

I have figured out how to use codesign to sign our binaries (myapp and libapp.jnilib) and that of course can be placed into the tar.gz.

I see that the notarization process allows for the upload of zip, dmg, or pkg files. But all of the documentation that I can find says that internally it needs to be structured as an App bundle.

Our application does not work that way. We are fine with moving over to another bundle format. But how can we set things up to let a user download unquarantined files and then copy them into their own application?

We know how to manually remove the quarantine attributes on all the files, but that is not a good solution.

Thanks in advance.
Notarising your current structure should be easy:
  1. Temporarily convert your tar archive to a zip archive.

  2. Notarise the zip archive.

  3. There is no step 3 (-:

There’s normally an extra step here, which is to staple the ticket to your product, but in your case that’s not possible because you can’t staple to a tar archive (or a zip archive for that matter). This means that, if the Mac is offline when the user first runs your code, it may end up being blocked by Gatekeeper.
Having said that, I’m concerned about the security of your product. A key goal of all this code signing stuff is to prevent users from running unsigned code. That’s only partially the case here because, while your native code is signed, your Java code, shell scripts, and so on aren’t.

How you fix this depends on your target market. I presume that you’re not actually shipping an app here, that is, something that users double click in the Finder? Rather, your users expect to run your code from Terminal?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
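The two steps Quinn describes, plus a check for the unsigned jar and shell script he flags, as an added example script that is not part of this thread. It assumes a "Developer ID Application" identity in the keychain (the IDENTITY value is a placeholder) and a notarytool keychain profile named AC_PROFILE.

```shell
#!/bin/sh
# Added example, not code from the thread. IDENTITY is a placeholder; PROFILE
# is a notarytool profile created with `xcrun notarytool store-credentials`.
set -eu

IDENTITY="${IDENTITY:-Developer ID Application: PLACEHOLDER (TEAMID)}"
PROFILE="${PROFILE:-AC_PROFILE}"

# Name of the zip that temporarily replaces the tar.gz (pure helper).
zip_name_for() {
    case "$1" in
        *.tar.gz) printf '%s.zip\n' "${1%.tar.gz}" ;;
        *.tgz)    printf '%s.zip\n' "${1%.tgz}" ;;
        *)        return 1 ;;
    esac
}

# Sign every Mach-O file (myapp, libapp.jnilib) with hardened runtime and a
# secure timestamp; the notary service rejects binaries missing either.
sign_native() {
    find "$1" -type f | while read -r f; do
        if file -b "$f" | grep -q '^Mach-O'; then
            codesign --force --timestamp --options runtime -s "$IDENTITY" "$f"
            codesign --verify --strict "$f"
        fi
    done
}

# Report what notarization does not vouch for: the jar, the shell script
# and app.conf carry no signature, which is the gap Quinn points out.
list_unsigned() {
    find "$1" -type f | while read -r f; do
        codesign --verify "$f" >/dev/null 2>&1 || echo "unsigned: $f"
    done
}

# Extract, sign, repack with ditto (keeps the xattrs Apple expects), submit.
# No stapling step: a zip cannot carry the ticket (offline first runs may block).
notarize() {
    tarball="$1"
    zipfile=$(zip_name_for "$tarball")
    work=$(mktemp -d)
    tar -xzf "$tarball" -C "$work"
    sign_native "$work"
    list_unsigned "$work"
    ditto -c -k --keepParent "$work/app_home" "$zipfile"
    xcrun notarytool submit "$zipfile" --keychain-profile "$PROFILE" --wait
}
if [ $# -eq 1 ]; then notarize "$1"; fi
```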