Stapling a compressed DMG image

I have successfully signed my app for Mac OS, created a dmg image and converted it to a compressed file. I signed and notarized the dmg file. Then I stapled the dmg file as recommended by 'Signing a Mac Product For Distribution'.

I tested that the dmg is stapled. However, the app inside the dmg is not.

% xcrun stapler validate 'My App.app'
Processing: /Volumes/My App Install/My App.app
My App.app does not have a ticket stapled to it.

The dmg is compressed and read only. I can't staple the app directly. I can also staple the app before compression. But after compression I cannot staple the dmg any more.

My questions are:

  1. I have already stapled my compressed DMG file, do I need to staple my app?
  2. If that is necessary, do I notarize the app, staple it, then create the dmg file, sign it, notarize the dmg and staple the dmg?
  3. If that is not the right workflow, can you give me some pointers on how to do this?

Thank you in advance.

By the way, in my second question, does it still make sense to use the same app-specific password stored in the keychain to notarize both the dmg and the app? Or should I generate another app-specific password to notarise the dmg file, so we are treating the dmg and the app as two specific programs?

1. I have already stapled my compressed DMG file, do I need to staple my app?

No. When the user mounts the disk image Gatekeeper will ingest the ticket attached to the disk image, which covers both the disk image and the app.

does it still make sense by using the same app-specific password stored in the keychain to notarize both the dmg and the app?

Yes. The app in app-specific password is referring to notarytool, not the app you’re publishing.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Quinn,

Thanks for your fast response.

Let me get this right: so Gatekeeper only needs to ingest the ticket once and registers both the dmg and the app on the user's Mac? From there on Gatekeeper will recognise both files and does not need to read the ticket anymore?

So it means that as long as the disk image is properly signed, notarized and stapled, after the user mounts the disk image and installs the app by dragging it to the Applications folder, the app can run by itself without the ticket and does not need the presence of the disk image?

If this is true, I think I am ready to distribute my app already!

Quinn,

I have a misimpression that Gatekeeper will check any app whenever it is launched. The Apple documents I read have not mentioned explicitly that Gatekeeper only checks quarantined files and not the installed app. But in the Wikipedia article Gatekeeper (macOS):

Once an application has passed File Quarantine or Gatekeeper, it will be allowed to run normally and will not be verified again.

Is the statement true up to Monterey 12?

Regards

Let me get this right …

Your summary is correct.

But don’t take my word for it. I encourage you to test your Gatekeeper compliance before shipping your product. For specific advice, see Testing a Notarised Product.


I have a misimpression that Gatekeeper will check any app whenever it is launched.

This story here is a complex one, and it’s evolved over time. However:

  • Gatekeeper always checks quarantined apps.

  • Starting with macOS 10.15, Gatekeeper checks other forms of quarantined code.

  • It may check high-security code, like kexts, more regularly.

  • macOS 13 adds bundle tamper protection, as discussed in the WWDC session linked to by the Trusted Execution Resources pinned post.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
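The Gatekeeper compliance check Quinn recommends, written out as an added example (this script is not from the thread or from Apple): it confirms the ticket is on the compressed dmg, mounts the image read-only and assesses the app inside it, which is exactly the case where the app itself carries no ticket. It assumes macOS with the Xcode command line tools (xcrun stapler, spctl, hdiutil); the stapler success text "The validate action worked!" and the hdiutil column layout are assumptions, while the failure text is the one quoted above.

```shell
#!/bin/sh
# Added example: verify a stapled, compressed DMG the way a clean test Mac
# would see it. Only stapler_says_stapled runs without macOS tools.

# Return 0 if stapler's output reports a ticket, 1 otherwise.
# The failure text is the one from the thread; the success text is assumed.
stapler_says_stapled() {
    case "$1" in
        *"does not have a ticket stapled"*) return 1 ;;
        *"validate action worked"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Validate the DMG ticket, assess the DMG, then assess every app inside it.
verify_dmg() {
    dmg=$1
    out=$(xcrun stapler validate "$dmg" 2>&1)
    if ! stapler_says_stapled "$out"; then
        printf 'DMG is not stapled:\n%s\n' "$out" >&2
        return 1
    fi
    # Gatekeeper assessment of the disk image itself.
    spctl --assess --type open --context context:primary-signature -v "$dmg" || return 1
    # Mount read-only; the mount point is the last tab-separated column (assumed).
    mnt=$(hdiutil attach -nobrowse -readonly "$dmg" | awk -F'\t' '/\/Volumes\// {print $NF}')
    [ -n "$mnt" ] || { echo "attach failed" >&2; return 1; }
    status=0
    for app in "$mnt"/*.app; do
        [ -d "$app" ] || continue
        # With the ticket only on the DMG, this should still report
        # "accepted" with source=Notarized Developer ID.
        spctl --assess --type exec -vv "$app" || status=1
    done
    hdiutil detach "$mnt" >/dev/null
    return "$status"
}

# Usage: sh verify_dmg.sh "My App.dmg"
if [ "$#" -gt 0 ]; then
    verify_dmg "$1"
fi
```

Run it on a test Mac with the network disabled to reproduce the offline case Quinn describes.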

Quinn,

Got it. I followed Testing a Notarised Product, and everything works fine on a clean Mac without the internet.

Thanks again. I got past the beginner level and am now distributing the app to my users.
