Hello,
I am new to the apple developer program. I, and my team, are working on porting some medical software that we have written from Windows to MacOS. We obviously want to notarize our app to make it easy for professionals and colleagues to use. The software is entirely written in python and includes ffmpeg for one of the features to export the medical data to video and compiled to a single file with pyinstaller, like so:
pyinstaller app_name.py --noconfirm --onefile --add-data "ffmpeg:ffmpeg"
chmod +x dist/app_name*
We are currently adding the signing and notarization of the app to our github workflow. The workflow build a successful app with the correct structure and is able to be run if we allow it past the MacOS firewall. We are signing the app like so:
run: |
BINARY_PATH="dist/app_name"
IDENTITY=$(security find-identity -p codesigning -v | grep -E 'Developer ID Application|Mac Developer' | head -n1 | awk -F\" '{print $2}')
echo "Using identity: $IDENTITY"
security unlock-keychain -p "" build.keychain
codesign --verbose=4 --force --options runtime --timestamp --entitlements .github/mac_build_tools/entitlements.plist --sign "$IDENTITY" "$BINARY_PATH"
codesign --verify --verbose=4 "$BINARY_PATH"
We then also move the binary around into an app structure and sign that as well like so
echo "Moving contents to SedPlot.app"
mkdir -p dist/app_name.app/Contents/MacOS
mv "$BINARY_PATH" dist/app_name.app/Contents/MacOS
cp .github/mac_build_tools/Info.plist dist/app_name.app/Contents
echo -n "APPL????" > dist/app_name.app/Contents/PkgInfo
echo "Signing App"
codesign --verbose=4 --force --options runtime --timestamp --entitlements .github/mac_build_tools/entitlements.plist --sign "$IDENTITY" dist/app_name.app
codesign --verify --verbose=4 dist/app_name.app
codesign --display --entitlements :- dist/app_name.app
If I upload the artifact and check its properties, everything looks good. It has the correct ID associated with it and shows as valid when I use codesign --verify on it. I start having issues when I move onto notarization, like so:
cd dist
echo "Zipping and checking the zip"
ditto -c -k --keepParent app_name.app app_name.zip
zipinfo -1 app_name.zip | head
echo "$AC_API_KEY" > AuthKey.p8
SUBMISSION_ID=$(xcrun notarytool submit app_name.zip \
--key AuthKey.p8 \
--key-id "$AC_KEY_ID" \
--issuer "$AC_ISSUER_ID" \
--team-id "TEAM_ID" \
--output-format json | jq -r '.id')
echo "Submitted notarization with ID: $SUBMISSION_ID"
All of the print statements for errors look good at this point, and the submission ID shows up in my history when I query it. However, all 7 attempts that I have made to notarize this app hang for indefinite amounts of time. We are hoping to submit our tool for publication soon, and it would be helpful to know if there is an issue causing the hang on our end or if this is an issue with new developers.
I have been reading around the forums and see some notes about this taking about a week until the system start to "learn" about our development team and our attempts to notarize. I also know that there is limited amounts that can be said about the backend of the notarizations step. What would be helpful is a few things:
- I would like feedback about if there is a fundamental flaw in our approach for signing and notarizing our application, so that we can identify it.
- I would appreciate some guidelines about how long to expect this notarization step to take until we can get notarization to finish within 10s of minutes, as we have a hard-coded 30 min wait time for the completion of the notarization in our workflow right now.
- It would be helpful to know how to check our logs, as requesting the logs for any of our attempts results in being told that the logs are not available yet.
In case someone from apple is interested in this and wants to check, the most-recent submission ID (the one that I believe should be most-likely correct and valid) is 9ef24966-42a5-47db-a7e0-c6baf0310ac4
Thank you in advance!