Hello,
we have a product package which is structured like this:
Installer.pkg
    Distribution
    Main Component.pkg
        Scripts
            preinstall
            postinstall
            helper [ Mach-O executable ]
        Payload
            Application Bundle.app
    Another Component.pkg
    ...
The helper is our custom CLI helper tool, which we build and sign and plan to use in the pre/post install scripts.
I'd like to ask whether we need to independently notarize and staple the helper executable, or whether the top-level pkg notarization is sufficient in this case?
We already independently notarize and staple the Application Bundle.app, so it has a ticket attached. But that's because of customers who often rip open the package and pick only the bundle. We don't plan to have the helper executable used outside of the installation process.
Thank you, o/
In general, the notary service should include all Mach-O images in your submission in the ticket that it issues. Thus, you shouldn’t have to notarise helper independently, or Application Bundle.app for that matter [1].
However, I recommend that you check this, just to be sure. To do that:
- Submit your package for notarisation.
- On successful notarisation, fetch the notary log.
- See if it lists the cdhash values for helper.
IMPORTANT If your helper has multiple architectures, check that both cdhash values are present.
For more on cdhash values, see TN3126 Inside Code Signing: Hashes. For more background on how this stuff works, see Notarisation Fundamentals. For links to lots of other notarisation info, see Notarisation Resources.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
[1] Although it’s fine to do that if, for example, you also distribute the app via some other channel that doesn’t involve this installer package.
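The check in the list above (fetch the notary log, confirm every architecture of helper has its cdhash in the ticket) can be scripted. The following is an added example, not code from the thread or from Apple: it parses the `CDHash=` line from `codesign -d -vvv --arch <arch> helper` output and the `ticketContents` entries of a notary log saved with `xcrun notarytool log <submission-id> log.json`, then reports which architectures are missing from the ticket. The sample log and codesign output are constructed inline (placeholder cdhash values, and the nested `Installer.pkg/...` path layout is an assumption about how the log names files inside a product package).

```python
"""Verify that a notary ticket covers every architecture of a helper binary.

Added example (not Apple's code). Inputs on a real machine:
  codesign -d -vvv --arch x86_64 helper 2> helper-x86_64.txt
  codesign -d -vvv --arch arm64  helper 2> helper-arm64.txt
  xcrun notarytool log <submission-id> log.json
"""
import json
import re

# Constructed placeholder cdhash values (real ones are 40 hex chars, one per slice).
HELPER_CDHASH = {
    "x86_64": "1111111111111111111111111111111111111111",
    "arm64": "2222222222222222222222222222222222222222",
}

# Constructed excerpt of `codesign -d -vvv --arch arm64 helper` (written to stderr).
SAMPLE_CODESIGN_ARM64 = """Executable=/Users/build/helper
Identifier=com.example.helper
Format=Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=2222222222222222222222222222222222222222
Hash choices=sha256
CDHash=2222222222222222222222222222222222222222
"""

# Constructed notary log. The field names (ticketContents, path, cdhash, arch)
# follow the notarytool log format; the nested pkg paths are an assumption.
_LOG = {
    "logFormatVersion": 1,
    "status": "Accepted",
    "statusSummary": "Ready for distribution",
    "ticketContents": [
        {"path": "Installer.pkg/Main Component.pkg/Scripts/helper",
         "digestAlgorithm": "SHA-256", "cdhash": HELPER_CDHASH["x86_64"], "arch": "x86_64"},
        {"path": "Installer.pkg/Main Component.pkg/Scripts/helper",
         "digestAlgorithm": "SHA-256", "cdhash": HELPER_CDHASH["arm64"], "arch": "arm64"},
        {"path": "Installer.pkg/Main Component.pkg/Payload/Application Bundle.app/"
                 "Contents/MacOS/Application Bundle",
         "digestAlgorithm": "SHA-256", "cdhash": "3" * 40, "arch": "arm64"},
    ],
    "issues": None,
}
SAMPLE_LOG = json.dumps(_LOG)
# Same log with the arm64 slice of helper absent: the failure case to catch.
SAMPLE_LOG_MISSING_ARM64 = json.dumps({
    **_LOG,
    "ticketContents": [e for e in _LOG["ticketContents"]
                       if not (e["path"].endswith("/helper") and e["arch"] == "arm64")],
})

CDHASH_RE = re.compile(r"^CDHash=([0-9a-f]{40})$", re.MULTILINE)


def local_cdhash(codesign_output: str) -> str:
    """Extract the CDHash= value from `codesign -d -vvv --arch <arch> <file>` output."""
    m = CDHASH_RE.search(codesign_output)
    if not m:
        raise ValueError("no CDHash line found; is the binary signed?")
    return m.group(1)


def ticket_cdhashes(log_text: str, basename: str) -> dict[str, set[str]]:
    """Map arch -> cdhash values the ticket lists for files whose last path component is basename."""
    found: dict[str, set[str]] = {}
    for entry in json.loads(log_text).get("ticketContents") or []:
        if entry["path"].rsplit("/", 1)[-1] == basename:
            found.setdefault(entry["arch"], set()).add(entry["cdhash"])
    return found


def missing_from_ticket(log_text: str, basename: str, expected: dict[str, str]) -> list[str]:
    """Return the architectures whose locally computed cdhash is not in the ticket."""
    found = ticket_cdhashes(log_text, basename)
    return sorted(arch for arch, h in expected.items() if h not in found.get(arch, set()))


if __name__ == "__main__":
    expected = {"x86_64": HELPER_CDHASH["x86_64"], "arm64": local_cdhash(SAMPLE_CODESIGN_ARM64)}
    for name, log in (("complete", SAMPLE_LOG), ("missing arm64", SAMPLE_LOG_MISSING_ARM64)):
        missing = missing_from_ticket(log, "helper", expected)
        print(f"{name}: {'OK' if not missing else 'not covered: ' + ', '.join(missing)}")
```

Run it per architecture of the helper: a universal binary has one cdhash per slice, so an empty result from `missing_from_ticket` is what confirms the IMPORTANT point above, while a non-empty list means that slice would fail the notarization check on the customer's Mac.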