
Support for notarization for apple code signing #381

Closed
ibotty opened this issue Apr 15, 2021 · 9 comments
Labels
apple-codesign Functionality related to signing Apple binaries enhancement New feature or request

Comments

@ibotty

ibotty commented Apr 15, 2021

It would be great to have a means to notarize on non-mac platforms.

@indygreg indygreg added apple-codesign Functionality related to signing Apple binaries enhancement New feature or request labels Apr 15, 2021
@indygreg (Owner)

Yes, it would be nice!

The main blocker to this is I'm unsure the technical mechanism at play. It appears adding notarization to a bundle is as simple as writing the Apple-produced notarization ticket/file to the bundle. However, getting that ticket is a bit more complicated.

I think notarization is effectively uploading an archive to Apple servers and then waiting for them to notarize it. It appears that under the hood notarization is using Apple's Transporter app for doing the remote server interactions (https://help.apple.com/itc/transporteruserguide/#/apdA17fcd7d1).

But this is as far as I've gotten. I'm not sure what the HTTP requests look like and how much effort is required to re-implement this functionality outside of Transporter. I believe Transporter is Java and can run on other platforms. So worst case we could instruct people to install that program and script its execution. Although I'd prefer to implement functionality in pure Rust to keep things simpler.

If anyone could help by providing details of how notarization works at a technical level, it would be greatly appreciated. Pointers to other open source tools implementing the functionality would also help.

@ibotty (Author)

ibotty commented Apr 15, 2021

Unfortunately I only know about the (Mac) command line incarnations like xcrun altool --notarize-app .... That's even further away from the wire than the link you posted. Hopefully someone has more insight.

@indygreg (Owner)

I just pushed code to main (look at commit 386f5d2 and preceding commits) that implements notarization and stapling for macOS .app bundles. Just run rcodesign notarize --staple --api-issuer <UUID> --api-key <API KEY ID> /path/to/MyApp.app against a signed macOS .app bundle and it should do the rest.

It currently relies on Apple Transporter to upload an asset to Apple for notarization. But that tool is available for Linux and Windows. So in effect this means that it is now possible to sign, notarize, and staple from !macOS using this crate.

I think that modern Apple tools like notarytool use a separate endpoint for uploads and it might be possible to eliminate the dependency on Transporter and do everything in pure Rust. But that's a yak shave for another time.

There are currently a ton of rough edges. No support for non-macOS .app bundles (I'm guessing the market for iOS bundle signing would be huge). No support for .pkg files (looks pretty easy to implement). No support for .dmg (this might be hard if it requires parsing filesystems within DMG - I'm not sure if code signature data is in the plist in DMGs or what). No support for stapling a ticket inside a binary (just to the bundle). And the documentation is overall pretty poor. I need to set aside time to fill in the missing features and make the documentation much more usable...

@indygreg (Owner)

Example output (from a Linux machine):

$ cargo run --bin rcodesign -- notarize --api-issuer <redacted> --api-key <redacted> ~/tmp/PyOxidizer.app --staple
[2022-03-22T01:37:10Z WARN  rcodesign::notarization] writing App Store Package to /tmp/apple-codesign-fsWtgj/49f8079c-a332-4e29-a47a-09756e908055.itmsp
[2022-03-22T01:37:10Z INFO  rcodesign::notarization] primary bundle identifier: com.gregoryszorc.pyox
[2022-03-22T01:37:10Z INFO  rcodesign::notarization] app platform: osx
[2022-03-22T01:37:10Z INFO  rcodesign::notarization] asset type: developer-id-package
[2022-03-22T01:37:10Z WARN  rcodesign::notarization] producing zip file containing /home/gps/tmp/PyOxidizer.app
[2022-03-22T01:37:13Z INFO  rcodesign::notarization] writing /tmp/apple-codesign-fsWtgj/49f8079c-a332-4e29-a47a-09756e908055.itmsp/PyOxidizer.app.zip
[2022-03-22T01:37:13Z INFO  rcodesign::notarization] writing /tmp/apple-codesign-fsWtgj/49f8079c-a332-4e29-a47a-09756e908055.itmsp/metadata.xml
[2022-03-22T01:37:13Z WARN  rcodesign::notarization] invoking /usr/local/itms/bin/iTMSTransporter with args: ["-m", "upload", "-apiIssuer", "<redacted>", "-apiKey", "<redacted>", "-f", "/tmp/apple-codesign-fsWtgj/49f8079c-a332-4e29-a47a-09756e908055.itmsp", "-vp", "json"]
[2022-03-22T01:37:13Z INFO  rcodesign::notarization] transporter output> [2022-03-21 18:37:13 PDT] <main> DEBUG: Setting System property: DataCenters = contentdelivery01.itunes.apple.com,contentdelivery02.itunes.apple.com
[2022-03-22T01:37:13Z INFO  rcodesign::notarization] transporter output> [2022-03-21 18:37:13 PDT] <main> DEBUG: Setting System property: DataCenters.host = contentdelivery01.itunes.apple.com
[2022-03-22T01:37:13Z INFO  rcodesign::notarization] transporter output> [2022-03-21 18:37:13 PDT] <main> DEBUG: Setting System property: DataCenters.setBy = Defaults.properties
[2022-03-22T01:37:14Z INFO  rcodesign::notarization] transporter output> [2022-03-21 18:37:14 PDT] <main>  INFO: Configuring logging...
[2022-03-22T01:37:14Z INFO  rcodesign::notarization] transporter output> [2022-03-21 18:37:14 PDT] <main>  INFO: Logging level set to eXtreme
...
[2022-03-22T01:37:29Z INFO  rcodesign::notarization] transporter output> [2022-03-21 18:37:29 PDT] <main>  INFO: Setting transport log file: /tmp/49f8079c-a332-4e29-a47a-09756e908055-20220321183728-090.itmsp16632352782833886474.log
[2022-03-22T01:37:29Z INFO  rcodesign::notarization] transporter output> [2022-03-21 18:37:29 PDT] <main>  INFO: Starting upload for packageName: 49f8079c-a332-4e29-a47a-09756e908055-20220321183728-090.itmsp
[2022-03-22T01:37:29Z INFO  rcodesign::notarization] transporter output> [2022-03-21 18:37:29 PDT] <main>  INFO: Thread Pool Configuration: {rateLimit=100000000000 KBs, minConnections=6, coreThreads=6, perCoreThreadMultiplier=1.65, processors=32, maxThreads=14, maxConnections=13}
[2022-03-22T01:37:29Z INFO  rcodesign::notarization] transporter output> [2022-03-21 18:37:29 PDT] <main>  INFO: Reservation CPUSource125/v4/75/c4/f2/75c4f219-63a7-4b6c-a191-44be97841860/metadata.xml created for file: (metadata.xml), part count:(1), file size: (475)
[2022-03-22T01:37:29Z INFO  rcodesign::notarization] transporter output> [2022-03-21 18:37:29 PDT] <main>  INFO: Reservation CPUSource125/v4/75/c4/f2/75c4f219-63a7-4b6c-a191-44be97841860/PyOxidizer.app.zip created for file: (PyOxidizer.app.zip), part count:(5), file size: (21957298)
[2022-03-22T01:37:29Z INFO  rcodesign::notarization] transporter output> [2022-03-21 18:37:29 PDT] <main>  INFO: Computing total size of files to upload ...
[2022-03-22T01:37:29Z INFO  rcodesign::notarization] transporter output> [2022-03-21 18:37:29 PDT] <main> DBG-X:   adding file for % complete logging: metadata.xml , size: 475
[2022-03-22T01:37:29Z INFO  rcodesign::notarization] transporter output> [2022-03-21 18:37:29 PDT] <main> DBG-X:   adding file for % complete logging: PyOxidizer.app.zip , size: 21957298
[2022-03-22T01:37:29Z INFO  rcodesign::notarization] transporter output> [2022-03-21 18:37:29 PDT] <main> DEBUG: Setting total size of files for upload to: 21957773
[2022-03-22T01:37:29Z INFO  rcodesign::notarization] transporter output> [2022-03-21 18:37:29 PDT] <main>  INFO: Done computing total size of files to upload.
[2022-03-22T01:37:29Z INFO  rcodesign::notarization] transporter output> [2022-03-21 18:37:29 PDT] <RLT-004>  INFO: Starting upload for reservation: (CPUSource125/v4/75/c4/f2/75c4f219-63a7-4b6c-a191-44be97841860/PyOxidizer.app.zip) file: (PyOxidizer.app.zip/4) size: 5242880
[2022-03-22T01:37:29Z INFO  rcodesign::notarization] transporter output> [2022-03-21 18:37:29 PDT] <RLT-002>  INFO: Starting upload for reservation: (CPUSource125/v4/75/c4/f2/75c4f219-63a7-4b6c-a191-44be97841860/metadata.xml) file: (metadata.xml/1) size: 475
[2022-03-22T01:37:29Z INFO  rcodesign::notarization] transporter output> [2022-03-21 18:37:29 PDT] <RLT-003>  INFO: Starting upload for reservation: (CPUSource125/v4/75/c4/f2/75c4f219-63a7-4b6c-a191-44be97841860/PyOxidizer.app.zip) file: (PyOxidizer.app.zip/5) size: 985778
[2022-03-22T01:37:29Z INFO  rcodesign::notarization] transporter output> [2022-03-21 18:37:29 PDT] <RLT-005>  INFO: Starting upload for reservation: (CPUSource125/v4/75/c4/f2/75c4f219-63a7-4b6c-a191-44be97841860/PyOxidizer.app.zip) file: (PyOxidizer.app.zip/3) size: 5242880
[2022-03-22T01:37:29Z INFO  rcodesign::notarization] transporter output> [2022-03-21 18:37:29 PDT] <RLT-007>  INFO: Starting upload for reservation: (CPUSource125/v4/75/c4/f2/75c4f219-63a7-4b6c-a191-44be97841860/PyOxidizer.app.zip) file: (PyOxidizer.app.zip/1) size: 5242880
[2022-03-22T01:37:29Z INFO  rcodesign::notarization] transporter output> [2022-03-21 18:37:29 PDT] <RLT-006>  INFO: Starting upload for reservation: (CPUSource125/v4/75/c4/f2/75c4f219-63a7-4b6c-a191-44be97841860/PyOxidizer.app.zip) file: (PyOxidizer.app.zip/2) size: 5242880
[2022-03-22T01:37:29Z INFO  rcodesign::notarization] transporter output> [2022-03-21 18:37:29 PDT] <RLT-003>  INFO:      File: PyOxidizer.app.zip 16384/21957298, 0.07% completed
[2022-03-22T01:37:29Z INFO  rcodesign::notarization] transporter output> [2022-03-21 18:37:29 PDT] <RLT-002>  INFO:      File: metadata.xml 475/475, 100.00% completed
[2022-03-22T01:37:29Z INFO  rcodesign::notarization] transporter output> [2022-03-21 18:37:29 PDT] <RLT-006>  INFO:      File: PyOxidizer.app.zip 49152/21957298, 0.22% completed
[2022-03-22T01:37:29Z INFO  rcodesign::notarization] transporter output> [2022-03-21 18:37:29 PDT] <RLT-007>  INFO: Package upload progress: 0.15% completed
[2022-03-22T01:37:29Z INFO  rcodesign::notarization] transporter output> [2022-03-21 18:37:29 PDT] <RLT-006>  INFO:      File: PyOxidizer.app.zip 81920/21957298, 0.37% completed
[2022-03-22T01:37:29Z INFO  rcodesign::notarization] transporter output> [2022-03-21 18:37:29 PDT] <RLT-003>  INFO: Package upload progress: 0.30% completed
[2022-03-22T01:37:29Z INFO  rcodesign::notarization] transporter output> [2022-03-21 18:37:29 PDT] <RLT-003>  INFO:      File: PyOxidizer.app.zip 114688/21957298, 0.52% completed
...
[2022-03-22T01:37:29Z INFO  rcodesign::notarization] transporter output> [2022-03-21 18:37:29 PDT] <RLT-004>  INFO: Package upload progress: 99.93% completed
[2022-03-22T01:37:29Z INFO  rcodesign::notarization] transporter output> [2022-03-21 18:37:29 PDT] <RLT-004>  INFO:      File: PyOxidizer.app.zip 21957298/21957298, 100.00% completed
[2022-03-22T01:37:29Z INFO  rcodesign::notarization] transporter output> [2022-03-21 18:37:29 PDT] <RLT-004>  INFO: Package upload progress: 100.00% completed
[2022-03-22T01:37:30Z INFO  rcodesign::notarization] transporter output> [2022-03-21 18:37:30 PDT] <RLT-004>  INFO: Finished part upload for: (PyOxidizer.app.zip/4) 12.85 MB/s in 0 seconds
[2022-03-22T01:37:30Z INFO  rcodesign::notarization] transporter output> [2022-03-21 18:37:30 PDT] <RLT-006>  INFO: Finished part upload for: (PyOxidizer.app.zip/2) 12.73 MB/s in 0 seconds
[2022-03-22T01:37:30Z INFO  rcodesign::notarization] transporter output> [2022-03-21 18:37:30 PDT] <RLT-005>  INFO: Finished part upload for: (PyOxidizer.app.zip/3) 12.54 MB/s in 0 seconds
[2022-03-22T01:37:30Z INFO  rcodesign::notarization] transporter output> [2022-03-21 18:37:30 PDT] <RLT-007>  INFO: Finished part upload for: (PyOxidizer.app.zip/1) 11.83 MB/s in 0 seconds
[2022-03-22T01:37:30Z INFO  rcodesign::notarization] transporter output> [2022-03-21 18:37:30 PDT] <RLT-007>  INFO: Finished upload for reservation: (CPUSource125/v4/75/c4/f2/75c4f219-63a7-4b6c-a191-44be97841860/PyOxidizer.app.zip) file: (PyOxidizer.app.zip)
[2022-03-22T01:37:30Z INFO  rcodesign::notarization] transporter output> [2022-03-21 18:37:30 PDT] <main>  INFO: Waiting on reservation commit(s) to finish.
...
[2022-03-22T01:37:33Z INFO  rcodesign::notarization] transporter output> [2022-03-21 18:37:33 PDT] <main> DBG-X: JSON-START>>{"dev-id-results":{"upload_id":"901cebdc-5355-4134-b665-0c139962f7a0"}}<<JSON-END
[2022-03-22T01:37:33Z INFO  rcodesign::notarization] transporter output> [2022-03-21 18:37:33 PDT] <main> DBG-X: Unlocking token at path /home/gps/.itmstransporter/UploadTokens/ubuntu-vm-main_MK22MZP987_49f8079c-a332-4e29-a47a-09756e908055.itmsp.token
[2022-03-22T01:37:33Z INFO  rcodesign::notarization] transporter output> [2022-03-21 18:37:33 PDT] <main> DBG-X: Releasing token file lock
[2022-03-22T01:37:33Z INFO  rcodesign::notarization] transporter output> [2022-03-21 18:37:33 PDT] <main> DBG-X: Removing token at path /home/gps/.itmstransporter/UploadTokens/ubuntu-vm-main_MK22MZP987_49f8079c-a332-4e29-a47a-09756e908055.itmsp.token
[2022-03-22T01:37:33Z INFO  rcodesign::notarization] transporter output> [2022-03-21 18:37:33 PDT] <main>  INFO: Done performing uploadDone notification to Apple.
[2022-03-22T01:37:33Z INFO  rcodesign::notarization] transporter output> [2022-03-21 18:37:33 PDT] <main>  INFO: Transporter's command line arguments are: -m upload -apiIssuer <redacted> -apiKey <redacted> -f /tmp/apple-codesign-fsWtgj/49f8079c-a332-4e29-a47a-09756e908055.itmsp -vp json
[2022-03-22T01:37:33Z INFO  rcodesign::notarization] transporter output> [2022-03-21 18:37:33 PDT] <main>  INFO: The package: /tmp/apple-codesign-fsWtgj/49f8079c-a332-4e29-a47a-09756e908055.itmsp has been successfully uploaded.
[2022-03-22T01:37:33Z INFO  rcodesign::notarization] transporter output> [2022-03-21 18:37:33 PDT] <main>  INFO: JSON:{"msg":{"phase":"Upload","count":2,"description":"Operation completed","index":2},"messageType":"VerifyProgress"}
[2022-03-22T01:37:33Z INFO  rcodesign::notarization] transporter output>
[2022-03-22T01:37:33Z INFO  rcodesign::notarization] transporter output>
[2022-03-22T01:37:33Z INFO  rcodesign::notarization] transporter output>
[2022-03-22T01:37:33Z INFO  rcodesign::notarization] transporter output> Package Summary:
[2022-03-22T01:37:33Z INFO  rcodesign::notarization] transporter output>
[2022-03-22T01:37:33Z INFO  rcodesign::notarization] transporter output> 1 package was uploaded successfully:
[2022-03-22T01:37:33Z INFO  rcodesign::notarization] transporter output>        /tmp/apple-codesign-fsWtgj/49f8079c-a332-4e29-a47a-09756e908055.itmsp
[2022-03-22T01:37:33Z INFO  rcodesign::notarization] transporter output> [2022-03-21 18:37:33 PDT] <main> DBG-X: Returning 0
[2022-03-22T01:37:33Z WARN  rcodesign::notarization] transporter upload ID: 901cebdc-5355-4134-b665-0c139962f7a0
[2022-03-22T01:37:33Z WARN  rcodesign::notarization] waiting up to 600s for package upload 901cebdc-5355-4134-b665-0c139962f7a0 to finish processing
[2022-03-22T01:37:34Z INFO  rcodesign::notarization] poll state after 0s: 4/5 have status code (0); waiting on log URL
[2022-03-22T01:37:37Z INFO  rcodesign::notarization] poll state after 3s: 2/5 some metadata; waiting on hash to appear
[2022-03-22T01:37:40Z INFO  rcodesign::notarization] poll state after 6s: 2/5 some metadata; waiting on hash to appear
[2022-03-22T01:37:43Z INFO  rcodesign::notarization] poll state after 9s: 2/5 some metadata; waiting on hash to appear
[2022-03-22T01:37:46Z INFO  rcodesign::notarization] poll state after 12s: 2/5 some metadata; waiting on hash to appear
[2022-03-22T01:37:49Z INFO  rcodesign::notarization] poll state after 15s: 2/5 some metadata; waiting on hash to appear
[2022-03-22T01:37:52Z INFO  rcodesign::notarization] poll state after 18s: 2/5 some metadata; waiting on hash to appear
[2022-03-22T01:37:55Z INFO  rcodesign::notarization] poll state after 22s: 2/5 some metadata; waiting on hash to appear
[2022-03-22T01:37:59Z INFO  rcodesign::notarization] poll state after 25s: 2/5 some metadata; waiting on hash to appear
[2022-03-22T01:38:02Z INFO  rcodesign::notarization] poll state after 28s: 2/5 some metadata; waiting on hash to appear
[2022-03-22T01:38:05Z INFO  rcodesign::notarization] poll state after 31s: 2/5 some metadata; waiting on hash to appear
[2022-03-22T01:38:08Z INFO  rcodesign::notarization] poll state after 34s: 2/5 some metadata; waiting on hash to appear
[2022-03-22T01:38:11Z INFO  rcodesign::notarization] poll state after 37s: 2/5 some metadata; waiting on hash to appear
[2022-03-22T01:38:14Z INFO  rcodesign::notarization] poll state after 41s: 3/5 have hash (78e578c06eb5657ca4a0ce2b47aba429051f5b1b7db5360dfb053d50046a1d44); waiting on status code
[2022-03-22T01:38:17Z INFO  rcodesign::notarization] poll state after 44s: 3/5 have hash (78e578c06eb5657ca4a0ce2b47aba429051f5b1b7db5360dfb053d50046a1d44); waiting on status code
[2022-03-22T01:38:21Z INFO  rcodesign::notarization] poll state after 47s: 3/5 have hash (78e578c06eb5657ca4a0ce2b47aba429051f5b1b7db5360dfb053d50046a1d44); waiting on status code
[2022-03-22T01:38:24Z INFO  rcodesign::notarization] poll state after 50s: 3/5 have hash (78e578c06eb5657ca4a0ce2b47aba429051f5b1b7db5360dfb053d50046a1d44); waiting on status code
[2022-03-22T01:38:27Z INFO  rcodesign::notarization] poll state after 53s: 3/5 have hash (78e578c06eb5657ca4a0ce2b47aba429051f5b1b7db5360dfb053d50046a1d44); waiting on status code
[2022-03-22T01:38:30Z INFO  rcodesign::notarization] poll state after 56s: 3/5 have hash (78e578c06eb5657ca4a0ce2b47aba429051f5b1b7db5360dfb053d50046a1d44); waiting on status code
[2022-03-22T01:38:33Z INFO  rcodesign::notarization] poll state after 59s: 3/5 have hash (78e578c06eb5657ca4a0ce2b47aba429051f5b1b7db5360dfb053d50046a1d44); waiting on status code
[2022-03-22T01:38:36Z INFO  rcodesign::notarization] poll state after 62s: 3/5 have hash (78e578c06eb5657ca4a0ce2b47aba429051f5b1b7db5360dfb053d50046a1d44); waiting on status code
[2022-03-22T01:38:39Z INFO  rcodesign::notarization] poll state after 66s: 3/5 have hash (78e578c06eb5657ca4a0ce2b47aba429051f5b1b7db5360dfb053d50046a1d44); waiting on status code
[2022-03-22T01:38:42Z INFO  rcodesign::notarization] poll state after 69s: 3/5 have hash (78e578c06eb5657ca4a0ce2b47aba429051f5b1b7db5360dfb053d50046a1d44); waiting on status code
[2022-03-22T01:38:46Z INFO  rcodesign::notarization] poll state after 72s: 3/5 have hash (78e578c06eb5657ca4a0ce2b47aba429051f5b1b7db5360dfb053d50046a1d44); waiting on status code
[2022-03-22T01:38:49Z INFO  rcodesign::notarization] poll state after 75s: 3/5 have hash (78e578c06eb5657ca4a0ce2b47aba429051f5b1b7db5360dfb053d50046a1d44); waiting on status code
[2022-03-22T01:38:52Z INFO  rcodesign::notarization] poll state after 78s: 3/5 have hash (78e578c06eb5657ca4a0ce2b47aba429051f5b1b7db5360dfb053d50046a1d44); waiting on status code
[2022-03-22T01:38:55Z INFO  rcodesign::notarization] poll state after 81s: 3/5 have hash (78e578c06eb5657ca4a0ce2b47aba429051f5b1b7db5360dfb053d50046a1d44); waiting on status code
[2022-03-22T01:38:58Z INFO  rcodesign::notarization] poll state after 84s: 4/5 have status code (0); waiting on log URL
[2022-03-22T01:39:01Z INFO  rcodesign::notarization] poll state after 87s: 4/5 have status code (0); waiting on log URL
[2022-03-22T01:39:04Z INFO  rcodesign::notarization] poll state after 91s: 4/5 have status code (0); waiting on log URL
[2022-03-22T01:39:08Z INFO  rcodesign::notarization] poll state after 94s: 4/5 have status code (0); waiting on log URL
[2022-03-22T01:39:11Z INFO  rcodesign::notarization] poll state after 97s: 5/5 have log URL; operation complete
[2022-03-22T01:39:11Z WARN  rcodesign::notarization] upload operation complete
[2022-03-22T01:39:11Z WARN  rcodesign::notarization] upload log> {
[2022-03-22T01:39:11Z WARN  rcodesign::notarization] upload log>   "logFormatVersion": 1,
[2022-03-22T01:39:11Z WARN  rcodesign::notarization] upload log>   "jobId": "901cebdc-5355-4134-b665-0c139962f7a0",
[2022-03-22T01:39:11Z WARN  rcodesign::notarization] upload log>   "status": "Accepted",
[2022-03-22T01:39:11Z WARN  rcodesign::notarization] upload log>   "statusSummary": "Ready for distribution",
[2022-03-22T01:39:11Z WARN  rcodesign::notarization] upload log>   "statusCode": 0,
[2022-03-22T01:39:11Z WARN  rcodesign::notarization] upload log>   "archiveFilename": "PyOxidizer.app.zip",
[2022-03-22T01:39:11Z WARN  rcodesign::notarization] upload log>   "uploadDate": "2022-03-22T01:37:34Z",
[2022-03-22T01:39:11Z WARN  rcodesign::notarization] upload log>   "sha256": "78e578c06eb5657ca4a0ce2b47aba429051f5b1b7db5360dfb053d50046a1d44",
[2022-03-22T01:39:11Z WARN  rcodesign::notarization] upload log>   "ticketContents": [
[2022-03-22T01:39:11Z WARN  rcodesign::notarization] upload log>     {
[2022-03-22T01:39:11Z WARN  rcodesign::notarization] upload log>       "path": "PyOxidizer.app.zip/PyOxidizer.app",
[2022-03-22T01:39:11Z WARN  rcodesign::notarization] upload log>       "digestAlgorithm": "SHA-256",
[2022-03-22T01:39:11Z WARN  rcodesign::notarization] upload log>       "cdhash": "781036a01c45b71c9626c522d523b5bac55b5907",
[2022-03-22T01:39:11Z WARN  rcodesign::notarization] upload log>       "arch": "x86_64"
[2022-03-22T01:39:11Z WARN  rcodesign::notarization] upload log>     },
[2022-03-22T01:39:11Z WARN  rcodesign::notarization] upload log>     {
[2022-03-22T01:39:11Z WARN  rcodesign::notarization] upload log>       "path": "PyOxidizer.app.zip/PyOxidizer.app",
[2022-03-22T01:39:11Z WARN  rcodesign::notarization] upload log>       "digestAlgorithm": "SHA-256",
[2022-03-22T01:39:11Z WARN  rcodesign::notarization] upload log>       "cdhash": "1b747faf223750de74febed7929f14a73af8c933",
[2022-03-22T01:39:11Z WARN  rcodesign::notarization] upload log>       "arch": "arm64"
[2022-03-22T01:39:11Z WARN  rcodesign::notarization] upload log>     },
[2022-03-22T01:39:11Z WARN  rcodesign::notarization] upload log>     {
[2022-03-22T01:39:11Z WARN  rcodesign::notarization] upload log>       "path": "PyOxidizer.app.zip/PyOxidizer.app/Contents/MacOS/pyoxidizer",
[2022-03-22T01:39:11Z WARN  rcodesign::notarization] upload log>       "digestAlgorithm": "SHA-256",
[2022-03-22T01:39:11Z WARN  rcodesign::notarization] upload log>       "cdhash": "781036a01c45b71c9626c522d523b5bac55b5907",
[2022-03-22T01:39:11Z WARN  rcodesign::notarization] upload log>       "arch": "x86_64"
[2022-03-22T01:39:11Z WARN  rcodesign::notarization] upload log>     },
[2022-03-22T01:39:11Z WARN  rcodesign::notarization] upload log>     {
[2022-03-22T01:39:11Z WARN  rcodesign::notarization] upload log>       "path": "PyOxidizer.app.zip/PyOxidizer.app/Contents/MacOS/pyoxidizer",
[2022-03-22T01:39:11Z WARN  rcodesign::notarization] upload log>       "digestAlgorithm": "SHA-256",
[2022-03-22T01:39:11Z WARN  rcodesign::notarization] upload log>       "cdhash": "1b747faf223750de74febed7929f14a73af8c933",
[2022-03-22T01:39:11Z WARN  rcodesign::notarization] upload log>       "arch": "arm64"
[2022-03-22T01:39:11Z WARN  rcodesign::notarization] upload log>     }
[2022-03-22T01:39:11Z WARN  rcodesign::notarization] upload log>   ],
[2022-03-22T01:39:11Z WARN  rcodesign::notarization] upload log>   "issues": null
[2022-03-22T01:39:11Z WARN  rcodesign::notarization] upload log> }
[2022-03-22T01:39:11Z WARN  rcodesign::stapling] attempting to staple /home/gps/tmp/PyOxidizer.app
[2022-03-22T01:39:11Z WARN  rcodesign::stapling] activating bundle stapling mode
[2022-03-22T01:39:11Z WARN  rcodesign::stapling] attempting to find notarization ticket for bundle at /home/gps/tmp/PyOxidizer.app
[2022-03-22T01:39:11Z INFO  rcodesign::stapling] resolving bundle's record name from /home/gps/tmp/PyOxidizer.app/Contents/MacOS/pyoxidizer
[2022-03-22T01:39:11Z WARN  rcodesign::ticket_lookup] looking up notarization ticket for 2/2/1b747faf223750de74febed7929f14a73af8c933
[2022-03-22T01:39:11Z WARN  rcodesign::stapling] writing notarizsation ticket to /home/gps/tmp/PyOxidizer.app/Contents/CodeResources

(Transporter's output is very verbose. I should find a way to make it quieter.)

The notarized and stapled .app bundle passes spctl --assess -t execute on my macOS 12.3 devices.
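A pre-staple check over the notarization log format shown in the output above, as an added example that is not code from rcodesign or from this thread. It assumes only the fields visible in that log (status, statusCode, sha256, issues, and ticketContents entries with path, digestAlgorithm, cdhash and arch); the sample log, the stand-in archive bytes and the expected-cdhash table are constructed for the example, and a real pipeline would record the cdhashes at signing time and feed in the archive it actually uploaded.

```python
"""Pre-staple checks for an Apple notarization log (added example).

Not part of rcodesign. Consumes a JSON log of the shape printed above:
{"status", "statusCode", "sha256", "issues", "ticketContents": [
    {"path", "digestAlgorithm", "cdhash", "arch"}, ...]}
and answers: was the upload accepted, is this the archive that was
notarized, and does the ticket cover the cdhashes the signing step produced.
"""
import hashlib
import json
from typing import Dict, List, Tuple

# In the log above every cdhash is 40 hex chars (20 bytes) although the
# digestAlgorithm is SHA-256: the cdhash is the truncated digest of the
# code directory, which is what Gatekeeper keys the ticket on.
CDHASH_HEX_LEN = 40

# Constructed stand-in for the uploaded PyOxidizer.app.zip (not a real zip).
SAMPLE_ARCHIVE = b"constructed archive bytes for the example"

CDHASH_X86 = "781036a01c45b71c9626c522d523b5bac55b5907"
CDHASH_ARM = "1b747faf223750de74febed7929f14a73af8c933"
BUNDLE_PATH = "PyOxidizer.app.zip/PyOxidizer.app"
EXE_PATH = BUNDLE_PATH + "/Contents/MacOS/pyoxidizer"

# Constructed sample log mirroring the entries shown in the comment above;
# its sha256 is bound to SAMPLE_ARCHIVE so the archive check can be exercised.
SAMPLE_LOG = json.dumps({
    "logFormatVersion": 1,
    "jobId": "901cebdc-5355-4134-b665-0c139962f7a0",
    "status": "Accepted",
    "statusSummary": "Ready for distribution",
    "statusCode": 0,
    "archiveFilename": "PyOxidizer.app.zip",
    "sha256": hashlib.sha256(SAMPLE_ARCHIVE).hexdigest(),
    "ticketContents": [
        {"path": BUNDLE_PATH, "digestAlgorithm": "SHA-256", "cdhash": CDHASH_X86, "arch": "x86_64"},
        {"path": BUNDLE_PATH, "digestAlgorithm": "SHA-256", "cdhash": CDHASH_ARM, "arch": "arm64"},
        {"path": EXE_PATH, "digestAlgorithm": "SHA-256", "cdhash": CDHASH_X86, "arch": "x86_64"},
        {"path": EXE_PATH, "digestAlgorithm": "SHA-256", "cdhash": CDHASH_ARM, "arch": "arm64"},
    ],
    "issues": None,
})

# Constructed: what the signing step recorded, keyed by (archive path, arch).
EXPECTED_CDHASHES: Dict[Tuple[str, str], str] = {
    (EXE_PATH, "x86_64"): CDHASH_X86,
    (EXE_PATH, "arm64"): CDHASH_ARM,
}


def parse_log(text: str) -> dict:
    """Load the log and insist on the fields the checks below depend on."""
    log = json.loads(text)
    for key in ("status", "statusCode", "sha256", "ticketContents"):
        if key not in log:
            raise ValueError(f"notarization log is missing field {key!r}")
    return log


def ticket_cdhashes(log: dict) -> Dict[Tuple[str, str], str]:
    """Map (path, arch) -> cdhash, rejecting malformed or conflicting entries."""
    out: Dict[Tuple[str, str], str] = {}
    for entry in log["ticketContents"]:
        key = (entry["path"], entry["arch"])
        cdhash = entry["cdhash"].lower()
        if len(cdhash) != CDHASH_HEX_LEN or any(c not in "0123456789abcdef" for c in cdhash):
            raise ValueError(f"malformed cdhash {entry['cdhash']!r} for {key}")
        if key in out and out[key] != cdhash:
            raise ValueError(f"conflicting cdhash entries for {key}")
        out[key] = cdhash
    return out


def check_notarization(log_text: str, archive: bytes,
                       expected: Dict[Tuple[str, str], str]) -> List[str]:
    """Return the list of problems found; an empty list means safe to staple."""
    problems: List[str] = []
    log = parse_log(log_text)
    if log["status"] != "Accepted" or log["statusCode"] != 0:
        problems.append(f"upload not accepted: status {log['status']!r}, code {log['statusCode']}")
    if log.get("issues"):
        problems.append(f"log reports {len(log['issues'])} issue(s)")
    # The ticket is bound to this exact upload; stapling onto a rebuilt or
    # re-signed artifact produces a bundle whose ticket does not match.
    if hashlib.sha256(archive).hexdigest() != log["sha256"].lower():
        problems.append("archive sha256 does not match the notarization log")
    ticket = ticket_cdhashes(log)
    for (path, arch), cdhash in expected.items():
        got = ticket.get((path, arch))
        if got is None:
            problems.append(f"no ticket entry for {path} [{arch}]")
        elif got != cdhash.lower():
            problems.append(f"cdhash mismatch for {path} [{arch}]: ticket has {got}, signing recorded {cdhash}")
    return problems


if __name__ == "__main__":
    for problem in check_notarization(SAMPLE_LOG, SAMPLE_ARCHIVE, EXPECTED_CDHASHES) or ["ok: safe to staple"]:
        print(problem)
```

The cdhash comparison is the part worth keeping in a release pipeline: a ticket only applies to the code directory hashes it lists, so any re-signing or rebuilding between notarization and stapling silently leaves you with a bundle whose stapled ticket Gatekeeper will not honour.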

@dvc94ch (Contributor)

dvc94ch commented Mar 22, 2022

Great work, thanks! Really exciting new feature. The developerIDPlusInfoForPackageWithArguments API is undocumented, right? Looking at the App Store Connect API documentation, I can't find it.

@indygreg (Owner)

> Great work, thanks! Really exciting new feature. The developerIDPlusInfoForPackageWithArguments API is undocumented, right? Looking at the App Store Connect API documentation, I can't find it.

I suppose it isn't. 🤷‍♂️

@indygreg (Owner)

I just pushed support for stapling XAR archives (.pkg files) in commit 0f5cf23.

Still no support for signing or notarizing them. The latter is likely trivial. The former is a much thornier problem.

@indygreg (Owner)

And 43fbf29 adds support for notarizing (some) .pkg installers. I haven't tested this much at all. But if it doesn't work, it should hopefully be close to working.

This repo also now has an apple-flat-package crate for parsing .pkg files in case that is useful to anyone. I have some commits sitting around for writing .pkg files. But in order to do this you need to support the Bom file, which is a gnarly file format. Attempting to implement this last year and produce a valid code signature over a .pkg I create from scratch is where I lost several days.

@indygreg (Owner)

I forgot to mention it, but the 0.10 release included support for signing .pkg installers as well.

I believe at this point the main branch is able to sign, notarize, and staple all the main distribution formats. Bundles. .pkg installers. DMGs. The only feature on main not in the latest 0.14 release is a pretty major bug fix related to handling of symlinks in bundles. We'd sign the bundles correctly but notarization would fail because we stored symlinks in the zip file incorrectly.

I'm going to consider this issue closed. If there are remaining bugs or feature gaps in notarization/stapling, please file new issues.

https://pyoxidizer.readthedocs.io/en/latest/apple_codesign_debugging.html contains instructions for filing good bug reports regarding signing.
