Mac app - check App Store receipt - cocoa

Many of the possible duplicates seem to address methods of updating apps both normally and via App Store.
This one mentions a few working solutions:
Mac App Store Receipt Validation Code?
for programmers like me who want to not reinvent the wheel from the Apple Docs:
https://developer.apple.com/library/mac/#releasenotes/General/ValidateAppStoreReceipt/_index.html
My problem is that I'm having a hard time finding finished "libraries" that work.
I would simply like to know if anyone has had success with any of these open-source projects and whether any of them are particularly easy to use.

Related

Is it still possible to publish an Electron app to the Mac Store?

I'm trying to successfully submit my Electron app to the Mac Store. I want to put it into TestFlight, similar to how I am submitting the corresponding iOS app. Ultimately, I want both of these processes to be part of a CI pipeline. The iOS version of this is ready to go.
For the Electron app, I'm using Electron-Builder to do the packaging and signing, and leveraging electron-builder-notarize to get past the Apple notarization step. After about a week of diving down several rabbit holes that became full-fledged rabbit warren metropolises, I finally have a working combination of configuration settings, certificates, plists, and pixie dust in place that my pipeline successfully builds and notarizes my "mas" target package.
I thought that once I had gotten past the rather hellish notarization step, I would be pretty much out of the woods -- after all, Apple 'notarized' it (and sent me an email to prove it). But when I use the Apple Transporter app to post it to the App Store (I'm using this manually for now until I prove this works, then later I'll use the CLI commands for it to complete my CI implementation) it reports the app is rejected with 5 issues. These are actually variations of the same thing:
Electron.app' is already in use by another application.
Electron.app/Contents/Frameworks/Electron Helper (GPU).app' is already in use by another application.
/Electron.app/Contents/Frameworks/Electron Helper (Plugin).app' is already in use by another application.
Electron.app/Contents/Frameworks/Electron Helper (Renderer).app' is already in use by another application.
Electron.app/Contents/Frameworks/Electron Helper.app' is already in use by another application.
I thought Electron-Builder was supposed to deal with these internal ids. My "mas" block of the config looks like
"mas": {
    "type": "distribution",
    "hardenedRuntime": false,
    "provisioningProfile": "embedded.provisionprofile",
    "entitlements": "build/entitlements.mas.plist",
    "entitlementsInherit": "build/entitlements.mas.inherit.plist",
    "entitlementsLoginHelper": "build/entitlements.mas.loginhelper.plist",
    "publish": null
},
which I believe is what is needed to specify that these inner binaries are signed. Perhaps not. Copying others who also had to abandon the docs is not necessarily a guarantee of success. But these things did get me this far.
I've scoured SO and other Internet sites, and of course the poorly written and often obscure official documentation sources, but I can't find the answer to this.
In my travels, I happened across this blog which makes me think that even if I get past this part, there may still be a long bumpy road ahead, and it may turn out to be a dead end.
I notice a lot of developers have commented they chose to abandon the Mac store and instead simply self-publish with their own URL link for download. That seems to be a shame, at the very least, and certainly not my preference.
It makes me wonder if this is even possible. Many of the posts (not to mention the docs) contain outdated information, and few posts are less than a year old. Many things have changed. Maybe everyone threw in the towel. Am I on a futile quest?
I believe I found the answer to the main question of "is it possible?" I may still run into other issues, but I've discovered the main problem.
My Electron project is in a different construction than that of the "Electron-quick-start" template, so the Electron-builder packaging and signing steps do not find what they are looking for in all the normal places.
I am not 100% sure I can successfully reconstruct my project into the 'canonical' format, but that appears to be the solution.
I was able to create a basic quick-start app and upload it to the App Store in a matter of minutes, so all the parts do in fact work. The project just needs to be of the right construction.

Is there a way to detect if a macOS app running is from the Mac App Store or not?

I have this app of mine that is distributed on the Mac App Store and outside it, from my own site.
I need to detect, at run time, what version is running, so I can do some decisions inside the code.
Is there a way to detect that? How can I differentiate that? Is there a way to know if the app is signed for the App Store or not?
Edit: I have found this library, but it is not good because it says the app is not from the App Store simply if the receipt is missing. But the receipt may be missing for other reasons. The lack of a receipt is not a good enough reason.
I see two ways to do this:
Make a compile-time flag. Compile it one way for submission to the App Store, the other way for distribution outside the App Store.
Rather than just checking your app's code signature validity (as the library you found does), call SecCodeCopySigningInformation to get signature details, and look at the kSecCodeInfoCertificates array to see whether it includes your Developer ID cert or the "Apple Mac OS Application Signing" cert used by the App Store.
IMO the second option is significantly more complex and fragile; for example, if Apple changes how they sign App Store apps, your code may break. I'd go with the first option.
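The second option above inspects the certificate chain of the running bundle. As an added example (not code from this answer or from Apple), here is the command-line equivalent in Python: it classifies a bundle from the `Authority=` lines that `codesign -dvv` prints (to stderr), where an App Store build is signed by the "Apple Mac OS Application Signing" leaf named above and a build sold outside the store carries a "Developer ID Application: ..." leaf. The sample `codesign` outputs embedded below are constructed, not captured from a real bundle, and the team name and ID in them are placeholders.

```python
"""Classify how a Mac app bundle is signed from `codesign -dvv` output.

Added example, not code from the answer above. It mirrors the
kSecCodeInfoCertificates check at the command line: codesign prints one
"Authority=" line per certificate in the chain, leaf first. The samples
below are constructed, not real codesign output.
"""
import subprocess

# Leaf certificate names: the first is quoted in the answer above; the
# second is the prefix Apple uses on Developer ID signing certificates.
APP_STORE_LEAF = "Apple Mac OS Application Signing"
DEVELOPER_ID_PREFIX = "Developer ID Application:"


def authorities(codesign_output):
    """Return certificate names from codesign -dvv text, leaf first."""
    return [line.split("=", 1)[1].strip()
            for line in codesign_output.splitlines()
            if line.startswith("Authority=")]


def classify(codesign_output):
    """Map a codesign -dvv dump to one of four distribution categories."""
    chain = authorities(codesign_output)
    if not chain:
        # Ad-hoc or unsigned bundles print no Authority= lines at all.
        return "unsigned-or-adhoc"
    leaf = chain[0]
    if leaf == APP_STORE_LEAF:
        return "app-store"
    if leaf.startswith(DEVELOPER_ID_PREFIX):
        return "developer-id"
    return "other"


def classify_bundle(path):
    """Run codesign on a real bundle (macOS only); not exercised offline."""
    result = subprocess.run(["codesign", "-dvv", path],
                            capture_output=True, text=True)
    return classify(result.stderr)


# Constructed samples mirroring the lines codesign -dvv prints.
APP_STORE_SAMPLE = """Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Authority=Apple Mac OS Application Signing
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
"""

DEV_ID_SAMPLE = """Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Authority=Developer ID Application: Example Corp (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
"""

ADHOC_SAMPLE = """Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Signature=adhoc
"""

if __name__ == "__main__":
    for name, sample in [("store", APP_STORE_SAMPLE),
                         ("devid", DEV_ID_SAMPLE),
                         ("adhoc", ADHOC_SAMPLE)]:
        print(name, "->", classify(sample))
```

As the answer notes, this is a fragile switch for app behaviour, not a security boundary: it depends on the exact certificate names Apple uses today, and anyone who can re-sign the bundle can change the answer, so it should never gate a purchase check on its own.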

Mac App Store, what DRM exists and how to authenticate purchases?

I have an app on the Mac App Store.
To meet the store requirements I had to remove my own serial code requirement at startup and then use Apple's purchase mechanism.
This raises some issues.
I have no way of knowing if a user has paid or not.
The /MASReceipt/receipt data appears to only guarantee that the original purchase was genuine.
So what's stopping someone simply copying the .app to another Mac?
I tried this and it worked.
As I am in a sandbox and cannot see the actual Mac, how can I differentiate between the purchase Mac and the Mac the app is used on?
I am actually happy for the user to install on many Macs that are using the same iTunes account or are part of Family Sharing.
You can validate the receipt either locally or through the App Store.
See the Receipt Validation Programming Guide
This is basically just a deterrent like most any other protection; a clever person can generally pirate an app at will, and there's not a whole lot you can honestly do. I would recommend focusing on making your app better — if it's worth buying then usually people are willing to pay for it.

Do I need to protect my desktop app if distributed over AppStore?

I have made a simple desktop app that I want to sell through the AppStore. Of course I want to be protected against piracy. Does AppStore give any protection? How does that process work?
For instance, what prevents a dishonest person from buying my app and then uploading it to a torrent and sharing it with others? If these other people download my app, will they automatically be asked for an identity check (Apple ID and password) the first time they try to use my app, thus preventing them from using it if they have not bought it legally?
If this identity check does not happen automatically, then do I need to add some code in my app that will ask for the identity check? If so, where can I find info about how to do that?
I'm not entirely sure how this process works. Could somebody shed some light on it?
The Mac App Store slips a receipt into the bundle each time the app is downloaded. The receipt contains information about the computer used (the so-called GUID) and the user logged into the App Store.
See here how you should validate the receipt:
https://developer.apple.com/library/mac/releasenotes/General/ValidateAppStoreReceipt/Introduction.html#//apple_ref/doc/uid/TP40010573
If you implement the GUID validation as described in the document, the app will not run on any other computer.
Also check the signature of your code to make sure it has not been tampered with:
Verifying app's signature by code
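The GUID validation referred to in this answer, and the "what stops someone copying the .app to another Mac" question above, both come down to one check in Apple's local-validation procedure: the receipt's SHA-1 hash attribute must equal SHA-1(device GUID || opaque value || bundle-identifier attribute bytes), so a receipt copied to a machine with a different GUID fails. The following is an added example, not code from either answer or from Apple: a Python parser for the receipt's inner ASN.1 payload (a SET of {type, version, OCTET STRING} attributes) plus the device-binding check, run against a receipt payload constructed in the block itself. It deliberately does not verify the PKCS#7 signature that wraps the payload in a real receipt (that step needs Apple's root certificate), so on its own it is only half of the procedure the linked document describes; the GUID and opaque value used are made-up sample bytes.

```python
"""App Store receipt payload parsing and device-binding check.

Added example, not code from the answers above. Parses only the inner
receipt payload (the SET OF attributes) and checks the SHA-1 device hash
as described in Apple's receipt validation document. It does NOT verify
the outer PKCS#7 signature, which a real validator must also do.
All sample data below is constructed.
"""
import hashlib
import hmac

# Attribute types from Apple's receipt field table.
BUNDLE_ID = 2      # OCTET STRING containing a DER UTF8String
OPAQUE_VALUE = 4   # opaque bytes set by the App Store
SHA1_HASH = 5      # SHA-1(GUID || opaque || bundle-id attribute bytes)


# --- minimal DER helpers: only the shapes the payload actually uses ---

def der_len(n):
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def der_int(n):
    """Encode a non-negative INTEGER (receipt types and versions)."""
    body = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der(0x02, body)


def read_tlv(buf, pos):
    """Read one tag-length-value at pos; return (tag, content, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_payload(payload):
    """Return {attribute type: raw value bytes} from the receipt's SET."""
    tag, content, end = read_tlv(payload, 0)
    if tag != 0x31 or end != len(payload):
        raise ValueError("payload is not a single SET")
    attrs, pos = {}, 0
    while pos < len(content):
        tag, seq, pos = read_tlv(content, pos)
        if tag != 0x30:
            raise ValueError("attribute is not a SEQUENCE")
        _, atype, p = read_tlv(seq, 0)        # INTEGER type
        _, _version, p = read_tlv(seq, p)     # INTEGER version (unused here)
        tag, value, _ = read_tlv(seq, p)      # OCTET STRING value
        if tag != 0x04:
            raise ValueError("attribute value is not an OCTET STRING")
        attrs[int.from_bytes(atype, "big")] = value
    return attrs


def receipt_matches_device(payload, guid):
    """True if the receipt's hash attribute was computed for this GUID."""
    attrs = parse_payload(payload)
    expected = hashlib.sha1(guid + attrs[OPAQUE_VALUE] + attrs[BUNDLE_ID]).digest()
    return hmac.compare_digest(expected, attrs[SHA1_HASH])


def build_payload(bundle_id, opaque, guid):
    """Construct a sample payload bound to `guid` (for demonstration only)."""
    bundle_attr = der(0x0C, bundle_id.encode())   # UTF8String, as Apple stores it
    digest = hashlib.sha1(guid + opaque + bundle_attr).digest()
    attrs = [(BUNDLE_ID, bundle_attr), (OPAQUE_VALUE, opaque), (SHA1_HASH, digest)]
    seqs = b"".join(der(0x30, der_int(t) + der_int(1) + der(0x04, v))
                    for t, v in attrs)
    return der(0x31, seqs)


# Constructed sample data: on macOS the GUID is the primary MAC address.
DEVICE_GUID = bytes.fromhex("001122334455")
OTHER_GUID = bytes.fromhex("66778899aabb")
SAMPLE_PAYLOAD = build_payload("com.example.app", b"\x7f" * 16, DEVICE_GUID)

if __name__ == "__main__":
    print("same machine:", receipt_matches_device(SAMPLE_PAYLOAD, DEVICE_GUID))
    print("copied .app: ", receipt_matches_device(SAMPLE_PAYLOAD, OTHER_GUID))
```

The bundle identifier is hashed as the raw attribute bytes (UTF8String tag and length included), not as the decoded string; getting that wrong is a common reason home-grown validators reject every genuine receipt. A full validator also has to check the PKCS#7 signature against Apple's root, and compare the receipt's bundle identifier and version with the values compiled into the app rather than those read from Info.plist.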
Your application, when downloaded from the App Store, contains a receipt. The receipt contains proof that it was downloaded onto this computer from the App Store, and the ID of the application. There are instructions somewhere on Apple's website that tell you how to verify the receipt and what to do if the verification fails.
That said, you are much better off concentrating on writing an app that people actually want to buy. People who pirate your app wouldn't hand over money if it couldn't be pirated. They would do without it, pick some free app, or pick a different app that they can pirate.
And I'm quite sure that any copy protection you build into your app yourself will get it rejected from the App Store.
Even though the answers I've got were helpful, they didn't quite provide the answer I needed. Looking around I found software called Receigen from Laurent Etiemble, and the FAQ on his site (http://receigen.etiemble.com/faq.html) gave many answers to what I was looking for. For instance:
What is an App Store receipt validation? Why is it needed?
Basically, an App Store receipt is what an application must check to ensure that the copy is genuine and can be run.
What happens if I don't check the App Store receipt?
Well, anybody with a copy of your application can run it, with or without proper authorization.
Is the code receipt validation easy to write?
No because it requires deep understanding of cryptography and secure coding techniques.
It didn't hurt either that Receigen generated code that freed me from dealing with receipt validation code. Receigen takes care of this part so I can focus on what is really important for me: my application.
Yes, it costs money but personally I am more than glad to pay it, because I find this part of the development tedious, boring and complex.
TPInAppReceipt is a great package for this.
I was able to easily add local receipt validation after trying many other solutions less successfully:
https://github.com/tikhop/TPInAppReceipt

Is the mac app store required?

If I make an application for Mac OS X am I required to put it on the Mac app store or can I distribute it, on my website, for free?
And what about Windows?
Thanks
No, there is no such requirement; you are free to distribute your program however you want.
You may wish to use the App Store as a method of distribution, but to do that you have to conform to various Apple requirements.
I'm not sure what the equivalent would be for Windows, but again, there is no such requirement. Think of the millions of independent apps that have no affiliation with any centralized store; I would say the majority still fall in this category.
2018 Update - With increasing security concerns, and a desire to replicate the success of the iOS App Store, Apple have been making it harder and harder to run apps from outside the store. You can get digital certificates, and become a trusted developer, but it's clear the future is the App Store or broke if you want users to be able to easily run your app. Note that it remains, and likely always will, very possible to install and run any unauthorised app with a simple trip to settings; it's just that that's clearly a big deterrent for many users, as it should be.
You don't have to distribute it over the Mac App Store right now, but that might change with the next OS X; make sure to check this out: https://developer.apple.com/library/mac/#documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html
You can distribute it however you'd like. It does not need to be in the Mac App Store. Same thing for Windows.