CodeSigning pkg file with Installer Certificate in Mac - macos

I have one Mac Desktop Cocoa-based application which I have signed successfully with Mac certificates.
To generate the .pkg installer file I am using the following command:
productbuild --component 'App.app' /Applications --sign '3rd Party Mac Developer Installer: Some Name' App.pkg
which generates the .pkg file successfully with proper signing. No complaints about it.
But now I want to include some pre-check installation scripts in that .pkg which can perform some validations on the user's system prior to installation. How do I do it once I have my pkg generated already?
I can easily include such scripts in the package through PackageMaker, but then how do I sign the .pkg file with the Installer certificate? As this process does not sign my pkg file, it is hence unacceptable to upload to the App Store.

First, I'm not sure you're allowed to include such scripts in an App Store package in the first place.
But if you are, the manpage for productbuild explains how to generate a package from a custom Distribution file by using the --distribution option instead of --component. And, if you don't know how to write a Distribution file, you can look at the ones inside any package (just "xar xf App.pkg" to extract the contents, and Distribution will be at the top level) and/or use productbuild with the --synthesize option.
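As an added example (not the answer's own code), this script writes a Distribution file whose installation-check JavaScript runs before any files are copied, which is where the "pre-check" described above belongs, and then rebuilds the product from it with productbuild --distribution so the Installer certificate signs the result. App.pkg (the component package already built), the identity string and the minimum macOS version are assumed placeholders.

```shell
# Added example, not from the original post: a Distribution file with an
# installation-check, then productbuild --distribution to sign the product.
# Assumed: App.pkg already exists, identity string and version are placeholders.
set -eu

# $1 = output path, $2 = component package name, $3 = minimum macOS version
write_distribution() {
    cat > "$1" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<installer-gui-script minSpecVersion="1">
    <title>App</title>
    <options customize="never" rootVolumeOnly="true"/>
    <!-- Installer evaluates precheck() before the install button is enabled;
         returning false aborts with the title/message set in my.result -->
    <installation-check script="precheck()"/>
    <script>
    function precheck() {
        if (!(system.compareVersions(system.version.ProductVersion, '$3') >= 0)) {
            my.result.title = 'Unsupported macOS';
            my.result.message = 'This app requires macOS $3 or later.';
            my.result.type = 'Fatal';
            return false;
        }
        return true;
    }
    </script>
    <choices-outline><line choice="default"/></choices-outline>
    <choice id="default" visible="false"><pkg-ref id="com.example.app"/></choice>
    <pkg-ref id="com.example.app" version="1.0">$2</pkg-ref>
</installer-gui-script>
EOF
}

# $1 = distribution file, $2 = directory containing the component pkg,
# $3 = output product. Returns 2 off macOS, where productbuild is absent.
build_product() {
    if ! command -v productbuild >/dev/null 2>&1; then
        echo "productbuild not found; distribution left at $1" >&2
        return 2
    fi
    productbuild --distribution "$1" --package-path "$2" \
        --sign "3rd Party Mac Developer Installer: Some Name" "$3"
}
```

Call `write_distribution distribution.dist App.pkg 10.13` followed by `build_product distribution.dist . App-final.pkg`, then confirm the signature with `pkgutil --check-signature App-final.pkg`.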

Related

How to download notarized files from Apple?

I have successfully notarized a plugin via the command line for a Mac application I'm developing plugins for. This plugin is intended for distribution outside of the Mac App Store.
xcrun altool --notarize-app --primary-bundle-id "com.demo.bundle.id" --username "email#abc.com" --password "xxx-x-xxxx-xx" --file Plugin.zip
Got an email that it has been successfully notarized, and the email has instructions on how to export for distribution. However, it's an instruction for the Xcode UI, but I did the notarization via the command line, so the instructions don't apply to me. Is there a command line to download the notarized file (Plugin.zip), or else how do I get the Plugin.zip file from Apple to distribute it on my website?
UPDATE:
Turns out you can notarize a .zip file but you can't staple it. So I decided to create a .pkg to distribute my plugin instead of distributing via a zip file.
Here are the steps I followed to successfully notarize and staple my plugin; let's say my plugin name is FileConvertor.PluginExtension
Code sign your binaries to be included in your installer: codesign --sign "Developer ID Application: Developer Name" --verbose=4 --deep --force --strict FileConvertor.PluginExtension
Create your installer (.pkg) adding the above code-signed .PluginExtension
Now sign your installer with the installer certificate: productsign --sign "Developer ID Installer: Developer Name" ./FileConvertor.pkg ./FileConvertorSigned.pkg
Send the signed installer for notarization: xcrun altool --notarize-app --primary-bundle-id "com.demo.plugin" --username "xyz#abc.com" --password "xxxx-xxxx-xxxx-xxxx" --file FileConvertorSigned.pkg
If successfully notarized, staple your installer: xcrun stapler staple FileConvertorSigned.pkg
Distribute your installer on the web
You don't download your plugin.zip from Apple - just work with the same archive you originally uploaded to them. You are the one that actually staples the notarization ticket to whatever you are notarizing.
I haven't tried it myself with a .zip, but this is the process pieced together from the documentation.
Notarizing Your App Before Distribution says:
Notarize Your Preexisting Software
[...]
Upload your software to the Apple notary service, as described in Upload Your App to the Notarization Service.
You've already done this step.
Staple the returned ticket to your existing software, as described in Staple the Ticket to Your Distribution.
You have to attach the notarization ticket to whatever you're distributing, so Gatekeeper can find it even without a network connection. Normally you use the stapler tool to do this:
xcrun stapler staple MyApp.app
However, stapler doesn't support zip files. Customizing the Notarization Workflow says:
While you can notarize a ZIP archive, you can’t staple to it directly. Instead, run stapler against each individual item that you originally added to the archive. Then create a new ZIP file containing the stapled items for distribution.
So, expand your .zip and run stapler staple (unknown) against each item contained inside. Then create a new .zip archive of the stapled contents.
Apple do not return anything from Notarization. Your signed file has a unique ID, in the signature, that Apple have stored. Once notarized, the signed file is accepted if downloaded.

Signing and Archiving mac app with productbuild without using xcode for distributing app out side of Mac App Store

I am new to Mac app development and working on a project which uses the Zoom Mac SDK, but that SDK doesn't support archiving with Xcode, so I need to make the archive with other tools suggested by the Zoom support center. As per their reply, the app can be archived with pkgbuild/pkgutil/productbuild, but I don't know the exact steps to create the archive/pkg/dmg file for my Mac app.
Also, please let me know which file extension I need to create for users to download my app from the website.
I am using "Developer ID Application" and "Developer ID Installer" certificates to sign my build, but I don't know how to create the build without using Xcode, because with Xcode I am getting an error for the third-party framework: "code object is not signed at all".
I'd appreciate your help.
First, you need pkgbuild AND productbuild, to do something productive.
Here you specify a root folder, identifier, version, install-location, signage, and post-install scripts.
For example:
pkgbuild --root "${ROOTFOLDER}" \
--identifier "${IDENTIFIER}" \
--version "${VERSION}" \
--install-location "/" \
--sign "${IDENTITY}" \
--scripts "${SCRIPT}" \
"${PKGNAME}.pkg"
In your ${ROOTFOLDER}, you lay out files/folders as they would be on your local machine under "/".
For example, if you want to put "xy.app" into /Applications, you would create an "Applications" folder inside your ${ROOTFOLDER} and put xy.app into that. When you install the package, xy.app will be inside the "/Applications" folder on your machine.
You can also copy files to /Library or wherever, just by creating the folder inside your specified root folder.
When you want any .pkg / .dmg or .sdk files installed, you would create a scripts folder that you specify under --scripts ${SCRIPTSFOLDER}, and inside it you create a "postinstall" file.
The postinstall file will contain commands that are executed with your package, for example installing another .pkg or .sdk that is inside your ${ROOTFOLDER}.
So put multiple .pkg files into ${ROOTFOLDER}/Packages, for example. On the target root, the /Packages folder will be created. This means in your postinstall you can say:
sudo installer -pkg /Packages/anotherPackageOrApp.pkg -target /
After you've done that, you have a simple package. However, you don't really want only that.
With productbuild, you can create a distribution file: it includes all the configuration of the product archive, including a product license, product README file, the list of component packages, constraints (such as minimum OS version).
Go ahead and do the following:
productbuild --synthesize --package "${PKGNAME}.pkg" distribution.dist
Now that you have your distribution.dist out of your package, you can edit it however you want.
Build it back together:
productbuild --distribution distribution.dist --scripts "${SCRIPTS}" --sign "${IDENTITY}" --package-path "${PKGNAME}.pkg" --resources . --version ${VERSION} "${PKGNAME}_New.pkg"
Now you have your final signed package, containing the locations for your .sdk, .pkg and .dmg files that can be installed via the postinstall file, or just copied to a directory on the machine the pkg is installed on.
Greets
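As an added example (not the answer's own code), here is a postinstall script for the --scripts folder that installs every nested .pkg shipped under ${ROOTFOLDER}/Packages. Installer passes the target volume to install scripts as $3, so the path is taken from there rather than hard-coded to "/", and each nested package must pass pkgutil --check-signature before it is run; PKGUTIL and INSTALLER are overridable so the logic can be exercised without macOS tools, which is an assumption made for testing only.

```shell
# Added example, not from the original post: postinstall that installs the
# nested packages under <target volume>/Packages. PKGUTIL/INSTALLER can be
# overridden (assumption for testing off macOS); defaults are the real tools.
PKGUTIL="${PKGUTIL:-pkgutil}"
INSTALLER="${INSTALLER:-installer}"

# $1 = directory holding nested packages, $2 = target volume.
# Returns non-zero (which makes Installer report a failure) if any nested
# package is unsigned, has an invalid signature, or fails to install.
install_nested_pkgs() {
    dir="$1"; target="$2"; failed=0
    for pkg in "$dir"/*.pkg; do
        [ -e "$pkg" ] || { echo "postinstall: no nested packages in $dir"; return 0; }
        # pkgutil exits non-zero when the package has no valid signature
        if ! "$PKGUTIL" --check-signature "$pkg" >/dev/null 2>&1; then
            echo "postinstall: $pkg is unsigned or its signature is invalid" >&2
            failed=1; continue
        fi
        # postinstall already runs as root, so no sudo is needed here
        if ! "$INSTALLER" -pkg "$pkg" -target "$target"; then
            echo "postinstall: installing $pkg failed" >&2
            failed=1
        fi
    done
    return $failed
}

# When invoked by Installer: $1 = package path, $2 = install location,
# $3 = target volume (for example "/").
if [ -n "${3:-}" ]; then
    install_nested_pkgs "$3/Packages" "$3"
fi
```

Save it as a file named postinstall inside the --scripts folder and make it executable (chmod +x), otherwise pkgbuild packages it but Installer cannot run it.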

Cannot find .pkg file upon building it in terminal / How to convert a .app into a .pkg

Currently I am working on submitting an app to the Mac App Store. I have gone through several steps but am stuck on the last one. This is as I am trying to build my .app file (made in Unity) into a .pkg so I am able to deliver it to iTunes Connect via Application Loader.
I am entering this command into Terminal:
productbuild --component GAMENAME.app /Applications --sign "3rd Party Mac Developer Installer: DEVELOPER NAME" GAMENAME.pkg
For some reason though, after entering it, even though I do not get an error:
Usage: productbuild [--product <requirements-plist>] {--component <component-path> <install-path>} <product-output-path>
Build product with a self-contained bundle, e.g. for the Mac App Store
Usage: productbuild {--content <content-path>} <product-output-path>
Build product with in-app content
Usage: productbuild [--product <requirements-plist>] {--root <root-path> <install-path>} <product-output-path>
Build product with an xcodebuild destination root
Usage: productbuild [options] --distribution <dist-path> [--package-path <search-path>] <product-output-path>
Build product with a distribution and the packages it references
Usage: productbuild --synthesize [--product <requirements-plist>] {--package <pkg-path>} <distribution-output-path>
Synthesize and write a distribution from component packages
See productbuild(1) for details.
I cannot find the .pkg file that has just been built...
I am not sure if this is because it is hidden somewhere or if I have made a mistake I'm unaware of, but any help would be appreciated.
So, in short, this question is basically how to make a .app into a .pkg which can be uploaded to iTunes Connect using Application Loader...
EDIT:
Ok, as someone suggested, I might have gotten the initial Terminal command wrong after all, so any suggestions on where I went wrong would be appreciated.
Your developer name must be followed by the team ID.
Like - "DEVELOPER NAME (ABC123456)"

Using Application Loader to upload debug symbols

I am building and packaging a Mac App Store app from the command line. This results in a .dSYM file I have extracted from the binary within the app using dsymutil; then we codesign the .app, then package it using productbuild.
Passing this .pkg around our team, it installs successfully, is accepted by Application Loader's pre-checks, and appears in the iTunes Connect builds list.
The problem is that on the build details in iTunes Connect, 'Includes Symbols' is 'No'.
Using Application Loader there doesn't appear to be any option to upload the .dSYM debug symbols.
So, any ideas on how we can upload a build to iTunes Connect where
'Includes Symbols' is 'Yes'?
Looking at Xcode, it seems to create a .pkg file with a folder inside called 'Symbolication', which seems to indicate that it is the responsibility of productbuild rather than Application Loader.
Xcode writes out logs for each build and archive it does; by inspecting these we can see that it uses the 'symbols' tool to extract symbols from the dSYM output, then packages these with productbuild using the (undocumented) --symbolication flag.
The log files are called:
IDEDistribution.critical.log
IDEDistribution.standard.log
IDEDistribution.verbose.log
within a directory ending in 'xcdistributionlogs' within /var/folders/
So you want to do something like:
dsymutil myapp.app/Contents/MacOS/myapp -o myapp.app.dSYM
# TargetSymbolFolder must exist prior to calling symbols
mkdir TargetSymbolFolder
# Args are lifted from the xcode logs
symbols -noTextInSOD -noDaemon -arch all -symbolsPackageDir TargetSymbolFolder myapp.app.dSYM/Contents/Resources/Dwarf/myapp
# ...other build steps, codesign and such
# symbolication is undocumented, again it is from xcode logs
productbuild --symbolication TargetSymbolFolder --component myapp.app /Applications myapp.pkg
If you now use pkgutil to open up the created .pkg, you can see the Symbolication folder within the pkg:
pkgutil --expand myapp.pkg myapp.pkg.expanded

Signing mac installer (pkgmaker)

My installer is created using PackageMaker. After that I codesigned the installer using the following command:
productsign --sign 'Blah, Inc.' Install.mpkg/ CS/Install.mpkg
This seems to work pretty well, and I could see that it is signed using the following command:
pkgutil --check-signature Install.mpkg
Since the certificate is installed on my system in the keychain, the installer seems to show a little lock in the top right corner. Clicking this opens up the certificate.
If the installer is placed on a system without the certificate installed, the lock is no longer seen. However, I could still run the command to check for the certificate.
1) Is there a graphical way to check for code signing before installing? (I do not want to run command line)
2) I removed a folder from the mpkg file using finder to see if the installer will complain of tampering. But that does not happen. Is there a way the installer can stop install if it is tampered?
3) I also code signed all the binaries in my package (mostly daemons) using xcode's option to use certificate. Again I am able to see the binary as signed, however I do get a message
kernel[0]: CODE SIGNING: cs_invalid_page(0x1000): p=224[MyDaemon] clearing CS_VALID.
Googling, I found http://feedback.photoshop.com/photoshop_family/topics/photoshop_13_0_4_x64_how_can_i_get_rid_of_the_could_not_complete_your_request_because_of_a . However I am still not very clear what they are getting at. Could someone help me?
You can sign .mpkg packages, but you must sign them with the Developer ID Application cert and not the Developer ID Installer cert.
When you sign the .mpkg you get a number of warnings that the inner packages must be signed, but the signing seems to be valid with or without the inner .pkg signed.
I have tested that modifying an internal .pkg causes the .mpkg to fail the Gatekeeper check.
So for each internal .pkg file you should:
sudo productsign --sign "<Developer ID Installer: Cert>" "<source.mpkg>/Contents/Packages/<source.pkg>" "<destination.mpkg>/Contents/Packages/<source.pkg>"
then for the .mpkg do:
sudo productsign --sign "<Developer ID Application: Cert>" "<Source .mpkg>" "<Destination .mpkg>"
You can sign only flat packages. Your package has extension .mpkg which I believe is the older bundle format. Make sure you are using flat packages if you want to sign them.