C-Command Software Forum

Do I have to notarize my .dmg AND my .app when distributing?

This is my first Mac app.
When I ditributed for Windows I just “signed” (aka notarized - I presume notarize and sign are the same thing) my installer.exe only. Not the .zip file it downloaded in.

With Mac do I notarize the .dmg file, or just the .app file ?

Notarizing and signing are completely different. I discuss this more here, but the summary is that you want to sign your app, sign your installer (if any), sign your disk image, and notarize your disk image. You can optionally also notarize the app.

1 Like

thanks…
Is the ability to Notarize and Sign included in the $99 Apple Developer account fee ?

Yes.

1 Like

thanks, so the process of signing and notarizing an app is, in this following order?

Step 1) Sign your .app
2) Notarize the .app
3) Make the .DMG with DropDMG (and sign it in DropDMG)
4) Notarize this .DMG

Correct, with Step 2 being optional.

1 Like

thanks… I am generating a certificate now.
Apple is giving me a list below of different types of certificates.
Am I right in thinking:

  1. The .DMG gets the Developer ID Installer certificate
  2. The .APP gets the Developer ID Application certificate

?

*Create a new certificate

⬤ Apple Development
Sign development versions of your iOS, macOS, tvOS, and watchOS apps. For use in Xcode 11 or later.
⬤ Apple Distribution
Sign your apps for submission to the App Store or for Ad Hoc distribution. For use with Xcode 11 or later.
⬤ iOS App Development
Sign development versions of your iOS app.
⬤ iOS Distribution (App Store and Ad Hoc)
Sign your iOS app for submission to the App Store or for Ad Hoc distribution.
⬤ Mac Development
Sign development versions of your Mac app.
⬤ Mac App Distribution
This certificate is used to code sign your app and configure a Distribution Provisioning Profile for submission to the Mac App Store.
⬤ Mac Installer Distribution
This certificate is used to sign your app’s Installer Package for submission to the Mac App Store.
Developer ID Installer
This certificate is used to sign your app’s Installer Package for distribution outside of the Mac App Store.
Developer ID Application
This certificate is used to code sign your app for distribution outside of the Mac App Store.

Developer ID Application is for both the .app and the .dmg.

:+1:
I know I next have to make an “Identifier”, and I know which one to choose.
I don’t think I need to touch “Profiles” or “Keys” - but the next step, before I download XCode, is to get a Developer ID.
How do I get a Developer ID - do I make that myself within XCode?
image

I think you can do it by clicking the blue + button in your screenshot next to Certificates. There may also be a way to do it in Xcode’s Accounts preferences.

:+1:
I made a Certificate and downloaded that to my Mac. I’ll use codesign to sign my app, and DropDMG I know will sign the dmg if I load that same certificate in.

In the Apple Developer control panel, I made an Identifier.
Description: myappname
Bundle ID, explicit: com.myappname.ios

When is the Identifier used in the signing process ?

Its should be in your app’s Info.plist file, but I think in most cases you don’t need to enter it directly when signing.

thanks!
When I first created my Certificate in my Apple Developer control panel, I downloaded it, and double-clicked it to add it to my keychain.
It then asked me if I’d like to add this certificate to my “Login”, “System”, and I think there was one more option which I can’t recall. Anyway, I added the certificate to “Login”. Was that the correct decision?

I’m asking because I’m trying to sign my app and getting this error, " unable to build chain to self-signed root for signer -myname-"

Any ideas?

edit: I found out that when I clicked on my certificate in the Keychain, it says “Developer ID Application: My Name (My code)” not trusted. I thought it was automatically trusted when I added it. Maybe this is my problem?

I would expect it to work in the “login” keychain.

That sounds like you don’t have signing identity selected in Xcode.

I’m not sure why your Developer ID certificate wouldn’t be trusted. Maybe you are missing one of the certificates that’s part of the chain of trust and need to add it via Xcode.

1 Like

:+1: I managed to sign my app. I had to choose the right certificate type “Previous GA Sub” is the one I chose.

Do you know if its possible to install altool without having to install the full Xcode package?
Many other command line tools come pre-installed on a Mac such as staple but altool is missing.

altool needs Xcode, but the newer notarytool is standalone.

I’m eager to use notarytool , and I am looking online everywhere for a download for it. I understand that I can download it as a standalone, I don’t think I need to install the whole Xcode package.
I tried this:

sudo rm -rf /Library/Developer/CommandLineTools
sudo xcode-select --install

But I don’t think it installed notarytool - I can’t find it. I typed xcrun --find notarytool but it didn’t find it.

Any ideas where I can get standalone notarytool from?

@Michael_Tsai edit: actually I think its here. Do you know how I would extract notarytool from this dmg?


https://developer.apple.com/download/all/
The earliest it can run on is 10.15.7 - which is actually exactly my ver OS.

I think you have to get it as part of Xcode, but then you can extract the actual file from the .app package and use it on a Mac that doesn’t have the rest of Xcode.

1 Like