Friday, July 26, 2019 [Tweets] [Favorites]

What I Wish I’d Known Before Starting Notarize

Frank Reiff:

Unlike sandboxing, notarization should not have any detrimental effects for most Mac apps.

As always the real trouble starts when you are trying to inject Notarization into the tangled web of modern Mac software development: entitlements, certificates, automated Xcode build chains, build settings, etc..

[…]

In this context, it would have saved me a lot of time if I had known how to find out whether a product has in fact been signed with a secure timestamp. Executing “codesign –verify –deep –strict –verbose=4 –display  -r- /path/to/my/product” will display loads of things. If there is a line with “Signed Time” among it, that means that you did not sign with a secure timestamp. If you have a line with “Timestamp” in it, it means you do have a secure timestamp.

[…]

For most of my products, Sparkle is the only framework that I bundle, so I blame it for the entire dreaded complexity and wasted time of framework signing.. which is a lot of blame. Signing frameworks is hell.. or used to be hell.. and now is hell again.

Previously:

Update (2019-07-26): Rosyna Keller:

This [timestamp issue] is covered on the searchable “Resolving Common Notarization Issues” page.

1 Comment

[…] What I Wish I’d Known Before Starting Notarize […]

Stay up-to-date by subscribing to the Comments RSS Feed for this post.

Leave a Comment