Friday, July 26, 2019

What I Wish I’d Known Before Starting Notarize

Frank Reiff:

Unlike sandboxing, notarization should not have any detrimental effects for most Mac apps.

As always the real trouble starts when you are trying to inject Notarization into the tangled web of modern Mac software development: entitlements, certificates, automated Xcode build chains, build settings, etc.

[…]

In this context, it would have saved me a lot of time if I had known how to find out whether a product has in fact been signed with a secure timestamp. Executing “codesign --verify --deep --strict --verbose=4 --display -r- /path/to/my/product” will display loads of things. If there is a line with “Signed Time” among it, that means that you did not sign with a secure timestamp. If you have a line with “Timestamp” in it, it means you do have a secure timestamp.

[…]

For most of my products, Sparkle is the only framework that I bundle, so I blame it for the entire dreaded complexity and wasted time of framework signing.. which is a lot of blame. Signing frameworks is hell.. or used to be hell.. and now is hell again.


Update (2019-07-26): Rosyna Keller:

This [timestamp issue] is covered on the searchable “Resolving Common Notarization Issues” page.
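
The “Signed Time” versus “Timestamp” check quoted above, applied to an app and to each framework nested in it (the Sparkle case), as an added shell example that is not from the quoted post or from Apple's documentation. The function names and sample output are constructed here; it covers only `*.framework` directories, not other nested code.

```shell
#!/bin/sh
# Added example: report whether each signature carries a secure timestamp.

# Constructed excerpts of `codesign --display --verbose=4` output.
SAMPLE_SECURE='Identifier=com.example.App
Authority=Developer ID Application: Example Corp (ABCDE12345)
Timestamp=Jul 26, 2019 at 10:00:00 AM'
SAMPLE_LOCAL='Identifier=com.example.App
Authority=Developer ID Application: Example Corp (ABCDE12345)
Signed Time=Jul 26, 2019 at 10:00:00 AM'

# Classify codesign display output read from stdin:
#   secure   - has a "Timestamp=" line
#   insecure - has only a "Signed Time=" line
#   unknown  - has neither (for example, the item is not signed)
timestamp_status() {
    awk '
        /^Timestamp=/   { secure = 1 }
        /^Signed Time=/ { signer = 1 }
        END {
            if (secure)      print "secure"
            else if (signer) print "insecure"
            else             print "unknown"
        }'
}

# Check one item. codesign writes its display report to stderr, hence 2>&1.
check_item() {
    codesign --display --verbose=4 "$1" 2>&1 </dev/null | timestamp_status
}

# Check a bundle and each framework inside it (e.g. Sparkle.framework).
# Prints "<status><TAB><path>" per item; returns 1 unless all are "secure".
audit_bundle() {
    rc=0
    items=$(printf '%s\n' "$1"; find "$1" -type d -name '*.framework' -prune)
    while IFS= read -r item; do
        st=$(check_item "$item")
        printf '%s\t%s\n' "$st" "$item"
        [ "$st" = secure ] || rc=1
    done <<EOF
$items
EOF
    return "$rc"
}
```

Run `audit_bundle /path/to/my/product` before submitting for notarization; a non-zero exit means at least one item lacks a “Timestamp” line.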

2 Comments


It seems like making an application for macOS is akin to rocket science, requiring a lot of hard work before actually getting to the app making part.
