[Question] Signing for MacOS

[m00sey]

Question

Hello,

I have a developed a Flet app and we're attempting to sign and notarize for distribution outside the Apple Store.

However I get a plethora of errors back from notarization, and this discussion is to ask, have other people successfully signed and notarized a Flet application, and if so, how?

# Sign inner most binary
codesign --force --verify --verbose -s SHA --timestamp -i one.keri.citadel --entitlements entitlements.plist --options=runtime citadel.app/Contents/MacOS/citadel

# Sign generated .app directory
codesign --force --verify --verbose -s SHA --timestamp -i one.keri.citadel --options=runtime citadel.app

# create dmg
hdiutil create -volname "Citadel" -srcfolder citadel.app -ov -format UDZO citadel.dmg

# sign dmg
codesign --force --verify --verbose -s SHA --timestamp -i one.keri.citadel --options=runtime citadel.dmg

# submit for notary
xcrun notarytool submit citael.dmg --keychain-profile "citadel-notary" --wait
	
# xcrun stapler citadel.dmg
# spctl -a -vv citadel.dmg

I'll one happy to add to the Flet docs/tooling once we're successful.

Cheers,

Code sample

None

Error message

None

------------------------------------------------------

• I have searched for answers to my question both in the issues and in previous discussions.

[m00sey]

OK, so one set of common errors - not signing everything in our Frameworks directory.

I'll update the sample.

[m00sey]

I gave up and asked ChatGPT

To ensure your macOS app is properly signed and ready for distribution, you need to follow a specific order of operations when applying the --options runtime flag. This flag should be applied to the entire .app bundle, as this is necessary for the hardened runtime required by Apple for notarization.

Correct Order for Signing a Flet App
Sign the Main Executable:
Sign the main executable within the .app bundle. Do not use the --options runtime flag here.

sh
Copy code
codesign --force --verify --verbose --sign "Developer ID Application: Your Name (Team ID)" --entitlements /path/to/entitlements.plist /path/to/YourApp.app/Contents/MacOS/YourExecutable
Sign Frameworks:
Sign any frameworks included in the .app bundle.

sh
Copy code
codesign --force --verify --verbose --sign "Developer ID Application: Your Name (Team ID)" /path/to/YourApp.app/Contents/Frameworks/YourFramework.framework
Sign Plugins:
Sign any plugins included in the .app bundle.

sh
Copy code
codesign --force --verify --verbose --sign "Developer ID Application: Your Name (Team ID)" /path/to/YourApp.app/Contents/PlugIns/YourPlugin.plugin
Sign Helper Tools and Other Binaries:
Sign any additional binaries or helper tools.

sh
Copy code
codesign --force --verify --verbose --sign "Developer ID Application: Your Name (Team ID)" /path/to/YourApp.app/Contents/Helpers/YourHelperTool
Sign the Entire .app Bundle with --options runtime:
Apply the hardened runtime option to the entire .app bundle.

sh
Copy code
codesign --force --verify --verbose --sign "Developer ID Application: Your Name (Team ID)" --options runtime /path/to/YourApp.app
Create the .dmg File:
Package the signed .app into a .dmg file using create-dmg or hdiutil.

Using create-dmg:

sh
Copy code
create-dmg /path/to/YourApp.app
Using hdiutil:

sh
Copy code
hdiutil create -volname "YourApp" -srcfolder /path/to/YourApp.app -ov -format UDZO /path/to/yourapp.dmg
Sign the .dmg File:
Sign the .dmg file itself.

sh
Copy code
codesign --force --verify --verbose --sign "Developer ID Application: Your Name (Team ID)" /path/to/yourapp.dmg
Notarize the .dmg File:

Authenticate with the App Store Connect API using an API key:

sh
Copy code
xcrun notarytool store-credentials "AC_Credential" --apple-id "your-apple-id" --team-id "your-team-id" --key-id "your-key-id" --private-key-path "/path/to/AuthKey_XXXXXXXXXX.p8"
Submit your .dmg for notarization:

sh
Copy code
xcrun notarytool submit /path/to/yourapp.dmg --keychain-profile "AC_Credential" --wait
Staple the notarization ticket to your .dmg file:

sh
Copy code
xcrun stapler staple /path/to/yourapp.dmg
Verify the notarization:

sh
Copy code
xcrun stapler validate /path/to/yourapp.dmg
Sources
Apple's Technical Note TN2206: macOS Code Signing In Depth​ ([Apple Developer](https://developer.apple.com/library/archive/technotes/tn2206/_index.html))​
Free Pascal Wiki on Hardened Runtime​ ([Free Pascal Wiki](https://wiki.freepascal.org/Hardened_runtime_for_macOS))​
Practical guides and examples from developer forums​ ([Xojo Programming Forum](https://forum.xojo.com/t/how-to-codesign-and-notarise-your-app-for-macos-10-14-and-higher/45879))​
By following these steps and correctly applying the --options runtime flag to the entire .app bundle, you will ensure that your app meets the security requirements for macOS and is ready for notarization and distribution.

[m00sey]

This doesn't work either.

[m00sey]

Current error:

    {
      "severity": "error",
      "code": null,
      "path": "citadel.dmg/citadel.app/Contents/Frameworks/App.framework/Versions/A/Resources/flutter_assets/app/app.zip/__pypackages__/_cffi_backend.cpython-311-darwin.so",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
      "architecture": "arm64"
    },

[m00sey]

what's interesting is it starting with citadel.dmg

[m00sey]

I've created a shell script to brute force signing.

It passes notarization.

https://gist.github.com/m00sey/4708e9a6df55449a9c12d486ac69e8ab

[kentbull]

It appears that with the separation out of flet-desktop from flet that there is now a need to include a signing step for the flet-desktop package within the serious-python-darwin.framework Framework. This is shown below in the sign_flet_desktop_package function:

# Sign the flet-desktop app package in serious-python
function sign_flet_desktop_package() {
  echo "Signing Flet executable and its dependent framework executables..."
  cd "$BUILD_DIR/$APP_NAME.app/Contents/Frameworks/serious_python_darwin.framework/Versions/A/Resources/python.bundle/Contents/Resources/site-packages/flet_desktop/app/" || exit 1
  mkdir -p tmp
  tar -xzf flet-macos.tar.gz -C tmp
  # sign Flet executable and its dependent framework executables
  FILES=(
    "Flet"
    "wakelock_plus"
    "Avfilter"
    "screen_brightness_macos"
    "FlutterMacOS"
    "Avformat"
    "Png16"
    "media_kit_libs_macos_video"
    "Dav1d"
    "Mbedcrypto"
    "Freetype"
    "Ass"
    "media_kit_native_event_loop"
    "Swresample"
    "window_to_front"
    "Harfbuzz"
    "media_kit_video"
    "Mpv"
    "App"
    "Mbedtls"
    "Avcodec"
    "device_info_plus"
    "path_provider_foundation"
    "audioplayers_darwin"
    "Fribidi"
    "Avutil"
    "geolocator_apple"
    "Swscale"
    "package_info_plus"
    "shared_preferences_foundation"
    "Uchardet"
    "window_manager"
    "Mbedx509"
    "screen_retriever_macos"
    "webview_flutter_wkwebview"
    "Xml2"
    "rive_common"
    "record_darwin"
    "url_launcher_macos"
  )
  NAME_ARGS=()
  for file in "${FILES[@]}"; do
      NAME_ARGS+=(-name "$file" -o)
  done
  unset 'NAME_ARGS[-1]' || exit 1

  find "tmp" -type f \( ${NAME_ARGS} \) \
    -exec codesign --force --verify --verbose --timestamp --options runtime --sign "$DEVELOPER_ID_APP_CERT" {} \;

  # Repack Flet and its dependencies
  rm flet-macos.tar.gz
  tar czf flet-macos.tar.gz -C tmp .
  rm -rf tmp
}
sign_flet_desktop_package