Code signing and getting an app to the AppStore (Mac or iOS) via Xcode

[ap4499]

Hi everyone,

I have created a .app file on Mac (destination Mac AppStore), using Flet build.

What is the recommended way of creating an AppStore app from this? Bearing in mind the signing of the package, and launching in a seamless way.

I have been trying to follow the steps in the Flutter documentation, but these don't seem applicable (or at least, my inexperience in Xcode is hurting me).

Has anyone else done this? What are the steps to get an app into TestFlight? I'd be incredibly grateful if anyone has learnt any pain points or has pointers (I'm an Xcode noob...)

So far, I have managed to get XCode to package my Python app (using XIB), but I come unstuck on the code signing.

[ap4499]

Part 1/2: signing
Just wanted to share the process. I have got a Flet app containing Torch to a point of passing notarisation, and through Xcode (although, no sandboxing).

Within the signing script, there are additional steps to sign a a Torch.zip folder that contains a Monkey Patch for Torch (and is unzipped), along with other .dylib files. Please see #3060 as to why a patch is needed. If you are not doing this, I suggest using the example from @m00sey (thank you btw), which I have built from (see #3326).

It adds in steps that I needed to get this past notarisation, which included: timestamps, dylib signing, and unzipping that Torch.zip patch.

APP_NAME="USERAPPNAME" #Enter name here 
APP_IDENTIFIER="com.example.example"  #Enter name here 
APP_VERSION="1.0.0"
APP_DISPLAY_NAME="NAME" #Enter name here 
BUILD_DIR="build"
MACHINE_OS=$(sw_vers -buildVersion)
APP_ICON="AppIcon"
DMG_NAME="$APP_NAME.dmg"
DEVELOPER_ID_APP_CERT="Developer ID Application: First Last (ZX12356Y)" # Developer certificate. Should be of type: "Developer ID Application". Obtain this from KeyChain Access
KC_PROFILE="a-keychain-profile"
WORKING_DIR=$(pwd)

# Get the build machine OS build version
BUILD_MACHINE_OS_BUILD=$(sw_vers -buildVersion)

# Create Info.plist
cat <<EOF > "$BUILD_DIR/$APP_NAME.app/Contents/Info.plist"
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleName</key>
    <string>$APP_NAME</string>
	<key>CFBundleExecutable</key>
	<string>$APP_NAME</string>    
    <key>CFBundleDisplayName</key>
    <string>$APP_DISPLAY_NAME</string>
    <key>CFBundleIdentifier</key>
    <string>$APP_IDENTIFIER</string>
    <key>CFBundleVersion</key>
    <string>$APP_VERSION</string>
    <key>CFBundleShortVersionString</key>
    <string>$APP_VERSION</string>
	<key>BuildMachineOSBuild</key>
	<string>$MACHINE_OS</string>    
	<key>CFBundleIconFile</key>
	<string>$APP_ICON</string>
	<key>CFBundleIconName</key>
	<string>$APP_ICON</string>    
	<key>CFBundleDevelopmentRegion</key>
	<string>en</string>
	<key>CFBundleInfoDictionaryVersion</key>
	<string>6.0</string>
	<key>CFBundlePackageType</key>
	<string>APPL</string>    
	<key>CFBundleSupportedPlatforms</key>
	<array>
		<string>MacOSX</string>
	</array>    
</dict>
</plist>
EOF

cat <<EOF > "$APP_NAME.entitlements"
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
	<key>com.apple.security.files.user-selected.read-write</key>
	<true/>

	<key>com.apple.security.app-sandbox</key>
	<false/>

</dict>
</plist>
EOF

# Unpack, sign, and repack the zip file within the framework
cd "$BUILD_DIR/$APP_NAME.app/Contents/Frameworks/App.framework/Versions/A/Resources/flutter_assets/app/"
unzip -q app.zip -d tmp

cat <<EOF > "torch.entitlements"
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
	<key>com.apple.security.files.user-selected.read-write</key>
	<true/>

	<key>com.apple.security.app-sandbox</key>
	<false/>


</dict>
</plist>
EOF

# ********************* Handle nested torch.zip *********************
# Change directory to where torch.zip is located
cd "tmp/RunTime_resources" 

# Unzip torch.zip
unzip -q torch.zip 

# Delete the original torch.zip 
rm torch.zip

# Remove extended attributes from the unzipped torch folder's contents
find "torch" -type f -exec xattr -c {} \; 

# Sign .so and .dylib files within the unzipped torch folder
find "torch" -type f \( -name "*.so" -o -name "*.dylib" \) -exec codesign --timestamp --force --verify --verbose --sign "$DEVELOPER_ID_APP_CERT" {} \;

# Re-zip the signed torch folder
zip -q -r torch.zip torch

# Remove the unzipped torch folder
rm -rf torch

# Change back to the root of the project directory. Likely redundant given the next line, but this script has been so painful I don't want to change something so obvious given it's working. 
cd "$WORKING_DIR" 
# *******************************************************************
cd "$BUILD_DIR/$APP_NAME.app/Contents/Frameworks/App.framework/Versions/A/Resources/flutter_assets/app/"


# Remove extended attributes from files within the zip
find "tmp" -type f -exec xattr -c {} \; 

codesign --timestamp --force --verify --verbose --sign "$DEVELOPER_ID_APP_CERT" --entitlements "torch.entitlements" --options runtime "tmp/RunTime_resources/bin_c/protoc-3.13.0.0"
codesign --timestamp --force --verify --verbose --sign "$DEVELOPER_ID_APP_CERT" --entitlements "torch.entitlements" --options runtime "tmp/RunTime_resources/bin_c/torch_shm_manager"
codesign --timestamp --force --verify --verbose --sign "$DEVELOPER_ID_APP_CERT" --entitlements "torch.entitlements" --options runtime "tmp/RunTime_resources/bin_c/protoc"


find "tmp" -type f -name "*.so" -exec codesign --timestamp --force --verify --verbose --sign "$DEVELOPER_ID_APP_CERT" {} \;
find "tmp" -type f -name "*.dylib" -exec codesign --timestamp --force --verify --verbose --sign "$DEVELOPER_ID_APP_CERT" {} \;

# Find the file and codesign it within the 'tmp' folder
find "tmp" -type f -name "_multiarray_umath.cpython-311-darwin.so" -exec codesign --timestamp --force --verify --verbose --sign "$DEVELOPER_ID_APP_CERT" {} \;
find "tmp" -type f -name "_multiarray_umath.cpython-311-darwin.so" -exec codesign --timestamp --force --verify --verbose --sign "$DEVELOPER_ID_APP_CERT" --options runtime --entitlements "torch.entitlements" {} \;

cd tmp
zip -q -r ../app.zip .
cd ..
rm -rf tmp

cd "$WORKING_DIR"


# Remove extended attributes from all files before signing
find "$BUILD_DIR/$APP_NAME.app" -type f -exec xattr -c {} \; 
# Sign all .so files
find "$BUILD_DIR/$APP_NAME.app" -name "*.so" -exec codesign --timestamp --force --verify --verbose --sign "$DEVELOPER_ID_APP_CERT" {} \;
find "$BUILD_DIR/$APP_NAME.app" -name "*.dylib" -exec codesign --timestamp --force --verify --verbose --sign "$DEVELOPER_ID_APP_CERT" {} \;


# Sign the main executable
codesign  --verify --verbose --sign "$DEVELOPER_ID_APP_CERT" --timestamp --force --entitlements "$APP_NAME.entitlements" "$BUILD_DIR/$APP_NAME.app/Contents/MacOS/$APP_NAME"

# Sign any frameworks
find "$BUILD_DIR/$APP_NAME.app/Contents/Frameworks" -name "*.framework" -exec codesign --timestamp --force --verify --verbose --sign "$DEVELOPER_ID_APP_CERT" {} \;

# Sign the entire .app bundle
codesign  --verify --verbose --sign "$DEVELOPER_ID_APP_CERT" --options runtime "$BUILD_DIR/$APP_NAME.app" --timestamp

codesign --verify --verbose --sign "$DEVELOPER_ID_APP_CERT" --options runtime  --entitlements "$APP_NAME.entitlements" "$BUILD_DIR/$APP_NAME.app"  --force --timestamp

echo "Checking for unsigned components..."
codesign --verify --deep --verbose=4 "$BUILD_DIR/$APP_NAME.app"

echo "Verifying entitlements..."
codesign --display --entitlements :- "$BUILD_DIR/$APP_NAME.app"

[ap4499]

Part 2/2:
Xcode steps:

Create a blank Storyboard application in Xcode (XIB might also work).

You will need to:

1. Import your application. Go to Targets, then build phases -> copy bundle resources > "+" > add your app (can copy || reference)
2. Setup yout signing capabilities in the tab. You may also need to create the relevant entries within your Apple Developer centre (create app and bundle ID etc.)
3. Within Project > Build Settings > search "LSUI" > Application is agent == True
4. Within AppDelegate, set the following code:

import Cocoa

@main
class AppDelegate: NSObject, NSApplicationDelegate {

    
    func applicationDidFinishLaunching(_ aNotification: Notification)
 {
        // Launch the embedded app
        let appBundlePath = Bundle.main.path(forResource: "YourAppName", ofType: "app") // Replace "YourAppName" with the actual name of your .app file (without the .app extension)

        if let appBundlePath = appBundlePath {
            let url = URL(fileURLWithPath: appBundlePath)

            // Check if the app can be launched
            if NSWorkspace.shared.urlForApplication(toOpen: url) != nil {
                // Create an empty NSWorkspace.OpenConfiguration object
                let configuration = NSWorkspace.OpenConfiguration()

                // Launch the app using the updated method with the configuration object
                NSWorkspace.shared.openApplication(at: url, configuration: configuration) { (app, error) in
                    if let error = error {
                        // Handle errors if the app fails to launch
                        print("Error launching app: \(error)")
                        // You might want to display an error message to the user here
                    } else {
                        // Hide the main window after launching the embedded app
                        DispatchQueue.main.async {
                            NSApp.mainWindow?.orderOut(nil)
                        }
                    }
                }
            } else {
                // Handle the case where the app cannot be launched
                print("App cannot be launched")
                // You might want to display an error message to the user here
            }
        } else {
            // Handle the case where the .app bundle is not found
            print(".app bundle not found")
            // You might want to display an error message to the user here
        }
    }

    func applicationWillTerminate(_ aNotification: Notification) {
        // Insert code here to tear down your application
    }

    func applicationSupportsSecureRestorableState(_ app: NSApplication) -> Bool {
        return true
    }


}

5. Then Build your app, hopefully it runs.
6. Product (main bar at the top) -> Archive -> Distribute app - > Direct distribution

I have found that submitting an app for notarization has taken a very, very long time. The first time, it was around 24h. After that, and I resolved a lot of the errors, it came down to 6h, and after that.. with only minor changes, it is around 15minutes. So it does look like there is some kind of delta check they are operating.

Following that.. your app should be good to go and past Apple's notarization process.

Please note, I have tried to Sandbox my app and continually run into issues. I have Numpy bundled (fairly ubiquitous library), and Gatekeeper throws errors for "_multiarray_umath.cpython-311-darwin.so", saying that Apple cannot verify that it is free of malware. I have been unable to resolve this issue, and so have decided to ditch the Mac AppStore and Sandboxing altogether (a lot of effort to accept a 30% tax..).

Honestly.. the most painful process possibly imaginable from Apple. Their entire documentation leaves a lot to be desired, and the process is in general, unnecessarily convoluted and complex..

[kentbull]

It appears that with the separation out of flet-desktop from flet that there is now a need to include a signing step for the flet-desktop package within the serious-python-darwin.framework Framework. This is shown below in the sign_flet_desktop_package function:

# Sign the flet-desktop app package in serious-python
function sign_flet_desktop_package() {
  echo "Signing Flet executable and its dependent framework executables..."
  cd "$BUILD_DIR/$APP_NAME.app/Contents/Frameworks/serious_python_darwin.framework/Versions/A/Resources/python.bundle/Contents/Resources/site-packages/flet_desktop/app/" || exit 1
  mkdir -p tmp
  tar -xzf flet-macos.tar.gz -C tmp
  # sign Flet executable and its dependent framework executables
  FILES=(
    "Flet"
    "wakelock_plus"
    "Avfilter"
    "screen_brightness_macos"
    "FlutterMacOS"
    "Avformat"
    "Png16"
    "media_kit_libs_macos_video"
    "Dav1d"
    "Mbedcrypto"
    "Freetype"
    "Ass"
    "media_kit_native_event_loop"
    "Swresample"
    "window_to_front"
    "Harfbuzz"
    "media_kit_video"
    "Mpv"
    "App"
    "Mbedtls"
    "Avcodec"
    "device_info_plus"
    "path_provider_foundation"
    "audioplayers_darwin"
    "Fribidi"
    "Avutil"
    "geolocator_apple"
    "Swscale"
    "package_info_plus"
    "shared_preferences_foundation"
    "Uchardet"
    "window_manager"
    "Mbedx509"
    "screen_retriever_macos"
    "webview_flutter_wkwebview"
    "Xml2"
    "rive_common"
    "record_darwin"
    "url_launcher_macos"
  )
  NAME_ARGS=()
  for file in "${FILES[@]}"; do
      NAME_ARGS+=(-name "$file" -o)
  done
  unset 'NAME_ARGS[-1]' || exit 1

  find "tmp" -type f \( ${NAME_ARGS} \) \
    -exec codesign --force --verify --verbose --timestamp --options runtime --sign "$DEVELOPER_ID_APP_CERT" {} \;

  # Repack Flet and its dependencies
  rm flet-macos.tar.gz
  tar czf flet-macos.tar.gz -C tmp .
  rm -rf tmp
}
sign_flet_desktop_package