Adding App Notarization For Macs To Your Build Train

Apple sent the following message out to developers yesterday:

Dear Developer, 

We’re working with developers to create a safer Mac user experience through a process where all software, whether distributed on the App Store or outside of it, is signed or notarized by Apple. With the public release of macOS 10.14.5, we require that all developers creating a Developer ID certificate for the first time notarize their apps, and that all new and updated kernel extensions be notarized as well. This will help give users more confidence that the software they download and run, no matter where they get it from, is not malware by showing a more streamlined Gatekeeper interface. In addition, we’ve made the following enhancements to the notarization process.
  • Legacy code is fully supported, even if it contains unsigned binaries. While new software and updates require proper signatures in order to be notarized, you can upload your existing software as-is.
  • Apps with plugin ecosystems are better supported.
  • Stapler supports all types of bundles and plugins.
  • Xcode 10.2 adds secure timestamps and other code signing options required by the notary service.
  • Related documentation has also been improved. We encourage you to take a look at Notarizing Your Apps Before Distribution and Hardened Runtime Entitlements.

If you have any questions, contact us

Best regards,
Apple Developer Relations
© 2019 Apple Inc.

Many organizations already automate their software build process and will now need to add submitting the app for notarization to that process. Before you start, there are a few things you should know:

  • Notarization is an automated malware scan that usually takes about 20 minutes, and the app must be built against the macOS 10.9 SDK or later.
  • Before submitting, make sure every executable in the bundle (including embedded frameworks, helper tools and plugins) is code-signed and that you enabled the Hardened Runtime option.
  • Find a workaround if you’re setting com.apple.security.get-task-allow to true for any reason; the notary service rejects builds that carry that entitlement.
  • Make sure to sign apps and kexts with a Developer ID certificate instead of a local cert from Xcode. And make sure every signature carries a secure timestamp: Xcode does this in its distribution workflows, and if you use codesign directly, add --timestamp.

You can use any tools for the next steps. Because I have a Bamboo setup on my desk, next I’m going to open it and create a command task. To do so:

  • Open the Tasks configuration tab for a job (or default job in a new plan).
  • Click Add Task.
  • Add a Task Description, which is just how the task is described in the Bamboo interface.
  • Uncheck the box to “Disable this task”
  • Provide a path to the command executable, which in this case will be a simple bash script that we’ll call /usr/bambooscripts/notarize.sh. If you’re stringing workflows together you might add other scripts as well (e.g. a per-product script as opposed to a generic script that takes positional parameters for arguments).
  • Provide any necessary Arguments. In this case it’ll just be a simple job but you can reduce the work by adding arguments for processing paths of different products.
  • Provide any necessary Environment Variables. We won’t use any in this project.
  • Provide any necessary “Working Sub Directory” settings, which is an alternative directory rather than using a relative path. If you don’t provide a working sub directory, note that Bamboo looks for build files in the root directory.
  • Click the Save button.

Now we’ll call altool through xcrun. Here, we’ll use the --notarize-app option, define the bundle with the reverse-DNS identifier you’ve always used for the --primary-bundle-id option, pass the username and password of the Apple ID linked to your Developer ID, and finally point --file at the zipped output from Xcode. Use an app-specific password for that Apple ID rather than the account password, and keep it out of the script if you can: altool accepts @keychain:ITEM_NAME or @env:VARIABLE_NAME in place of the password, so it can read the secret from the build agent’s login keychain or from an environment variable the job sets rather than from a file checked into a repository.

#!/bin/bash
# Submit the zipped build to the notary service; altool prints a RequestUUID you can poll with --notarization-info.
/usr/bin/xcrun altool --notarize-app --primary-bundle-id "com.myorg.myproduct" --username "krypted@myorg.com" --password "icky_passwords" --file "/Users/krypted/Documents/myproduct.zip"

We'll call this script /usr/bambooscripts/notarize.sh and then let the job pick it up and process it.
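As an added example (not the script from the original post, nor Apple’s code), here is what a fuller notarize.sh for the Bamboo task might look like: it runs the pre-flight checks from the list above, submits with the password read from the keychain, polls until the notary service reports a verdict, and staples the ticket so Gatekeeper accepts the app offline. It assumes the task passes the zip path as its first argument, that the signed .app sits beside the zip with the same base name, and that the app-specific password is stored in the login keychain as an item named AC_PASSWORD; the bundle ID, Apple ID, keychain item name and poll timings are placeholders.

```shell
#!/bin/bash
# Added example, not code from the original post or from Apple: a notarize.sh
# for a build job that refuses to submit a build the notary service would
# reject, submits the archive, polls until the scan finishes, and staples.
# Assumptions: $1 is the zip of the signed, hardened-runtime app, the .app
# sits beside it with the same base name, and the Apple ID's app-specific
# password is in the login keychain under the item name AC_PASSWORD.
set -eu

BUNDLE_ID="${BUNDLE_ID:-com.myorg.myproduct}"
APPLE_ID="${APPLE_ID:-krypted@myorg.com}"
# altool resolves @keychain:<item> itself, so the secret never lands in the
# script, the Bamboo task definition or the build log.
PASSWORD_REF="${PASSWORD_REF:-@keychain:AC_PASSWORD}"
POLL_SECONDS="${POLL_SECONDS:-60}"
MAX_POLLS="${MAX_POLLS:-60}"

# Pull the RequestUUID out of "altool --notarize-app" output.
parse_request_uuid() {
    sed -n 's/^RequestUUID = \([0-9A-Fa-f-]*\).*/\1/p' | head -n 1
}

# Pull the Status field ("in progress", "success" or "invalid") out of
# "altool --notarization-info" output.
parse_status() {
    sed -n 's/^[[:space:]]*Status: \(.*\)$/\1/p' | head -n 1
}

# The notary service rejects unsigned code, code without the hardened runtime
# and code carrying com.apple.security.get-task-allow; catch all three locally.
preflight() {
    local app="$1"
    codesign --verify --deep --strict "$app"
    codesign -dvv "$app" 2>&1 | grep -q 'flags=.*(runtime)' \
        || { echo "hardened runtime not enabled on $app" >&2; return 1; }
    if codesign -d --entitlements :- "$app" 2>/dev/null | grep -q 'get-task-allow'; then
        echo "get-task-allow entitlement present; the notary service will reject this build" >&2
        return 1
    fi
}

submit() {
    xcrun altool --notarize-app --primary-bundle-id "$BUNDLE_ID" \
        --username "$APPLE_ID" --password "$PASSWORD_REF" \
        --file "$1" 2>&1 | parse_request_uuid
}

wait_for_ticket() {
    local uuid="$1" status i=0
    while [ "$i" -lt "$MAX_POLLS" ]; do
        status=$(xcrun altool --notarization-info "$uuid" \
            --username "$APPLE_ID" --password "$PASSWORD_REF" 2>&1 | parse_status)
        case "$status" in
            success) return 0 ;;
            invalid) echo "rejected; run altool --notarization-info $uuid for the log URL" >&2; return 1 ;;
        esac
        sleep "$POLL_SECONDS"
        i=$((i + 1))
    done
    echo "timed out waiting on request $uuid" >&2
    return 1
}

main() {
    local archive="$1" app uuid
    app="${archive%.zip}.app"
    preflight "$app"
    uuid=$(submit "$archive")
    [ -n "$uuid" ] || { echo "altool returned no RequestUUID" >&2; return 1; }
    echo "submitted as $uuid"
    wait_for_ticket "$uuid"
    xcrun stapler staple "$app"   # embed the ticket so Gatekeeper passes offline
}

if [ "$#" -gt 0 ]; then main "$1"; fi
```

The parsing helpers read altool’s output from stdin, so you can exercise them without an Apple ID; the job only ever sees the RequestUUID and the status, never the password.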

Oh funny. I just noticed Rich Trouton posted a writeup on Notarization at https://derflounder.wordpress.com/2019/04/10/notarizing-automator-applications/. I'd read that as well.

Apple Development Conferences

There are a lot of Apple developers out there these days. And it often seems like few groups like to share information more than those who work in the Apple space. So where can you go to learn more about Apple development? There are lots of websites and code camps, but what about annual conferences?
  • WWDC: San Jose, CA – This is the grandaddy of them all. Hear from the people who build the frameworks and IDEs directly! But registration is limited and not everyone can go to that one place at that one date and time of the year. Also, different conferences can give different perspectives, so even if you go to WWDC every year, it’s worth looking at some of these other conferences as a +1!
  • AltConf: San Jose – Everything from iBeacons to how to name a product. The big thing is that it’s held alongside WWDC so I mention it first. By developers for developers – but not really connected to Apple’s developer relations. 
  • Mac Admin & Developer Conference UK: MacADUK is a great intersection between administration and development. A little bit of everything and a lot of smart. Grows every year. 
  • DevWorld: 
  • MacTech: This is more of an 
  • Appdevcon: Amsterdam – I like conferences for and by developers. And I like Amsterdam. 
  • Objective By The Sea: Hawaii!!! – Who doesn’t love a conference in Hawaii?!?! But more importantly, some of the top security minds in the Apple world have signed up for the inaugural conference to 
  • dot Swift: Paris – A Swift conference in Paris. I prefer how to write code type of conferences, or why pick a framework. So there ya’ go. In Paris.
  • RWdevCon: Washington, DC – I love the format of a tutorial-driven conference (and will likely emulate that in the future). Nothing gets rid of the silly touchy-feely stuff in tech conferences more than how-tos!
  • Swift by Northwest
  • iOSCon 2018: London – Any conference Aaron Hillegass ends up at is gonna’ be good. Especially if you live close. 
  • iosdevuk: Aberystwyth, Wales, UK – iOS Development
  • forwardSwift: San Francisco – Talk about new Swifty-bits!
  • FunSwiftConf: New York – Fun is for Functional Swift!
  • App Builders: Switzerland – By and for app developers. 
  • try! Swift: New York and Tokyo
  • DeveloperWeek: Oakland, CA – More of an overall development conference
  • IndieDevStock
  • Playgrounds: Australia – No dates or location for next year, but it’ll be good.
  • Swift Summit
  • MobileWorld Congress: Barcelona – More upper level but with good dev sessions. Warning, developers sent here might end up writing their own games long term! 😉
  • UIKonf: Berlin – I love these videos: test driven development, specific information about frameworks (often from the people that wrote the frameworks). Awesome.
  • Teki-Con: Atlanta – Any conference Aaron Hillegass ends up at is gonna’ be good. Especially if you live close. 
  • 360 iDev: Denver – Good technical workshops that focus on metal and frameworks and all the fun stuffs.
  • Game Developers Conference: San Francisco – Guess what? Everything you learn building games translates to building any kind of app you could imagine. 
  • ADDC: Barcelona – More of a focus on design than hard core coding techniques. Some people are into that!
  • OSCON: Portland – Learn about all the latest and greatest open source languages and projects.
  • QCon New York – A bit more about organizing software teams and team structure.
  • Microsoft Ignite: Orlando – If you build enterprise software, you likely leverage the Active Directory, Azure identity, or even host on Azure, meaning Ignite is very pertinent to what you’re doing. While you might not see sessions on how to drop a specific Swift framework into a project, you might.
  • Google I/O: San Francisco – What I said above but for s/Microsoft/Google.
  • Facebook F8: San Jose – What I said above but for s/Microsoft/Facebook.
  • AWS reInvent: Las Vegas – What I said above but for s/Microsoft/Amazon
  • IT/Dev Connections: Dallas – When you deploy software, you likely need to automate the build process. When you get into that intersection between IT and DevOps, you should at least read the session descriptions for this conference to see if it’s something you’re into. 
  • DockerCon: San Francisco – If you devop (yes, I made up a verb) in Docker all day then this is your conference. 
  • DevOps Con: Berlin – More on DevOps, but in Germany!
  • MacDevOps YVR: Vancouver – More on Devops, but for Macs!
  • Jax DevOps: London – Devops, but a little more businessy and processy.
  • PowerShell and DevOps Global Summit: Bellevue (Seattleish) – Devops, but more Microsofty.
  • GoTo Conference: Chicago – More devops but kinda’ like an unconference. Which leads to some really interesting and diverse sessions. I like getting ideas from really niche workflows.
  • O’Reilly Fluent Conference: San Jose – Ever read an O’Reilly book on HTML5 or CSS or Java? If so, you will likely find this a cool conference. 
  • JavaOne: San Francisco – Like WWDC but for Java. 
There are also a number of conferences on general Apple administration topics. If you’re doing general Apple devops and admin work I’d definitely check those out! I have a page of those here:

Apple Admin Conferences

I like engineering topics, but if you’re into the businessy side of Apps, check out: 

Top Mobile App Conferences and Events To Go To in (2019)

Get The Title Of An App From Apple App Store URLs

When you’re building and manipulating apps in the Apple App Stores, it helps to be able to pull and parse pieces of data. Here, we’ll look at two strategies you can use to do so. It’s worth noting that the purpose of this was to take the URL of an app from an MDM and then script updating metadata about the app, given that vendors often change the display name of an app (e.g. Yelp is actually called “Yelp: Discover Local Favorites on the App Store”).

First, we’ll grab a URL. This one is for Self Service:

https://itunes.apple.com/us/app/self-service-mobile/id718509958?mt=8

If you don’t know the URL then you can get it based on the ID by parsing the json from:

curl https://itunes.apple.com/lookup?id=718509958

Of course, if you know the id, you can probably just assume that https://itunes.apple.com/us/app/id718509958?mt=8 will work as well, since removing the name has always worked for me (although I’ve never seen that in a spec so I can’t guarantee it will always be true). Then we can curl it, but the output is not lovely:

curl -s 'https://itunes.apple.com/us/app/self-service-mobile/id718509958?mt=8'

So then we’ll want to just grab the pieces of information we want, which could be done using a variety of scripting techniques. Below, we’ll use grep:

curl -s 'https://itunes.apple.com/us/app/self-service-mobile/id718509958?mt=8' | grep -o "<title>[^<]*" | cut -d'>' -f2-

And here, we’ll use perl:

curl -s 'https://itunes.apple.com/us/app/yelp/id284910350?mt=8' | perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si'

And there you go, you have the title. The title is easy, because it’s a simple title tag. But let’s look at the description:

curl -s 'https://itunes.apple.com/us/app/self-service-mobile/id718509958?mt=8' | awk '/meta name="description"/'

The output would be similar to the following 

<meta name="description" content="Read reviews, compare customer ratings, see screenshots, and learn more about Self Service Mobile. Download Self Service Mobile and enjoy it on your iPhone, iPad, and iPod touch." id="ember75894226" class="ember-view">

From there it’s pretty simple to extract the exact field you want and the metadata from that field. If you are obtaining names and descriptions for a large number of apps then you’d simply move the path into a variable as follows so you can put it into your loop:

curl -s "$appurl" | grep -o "<title>[^<]*" | cut -d'>' -f2-

I haven’t covered finding items in the App Store if you don’t know the ID of an app, but there’s a /search endpoint at iTunes.apple.com that will respond to a variety of parameters you can pass:

curl 'https://itunes.apple.com/search?term=yelp&country=us&entity=software'

This wasn’t necessary for my use case. But it’s worth noting. And if you’ll be doing a lot of that, I’d recommend checking out the affiliates portal at https://affiliate.itunes.apple.com/resources/documentation/itunes-store-web-service-search-api/. Additionally, if you’re actually trying to automate the App Store instead, there are a few tools out there to do so, including https://github.com/mas-cli/mas or if you want to extract packages there’s https://github.com/maxschlapfer/MacAdminHelpers/tree/master/AppStoreExtract
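As an added example, not from the original post, here is a small script that takes App Store URLs the way an MDM hands them out, pulls the ID out of the URL, and resolves the current name and bundle ID through the /lookup JSON endpoint rather than scraping the HTML title (which moves whenever Apple changes the page layout). The JSON handling is deliberately minimal (sed over the compact "key":"value" pairs the endpoint returns, which is an assumption about its output format), the sample JSON used to check it is constructed, and the bundle ID in that sample is a placeholder.

```shell
#!/bin/bash
# Added example, not from the original post: resolve App Store URLs (as an
# MDM hands them to you) to the app's current name and bundle ID using the
# /lookup JSON endpoint instead of scraping the HTML <title>. The parsing
# helpers read from stdin so they can be exercised offline.
set -eu

# Extract the numeric app ID from any App Store URL of the form .../idNNNN...
# Works whether or not the slug ("self-service-mobile") is present.
app_id_from_url() {
    printf '%s\n' "$1" | sed -n 's#.*/id\([0-9][0-9]*\).*#\1#p'
}

# Pull one string-valued field ("trackName", "bundleId", ...) out of the
# lookup JSON. Assumes the compact "key":"value" form the endpoint emits and
# only unescapes \/; fine for names and bundle IDs, not for the free-text
# description field, which carries \n and escaped quotes.
json_string_field() {
    local field="$1"
    sed -n "s/.*\"$field\":\"\([^\"]*\)\".*/\1/p" | sed 's#\\/#/#g' | head -n 1
}

# resultCount is 0 when the store does not know the ID; treat that as an error
# rather than writing an empty name into the MDM.
result_count() {
    sed -n 's/.*"resultCount":\([0-9][0-9]*\).*/\1/p' | head -n 1
}

lookup() {
    # -f fails on HTTP errors; --max-time keeps one hung request from stalling a loop.
    curl -sf --max-time 20 "https://itunes.apple.com/lookup?id=$1&country=us"
}

# Print "<id>\t<name>\t<bundle id>" for one URL, or fail with a reason on stderr.
app_metadata() {
    local url="$1" id json count name bundle
    id=$(app_id_from_url "$url")
    [ -n "$id" ] || { echo "no app ID in $url" >&2; return 1; }
    json=$(lookup "$id")
    count=$(printf '%s' "$json" | result_count)
    [ "${count:-0}" != "0" ] || { echo "no App Store result for id $id" >&2; return 1; }
    name=$(printf '%s' "$json" | json_string_field trackName)
    bundle=$(printf '%s' "$json" | json_string_field bundleId)
    printf '%s\t%s\t%s\n' "$id" "$name" "$bundle"
}

# Usage: appinfo.sh URL [URL ...]
for url in "$@"; do app_metadata "$url"; done
```

Run it as ./appinfo.sh 'https://itunes.apple.com/us/app/self-service-mobile/id718509958?mt=8' to get id, name and bundle ID tab-separated, one line per URL; an ID the store doesn’t know fails that line instead of emitting an empty name.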

Who Signed My OS X App?

The codesign command is used to sign apps and check the signature of apps. Apps need to be signed more and more these days, so you might need to loop through your apps and verify that they’re signed. You might also choose to stop trusting a given signing authority if one is compromised. To check the signing authorities on an app, you can use:

codesign -dv --verbose=4 /Applications/Firefox.app/ 2>&1 | sed -n '/Authority/p'

The options in the above command:
  • -d is used to display information about the app (as opposed to -s, which would actually sign the app)
  • -v increases the verbosity level (without the v’s we won’t see the signing “Authority”)
  • --verbose=4 indicates the level of verbosity
  • 2>&1 redirects stderr to stdout, which is where codesign writes this information
  • /Applications/Firefox.app/ is the path to the app we’re checking (or signing, if you’re signing)
Then we pipe the output into a simple sed and get the signing chain: the first Authority line is the leaf certificate (the Developer ID), followed by the intermediate and Apple’s root. Note that -d only displays the signature embedded in the app; to check that the signature is actually valid, run codesign --verify --deep --strict on the bundle, and for Gatekeeper’s verdict run spctl --assess --type execute on it. If you’re scripting, don’t forget a sanity check for whether an object isn’t signed at all. For example, if we just run the following for a non-signed app:

codesign -dv --verbose=4 /Applications/Utilities/XQuartz.app/

The output would be as follows:
/Applications/Utilities/XQuartz.app/: code object is not signed at all
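As an added example (not from the original post), here is that check turned into an audit over every bundle in /Applications. It reduces each codesign report to its leaf signer, flags unsigned and ad-hoc signed apps and any signer on your deny list, and runs codesign --verify on the rest since -d alone only displays what is embedded. The DISTRUSTED string is a placeholder signer, not a real certificate, and the sample codesign output used to check the parser is constructed.

```shell
#!/bin/bash
# Added example, not code from the original post: walk every bundle in
# /Applications, record who signed it, and flag anything that is unsigned,
# only ad-hoc signed, signed by a Developer ID you no longer trust, or
# signed but failing verification. DISTRUSTED is a placeholder, not a real
# compromised certificate; fill it from your own deny list.
set -eu

APP_DIR="${APP_DIR:-/Applications}"
DISTRUSTED="${DISTRUSTED:-Developer ID Application: Example Corp (ABCDE12345)}"

# Reduce one "codesign -dv --verbose=4 ... 2>&1" report to its leaf signer:
# the first Authority= line, "UNSIGNED" if codesign said the object is not
# signed at all, or "ADHOC" if it is signed but carries no certificate chain.
leaf_signer() {
    awk '/code object is not signed at all/ { print "UNSIGNED"; seen = 1; exit }
         /^Authority=/ { print substr($0, 11); seen = 1; exit }
         END { if (!seen) print "ADHOC" }'
}

# Turn the signer into a verdict a job can grep for or fail on.
classify() {
    local signer
    signer=$(leaf_signer)
    case "$signer" in
        UNSIGNED|ADHOC) echo "$signer" ;;
        "$DISTRUSTED")  echo "DISTRUSTED $signer" ;;
        *)              echo "OK $signer" ;;
    esac
}

check_app() {
    local verdict
    verdict=$(codesign -dv --verbose=4 "$1" 2>&1 | classify)
    case "$verdict" in
        OK*)
            # -d only displays the embedded signature; --verify validates it.
            codesign --verify --deep --strict "$1" 2>/dev/null || verdict="INVALID ${verdict#OK }"
            ;;
    esac
    echo "$verdict"
}

# One tab-separated line per app; exit non-zero if anything is not OK.
audit_apps() {
    local rc=0 app verdict
    for app in "$APP_DIR"/*.app; do
        verdict=$(check_app "$app")
        printf '%s\t%s\n' "$app" "$verdict"
        case "$verdict" in OK*) ;; *) rc=1 ;; esac
    done
    return "$rc"
}

# Usage: signers.sh audit
if [ "$#" -gt 0 ] && [ "$1" = "audit" ]; then audit_apps; fi
```

Because the verdict line starts with OK, UNSIGNED, ADHOC, DISTRUSTED or INVALID, the output feeds straight into a log collector or a grep in the same job; a non-zero exit from audit_apps is what you would fail a build or a compliance check on.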

Huffington Post Article: 20 Cool Things You Can Do With Box.com

My latest Huffington Post article, Twenty Cool Things You Can Do with Box is online here. It begins:
If you are looking for a secure and uncomplicated file sharing service, you will find box.com to be a wonderful way to share files from any device. Today, it is easier than ever for businesses to operate globally regardless of how large or small they are. This is because of the digital age that makes work products easy to share or transfer. Here are twenty cool things that you can do with box.com.
For more, click here.

Change the Language On Your Nest Protect

Last night, I went to set up a new Nest Protect in my home, and while I was futzing with the app (yes, futzing is the technical term) I missed the question that was asked on the device about what language to use while waiting at this screen. And so my Nest Protect was speaking Spanish. Which is fine with me; but notsofine for my daughter. So, I needed to change the language. And after hunting for the setting for awhile, I thought: self, you should document this. So to change the language on a Nest Protect, open the Nest app and then tap on the icon for Protect (which will appear once you’ve associated the first Nest Protect to your account). Then tap on the Settings gear icon in the upper right corner of the screen, which allows you to configure all your Nest Protects at once. Then tap on the Protect you want to change the language on and there’s a magical setting for Spoken Language there. Tap that and select the language you wish to use. Out of the box, the device only supports English and Spanish. But once set up, you can change the language to French or Dutch. So this is also the method to unlock French and Dutch language support on the device. Once changed, you can replicate the change to other devices by cycling through them. I also noticed the setting didn’t appear on my iPhone. I had to use an Android device to access my Protect and make the change. The setting doesn’t seem to be a part of the iOS code. But YMMV.

10 Cool Things You Might Not Know You Can Do With Dropbox Article On Huffington Post

My latest Huffington Post article is up; this one on 10 Cool Things You Might Not Know You Can Do With Dropbox. A sample of the article:

You live in an age when you want (and sometimes need) to access information at all times. This includes your own data and files — text documents, photographs, videos, music and more. That’s why services like Dropbox are so popular with the connected generation.

Free of charge (with a paid upgrade option), Dropbox lets you upload your files to folders accessible anywhere there’s an Internet connection. It eliminates the hassle of emailing yourself attachments and running into size limits. People can use Dropbox through the desktop app, mobile apps or via the web.

Read more at http://www.huffingtonpost.com/charles-edge/10-cl-things-you-didnt-kn_b_9515912.html

Swiping Through Spam Like A Boss

Who still says “like a boss?” I guess I did. Get over it. But don’t get over spam. Especially annoying are the ones we know we accidentally signed up for. Because it’s our own darn fault. But luckily, there are a lot more tools for dealing with bulk mail (solicited or unsolicited) these days. Most modern email clients have the ability to deal with spam. Exchange/Office 365 has Clutter and Junk. You can build rules on sites. You can use SpamAssassin on your servers. But there’s also a nice little app called unroll.me. Once you sign up you’ll have 3 ways of dealing with each message: request removal from a list, mark as rolled up into a single daily digest, or mark as good email. Download it here. The app works a lot like Tinder: you swipe right to like something, left to not like something. Facebook should implement this into your timeline! If you decide to mark emails as digests, you’ll get a single email once a day with all of them rolled up. This works great for organizations that actually properly remove you from lists (which is surprisingly most). Using this swiping type of workflow, you can knock through 100 or more emails in 10-15 minutes. For organizations that don’t respect an unsubscribe (or a “stop sending me your crap emails”), there’s also always just marking them as spam. The only problem with this is that you likely have a phone, a computer, a home computer, and maybe a tablet. No one wants to mark the same email as spam four times and then potentially have emails disappearing and not being able to figure out which computer they were marked as junk on. There are lots and lots of options for this type of thing. Keep in mind that unroll.me does its work by being granted read access to your mailbox, so treat it the way you would any other third party you hand your mail to. But given the ease of use and the quick evisceration I can do on my mailbox, I rather like unroll.me. Give it a shot. You might hate it. I don’t.

My 3,000th Post On Krypted

This is my 3,000th post on Krypted.com. The past 3,000 posts have primarily been about OS X Server, Mac automation, Mac deployment, scripting, iOS deployments, troubleshooting, Xsan, Windows Servers, Exchange Server, Powershell, security, and other technical things that I have done in my career. I started the site in response to a request from my first publisher. But it took on a mind of its own. And I’m happy with the way it’s turned out. My life has changed a lot over these past 11 years. I got married and then I got divorced. I now have a wonderful daughter. I became a partner and the Chief Technology Officer of 318 and helped to shape it into what was the largest provider of Apple services, I left Los Angeles and moved to Minnesota, left 318 to help start up a new MDM for small businesses at JAMF Software called Bushel, and now I have become the Consulting Engineering Manager at JAMF. In these 11 years, I have made a lot of friends along the way. Friends who helped me so much. I have written 14 more books, spoken at over a hundred conferences, watched the Apple community flourish, and watched the emergence of the Post-PC era. In these 11 years, a lot has happened. Twitter and Facebook have emerged. Microsoft has hit hard times. Apple has risen like a phoenix from those dark ashes. Unix has proved a constant. Open Source has come into the Mac world. The Linux gurus are still waiting for Linux on the desktop to take over the world. Apps. iOS. iPad. Mobility. Android. Wearables. Less certifications. More admins. And you can see these trends in the traffic for the site. For example, the top post I’ve ever written is now a list of Fitbit badges. The second top post is a list of crosh commands. My list of my favorite hacking movies is the third top post. None of these have to do with scripting, Apple, or any of the articles that I’ve spent the most time writing. That’s the first 3,000 posts. What’s next? 3,000 more posts? Documenting the unfolding of the Post-PC era? 
Documenting the rise and fall of more technologies? I will keep writing, that’s for sure. I will continue doing everything I can to help build out the Apple community. And I will enjoy it. I’ve learned a lot about writing along this path. But I have a lot more to learn. The past 3,000 posts have mostly been technical in nature. I’ve shown few of my opinions, choosing to keep things how-to oriented and very technical. Sure, there’s the occasional movie trailer when I have a “squee” moment. But pretty technical, overall. I’ve been lucky to have been honored to speak at many conferences around the world. One thing I’ve noticed over the past few years is that when people ask me to speak at conferences, they ask me to speak about broader topics. They don’t want me doing a technical deep dive. People use the term thought leader. And while I don’t necessarily agree, maybe it’s time I step up and write more of those kinds of articles here and there. I’ve learned so much from you these 11 years. But I feel like I’ve barely scratched the surface. I look forward to learning together over the course of the next 3,000 posts! Thank you for your support. Without it, I’d have probably stopped at 10 articles!