Adding App Notarization For Macs To Your Build Train

Apple sent the following message out to developers yesterday:

Dear Developer, 

We’re working with developers to create a safer Mac user experience through a process where all software, whether distributed on the App Store or outside of it, is signed or notarized by Apple. With the public release of macOS 10.14.5, we require that all developers creating a Developer ID certificate for the first time notarize their apps, and that all new and updated kernel extensions be notarized as well. This will help give users more confidence that the software they download and run, no matter where they get it from, is not malware by showing a more streamlined Gatekeeper interface. In addition, we’ve made the following enhancements to the notarization process.
  • Legacy code is fully supported, even if it contains unsigned binaries. While new software and updates require proper signatures in order to be notarized, you can upload your existing software as-is.
  • Apps with plugin ecosystems are better supported.
  • Stapler supports all types of bundles and plugins.
  • Xcode 10.2 adds secure timestamps and other code signing options required by the notary service.
  • Related documentation has also been improved. We encourage you to take a look at Notarizing Your Apps Before Distribution and Hardened Runtime Entitlements.

If you have any questions, contact us

Best regards,
Apple Developer Relations
© 2019 Apple Inc. One Apple Park Way, MS 301-1TEV, Cupertino, CA 95014.


Many organizations already automate their build process and will now need to add submitting the app for notarization to that process. Before you start, there are a few things you should know:

  • Notarization is an automated scan that usually takes about 20 minutes, and the app must be linked against the macOS 10.9 SDK or later.
  • Before submitting, make sure every executable is code-signed and that the Hardened Runtime option is enabled.
  • Find a workaround if you’re setting the com.apple.security.get-task-allow entitlement to true for any reason; it exists for debugging and the notary service won’t accept it.
  • Sign apps and kexts with your Developer ID certificate rather than a local development certificate from Xcode, and make sure every signature carries a secure timestamp: Xcode’s distribution workflows do this for you, and with codesign you add --timestamp.

You can use any tools for the next steps. Because I have a Bamboo setup on my desk, next I’m going to open it and create a command task. To do so:

  • Open the Tasks configuration tab for a job (or default job in a new plan).
  • Click Add Task.
  • Add a Task Description, which is just how the task is described in the Bamboo interface.
  • Uncheck the box to “Disable this task”
  • Provide a path to the command executable, which in this case will be a simple bash script that we’ll call /usr/bambooscripts/notarize.sh. If you’re stringing workflows together you might add other scripts as well (e.g. a per-product script as opposed to a generic script that takes positional parameters for arguments).
  • Provide any necessary Arguments. In this case it’ll just be a simple job but you can reduce the work by adding arguments for processing paths of different products.
  • Provide any necessary Environment Variables. We won’t use any in this project.
  • Provide a “Working Sub Directory” if the script should run somewhere other than the build root. If you don’t provide one, Bamboo looks for build files in the plan’s root directory.
  • Click Save.

Now we’ll call altool through xcrun. Use the --notarize-app option, give the bundle identifier (the reverse-DNS name you’ve always used) as the --primary-bundle-id, then the username and password of the Apple ID linked to your Developer ID (an app-specific password if the account uses two-factor authentication), and finally the --file, which is the zipped output from Xcode.

#!/bin/bash
# Submit the zipped build to the notary service. altool prints a RequestUUID that
# you can poll later with --notarization-info. Prefer --password "@keychain:<item>"
# to a literal password so the secret stays out of the script and the process list.
/usr/bin/xcrun altool --notarize-app --primary-bundle-id "com.myorg.myproduct" --username "krypted@myorg.com" --password "icky_passwords" --file "/Users/krypted/Documents/myproduct.zip"

We'll call this script /usr/bambooscripts/notarize.sh and then let the job pick it up and process it.
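The one-liner above only uploads the build; a build train also has to wait for the verdict, staple the ticket and fail the job when the notary service rejects the app. The script below is an added example, not the post’s notarize.sh, showing that whole loop. It assumes a signed .app bundle as input, altool and stapler from Xcode 10.2’s tools, and that the Apple ID password has been stored in the login keychain under the item name AC_PASSWORD so it never appears on the command line; the two altool transcripts embedded in it are constructed samples in the layout altool prints, used only to exercise the parsers.

```bash
#!/bin/bash
# Added example for the build-train step above (not the original post's
# notarize.sh): submit the zipped build, poll the notary service until it
# answers, staple the ticket and verify the result. Assumptions: the first
# argument is a signed .app bundle, altool/stapler come from Xcode 10.2's
# tools, and the Apple ID password sits in the login keychain as an item named
# AC_PASSWORD (security add-generic-password -a "$AC_USERNAME" -s AC_PASSWORD -w '<app-specific password>').
set -eu

AC_USERNAME="${AC_USERNAME:-krypted@myorg.com}"   # Apple ID linked to the Developer ID
AC_PASSWORD_REF="@keychain:AC_PASSWORD"          # altool reads the keychain; nothing on argv

# Constructed samples of what altool prints on submission and on a later
# --notarization-info query; the parsers below work on this layout.
SAMPLE_SUBMIT="No errors uploading '/Users/krypted/Documents/myproduct.zip'.
RequestUUID = 2EFE2717-52EF-43A5-96DC-0797E4CA1041"
SAMPLE_INFO="No errors getting notarization info.

          Date: 2019-04-11 18:02:11 +0000
          Hash: 8f6d1c2b3a4e5f60718293a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4
   RequestUUID: 2EFE2717-52EF-43A5-96DC-0797E4CA1041
        Status: success
   Status Code: 0
Status Message: Package Approved"

# RequestUUID from a --notarize-app transcript (empty if the upload failed).
extract_request_uuid() {
  printf '%s\n' "$1" | sed -n 's/^RequestUUID = \([0-9A-Fa-f-]*\).*$/\1/p' | head -n 1
}

# Status field from a --notarization-info transcript ("Status Code:" is skipped).
extract_status() {
  printf '%s\n' "$1" | sed -n 's/^ *Status: *\(.*[^ ]\) *$/\1/p' | head -n 1
}

# Map the status to an action. An empty status means altool returned an error
# rather than a status block, which is normal for a minute after upload while
# the request propagates, so keep polling; the try limit bounds that. Anything
# else unexpected is a failure so odd output can never pass as success.
classify_status() {
  case "$1" in
    success)       echo done ;;
    "in progress") echo wait ;;
    "")            echo wait ;;
    *)             echo fail ;;
  esac
}

# Zip the bundle the way the notary service expects; ditto preserves resource
# forks and extended attributes that a plain zip can drop.
zip_bundle() {
  /usr/bin/ditto -c -k --keepParent "$1" "$2"
}

submit() {
  zip=$1; bundle_id=$2
  out=$(/usr/bin/xcrun altool --notarize-app --primary-bundle-id "$bundle_id" \
          --username "$AC_USERNAME" --password "$AC_PASSWORD_REF" --file "$zip" 2>&1) || true
  uuid=$(extract_request_uuid "$out")
  [ -n "$uuid" ] || { printf 'submission failed:\n%s\n' "$out" >&2; return 1; }
  echo "$uuid"
}

# Poll every 30 s; 40 tries covers the roughly 20 minutes a scan usually takes.
wait_for_ticket() {
  uuid=$1; tries=${2:-40}
  while [ "$tries" -gt 0 ]; do
    info=$(/usr/bin/xcrun altool --notarization-info "$uuid" \
             --username "$AC_USERNAME" --password "$AC_PASSWORD_REF" 2>&1) || true
    case "$(classify_status "$(extract_status "$info")")" in
      done) return 0 ;;
      fail) printf 'notarization rejected:\n%s\n' "$info" >&2; return 1 ;;
    esac
    sleep 30; tries=$((tries - 1))
  done
  echo "timed out waiting for $uuid" >&2; return 1
}

# Staple the ticket to the bundle itself (stapler works on .app/.dmg/.pkg, not
# on a zip), verify, ask Gatekeeper for its verdict, then re-zip for shipping.
main() {
  app=$1; bundle_id=$2; zip="${app%.app}.zip"
  zip_bundle "$app" "$zip"
  uuid=$(submit "$zip" "$bundle_id")
  echo "submitted as $uuid"
  wait_for_ticket "$uuid"
  /usr/bin/xcrun stapler staple "$app"
  /usr/bin/xcrun stapler validate "$app"
  /usr/sbin/spctl --assess --type execute -vv "$app"
  zip_bundle "$app" "$zip"
}

# Only run when called with a bundle and an identifier, e.g.
#   /usr/bambooscripts/notarize.sh /Users/krypted/Documents/myproduct.app com.myorg.myproduct
if [ "$#" -ge 2 ]; then
  main "$@"
fi
```

Two things worth knowing before wiring this into a job: --primary-bundle-id is only a label the notary service uses to identify the request, so it doesn’t have to match the bundle’s CFBundleIdentifier, and the ticket must be stapled to the .app (or .dmg/.pkg) you ship, which is why the script re-zips after stapling rather than uploading the zip it stapled nothing to.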

Oh funny. I just noticed Rich Trouton posted a writeup on Notarization at https://derflounder.wordpress.com/2019/04/10/notarizing-automator-applications/. I'd read that as well.

Check Versions of Common Apps and Services on macOS

A few one-liners to grab the version of common Apple services and built-in apps (I need them for another project I’m working on):
  • cups: cups-config --version
  • Finder: mdls -name kMDItemVersion /System/Library/CoreServices/Finder.app | cut -d '"' -f2
  • Help Viewer: mdls -name kMDItemVersion /System/Library/CoreServices/HelpViewer.app | cut -d '"' -f2
  • iBooks Author: mdls -name kMDItemVersion /Applications/iBooks\ Author.app | cut -d '"' -f2
  • iCal/Calendar: mdls -name kMDItemVersion /Applications/Calendar.app | cut -d '"' -f2
  • iChat/Messages: mdls -name kMDItemVersion /Applications/Messages.app | cut -d '"' -f2
  • iMovie: mdls -name kMDItemVersion /Applications/iMovie.app | cut -d '"' -f2
  • installer: /usr/sbin/installer -vers
  • Photos/iPhoto: mdls -name kMDItemVersion /Applications/Photos.app | cut -d '"' -f2
  • iTunes: mdls -name kMDItemVersion /Applications/iTunes.app | cut -d '"' -f2
  • Java: /usr/bin/java -version
  • Keynote: mdls -name kMDItemVersion /Applications/Keynote.app | cut -d '"' -f2
  • macOS: sw_vers -productVersion
  • macOS Server: mdls -name kMDItemVersion /Applications/Server.app | cut -d '"' -f2
  • Mail: mdls -name kMDItemVersion /Applications/Mail.app | cut -d '"' -f2
  • mDNSResponder
  • Motion: mdls -name kMDItemVersion /Applications/Motion.app | cut -d '"' -f2
  • Numbers: mdls -name kMDItemVersion /Applications/Numbers.app | cut -d '"' -f2
  • Pages: mdls -name kMDItemVersion /Applications/Pages.app | cut -d '"' -f2
  • Preview: mdls -name kMDItemVersion /Applications/Preview.app | cut -d '"' -f2
  • QuickTime Player: mdls -name kMDItemVersion /Applications/QuickTime\ Player.app | cut -d '"' -f2
  • Remote Desktop: defaults read /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/version.plist CFBundleShortVersionString
  • Safari: mdls -name kMDItemVersion /Applications/Safari.app | cut -d '"' -f2
  • Terminal: mdls -name kMDItemVersion /Applications/Utilities/Terminal.app | cut -d '"' -f2
  • TextEdit: mdls -name kMDItemVersion /Applications/TextEdit.app | cut -d '"' -f2
  • Transporter: /Applications/Xcode.app/Contents/Applications/Application\ Loader.app/Contents/itms/bin/iTMSTransporter
  • Xcode: mdls -name kMDItemVersion /Applications/Xcode.app | cut -d '"' -f2
  • Xsan: /usr/sbin/cvversions
  • OpenSSL: openssl version
  • Apache: httpd -v
Notice that most of the built-in apps can be checked with the same mdls command. There are certainly better ways for some of them, but when it comes to runtime cost, Spotlight answers faster than most other tools (other than purpose-built open source tools, which already hold a smaller amount of data specific to the task). Third-party software can be checked the same way. Take Microsoft Outlook as an example:

mdls -name kMDItemVersion /Applications/Microsoft\ Outlook.app | cut -d '"' -f2
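The mdls one-liners have two sharp edges once they leave the terminal: on a freshly imaged volume, or anywhere Spotlight hasn’t indexed the bundle, mdls reports kMDItemVersion = (null) and the cut pipeline prints the whole line rather than a version, and comparing the result as a string puts 10.9 after 10.10. The script below is an added example, not part of the post, that reads the version through Spotlight first and falls back to the bundle’s Info.plist, then compares it numerically against a baseline of minimum versions; the baseline entries and the two sample mdls lines are constructed for illustration.

```bash
#!/bin/bash
# Added example (not from the original post) built on the mdls one-liners
# above: read a bundle's version with Spotlight first and Info.plist as the
# fallback, then compare it numerically against a baseline so "is this at least
# the patched release?" can be answered in a job. Assumptions: the baseline
# entries are constructed for illustration, as are the two sample mdls lines.
set -eu

# What mdls prints for an indexed bundle and for one Spotlight has not indexed
# (the second is what a freshly imaged volume gives you); constructed samples.
SAMPLE_INDEXED='kMDItemVersion = "12.1"'
SAMPLE_UNINDEXED='kMDItemVersion = (null)'

# Reduce an `mdls -name kMDItemVersion` line to the bare version, or to nothing
# when there is no metadata. The cut -d '"' -f2 one-liner prints the whole
# line in that case, which a naive string check would take for a version.
parse_mdls_version() {
  printf '%s\n' "$1" | sed -n 's/^kMDItemVersion = "\(.*\)"$/\1/p'
}

# Bundle version: Spotlight first (fast), Info.plist when the index is empty
# (slower, but it is the bundle's own claim and needs no index). Prints nothing
# if the bundle is missing or carries no version.
app_version() {
  app=$1
  [ -d "$app" ] || { echo "missing: $app" >&2; return 0; }
  v=$(parse_mdls_version "$(mdls -name kMDItemVersion "$app" 2>/dev/null || true)")
  [ -n "$v" ] || v=$(/usr/bin/defaults read "$app/Contents/Info.plist" CFBundleShortVersionString 2>/dev/null || true)
  echo "$v"
}

# Exit 0 when dotted version $1 is at least $2, comparing each component as a
# number, so 10.10 sorts after 10.9 (plain string order gets that wrong) and a
# missing component counts as 0, so 12.1.1 > 12.1.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# Baseline, one "<bundle path>|<minimum version>" per line (made-up numbers).
MIN_VERSIONS='/Applications/Safari.app|12.1
/Applications/Microsoft Outlook.app|16.23
/Applications/Xcode.app|10.2'

# Report every bundle that is missing or below its minimum; the return value is
# the number of findings, so a build job or MDM script can fail on it.
check_baseline() {
  findings=0
  while IFS='|' read -r app min; do
    [ -n "$app" ] || continue
    have=$(app_version "$app")
    if [ -z "$have" ]; then
      echo "FAIL $app: not installed or no version recorded"; findings=$((findings + 1))
    elif version_ge "$have" "$min"; then
      echo "ok   $app: $have (>= $min)"
    else
      echo "FAIL $app: $have is below $min"; findings=$((findings + 1))
    fi
  done <<EOF
$MIN_VERSIONS
EOF
  return "$findings"
}

# Run the baseline check only when asked, e.g. ./appversions.sh --check
if [ "${1:-}" = "--check" ]; then
  check_baseline
fi
```

The Info.plist fallback is slower because defaults has to parse the plist, but it is the only answer on a volume where mdimport has not run, so a compliance check that silently trusts Spotlight will report nothing wrong on exactly the machines it was built for.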

Frameworks work a little differently. To get the WebKit framework version programmatically I need the system_profiler command with the SPFrameworksDataType option. That output does contain the WebKit version, but simply piping it into grep won’t isolate it, because the version sits on a line below the framework’s name. grep’s -A option prints a given number of lines after each match, so here I constrain the output to the WebKit entry plus the next ten lines, then filter that down to the version line:

system_profiler SPFrameworksDataType | grep -A10 WebKit: | grep Version

Anyway, more on all this soon.

Configure Xcode Server On macOS Server 5.2

Apple developers in growing development teams invariably need a continuous integration system, which automates building, analyzing and testing software written in Xcode. macOS Server has an Xcode service that integrates your developer account with git and provides much of what a continuous integration system needs. Before you configure the Xcode service to take committed code and then test and build your software, you’ll need an Apple developer account. The Xcode service links git to a developer account and runs automations, referred to as bots, in Xcode, so you’ll also need Xcode installed on the computer running the Xcode service. Bots are then managed and reported on using a web app that the Server app runs.

Once the prerequisites are met, open the Server app and click on the Xcode service. Click on the Choose Xcode button. When prompted, browse to the version of Xcode you have installed on the server. Configure the user account to use for the service. The service will then require you to log in; do so when prompted. This enables the user account, which you will then need to log in as. You’ll see a new user environment; use fast user switching to switch back to your other account. Xcode will require access to the Accessibility framework to run unit tests. Click on Request Access to grant Xcode those rights. Once access has been granted, you’ll see the version indicated in the Build Using field. Next, click on Add Team to identify the team from your Apple Developer account that will have access to the Xcode service.

When prompted, select the team from your Apple Developer account that you wish to give access to the server; note that you need to be a team agent or an administrator of the developer organization. Click on the Repositories tab. Here you define repositories for your Xcode projects. Click on the Repository Access button to define which protocols git should be accessible via. At the Repository Access screen, select HTTPS or SSH and click OK. Click the Edit Repository Creators button and add any groups of users that should be allowed to create new git repositories. Once all of the appropriate users or groups have been added, click OK. Select your repository again and click on the HTTPS Access button to provide access via HTTPS. Once saved, double-click on the repository again to see the URI for each type of access. And that’s it.

Next, you’ll want to add the repository to the Xcode app. Open Xcode and choose Check Out from the Source Control menu. At the Check Out screen, enter the URI shown on the repository screen in the previous step and click Next. Next, you’ll need to create bots to automate your build process.

Change Xcode Log Paths In macOS Server 5.2

The logs in Xcode Server (Server 5.2 for Sierra) go by default to /Library/Server/XcodeLogs/credserver.log, which takes all of the output from xcscredd and xcscredhandler. If you’re doing a lot of debugging, the logs can be pointed to another location, such as another drive. The log paths are defined by the property lists in /Applications/Server.app/Contents/ServerRoot/System/Library/LogConfiguration; the file to edit is XCSCredentialServer.plist. These files share the layout below (this copy is a servermgrd configuration rather than the Xcode one; the keys are the same):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>claimedFacilities</key>
	<array>
		<string>servermgrd</string>
		<string>servermgr-listener</string>
		<string>servermgr-notify</string>
	</array>
	<key>claimedSenders</key>
	<array>
		<string>servermgrd</string>
		<string>servermgr-listener</string>
		<string>servermgr-notify</string>
	</array>
	<key>logMaximumLevel</key>
	<string>debug</string>
	<key>logPath</key>
	<string>/Library/Server/Logs/servermgrd.log</string>
</dict>
</plist>

Once the file is open, look for the key called logPath. Change its value to the desired path, such as /Volumes/MyDrive/Logs/credserver.log, and then restart the service: serveradmin stop xcode; serveradmin start xcode

View Logs On Apple TV

When applying management profiles, it helps to be able to look at the logs and troubleshoot why any settings aren’t applied. To view logs on an Apple TV, open Xcode, open the Devices window and click on the Apple TV. From the Apple TV screen, click on View Device Logs. The logs will appear in the app. Click Done when you’re finished reviewing the logs.

Take Screenshots On The 4th Generation Apple TV

The new Apple TV has a USB-C port. It’s got some great uses, one of which is that you can use it to take screenshots through Xcode. To do so, you’ll need either a USB-C MacBook or a USB-C to USB adapter. Once you’ve plugged your computer into the back of the Apple TV, open Xcode and choose Devices from the Window menu at the top of the screen. From Devices, click on your new 4th Generation Apple TV. You’ll then be greeted by a Take Screenshot button. Click on it. You should then see the screen from your Apple TV. Now, good luck with that pose… Now that I can take a proper screenshot of an Apple TV I’ll have to meditate on whether or not I’ll someday write a book on the darned things…

Xcode Server On OS X Server 5

OS X and iOS developers need a continuous integration system, which automates building, analyzing and testing software written in Xcode. OS X Server has an Xcode service that integrates your developer account with git and provides much of what a continuous integration system needs. Before you configure the Xcode service to take committed code and then test and build your software, you’ll need an Apple developer account. The Xcode service links git to a developer account and runs automations, referred to as bots, in Xcode, so you’ll also need Xcode installed on the computer running the Xcode service. Bots are then managed and reported on using a web app that the Server app runs.

Once the prerequisites are met, open the Server app and click on the Xcode service. Click on the Choose Xcode button. When prompted, browse to the version of Xcode you have installed on the server. If you haven’t accepted the Xcode licensing agreement, click Agree when prompted. Xcode will require access to the Accessibility framework to run unit tests; click on Request Access to grant Xcode those rights. Once access has been granted, you’ll see the version indicated in the Build Using field. Next, click on Add Team to identify the team from your Apple Developer account that will have access to the Xcode service. When prompted, select the team from your Apple Developer account that you wish to give access to the server. Click on the Repositories tab. Here you define repositories for your Xcode projects.

Click on the Repository Access button to define which protocols git should be accessible via. At the Repository Access screen, select HTTPS or SSH and click OK. Click the Edit Repository Creators button and add any groups of users that should be allowed to create new git repositories. Once all of the appropriate users or groups have been added, click OK. Finally, click on the plus sign to add your first repository. At the new repository screen, provide a name for the repository, then use the Edit button to choose the level of access that logged-in users have. Back at the repository screen, click on the HTTPS Access button to provide access via HTTPS. Once saved, double-click on the repository again to see the URI for each type of access. And that’s it.

Next, you’ll want to add the repository to the Xcode app. Open Xcode and choose Check Out from the Source Control menu. At the Check Out screen, enter the URI shown on the repository screen in the previous step and click Next. Next, you’ll need to create bots to automate your build process.

Changing the Xcode Server Log Path in OS X 10.10 Yosemite Server

The logs in Xcode Server (Server 3) go by default to /Library/Server/XcodeLogs/credserver.log, which takes all of the output from xcscredd and xcscredhandler. If you’re doing a lot of debugging, the logs can be pointed to another location, such as another drive. The log paths are defined by the property lists in /Applications/Server.app/Contents/ServerRoot/System/Library/LogConfiguration; the file to edit is XCSCredentialServer.plist. These files share the layout below (this copy is a servermgrd configuration rather than the Xcode one; the keys are the same):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>claimedFacilities</key>
	<array>
		<string>servermgrd</string>
		<string>servermgr-listener</string>
		<string>servermgr-notify</string>
	</array>
	<key>claimedSenders</key>
	<array>
		<string>servermgrd</string>
		<string>servermgr-listener</string>
		<string>servermgr-notify</string>
	</array>
	<key>logMaximumLevel</key>
	<string>debug</string>
	<key>logPath</key>
	<string>/Library/Server/Logs/servermgrd.log</string>
</dict>
</plist>

Once the file is open, look for the key called logPath. Change its value to the desired path, such as /Volumes/MyDrive/Logs/credserver.log, and then restart the service: serveradmin stop xcode; serveradmin start xcode
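Both of the log-path posts above (Server 5.2 and Server 3) describe the same edit: change logPath in XCSCredentialServer.plist and restart the xcode service. The script below is an added example, not from either post, that makes the change from the command line with a backup, a check on the destination and a lint of the result before anything is restarted. It uses the plist path and example log path from the posts; the destination volume is illustrative.

```bash
#!/bin/bash
# Added example (not the original posts' procedure): change the logPath in a
# Server.app log configuration from the command line, with a backup, a check
# on the new location and a lint of the result before the service restarts.
# Assumptions: PLIST and NEW_LOG are the values from the posts; the volume in
# NEW_LOG is an example.
set -eu

PLIST="/Applications/Server.app/Contents/ServerRoot/System/Library/LogConfiguration/XCSCredentialServer.plist"
NEW_LOG="/Volumes/MyDrive/Logs/credserver.log"
SERVERADMIN="/Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin"

# Accept only an absolute path whose directory exists and is not writable by
# everyone: a world-writable log directory lets any local user truncate or
# replace the credential server's log, which is exactly the log you will want
# intact when something goes wrong with sign-in.
validate_log_path() {
  p=$1
  case "$p" in
    /*) ;;
    *) echo "not an absolute path: $p" >&2; return 1 ;;
  esac
  d=$(dirname "$p")
  [ -d "$d" ] || { echo "no such directory: $d" >&2; return 1; }
  # 9th character of ls -ld is the "other" write bit (drwxrwxrwx).
  if [ "$(ls -ld "$d" | cut -c9)" = "w" ]; then
    echo "world-writable directory, refusing: $d" >&2; return 1
  fi
  return 0
}

# Read the current value with PlistBuddy so the XML is never hand-edited.
current_log_path() {
  /usr/libexec/PlistBuddy -c 'Print :logPath' "$1"
}

set_log_path() {
  plist=$1; new=$2
  validate_log_path "$new"
  cp -p "$plist" "$plist.bak.$(date +%Y%m%d%H%M%S)"    # keep the original to roll back
  /usr/libexec/PlistBuddy -c "Set :logPath $new" "$plist"
  /usr/bin/plutil -lint "$plist"                       # never leave a broken plist behind
  [ "$(current_log_path "$plist")" = "$new" ]
}

restart_xcode_service() {
  sudo "$SERVERADMIN" stop xcode
  sudo "$SERVERADMIN" start xcode
}

# Apply only when asked: sudo ./xcodelogpath.sh --apply
if [ "${1:-}" = "--apply" ]; then
  set_log_path "$PLIST" "$NEW_LOG"
  restart_xcode_service
fi
```

Two caveats the posts don’t mention: the file lives inside the Server.app bundle, so an update to Server.app will overwrite the change (keep the script around to reapply it), and modifying a file under Server.app/Contents may cause codesign --verify on the bundle to report it as altered; check that before and after so you know what changed.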

Install Xcode Command Line Tools On A Fresh Mac Image

I didn’t figure this out myself but can’t remember the source to attribute. Anyway, I image a lot of systems in my home lab for testing, and many of the tools I use (e.g. ant, metasploit) need the Xcode Command Line Tools. The easy way to install them is to run xcode-select with the --install option, as follows: /usr/bin/xcode-select --install
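xcode-select --install raises a GUI prompt, which is no use on a freshly imaged machine you reach over SSH or through an MDM script. The script below is an added example, not from the post, showing the unattended variant: touch the on-demand marker file that makes softwareupdate list the Command Line Tools package, install the package by label, then verify with xcode-select -p and pkgutil. It assumes nothing beyond the built-in softwareupdate, xcode-select and pkgutil commands; the two softwareupdate listings embedded in it are constructed samples in the older and newer formats Apple has used, so the label parser can be exercised offline.

```bash
#!/bin/bash
# Added example (not from the original post): install the Command Line Tools
# without the GUI prompt that xcode-select --install raises, for freshly imaged
# machines provisioned over SSH or by an MDM script. The marker file below makes
# softwareupdate offer the tools package, a trick Homebrew and others rely on.
# Assumptions: the two softwareupdate listings are constructed samples in the
# older and newer output formats; nothing else is assumed.
set -eu

MARKER="/tmp/.com.apple.dt.CommandLineTools.installondemand.in-progress"

# softwareupdate -l output before and after Apple changed the listing format.
SAMPLE_LIST_OLD='Software Update Tool

Finding available software
Software Update found the following new or updated software:
   * Command Line Tools (macOS Mojave version 10.14) for Xcode-10.2
        Command Line Tools (macOS Mojave version 10.14) for Xcode (10.2), 191936K [recommended]'
SAMPLE_LIST_NEW='Software Update Tool

Finding available software
Software Update found the following new or updated software:
* Label: Command Line Tools for Xcode-12.5
        Title: Command Line Tools for Xcode, Version: 12.5, Size: 470820K, Recommended: YES,'

# Pick the Command Line Tools label out of a softwareupdate listing. Handles
# both the "* Label: ..." and the older "   * ..." forms, ignores the title
# lines beneath them, and takes the last match when several are offered.
clt_label() {
  printf '%s\n' "$1" \
    | sed -n 's/^ *\* *//p' \
    | sed 's/^Label: *//' \
    | grep '^Command Line Tools' \
    | sed 's/ *$//' \
    | tail -n 1
}

# True when a developer directory is selected and actually exists.
clt_installed() {
  dir=$(/usr/bin/xcode-select -p 2>/dev/null || true)
  [ -n "$dir" ] && [ -d "$dir" ]
}

# Installed package version, from the receipt the CLT installer leaves behind.
clt_version() {
  /usr/sbin/pkgutil --pkg-info=com.apple.pkg.CLTools_Executables 2>/dev/null \
    | sed -n 's/^version: //p'
}

install_clt() {
  if clt_installed; then
    echo "already installed at $(/usr/bin/xcode-select -p), version $(clt_version)"
    return 0
  fi
  touch "$MARKER"                                     # make softwareupdate offer the tools
  label=$(clt_label "$(/usr/sbin/softwareupdate -l 2>&1)")
  if [ -z "$label" ]; then
    rm -f "$MARKER"
    echo "softwareupdate did not offer the Command Line Tools" >&2
    return 1
  fi
  /usr/sbin/softwareupdate -i "$label" --verbose
  rm -f "$MARKER"                                     # never leave the marker lying around
  clt_installed
}

# Run only when asked: sudo ./install_clt.sh --install
if [ "${1:-}" = "--install" ]; then
  install_clt
fi
```

The marker file is removed on every exit path on purpose: while it exists, softwareupdate keeps offering the tools on every listing, which confuses later patch runs.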