How I notarized my desktop AIR project for MacOS AppStore

This took me some time so maybe good to share.

Stuff needed:

  • Xcode command line tools
  • Apple developer account
  • app configured in the Apple developer / iTunes Connect account, bundle id com.example.this
  • Developer ID Application certificate type
  • API key for the Apple developer account generated and downloaded (created dir ~/.private_keys and moved the downloaded key there)

Steps:

  • Added <architecture>64</architecture> and <id>com.example.this</id> to this.xml in Flash Builder project src, added -swf-version=40 to compiler arguments
  • Exported Release build via Signed Application with captive runtime
  • Once this.app was created, edited this.app/Contents/info.plist and this.app/Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Resources/Info.plist to include:
  <key>UseHardenedRuntime</key>
  <true/>
  <key>com.apple.security.cs.allow-jit</key>
  <true/>
  <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
  <true/>
  <key>com.apple.security.cs.disable-executable-page-protection</key>
  <true/>
  • Opened a terminal and signed everything relevant in it
  codesign --timestamp --deep -f -v -s "Developer ID Application: ACME inc (1WT4B03F67)" this.app/Contents/Frameworks/Adobe\ AIR.framework/Versions/1.0/Resources/Flash\ Player.plugin/Contents/MacOS/FlashPlayer-10.6
  codesign --timestamp --deep -f -v -s "Developer ID Application: ACME inc (1WT4B03F67)" --options runtime  this.app/Contents/Frameworks/Adobe\ AIR.framework/Versions/1.0/Resources/A2712Enabler
  codesign --timestamp --deep -f -v -s "Developer ID Application: ACME inc (1WT4B03F67)" this.app/Contents/Frameworks/Adobe\ AIR.framework/Versions/1.0/Resources/WebKit.dylib
  codesign --timestamp --deep -f -v -s "Developer ID Application: ACME inc (1WT4B03F67)" this.app/Contents/Frameworks/Adobe\ AIR.framework/Versions/1.0/Adobe\ AIR
  codesign --timestamp --deep -f -v -s "Developer ID Application: ACME inc (1WT4B03F67)" this.app/Contents/Frameworks/Adobe\ AIR.framework/Versions/1.0/Adobe\ AIR_64
  codesign --timestamp --deep -f -v -s "Developer ID Application: ACME inc (1WT4B03F67)" --options runtime this.app/Contents/MacOS/this
  • Once signed, compressed this.app to this.zip
  • Submitted archive to notarization
  	xcrun altool --notarize-app --primary-bundle-id "com.example.this" -t osx --apiIssuer 11a1aa1a-11a1-11a1-a111-111a1a11a1a1 --apiKey CFEBA4444A --file this.zip
  • Collected the status of the RequestUUID returned
  	xcrun altool --notarization-history 0 --apiIssuer 11a1aa1a-11a1-11a1-a111-111a1a11a1a1 --apiKey CFEBA4444A
  • Inspected the notarization info
  	xcrun altool --notarization-info 22b2bb2b-22b2-22b2-b222-222b2b22b2a2 --apiIssuer 11a1aa1a-11a1-11a1-a111-111a1a11a1a1 --apiKey CFEBA4444A

Got Status Message: Package Approved.
In prior cases I was inspecting the LogFileURL: returned in the notarization info to repair the this.app package.

Maybe this.app will be approved and in the mac osx app store soon so my Catalina users can work again.

Hope this helps you too.

7 Likes
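
The signing step from the post above, wrapped in a script. This is an added example, not the original poster's code. The function names `signing_plan`, `run` and `sign_bundle` and the `DRY_RUN` switch are hypothetical, and it assumes the main executable has the same name as the bundle (`this.app` contains `Contents/MacOS/this`). Each file is signed explicitly, so `--deep` is used only for the final verification.

```shell
#!/bin/sh
# Added example. Component paths are the ones listed in the post; everything
# else (function names, DRY_RUN) is an assumption made for illustration.
FW='Contents/Frameworks/Adobe AIR.framework/Versions/1.0'

# Bundle-relative paths, innermost first, main executable last. The prefix
# "runtime:" marks the entries the post signed with --options runtime.
signing_plan() {  # $1 = executable name in Contents/MacOS
  printf '%s\n' \
    "$FW/Resources/Flash Player.plugin/Contents/MacOS/FlashPlayer-10.6" \
    "runtime:$FW/Resources/A2712Enabler" \
    "$FW/Resources/WebKit.dylib" \
    "$FW/Adobe AIR" \
    "$FW/Adobe AIR_64" \
    "runtime:Contents/MacOS/$1"
}

# With DRY_RUN=1 (the default) commands are printed instead of executed.
run() { if [ "${DRY_RUN:-1}" = 1 ]; then printf '+ %s\n' "$*"; else "$@" </dev/null; fi; }

sign_bundle() {  # $1 = path to the .app, $2 = signing identity
  app=$1; identity=$2; main=$(basename "$app" .app)
  plan=$(signing_plan "$main")
  # Pass 1: refuse to sign anything if a component is missing, so a
  # half-signed bundle is never zipped and submitted.
  while IFS= read -r entry; do
    rel=${entry#runtime:}
    [ -e "$app/$rel" ] || { echo "missing: $app/$rel" >&2; return 1; }
  done <<EOF
$plan
EOF
  # Pass 2: sign each file in plan order, stopping at the first failure.
  while IFS= read -r entry; do
    rel=${entry#runtime:}
    if [ "$entry" != "$rel" ]; then
      run codesign --timestamp -f -v -s "$identity" --options runtime "$app/$rel" || return 1
    else
      run codesign --timestamp -f -v -s "$identity" "$app/$rel" || return 1
    fi
  done <<EOF
$plan
EOF
  # Check the whole bundle before compressing it for submission.
  run codesign --verify --deep --strict --verbose=2 "$app"
}
# Usage: DRY_RUN=0 sign_bundle this.app "Developer ID Application: <name> (<team id>)"
```
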

I don’t mean to rain on your parade but notarization is for distributing apps yourself. You don’t notarize a Mac app for the AppStore.

https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution

Beginning in macOS 10.14.5, software signed with a new Developer ID certificate and all new or updated kernel extensions must be notarized to run. Beginning in macOS 10.15, all software built after June 1, 2019, and distributed with Developer ID must be notarized. However, you aren’t required to notarize software that you distribute through the Mac App Store because the App Store submission process already includes equivalent security checks.

Yes I learned that too. You can’t get the air app into the app store. So the only thing you can do is to notarize it so the people can install the pkg. You’re right the title of the post is not good, shouldn’t have AppStore in it…

Thanks for this post, you saved my day! I also created a .sh bash script to run all the codesigning at once. Cheers!