Re: Code Signing

Jack Brindle

The answer is no. After an app is notarized you may not make any changes to the app bundle without rendering the app useless. That means you cannot store or copy anything inside the app bundle after it is notarized.

It is easiest to sign and notarize an app within Xcode. If you cannot do that (perhaps you build from a script), then you will be using the codesign tool on the components of the app (or the app itself) to do the signing. Notarizing actually can help you with this. The process generates a report when it finds any signing issues within the app. Apple has three notes on Notarization that are well worth printing out - they contain lots of good info. 

Hints for signing using the codesign tool: don’t use --deep. If you have any third party components, it will overwrite their signature with yours. Use hardened runtime. Without it, you won’t notarize. Be sure to add Apple’s timestamp. Basically, follow the suggestions for signing that are outlined in the Notarization documents.

There seems to be a steep learning curve, but once you are successful you will ask yourself why it took so long to figure out. Learning how to interpret the notarization report is key, especially if your app is complex with lots of libraries and embedded tools (which all must be signed). When you run into problems, just ask. Lots of good resources here who have been through it before.


On Feb 10, 2021, at 9:53 AM, Peter Hudson via <Peter.hudson@...> wrote:

Sorry didn’t explain properly Alex.  It is a macOS app.

The license issue is about whether, for now, I can sign the application with the license file in /Contents in the bundle.
Or, as each license is different, I need to place it outside the bundle. 

I couldn’t determine, from the docs to hand, whether putting the license in the bundle would be a problem in the context of signing.

I’ll share what unfolds !




On 10 Feb 2021, at 17:21, Alex Zavatone via <zav@...> wrote:

On Feb 10, 2021, at 10:23 AM, Peter Hudson via <Peter.hudson@...> wrote:


Book suggestion looks good - have got a copy on the way !

Have been looking at the keychain as a home for the license file as part of the reorg for signing.

I’m not sure I understand.  Your license for a purchaser and the code signing should be two different things.  If you grant a license to a purchaser, then simply storing the license value in the keychain should be all you need for that, but you still will need to sort out code signing separately.

You also mentioned notarizing.   The book existed before that process, but the concepts in chapter 4 are foundational to wrap your head around code signing.

It just occurred to me that since you’re notarizing your app you need to code sign a Mac app, not an iOS one.  It’s still really important to understand the guts behind code signing and the book will help.

Here is a brief on Mac app notarizing that may help. 

Note the details about Hardened Runtime.  Is that enabled in your app?

Good luck.  Please share what you find.  

Alex Zavatone

Many thanks


On 10 Feb 2021, at 16:02, Alex Zavatone via <zav@...> wrote:

FYI, you should be storing the license in a more secure location such as the keychain.

On Feb 10, 2021, at 9:55 AM, Alex Zavatone via <zav@...> wrote:

Chapter 4 of Essential Build and Release by Ron Roche is what got me what I needed to learn.

Alex Zavatone

On Feb 10, 2021, at 9:48 AM, Peter Hudson via <Peter.hudson@...> wrote:


I finally need to sign an app that has been running for some time.  I’m looking at what docs I can find and two questions emerge.

1.    Could anybody point me at the best instructions for code signing / notarisation - I have never done it before.
   I’ve looked at the docs in Xcode and they seem to raise more questions than they solve.

2.    I currently squirrel away the license file for each install in the Contents folder of the bundle. 
   The license file is a simple text file and is different for each install.
   I wondered if this is going to cause problems in the context of code signing ?

Many thanks
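
The signing hints in Jack Brindle's reply at the top of this thread (no --deep, hardened runtime, Apple's timestamp, every nested component signed), written out as a script. This is an added example, not code from any of the posters; the identity string, the SKIP pattern and the list of file extensions are assumptions, and with DRY_RUN=1 it only prints the codesign commands it would run.

```shell
#!/bin/sh
# Added example: sign an app bundle inside-out, one component at a time.
IDENTITY="${IDENTITY:-Developer ID Application: Example Corp (TEAMID)}"  # placeholder identity
SKIP="${SKIP:-}"         # assumed: grep -E pattern of third-party paths to leave as signed
DRY_RUN="${DRY_RUN:-1}"  # 1 = print the commands only, 0 = run codesign

# List nested code, deepest path first, so inner code is sealed before the
# container that records its hash. Extend the name list for any standalone
# helper tools the bundle embeds (assumed set of extensions).
nested_code() {
  find "$1/Contents" \( -name '*.dylib' -o -name '*.framework' -o -name '*.xpc' \
        -o -name '*.app' -o -name '*.bundle' \) -print |
    awk -F/ '{ print NF "\t" $0 }' | sort -rn | cut -f2-
}

# Sign a single item: hardened runtime plus secure timestamp, and no --deep.
sign_one() {
  if [ "$DRY_RUN" = 1 ]; then
    printf 'codesign --force --options runtime --timestamp --sign "%s" "%s"\n' \
      "$IDENTITY" "$1"
  else
    codesign --force --options runtime --timestamp --sign "$IDENTITY" "$1"
  fi
}

# Sign every nested component that is ours, then the app bundle itself last.
sign_bundle() {
  app="$1"
  nested_code "$app" | while IFS= read -r item; do
    # Leave third-party components with the signature their vendor applied.
    if [ -n "$SKIP" ] && printf '%s\n' "$item" | grep -Eq "$SKIP"; then
      continue
    fi
    sign_one "$item" || exit 1
  done || return 1
  sign_one "$app" || return 1
  # Check the finished seal before submitting for notarization.
  [ "$DRY_RUN" = 1 ] || codesign --verify --strict --verbose=2 "$app"
}

# Usage: DRY_RUN=0 IDENTITY="..." sh sign.sh /path/to/MyApp.app
[ $# -eq 0 ] || sign_bundle "$1"
```

Anything written into the bundle after the final sign_one call, such as a per-install license file, invalidates the seal that the verify step checks.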

