With Catalina (macOS 10.15), it’s highly recommended that you notarize applications distributed over a public network. A significant number of developers transfer their applications on a connected storage device or via file sharing; notarization isn’t required in these cases, where the user already trusts the developer. The purpose of notarization is to assure users that the application isn’t malicious, and it is only required for applications downloaded from a website.
If you use our built-in signature feature when building your applications with 4D v18, your application is ready to be notarized. This process is conducted outside of 4D. It involves adding an electronic signature to your application and submitting your signed application to an automated inspection service. Here’s everything you need to know:
Notarization requires Xcode 10 or later and macOS 10.13.6 or later.
If you have more than one version of Xcode installed on your Mac, you can use the xcode-select utility to choose the appropriate version:
sudo xcode-select -s /path/to/Xcode10.app
You’ll also need to have activated two-factor authentication on your Apple ID.
If you’re not sure whether you’ve set up two-factor authentication, sign in to your Apple ID account page. In the Security section, look for the two-factor authentication option and check whether the feature is on or off.
App-specific password for altool
Uploading an application for notarization is done via the command line interface for the application loader plug-in called altool, which comes with Xcode.
Before notarizing your first application, you’ll need to generate an app-specific password for altool.
Sign in to your Apple ID account page. In the Security section, click the “Generate Password” option below the “App-Specific Passwords” option, enter a password label as requested and click the “Create” button.
You can now store the password as a keychain item, using your Apple ID and the app-specific password:
security add-generic-password -a "<apple_id>" -w "<password>" -s "altool"
Signing your application with 4D
In 4D v18, 4D’s built-in signing script has been updated to meet all of Apple’s requirements for notarization: 4D now signs all of the package contents recursively, includes a secure timestamp with the signature, enables the hardened runtime and provides an entitlements file. In order to avoid any feature restriction, all capabilities in that entitlements file are set to “true”.
Creating a zip archive or a dmg image
Because .app bundles cannot be directly uploaded to the notary service, you’ll need to create a compressed archive containing your signed application:
/usr/bin/ditto -c -k --keepParent "<path_to_app>" "<path_to_zip_archive>"
Note that you could also upload a .dmg image instead of a .zip archive.
Uploading your application
You can now upload your application for notarization using the following command:
xcrun altool --notarize-app --primary-bundle-id "<primary_bundle_identifier>" --username "<apple_id>" -p "@keychain:altool" --file "<path_to_zip_archive>"
Note: you can use any name as the primary bundle identifier, but it must contain only letters, numbers, hyphens and periods (no spaces, underscores or other characters).
If the upload succeeds, a request UID is returned. Save this to use later when checking the status of your notarization request.
Checking the notarization status
The notarization process may take up to an hour. When it’s finished, you’ll receive an email indicating the outcome.
Since Apple has eased the notarization prerequisites until January 2020, it’s advised that you also request a detailed report and check it for any warnings that may prevent notarization after January 2020.
A detailed report can be requested with the following command, which will return a status and a log file URL:
xcrun altool --notarization-info <request_uid> -u "<apple_id>" -p "@keychain:altool"
Stapling the ticket to your application
In order to make sure that Gatekeeper knows that your application is notarized (even when no network connection is available at first launch of the application), it’s recommended that you attach the ticket produced by notarization to your application. This process is called “stapling”.
If you notarized a .zip archive, please note that the stapler tool must be run against the .app bundle you originally added to the archive, because a .zip archive itself cannot be stapled. If you notarized a .dmg image, you can staple the .dmg image directly.
Stapling is processed with the following command:
xcrun stapler staple <your_app_or_dmg_file>
Once stapling is done, create a new .zip archive containing the stapled application for distribution.
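The whole procedure above (ditto, altool --notarize-app, polling --notarization-info, stapler) chained into one POSIX shell script, added here as an illustration; it is not part of the original post or of 4D’s signing script. It assumes an APPLE_ID environment variable and the “altool” keychain item created earlier, and parses the “RequestUUID = …”, “Status:” and “LogFileURL:” lines that altool prints.

```shell
#!/bin/sh
# Added example, not 4D's signing script: chains zip -> upload -> poll -> staple.
# Assumes APPLE_ID is set and the "altool" keychain item from the text exists.

# The primary bundle identifier may contain only letters, digits, hyphens
# and periods; reject anything else before paying for an upload round trip.
valid_bundle_id() {
  case "$1" in
    ''|*[!A-Za-z0-9.-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# altool --notarize-app prints a line of the form "RequestUUID = <uuid>".
request_uuid() {
  printf '%s\n' "$1" | sed -n 's/^ *RequestUUID = *//p' | sed 's/ *$//'
}

# altool --notarization-info prints "   Status: success|in progress|invalid"
# plus "   LogFileURL: <url>" ("Status Code:" lines deliberately do not match).
notarization_status() {
  printf '%s\n' "$1" | sed -n '/^ *Status: /{s/^ *Status: *//;s/ *$//;p;}'
}
log_file_url() {
  printf '%s\n' "$1" | sed -n 's/^ *LogFileURL: *//p' | sed 's/ *$//'
}

# Usage: notarize_and_staple /path/to/MyApp.app com.example.myapp
notarize_and_staple() {
  app="$1"; bundle_id="$2"; zip="${app%.app}.zip"
  valid_bundle_id "$bundle_id" || { echo "bad bundle id: $bundle_id" >&2; return 1; }
  /usr/bin/ditto -c -k --keepParent "$app" "$zip" || return 1
  out=$(xcrun altool --notarize-app --primary-bundle-id "$bundle_id" \
          --username "$APPLE_ID" -p "@keychain:altool" --file "$zip") || return 1
  uuid=$(request_uuid "$out")
  [ -n "$uuid" ] || { echo "no RequestUUID in altool output" >&2; return 1; }
  # Poll until the notary service reports a final status (can take up to an hour).
  while :; do
    info=$(xcrun altool --notarization-info "$uuid" -u "$APPLE_ID" -p "@keychain:altool")
    status=$(notarization_status "$info")
    [ "$status" = "in progress" ] || break
    sleep 60
  done
  echo "status: $status, log: $(log_file_url "$info")"
  [ "$status" = "success" ] || return 1
  # Staple the .app (not the .zip), then re-zip the stapled bundle for distribution.
  xcrun stapler staple "$app" && /usr/bin/ditto -c -k --keepParent "$app" "$zip"
}
```

Review the log file URL even on success: it lists warnings that will become errors once the relaxed prerequisites end.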