Signing and Notarizing a Protected Application
This section describes the following activities:
>Adding Entitlements to the Protected Application
>Signing the Protected Application
>Notarizing the Protected Application
>Signing and Notarizing the Customized Run-time Environment Installer
Thales recommends that you sign the application and use Apple's notary service to have your application notarized.
NOTE Any existing code signing signature and notarization of your application become invalid after the application has been protected by Envelope. You need to re-sign your application and re-submit your application to the Apple notary service. You can no longer notarize your application through the Xcode user interface.
Adding Entitlements to the Protected Application
While signing an application protected by Envelope, you need to add entitlements to the application.
If you already have an entitlements file in your project, you just need to add the entitlement key com.apple.security.cs.allow-unsigned-executable-memory to your entitlements. This can be done easily in Xcode. In the target's Signing and Capabilities pane > Hardened Runtime section, select the Allow Unsigned Memory checkbox.
When not using Xcode for building your application or if you do not already have an entitlements file, use the following entitlements file:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
</dict>
</plist>
Signing the Protected Application
Applications that are installed through the AppStore are always signed by the vendor and then reviewed by Apple. macOS will refuse to start a protected application (that was not installed through the AppStore) with a broken or missing signature, and an entry in the logs will indicate that “storeagent” refuses to start an unsigned application. In addition, Gatekeeper may quarantine applications that were downloaded from the Internet when they are not signed and notarized. As a result, the protected application may not work properly.
Applications that are protected by the Sentinel LDK Envelope for Mac must be code signed manually to satisfy the requirements that Apple introduced with Gatekeeper to distribute trusted applications.
To sign the protected application from the command line:
1. Open the Terminal and locate the directory where the protected application has been placed by Sentinel LDK Envelope.
2. On the command line prompt, use the codesign tool provided with the Apple Developer Tools (Xcode). Enter the following command:
codesign -f -s "certificateName" --deep -o runtime --entitlements bundle.entitlements --timestamp bundleName
Where:
• certificateName is the name of the certificate to be used to sign the bundle. Paste the name that you copied from the Keychain Access Manager. Be sure to enclose the name in double quotation marks. For details, see Obtaining the Certificate Name for Signing a Protected Application.
• bundle.entitlements is the name of the entitlements file used when signing the application.
• bundleName is the name of the bundle to sign.
For example:
codesign -f -s "Developer ID Application: SFNT Germany GmbH" --deep -o runtime \
    --entitlements Mac_Bounce.entitlements --timestamp Mac_Bounce.app/
The system response is similar to this:
Mac_Bounce.app/: signed bundle with Mach-O universal (x86_64) [com.safenet-inc.Mac-Bounce]
NOTE To submit a macOS application to the Apple Notary service, you must use the options for hardened runtime, entitlements, and timestamp, as described in Resolving Common Notarization Issues. You can also find information on the codesign man page.
3. (Optional) You can use the following command to verify the signature:
codesign -v --verbose bundleName
The system response is similar to this:
Mac_Bounce.app/: valid on disk
Mac_Bounce.app/: satisfies its Designated Requirement
The code of the protected application is now signed with your Apple Developer ID.
Settings for Gatekeeper can be adjusted in the Security Preference pane.
For more information about the codesign tool, refer to the manpage (man codesign) and the "Code Signing Guide" available at: http://developer.apple.com
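The following script is an added example, not Thales or Sentinel LDK code, that ties the entitlements file and the signing procedure above together: it writes the minimal entitlements file if none exists, runs the same codesign command, and then audits the resulting signature for the three properties the notary service requires (hardened runtime, secure timestamp, Developer ID authority) plus the Envelope entitlement. The certificate name and bundle path are placeholders; the audit function reads codesign's own -d -vvv output, so it can also be checked against captured output.

```shell
#!/bin/sh
# Added example (not Thales/Sentinel LDK code). Signs an Envelope-protected
# bundle as this section describes and audits the result before notarization.

# Write the minimal entitlements file from this section to the path in $1.
write_entitlements() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
</dict>
</plist>
EOF
}

# Sign exactly as the section's command does: hardened runtime, entitlements,
# secure timestamp. $1 = certificate name, $2 = entitlements file, $3 = bundle.
sign_bundle() {
  codesign -f -s "$1" --deep -o runtime --entitlements "$2" --timestamp "$3"
}

# Audit the combined text of `codesign -d -vvv` and `codesign -d --entitlements :-`
# read from stdin. Returns 0 only if every property the notary service needs and
# the Envelope entitlement are present; the return code says which one is missing.
audit_signature_info() {
  info=$(cat)
  printf '%s\n' "$info" | grep -q 'flags=0x[0-9a-f]*(.*runtime' || return 1  # hardened runtime
  printf '%s\n' "$info" | grep -q '^Timestamp=' || return 2                 # secure timestamp
  printf '%s\n' "$info" | grep -q '^Authority=Developer ID Application:' || return 3
  printf '%s\n' "$info" | grep -q 'allow-unsigned-executable-memory' || return 4
}

# Full workflow on a real bundle (macOS only). $1 = certificate name, $2 = bundle.
# The entitlements file is assumed to sit next to the bundle as <name>.entitlements.
sign_and_check() {
  bundle="${2%/}"
  ents="${bundle%.app}.entitlements"
  [ -f "$ents" ] || write_entitlements "$ents"
  sign_bundle "$1" "$ents" "$bundle"
  codesign --verify --deep --strict --verbose=2 "$bundle"
  { codesign -d -vvv "$bundle" 2>&1; codesign -d --entitlements :- "$bundle" 2>&1; } \
    | audit_signature_info
}
```

Run as `sign_and_check "Developer ID Application: <your name>" Mac_Bounce.app` after sourcing the script; a non-zero exit from the audit tells you which of the runtime, timestamp, authority or entitlement checks failed before you submit to the notary service.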
Notarizing the Protected Application
After you protect and sign your application, Apple recommends that you have your application notarized by Apple's notary service before distribution outside of the AppStore. Notarization gives users more confidence that the developer ID-signed software you distribute has been checked by Apple for malicious components. (For more information, see Notarizing Your App Before Distribution.)
>To submit your application for notarization using a command line, perform the steps described in the following page:
Customizing the Notarization Workflow
>For tips on how to resolve issues that can occur during notarization, see the following page:
Resolving Common Notarization Issues
Signing and Notarizing the Customized Run-time Environment Installer
Using Sentinel Master Wizard, you can generate a Run-time Environment (RTE) Installer that is customized with your Vendor Codes.
To be able to distribute this installer to your customers, you must code sign the installer and, preferably, have the installer notarized by Apple's notary service. Sentinel LDK is not able to handle this since
You must code sign the RTE Installer separately from your own application. However, to have the RTE Installer notarized, you can do either of the following:
>Submit the code signed RTE Installer to Apple's notary service as a stand-alone application.
>If you are distributing your application as a DMG file, include the code signed RTE Installer in the DMG file that you submit for notarization.