15 KiB
Signing and notarizing distributions for macOS
Apple requires all 3rd party apps to be signed and notarized (checked by Apple) for running on recent versions of macOS.
What is covered
In this tutorial, we'll show you how to sign and notarize
native distributions of Compose apps (in dmg
or pkg
formats)
for distribution on macOS.
Prerequisites
- Xcode. The tutorial was checked with Xcode 12.3.
- JDK 15+. The tutorial was checked with OpenJDK 15.0.1.
Preparing a Developer ID certificate
You will need a Developer ID certificate for signing your app.
Checking existing Developer ID certificates
Open https://developer.apple.com/account/resources/certificates
Creating a new Developer ID certificate
- Create a certificate signing request:
- Open
Keychain Access
. - Open the menu dialog
Keychain Access > Certificate Assistant > Request a Certificate from a Certificate Authority
- Enter your Developer ID email and common name.
- Check
Save to disk
option.
- Open
- Create and install a new certificate using your Apple Developer account:
- Open https://developer.apple.com/account/resources/certificates/add
- For publishing outside the App Store, choose the
Developer ID Application
certificate type. For publishing on the App Store, you need two certificates. First select theMac App Distribution
certificate type, and once you have completed the steps in this section, repeat them again for theMac Installer Distribution
certificate type. - Upload your Certificate Signing Request from the previous step.
- Download and install the certificate (drag & drop the certificate into the
Keychain Access
application).
Viewing installed certificates
You can find all installed certificates and their keychains by running the following command:
/usr/bin/security find-certificate -c "Developer ID Application"
or the following commands when publishing on the App Store:
/usr/bin/security find-certificate -c "3rd Party Mac Developer Application"
/usr/bin/security find-certificate -c "3rd Party Mac Developer Installer"
If you have multiple developer certificates of the same type installed, you will need to specify the path to the keychain, containing the certificate intended for signing.
Preparing an App ID
An App ID represents one or more applications in Apple's ecosystem.
Viewing existing App IDs
Open the page on Apple's developer portal.
Creating a new App ID
- Open the page on Apple's developer portal.
- Choose
App ID
option. - Choose
App
type. - Fill the
Bundle ID
field.- A bundle ID uniquely identifies an application in Apple's ecosystem.
- You can use an explicit bundle ID a wildcard, matching multiple bundle IDs.
- It is recommended to use the reverse DNS notation (e.g.
com.yoursitename.yourappname
).
Preparing a Provisioning Profile
For testing on TestFlight (when publishing to the App Store), you need to add a provisioning profile. You can skip this step otherwise.
First make sure you have created two app IDs, one for your app, and another one for the JVM runtime. They should look like this:
- App ID for app:
com.yoursitename.yourappname
(format:YOURBUNDLEID
) - App ID for runtime:
com.oracle.java.com.yoursitename.yourappname
(format:com.oracle.java.YOURBUNDLEID
)
Checking existing provisioning profiles
Open https://developer.apple.com/account/resources/profiles/list
Creating a new provisioning profile
- Open the page on Apple's developer portal.
- Choose
Mac App Store
option underDistribution
. - Select Profile Type
Mac
. - Select the App ID which you created earlier.
- Select the Mac App Distribution certificate you created earlier.
- Enter a name.
- Click generate and download the provisioning profile.
Note that you need to create two of these profiles, one for your app and another one for the JVM runtime.
Creating an app-specific password
To be able to upload an app for notarization, you will need an app-specific password associated with your Apple ID.
Follow these steps to generate a new password:
- Sign in to your Apple ID account page.
- In the Security section, click Generate Password below App-Specific Passwords.
See this Apple support page for more information on the app-specific passwords.
Adding an app-specific password to a keychain
To avoid remembering your one-time password, or writing it in scripts, you can add it to the keychain by running:
# Any name can be used instead of NOTARIZATION_PASSWORD
xcrun altool --store-password-in-keychain-item "NOTARIZATION_PASSWORD"
--username <apple_id>
--password <password>
Then you'll be able to refer to the password like @keychain:NOTARIZATION_PASSWORD
without the need to write the password itself.
Configuring Gradle
Gradle DSL
DSL properties should be specified in macOS
DSL block of Compose Desktop DSL:
import org.jetbrains.compose.compose
import org.jetbrains.compose.desktop.application.dsl.TargetFormat
plugins {
kotlin("jvm")
id("org.jetbrains.compose")
}
dependencies {
implementation(compose.desktop.currentOS)
}
compose.desktop {
application {
mainClass = "example.MainKt"
nativeDistributions {
targetFormats(TargetFormat.Dmg)
macOS {
// macOS DSL settings
}
}
}
}
Gradle properties
Some properties can also be specified using Gradle properties.
- Default Gradle properties (
compose.desktop.mac.*
) have lower priority, than DSL properties. - Gradle properties can be specified (the items are listed in order of ascending priority):
- In
gradle.properties
file in Gradle home; - In
gradle.properties
file in project's root; - In command-line
./gradlew packageDmg -Pcompose.desktop.mac.sign=true
- In
- Note, that
local.properties
is not a standard Gradle file, so it is not supported by default. You can load custom properties from it manually in a script, if you want.
Configuring bundle ID
macOS {
bundleID = "com.example-company.example-app"
}
A bundle ID uniquely identifies an application in Apple's ecosystem.
- A bundle ID must be specified using the
bundleID
DSL property. - Use only alphanumeric characters (
A-Z
,a-z
, and0-9
), hyphen (-
) and period (.
) characters. - Use the reverse DNS notation of your domain (e.g.
com.yoursitename.yourappname
). - The specified bundle ID must match one of your App IDs.
Configuring signing settings
macOS {
signing {
sign.set(true)
identity.set("John Doe")
// keychain.set("/path/to/keychain")
}
}
- Set the
sign
DSL property or totrue
.- Alternatively, the
compose.desktop.mac.sign
Gradle property can be used.
- Alternatively, the
- Set the
identity
DSL property to the certificate's name, e.g."John Doe"
.- Alternatively, the
compose.desktop.mac.signing.identity
Gradle property can be used.
- Alternatively, the
- Optionally, set the
keychain
DSL property to the path to the specific keychain, containing your certificate.- Alternatively, the
compose.desktop.mac.signing.keychain
Gradle property can be used. - This step is only necessary, if multiple developer certificates of the same type are installed.
- Alternatively, the
The following Gradle properties can be used instead of DSL properties:
compose.desktop.mac.sign
enables or disables signing. Possible values:true
orfalse
.compose.desktop.mac.signing.identity
overrides theidentity
DSL property.compose.desktop.mac.signing.keychain
overrides thekeychain
DSL property.
Those properties could be stored in $HOME/.gradle/gradle.properties
to use across multiple applications.
Configuring notarization settings
macOS {
notarization {
appleID.set("john.doe@example.com")
password.set("@keychain:NOTARIZATION_PASSWORD")
// optional
ascProvider.set("<TEAM_ID>")
}
}
- Set
appleID
to your Apple ID.- Alternatively, the
compose.desktop.mac.notarization.appleID
Gradle property can be used.
- Alternatively, the
- Set
password
to the app-specific password created previously.- Alternatively, the
compose.desktop.mac.notarization.password
Gradle property can be used. - Don't write raw password directly into a build script.
- If the password was added to the keychain, as described previously, it can be referenced as
@keychain:NOTARIZATION_PASSWORD
- Alternatively, the
- Set
ascProvider
to your Team ID, if your account is associated with multiple teams.- Alternatively, the
compose.desktop.mac.notarization.ascProvider
Gradle property can be used. - To get a table of team IDs associated with a given username and password, run:
- Alternatively, the
xcrun altool --list-providers -u <Apple ID> -p <Notarization password>"
Configuring provisioning profile
For testing on TestFlight (when publishing to the App Store), you need to add a provisioning profile. You can skip this step otherwise.
Note that this option requires JDK 18 due to this issue.
macOS {
provisioningProfile.set(project.file("embedded.provisionprofile"))
runtimeProvisioningProfile.set(project.file("runtime.provisionprofile"))
}
Make sure to rename your provisioning profile you created earlier to embedded.provisionprofile
and the provisioning profile for the JVM runtime to runtime.provisionprofile
.
Configuring entitlements
For TestFlight you need to set some special entitlements.
Create a file entitlements.plist
with the following content:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.cs.allow-jit</key>
<true/>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
<key>com.apple.security.cs.allow-dyld-environment-variables</key>
<true/>
<key>com.apple.security.cs.debugger</key>
<true/>
<key>com.apple.security.device.audio-input</key>
<true/>
<key>com.apple.application-identifier</key>
<string>TEAMID.APPID</string>
<key>com.apple.developer.team-identifier</key>
<string>TEAMID</string>
<!-- Add additional entitlements here, for example for network or hardware access. -->
</dict>
</plist>
These are the entitlements for your application. Set TEAMID
to your team ID and APPID
to your app bundle ID.
Then create another file called runtime-entitlements.plist
with the following content:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.cs.allow-jit</key>
<true/>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
<key>com.apple.security.cs.allow-dyld-environment-variables</key>
<true/>
<key>com.apple.security.cs.debugger</key>
<true/>
<key>com.apple.security.device.audio-input</key>
<true/>
</dict>
</plist>
These are the entitlements for the JVM runtime.
Now configure the entitlements in Gradle like this:
macOS {
entitlementsFile.set(project.file("entitlements.plist"))
runtimeEntitlementsFile.set(project.file("runtime-entitlements.plist"))
}
TestFlight
Some special configuration is needed to get the app working in TestFlight. If something is incorrect, the App Store will either send an email or show that your build is "Not Available for Testing". The build could still work for the App Store but won't work in TestFlight.
If that is the case, make sure the following is configured correctly:
- Provisioning profiles for both app and JVM runtime are provided.
- Entitlement files for both app and JVM runtime are provided.
- Both entitlement files contain at least the values provided here.
- Team ID and App ID are the same in the app entitlements file and the app provisioning profile.
Furthermore, make sure you follow the steps to get the app working on the App Store.
That means signing with the correct certificates, setting appStore
to true
in Gradle, etc.
Note that apps for both the App Store and TestFlight are sandboxed.
If you are loading native libraries from JVM code, they must be loaded directly from the app bundle (because of sandbox and signing).
That means they cannot first be extracted from a JAR and then loaded (what some libraries do).
You can include native libraries in the bundle using fromFiles
(see here)
and then you can load them in JVM code using System.loadLibrary("LIBRARYNAME")
.
Note that the Skiko native library used by Compose is already loaded correctly if you are using the
default application configuration.
In case you are still experiencing issues with TestFlight, you could consider opening a TSI with Apple, and they may be able to give you a more detailed error message.
Using Gradle
The following tasks are available:
- Use
createDistributable
orpackageDmg
to get a signed application (no separate step is required). - Use
notarize<PACKAGING_FORMAT>
(e.g.notarizeDmg
) to upload an application for notarization. Once the upload finishes, aRequestUUID
will be printed. The notarization process takes some time. Once the notarization process finishes, an email will be sent to you. Uploaded file is saved to<BUILD_DIR>/compose/notarization/main/<UPLOAD_DATE>-<PACKAGING_FORMAT>
- Use
checkNotarizationStatus
to check a status of last notarization requests. You can also use a command-line command to check any notarization request:
xcrun altool --notarization-info <RequestUUID>
--username <Apple_ID>
--password "@keychain:NOTARIZATION_PASSWORD"