DMG Canvas

DMG Canvas builds disk images from template documents that you create. Design your disk image's appearance in the graphical WYSIWYG editor: drag and drop your files into place, add text and images, change the background image of the mounted window, and even add stylized license agreements to your disk images, which (believe us) is a massive pain otherwise. Then click Build. Each time you release a new version of your disk image, simply click Build again and DMG Canvas will pull together the latest versions of all of your files.

[See newest updates at the bottom of the article]


According to Apple (read the whole article here):

The Apple notary service is an automated system that scans your software for malicious content, checks for code-signing issues, and returns the results to you quickly. Notarization gives users more confidence that the Developer ID-signed software you distribute has been checked by Apple for malicious components. Notarization is not App Review.

Basically, it is a form of whitelisting: Apple records that it has scanned your signed build and found nothing malicious. From macOS Catalina on (October 2019), notarization is mandatory for software distributed outside the App Store: by default Gatekeeper refuses to open a downloaded (quarantined) installer that has not been notarized, so do your homework.

Gatekeeper

When your customers run your product's installer.pkg, macOS Gatekeeper connects to Apple to check whether the file they are opening has been vetted and can therefore be run safely (the check is triggered by the quarantine attribute that Safari and other downloaders set on the file). If the check passes, Gatekeeper still pops up the usual 'downloaded from the Internet' warning, now stating that Apple checked the file for malicious software:

Because users can also be offline, you can staple the notary service's response ticket directly to the installer – an optional but recommended step.

What you need

  1. An active subscription to the Apple Developer Program ($99 per year).
  2. Xcode 10 or newer (free download via the App Store).
  3. An app-specific password for your Apple ID (see here for instructions).

Notarization walkthrough

I assume that you are at least vaguely familiar with the topic of code signing. I'm going to show you how to notarize a .pkg installer; caveats for slightly more complex scenarios (e.g. a .dmg that wraps a .pkg and/or .app plus other assets) will follow in a later section.

1. Create a Developer ID Installer certificate

Log in to the Apple Developer portal and go to the 'Certificates, Identifiers & Profiles' section. Create a new Certificate: when asked, select Developer ID Installer:

Follow the instructions to complete the process: you'll be required to open the Certificate Assistant from the Keychain Access application to create a Certificate Signing Request, then upload it to the Developer Portal. When the process is complete, you'll be presented with a download link for your certificate, to be imported into Keychain Access by double-clicking it. Keep the private key that Keychain Access generated for the request safe: it is what actually signs your installers, and anyone who obtains it can sign as you.

You can verify that the certificate has been installed successfully by opening the Terminal and pasting the following command:

Keep note of the string between quotes that says 'Developer ID Installer: ...'.

2. Signing the Installer

Notarizing an installer is not enough: it must be signed first. Assuming that the installer.pkg file sits in the folder you have cd'd to in the Terminal window, you sign the installer with the following command (the output I got is right below the first line):

Let's break down that:

  • productsign is the utility in charge of signing flat packages.
  • --sign takes the identity associated with the Apple-issued certificate, which follows as a string.
  • ./installer.pkg is the relative path (it can be absolute as well) to the file you want signed.
  • ./installer_signed.pkg is the path of the new, signed file that productsign will create (the original is left untouched).

Of course you should substitute the 'Developer ID Installer:' string with the one you noted in the previous section, as well as the file paths.

You can verify that installer_signed.pkg has really been signed with:

3. Sending the notarization request

Keep handy the app-specific password you requested from your Apple ID account (if you haven't done it yet, follow the instructions here). Let's say that it is cvbs-epfg-sizx-olwd. The command I've used to request the notarization is:

Let's break down that.

  • xcrun locates and executes Xcode's command-line tools.
  • altool is the executable that performs the notarization request. (Apple has since retired altool for notarization in favour of xcrun notarytool; the flow shown here is the altool one.)
  • --notarize-app is the flag that tells altool to request notarization.
  • --primary-bundle-id is an identifier of your choosing that labels the submission so you can recognise it later (in my case 'com.ccextensions.alce3'; substitute it with yours). It does not have to match anything inside the package.
  • --username wants your Apple ID.
  • --password wants the app-specific password you requested (here, 'cvbs-epfg-sizx-olwd'). Passing it literally leaves it in your shell history and in the process list; altool also accepts '@keychain:<item name>' or '@env:<variable name>' in its place.
  • --file is the flag that tells altool which file to upload. Please note that I had to specify the absolute full path (not the relative one that starts with ./) between quotes.

The command takes a while to upload the file and gives you zero feedback while doing so; after a while, if the upload has been successful, you get back something like:

Keep note of the RequestUUID string.

At this point your request for notarization has been sent to Apple, and you have to wait for them to process the file.

Mind you: if you get 'Error: You must first sign the relevant contracts online. (1048)' (as has happened to me several times) don't panic.

You can launch Xcode to check whether it asks you to accept its Terms and Conditions, or run the following command to agree from the Terminal:

Then check App Store Connect (formerly iTunes Connect), in the 'Agreements, Tax and Banking' section. The 'Paid Apps' list item may have a Status of 'Pending User Information'1, but there shouldn't be any Agreement pending (usually their warnings are listed separately).

If, still, nothing works it may be a glitch on Apple's side, so wait a couple of hours and try again.

4. Checking the notarization status

In the Terminal, enter:

The command now uses --notarization-info to query the current status, and expects the same RequestUUID string that was sent back in response to the original request. The result is something like this:

Note the in progress status. At some point the result will change, hopefully to something similar to this:

The installer has been successfully notarized!

If, for some reason, you have performed several requests and want to check the notarization request history, run the following command:

5. Stapling the ticket to the file

As I wrote, this step is optional but highly recommended: Gatekeeper will find the notarization ticket inside the file itself, with no need to perform an online check (it still falls back to asking Apple if no ticket is stapled).

The command here is much simpler: you don't need to pass any RequestUUID string yourself, because stapler contacts Apple on its own to fetch the ticket issued for that file.

You can check stapling details with:

The result is too long to paste here, and frankly I've no idea what it means: as long as it ends with 'The validate action worked!' you should be fine.

And… you're done 🍾

In my experience the Notarization can take from 60 seconds up to many hours (one time I've had the Terminal waiting and checking the status from 3PM to midnight). In theory it should be fast, in practice you can occasionally run into long delays.
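The whole procedure above (sign, verify, submit, poll, staple, assess) as one script. This is an added example, not the article's own commands: the identity string and bundle id are hypothetical, the Apple ID is read from the AC_USERNAME environment variable and the app-specific password from AC_PASSWORD, and the two parsing helpers are exercised on constructed sample text in altool's output format, since the real commands only run on a Mac with a Developer ID certificate. Apple has since retired altool notarization in favour of xcrun notarytool; the script follows the altool flow the article describes.

```shell
#!/bin/bash
# Added example, not the article's own commands: sign a .pkg, submit it for
# notarization, poll until Apple answers, staple the ticket and run the same
# Gatekeeper assessment the customer's Mac will run. Assumptions (replace them):
# SIGN_IDENTITY and PRIMARY_BUNDLE_ID are hypothetical; AC_USERNAME and
# AC_PASSWORD are environment variables holding the Apple ID and the
# app-specific password. altool's --notarize-app has since been retired by
# Apple in favour of `xcrun notarytool`; this script follows the article's flow.
set -eu

SIGN_IDENTITY="Developer ID Installer: Example Corp (ABCDE12345)"   # hypothetical
PRIMARY_BUNDLE_ID="com.example.installer"                           # hypothetical
POLL_SECONDS=60

# --- parsing helpers: pure text processing on altool's output -----------------

# Print the RequestUUID from `altool --notarize-app` output (empty if absent).
extract_request_uuid() {
  sed -n '/^[[:space:]]*RequestUUID[[:space:]]*=/{s/^[^=]*=[[:space:]]*//;p;q;}'
}

# Print the value of the "Status:" line from `altool --notarization-info`
# output ("in progress", "success" or "invalid"). The "Status Code" and
# "Status Message" lines are deliberately not matched.
extract_status() {
  sed -n '/^[[:space:]]*Status:/{s/^[[:space:]]*Status:[[:space:]]*//;p;q;}'
}

# Constructed sample outputs in the shape altool prints (not captured from a run).
SAMPLE_SUBMIT_OUTPUT="$(printf '%s\n' \
  "No errors uploading '/Users/me/build/installer_signed.pkg'." \
  'RequestUUID = 2efe2717-52ef-43a5-96dc-0797e4ca1041')"
SAMPLE_INFO_OUTPUT="$(printf '%s\n' \
  'No errors getting notarization info.' \
  '' \
  '          Date: 2019-10-08 14:02:11 +0000' \
  '   RequestUUID: 2efe2717-52ef-43a5-96dc-0797e4ca1041' \
  '        Status: success' \
  '   Status Code: 0' \
  'Status Message: Package Approved')"

# --- the procedure -------------------------------------------------------------

notarize_pkg() {
  local src="$1"
  local signed="${src%.pkg}_signed.pkg"
  local abs uuid info status

  # 1-2. Sign with the Developer ID Installer identity and verify the result.
  productsign --sign "$SIGN_IDENTITY" "$src" "$signed"
  pkgutil --check-signature "$signed"

  # 3. Upload. altool wants an absolute path; the password is referenced via
  #    @env: so it never shows up in the process list or the shell history.
  abs="$(cd "$(dirname "$signed")" && pwd)/$(basename "$signed")"
  uuid="$(xcrun altool --notarize-app \
            --primary-bundle-id "$PRIMARY_BUNDLE_ID" \
            --username "$AC_USERNAME" --password '@env:AC_PASSWORD' \
            --file "$abs" 2>&1 | extract_request_uuid)"
  [ -n "$uuid" ] || { echo "no RequestUUID in altool output; upload failed" >&2; return 1; }
  echo "submitted as RequestUUID $uuid"

  # 4. Poll until the status is no longer "in progress".
  while :; do
    info="$(xcrun altool --notarization-info "$uuid" \
              --username "$AC_USERNAME" --password '@env:AC_PASSWORD' 2>&1)"
    status="$(printf '%s\n' "$info" | extract_status)"
    case "$status" in
      "in progress") sleep "$POLL_SECONDS" ;;
      success)       break ;;
      *)             printf '%s\n' "$info" >&2   # the LogFileURL in here explains a rejection
                     return 1 ;;
    esac
  done

  # 5. Staple the ticket, validate it, then assess it as Gatekeeper would offline.
  xcrun stapler staple "$signed"
  xcrun stapler validate "$signed"
  spctl --assess --type install -vv "$signed"
}

# Only act when a package path is given, so the helpers can be sourced and tested.
if [ "$#" -eq 1 ]; then
  notarize_pkg "$1"
fi
```

Run it as `AC_USERNAME=you@example.com AC_PASSWORD=cvbs-epfg-sizx-olwd ./notarize.sh installer.pkg`; the final spctl line is the check that tells you whether a customer's Gatekeeper will accept the stapled package.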

Caveats for different scenarios

The example I've shown is for a single installer.pkg file. Let's say that you (as I do) deliver to your customers a product.dmg file that wraps the installer.pkg, an additional uninstaller.app (say, an app-ified AppleScript) and some documentation as well.

In this case, you need to:

  • Notarize only the outermost container (here the .dmg); the notary service scans everything inside it.
  • Sign all the executable child items (here the .app and the .pkg) and the .dmg as well, before building and submitting the .dmg.

Please note that in order to sign a .dmg (or an .app) you need a 'Developer ID Application' certificate, instead of the 'Developer ID Installer' one I've used for the .pkg.

Lastly, things may get a bit convoluted when it comes to extra libraries/bundles that your panel may call: every executable inside the submission must itself be signed, or the notary service rejects the whole thing. If you feel like it's your case, please read this thread.

UPDATE: DMG Canvas

The software that I use, and recommend, to build .dmg files is Araelium DMG Canvas, which has recently bumped to version 3.x (a paid upgrade, around $10). One of the new features is the possibility to automate the notarization process while building the .dmg itself.

To tell you the truth, the first product I've used it for went flawlessly, and in a snap; the second product failed due to a timeout, which sounds very much like an Apple issue rather than Araelium's. Please note that DMG Canvas does the stapling too, which is quite handy, and can be automated to fit your build system.

UPDATE: Uninstaller app

As I've finally upgraded my machine to Catalina, I'm able to experience the entire, happy spectrum of Catalina-related issues. I've discovered that with the Uninstall.app the signature I've been doing is not enough: the notarization of the outer .dmg fails with the error: 'The executable does not have the hardened runtime enabled.'.

If this is the case, be aware that you should not export Uninstall.scpt to Uninstall.app while signing it with Script Editor (it's an option in the File > Export dialog), because that signature is applied without the hardened runtime. Instead, export it without a signature and then use the codesign utility with the -o runtime flag (short for --options runtime):

Also, the signing of the .app may fail with the error 'resource fork, Finder information, or similar detritus not allowed'. You can spot such digital detritus (extended attributes on files inside the bundle) by running:

To clean that mess (it strips the extended attributes from the whole bundle), run:

…and the subsequent codesign should complete with no problems.
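The 'Caveats for different scenarios' section and this 'Uninstaller app' update describe one combined job: strip the detritus from the exported app, sign it with the hardened runtime, sign the package, then build and sign the disk image with the Application identity. Here it is as one added script that is not from the article or from Araelium. The two identities are hypothetical, hdiutil stands in for DMG Canvas to build the image, and the flag check is exercised on constructed codesign -dvv output. Once product.dmg is signed, it is submitted, polled and stapled exactly like the .pkg in the walkthrough.

```shell
#!/bin/bash
# Added example, not the article's own commands: sign every executable item
# that goes into a distribution .dmg, then sign the .dmg itself, the way the
# "Caveats" and "Uninstaller app" sections describe. Hypothetical values:
# the two identities below; hdiutil is used here instead of DMG Canvas.
set -eu

APP_IDENTITY="Developer ID Application: Example Corp (ABCDE12345)"   # hypothetical
PKG_IDENTITY="Developer ID Installer: Example Corp (ABCDE12345)"     # hypothetical

# --- parsing helper: does `codesign -dvv` report the hardened runtime? ---------

# Print the flags token (e.g. "0x10000(runtime)") from `codesign -dvv` output.
codesign_flags() {
  sed -n '/^CodeDirectory /{s/.*flags=\([^[:space:]]*\).*/\1/;p;q;}'
}

# Print "yes" if the flags include "runtime", "no" otherwise. Without it the
# notary service rejects the bundle with "The executable does not have the
# hardened runtime enabled."
has_hardened_runtime() {
  case "$(codesign_flags)" in
    *runtime*) echo yes ;;
    *)         echo no ;;
  esac
}

# Constructed `codesign -dvv` outputs (shape only, not captured from a real app).
SAMPLE_HARDENED="$(printf '%s\n' \
  'Executable=/Users/me/build/Uninstall.app/Contents/MacOS/applet' \
  'Identifier=com.example.uninstall' \
  'Format=app bundle with Mach-O thin (x86_64)' \
  'CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+5 location=embedded' \
  'Authority=Developer ID Application: Example Corp (ABCDE12345)')"
SAMPLE_PLAIN="$(printf '%s\n' \
  'Executable=/Users/me/build/Uninstall.app/Contents/MacOS/applet' \
  'Identifier=com.example.uninstall' \
  'CodeDirectory v=20200 size=1234 flags=0x0(none) hashes=30+5 location=embedded')"

# --- the procedure -------------------------------------------------------------

# Sign an app bundle with the hardened runtime enabled and a secure timestamp.
sign_app() {
  local app="$1"
  # Finder info / resource forks stored as extended attributes make codesign
  # fail with "resource fork, Finder information, or similar detritus not
  # allowed": list them, then strip them from the whole bundle.
  xattr -lr "$app"
  xattr -cr "$app"
  codesign --force --options runtime --timestamp --sign "$APP_IDENTITY" "$app"
  codesign --verify --deep --strict --verbose=2 "$app"
  if [ "$(codesign -dvv "$app" 2>&1 | has_hardened_runtime)" != yes ]; then
    echo "$app: signed without the hardened runtime; notarization would fail" >&2
    return 1
  fi
}

# Sign the flat package with the Installer identity (productsign writes a copy).
sign_pkg() {
  productsign --sign "$PKG_IDENTITY" "$1" "$2"
  pkgutil --check-signature "$2"
}

# Build the image from the staged, already signed pieces, sign it with the
# Application identity and assess it the way Gatekeeper does for a downloaded dmg.
build_and_sign_dmg() {
  local stage="$1" dmg="$2" volname="$3"
  hdiutil create -volname "$volname" -srcfolder "$stage" -ov -format UDZO "$dmg"
  codesign --force --timestamp --sign "$APP_IDENTITY" "$dmg"
  codesign --verify --verbose=2 "$dmg"
  spctl --assess --type open --context context:primary-signature -vv "$dmg"
}

# Usage: ./sign_dmg.sh installer.pkg Uninstall.app docs Product.dmg
if [ "$#" -eq 4 ]; then
  stage="$(mktemp -d)"
  sign_pkg "$1" "$stage/$(basename "${1%.pkg}")_signed.pkg"
  sign_app "$2"
  cp -R "$2" "$3" "$stage"/
  build_and_sign_dmg "$stage" "$4" "$(basename "${4%.dmg}")"
  rm -rf "$stage"
fi
```

The hardened-runtime check after signing is the one that would have caught the Uninstall.app problem before the upload: the flags token printed by codesign -dvv is the same thing the notary service looks at.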

Support this site!

Please consider supporting my work with the purchase of these books and courses. You can find them all here, bundles available. Thanks! 🙏🏻

PS. I will update the Ultimate Guide to Native Installers and Automated Build Systems as well, I just wanted you to get informed asap.

  1. If you don't plan to sell through Apple, there's no point in filling the uber-annoying Tax forms, etc. ↩




