Notarizing Your Xojo Apps

The release of macOS 10.15 Catalina is fast approaching. One of the new things that Apple has done in this release is increase the security even more. No longer is simply code signing your app good enough. Apple is now notarizing applications meaning that applications and disk images are submitted to Apple for their seal-of-approval that ideally have some minimum level of scrutiny that the item is not malware. Presumably this means they can identify bad actors even faster by seeing patterns. Good for consumers but it’s a pain for developers.

For those developers using Xcode it’s no big deal as it’s part of the built-in process. For Xojo developers the process is not nearly so simple. You still have to code sign your application and your disk image. We use AppWrapper from Ohanaware to code sign and notarize our apps. We also use DMG Canvas from Araelium Group to create disk images. AppWrapper can notarize disk images as well.

The process of Notarization is not as automated as one would hope. After you’ve code signed your application you have to click the Notarize button to send the application to Apple. This isn’t exactly clear but once you realize this it’s no big deal.

Notarizing requires some information for Apple. The first is your AppleID and since you’ve already code signed your application that should be a no brainer. The second is the application specific password. You can get this by logging in at AppleID account page at https://appleid.apple.com/#!&page=signin and then creating an app-specific password by choosing that option from the Security section.

The third bit of information that may be required is your short name ASC Provider. This information is not immediately obvious and your app may fail if you don’t have it. Note that the ASC Provider information is considered optional – until the process fails. Fun stuff. I had to look in the log created by AppWrapper to see this information:

Error: Your Apple ID account is attached to other iTunes providers. You will need to specify which provider you intend to submit content to by using the -itc_provider command. Please contact us if you have questions or need help. (1627)

To get your short name open Terminal and do the command shown here (this assumed Xcode 11). is your login username and is the password you created specifically for this application.

xcrun iTMSTransporter -m provider -u <AppleID>  -p <ApplicationSpecificPassword> 

This will provide you a listing of the long and short names of all of your providers. If you’re part of multiple Apple developer groups you’ll get all of them.

Voila! Once you have the short name and input into the ASC Provider section of AppWrapper and DMG Canvas my upload completed and Apple Notarized my application and disk image that works perfect in Catalina.

Hopefully this is helpful. Any other gotcha’s that you’ve seen from Catalina?