Reputation: 1407
I have an app that is signed, notarized and stapled, then archived into a zip file which is used as the object for my Sparkle updater.
I also distribute it on a DMG image for new users (which is the main download from my website). Can I just put the notarized/stapled app on a DMG, or do I need to go through a separate notarization and staple process for the DMG file?
Upvotes: 13
Views: 8218
Reputation: 17491
As far as I understand from reading the Apple docs in 2024, one needs to notarize the DMG only.
Alternatively, you can put apps, kernel extensions, and other software in a container, like a disk image, and notarize the container. The notary service accepts disk images (UDIF format), signed flat installer packages, and ZIP archives. It processes nested containers as well, like packages inside a disk image.
Important: If you distribute your software via a custom third-party installer, you need two rounds of notarization. First you notarize the installer’s payload (everything the installer will install). You then package the notarized (and stapled, as described in Staple the ticket to your distribution) items into the installer and notarize it as you would any other executable. If you use a network installer, separately notarize both the installer and the items it downloads.
Upvotes: 0
Reputation: 1188
From what I read in the Apple docs (see quote below) and from my experience with my own and other apps, it's enough to just notarize the DMG. You don't have to notarize the App first...
"For example, if you submit a disk image that contains a signed installer package with an app bundle inside, the notarization service generates tickets for the disk image, installer package, and app bundle."
Upvotes: 6
Reputation: 17015
You only have to notarize the app once:
To confirm that the app is notarized run this command:
spctl -a -t exec -vv MyApp.app
And you'll see something like:
MyApp.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Name (ID)
(Notice how the source is "Notarized Developer ID")
You can also confirm that the ticket is stapled by running this command:
xcrun stapler validate MyApp.app
And you'll see this message:
Processing: /path/to/MyApp.app
The validate action worked!
Notarizing the DMG file is enough because the notarization service notarizes any app inside the disk image. From Apple documentation:
Alternatively, you can put apps, kernel extensions, and other software in a container, like a disk image, and notarize the container. The notary service accepts disk images (UDIF format), signed flat installer packages, and ZIP archives. It processes nested containers as well, like packages inside a disk image.
You can use the DMG file for Sparkle too. No need for a second archive. From Sparkle documentation:
Sparkle supports updating from DMG, ZIP archives, tarballs, and installer packages, so you can generally reuse the same archive for distribution of your app on your website as well as Sparkle updates.
Upvotes: 8
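The two checks from the answer above, combined into a release gate that can run before an app is packaged for download or for Sparkle (an added example, not part of the original answer or of Apple's tooling). The function names and script layout are assumptions; the parsing functions read command output on stdin so they can be exercised without a Mac.

```shell
#!/bin/sh
# Added example: release gate built on the spctl and stapler checks above.
# Function names and script layout are assumptions, not Apple tooling.

# Reads `spctl -a -t exec -vv` output on stdin. Succeeds only when the bundle
# was accepted AND the source line says it is notarized; "accepted" alone is
# not treated as proof of notarization.
spctl_output_is_notarized() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q ': accepted$' || return 1
    printf '%s\n' "$out" | grep -qx 'source=Notarized Developer ID' || return 1
}

# Reads `xcrun stapler validate` output on stdin and looks for the success line.
stapler_output_is_valid() {
    grep -qx 'The validate action worked!'
}

# Runs both checks against one app bundle (macOS only).
check_app() {
    app=$1
    # Merge stderr so the assessment lines reach the pipe wherever spctl writes them.
    if ! spctl -a -t exec -vv "$app" 2>&1 | spctl_output_is_notarized; then
        echo "FAIL (Gatekeeper assessment): $app" >&2
        return 1
    fi
    if ! xcrun stapler validate "$app" 2>&1 | stapler_output_is_valid; then
        echo "FAIL (no valid stapled ticket): $app" >&2
        return 1
    fi
    echo "OK: $app"
}

# Usage: sh check_notarized.sh MyApp.app [Other.app ...]
for app in "$@"; do
    check_app "$app" || exit 1
done
```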
Reputation: 6461
You must zip the app, send the zip for notarization, then staple the original app. Then make the dmg with the stapled app, zip the dmg, send it for notarization, staple the dmg, and distribute.
Upvotes: 4