Comment by a_t48
2 months ago
Maybe I'm too dumb, but I haven't figured out a good way to sign just a binary (or a tar/zip containing a few binaries). I zipped up the binaries, sent them off to Apple, Apple comes back and says "yup, notarized!", and they still trigger the popup. I'm probably missing a step. I guess I'm not currently stapling the ticket to the binary, but supposedly you don't have to if you are running with a network connection.
There are two different steps: there is signing and there is notarization. You sign with the developer certificate using productsign/codesign, and then there is notarization, where you use notarytool to submit your signed binary to Apple to notarize.
Finally, you then take their response and staple it to your binary. It's a lot of steps.
Yup I do the first two - https://github.com/zig-for/snfm/blob/main/.github/workflows/...
The documentation implies the last step is optional https://developer.apple.com/documentation/security/customizi... but it might be inaccurate
> I guess I'm not currently stapling the ticket to the binary, but supposedly you don't have to if you are running with a network connection.
AFAIK, you do in fact have to staple the ticket. The other thing I found is that you have to make sure you're using the right kind of certificate from Apple.
You have to distribute a "bundle" in a particular directory layout.
You need to pay the tax; they are doing the 'pay money to reduce spam' solution.
This was with payment to Apple.