I have a .NET application that is designed to be run on the command line. You type the name of the application followed by its arguments in a shell window, it does some work, and prints the results. That all works perfectly fine.
But, of course, if I distribute that application, MacOS warns the user that they're about to run a potentially malicious application. To avoid this, I need to get the application notarized by Apple.
I've joined the developer program, created my keys, and verified that I can sign things with them.
Except signing fails with .NET 5. I eventually found (but cannot refind) a Microsoft bug report about that where they claim it's fixed in .NET 6 and they have no plans to back port. Okay.
I upgrade to .NET 6 and build my application. It works fine.
Now about the signing and notarizing. Apple expects you to do this in XCode, but this is a .NET application, not an XCode application. I found a number of pages that talked about how to build the bundles that you need for Apple to notarize.
The https://github.com/KosalaHerath/macos-installer-builder might work, but it seems hardcoded to put the installed artifacts in /Library without asking. That's not sufficient.
This tutorial shows how to create a package, https://www.xamboy.com/2020/05/28/net-core-application-macos-packaging-and-notarization/ and that also might work, but the resulting application doesn't run on the command line; it pops up a new window. That's not useful.
This weblog describes the process, https://thegreyblog.blogspot.com/2014/06/os-x-creating-packages-from-command_2.html but it seems to be predicated on the application being compiled with XCode, which obviously mine isn't.
Eventually, I found https://github.com/mitchellh/gon which builds, signs, submits and successfully gets notarized, stapled files back.
Here's my config, anonymized slightly:
    source = [
      "./build/cs/bin/Release/net5.0/osx-x64/publish/AppCS",
      "./build/cs/bin/Release/net5.0/osx-x64/publish/AppCS.pdb",
      "./build/cs/bin/Release/net5.0/osx-x64/publish/AppCS.xml",
      "./build/cs/bin/Release/net5.0/osx-x64/publish/libSystem.IO.Compression.Native.dylib",
      "./build/cs/bin/Release/net5.0/osx-x64/publish/libSystem.Native.dylib",
      "./build/cs/bin/Release/net5.0/osx-x64/publish/libSystem.Net.Security.Native.dylib",
      "./build/cs/bin/Release/net5.0/osx-x64/publish/libSystem.Security.Cryptography.Native.Apple.dylib",
      "./build/cs/bin/Release/net5.0/osx-x64/publish/libSystem.Security.Cryptography.Native.OpenSsl.dylib",
      "./build/cs/bin/Release/net5.0/osx-x64/publish/libclrjit.dylib",
      "./build/cs/bin/Release/net5.0/osx-x64/publish/libcoreclr.dylib"
    ]

    bundle_id = "com.example.AppCS"

    apple_id {
      username = "norm@example.com"
      password = "@env:AC_PASSWORD"
    }

    sign {
      application_identity = "Developer ID Application: Example Limited"
    }

    dmg {
      output_path = "app.dmg"
      volume_name = "AppCS"
    }

    zip {
      output_path = "app.zip"
    }
Fantastic!
Except they don't work. :-( After a little digging it seems that the process of signing the files corrupts them. After signing, running the application reports:
Failed to create CoreCLR, HRESULT: 0x80004005
Is it possible to thread this needle?
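Added example, not part of the question above and not gon's own code: a small POSIX shell script that does what a practitioner would check before handing a publish directory to a signing tool. It picks out only the Mach-O files in the directory (the host executable and the native .dylibs, identified by magic bytes rather than extension, so the .pdb and .xml files are left alone), writes the hardened-runtime entitlements plist that Microsoft documents for notarizing .NET apps (the runtime needs to JIT and map its own executable memory, which `--options runtime` forbids unless these entitlements are present), signs each Mach-O with it, and verifies the signatures afterwards. The publish path and the signing identity are placeholders; whether the entitlements are the cause of the HRESULT in the question is not something this script decides, it only makes the signing step explicit and verifiable.

```shell
#!/bin/sh
# Added example (not from the question). Sign a .NET publish directory for the
# hardened runtime and verify the result. Paths and identity are placeholders.

# Write the entitlements Microsoft documents for notarizing .NET apps.
# $1 = path of the plist to create.
write_entitlements() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.security.cs.allow-jit</key><true/>
  <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
  <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
</dict>
</plist>
EOF
}

# Print the regular files under $1 that start with a Mach-O or fat-binary
# magic number. Extension is not trusted: a .pdb or .xml is data, a host
# executable has no extension at all.
list_macho_files() {
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    magic=$(od -An -N4 -tx1 "$f" 2>/dev/null | tr -d ' \n')
    case "$magic" in
      cffaedfe|cefaedfe|cafebabe) echo "$f" ;;
    esac
  done
}

# Sign every Mach-O in $1 with identity $2 and entitlements $3.
# Each file is signed separately; a .NET publish directory is not an app
# bundle, so there is no single bundle to sign.
sign_publish_dir() {
  for f in $(list_macho_files "$1"); do   # paths assumed to contain no spaces
    codesign --force --timestamp --options runtime \
      --entitlements "$3" --sign "$2" "$f" || return 1
  done
}

# Strictly verify every signature and show the entitlements that were embedded.
verify_publish_dir() {
  for f in $(list_macho_files "$1"); do
    codesign --verify --strict --verbose=2 "$f" || return 1
    codesign -d --entitlements - "$f" 2>&1 | grep -q 'allow-jit' || return 1
  done
}

# Usage on a Mac (placeholders):
#   sh sign.sh ./build/cs/bin/Release/net6.0/osx-x64/publish \
#              "Developer ID Application: Example Limited"
if [ "$#" -eq 2 ]; then
  ents="${TMPDIR:-/tmp}/dotnet-entitlements.plist"
  write_entitlements "$ents"
  sign_publish_dir "$1" "$2" "$ents" && verify_publish_dir "$1" && echo "signed and verified"
fi
```

The same plist can be handed to gon instead of calling `codesign` directly; recent gon versions accept an `entitlements_file` attribute in the `sign` block (check the README of the version you use). Either way, the `verify_publish_dir` step is the one worth keeping: a signature that `codesign --verify --strict` rejects, or one that carries no entitlements, is the first thing to rule out before looking at the runtime.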