Code signing my SheepShaver and BasiliskII builds

Ronald P. Regensburg
Expert User
Posts: 7821
Joined: Thu Feb 09, 2006 10:24 pm
Location: Amsterdam, Netherlands

Code signing my SheepShaver and BasiliskII builds

Post by Ronald P. Regensburg »

So I joined the Apple Developer Program for $99 a year.

Now I will need to get hold of a certificate.

If, in the process, I get confused about how to proceed, I will ask here for help. :smile:

Re: Code signing my SheepShaver and BasiliskII builds

Post by Ronald P. Regensburg »

First stumbling block.

I got my "Developer ID Application" certificate and installed it in my Keychain.

Until now, I understood that I could code sign my applications without being bothered about hardening or notarization, as long as I distributed outside the App Store.

However, this line appeared on the page where I downloaded the certificate:
If you're generating your first Developer ID certificate, the software that you sign it with must be notarized by Apple in order to run on macOS 10.14.5 or later.
Now what?
Last edited by Ronald P. Regensburg on Thu Jul 25, 2019 1:53 pm, edited 1 time in total.
emendelson
Forum All-Star
Posts: 1706
Joined: Tue Oct 14, 2008 12:12 am

Re: Code signing my SheepShaver and BasiliskII builds

Post by emendelson »

Since SheepShaver (and probably BasiliskII) cannot be notarized anyway (see kanjitalk755's explanation in another thread), this may not matter in any practical way. If you're creating an AppleScript application, use SD Notary (also referred to in another thread) to notarize it.

After notarizing something, try to codesign SheepShaver and see what happens. I doubt it will work, if Apple means what it says, but it's worth trying.

Re: Code signing my SheepShaver and BasiliskII builds

Post by Ronald P. Regensburg »

I'll see what I can produce to fool Apple.

Re: Code signing my SheepShaver and BasiliskII builds

Post by emendelson »

Maybe start by using SD Notary to notarize the scripts that I notarized earlier?

Re: Code signing my SheepShaver and BasiliskII builds

Post by Ronald P. Regensburg »

I am trying to figure out how to use SD Notary for notarization. The "app-specific password" still confuses me.

Do I always need to use "altool" as name for the app-specific password, as you wrote in the other thread?
emendelson wrote: The only possibly confusing part is creating and storing the device-specific password. Apple will give you a password that looks like abcd-efgh-ijkl-mnop. The instructions show how to enter into the Keychain, with the name "altool". When you use SD Notary, you enter the name "altool" (no quotation marks) in the SD Notary utility and it works.
But isn't it so that if you want to notarize more than one application, you will need an app-specific password for each application? Then you would also need more names for app-specific passwords.

Re: Code signing my SheepShaver and BasiliskII builds

Post by emendelson »

You only have to set up the app-specific password once, to be used by the "altool" unix command that sends the notarization request. You do NOT need a new password for the scripts or apps that you notarize. Once you have created the app-specific password for the altool command, you never have to create an app-specific password again for anything involving notarization.

You surely know this already, but in case anyone else is reading this, this page shows you how to set up an app-specific password:

http://learn.buildfire.com/en/articles/ ... c-password

When you create the password, give it a name. The reason to use the name "altool" is that you'll be using it for the command-line altool application, and it's easy to remember, and the guides tell you to use it, so it's easy to look in the guide if you forget it. But if you want to call it "MonaLisa" or "BritneySpears", feel free to do so.

Then, when you run the SD Notary app, all you need to do is enter "altool" in the "Keychain Item Name" in the SD Notary app, as described here:

https://latenightsw.com/sd-notary-notarizing-made-easy/

The reason to use the name "altool" and not the password itself is that you don't have to remember "abcd-efgh-ijkl-mnop" or type it into a window where other people can see it. The SD Notary app gets the password from the keychain by looking up its name.

Let me know if you have any other questions. When you get this set up the first time, you don't have to set it up again.
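
The point made in the post above, that the notarization tool is handed the keychain item name rather than the password itself, shown as an added shell example that is not part of the original thread. The `@keychain:` reference is altool's own syntax; the function names and the sample Apple ID, bundle ID and file name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Apple ID, bundle id and file name used
# by callers are constructed placeholders.

# True when $1 has the shape of a literal app-specific password
# (abcd-efgh-ijkl-mnop), which must never be passed on a command line.
looks_like_app_password() {
    case "$1" in
        [a-z][a-z][a-z][a-z]-[a-z][a-z][a-z][a-z]-[a-z][a-z][a-z][a-z]-[a-z][a-z][a-z][a-z])
            return 0 ;;
    esac
    return 1
}

# True when a generic-password item with service name $1 is in the keychain.
# Assumption: the item was stored with its name as the service, as Keychain
# Access does for a new password item.
keychain_item_exists() {
    security find-generic-password -s "$1" >/dev/null 2>&1
}

# notarize APPLE_ID ITEM_NAME BUNDLE_ID ZIP
# Submits ZIP with altool, handing over only the keychain item name.
notarize() {
    apple_id=$1 item=$2 bundle_id=$3 zip=$4
    if looks_like_app_password "$item"; then
        echo "error: pass the keychain item name, not the password" >&2
        return 2
    fi
    if ! keychain_item_exists "$item"; then
        echo "error: no keychain item named '$item'" >&2
        return 3
    fi
    # altool resolves @keychain:NAME itself, so the secret never appears in
    # this script, the shell history or the process list.
    xcrun altool --notarize-app \
        --primary-bundle-id "$bundle_id" \
        --username "$apple_id" \
        --password "@keychain:$item" \
        --file "$zip"
}

# Example call on macOS (placeholders):
#   notarize dev@example.com altool com.example.myscript MyScript.zip
```

Apple has since replaced altool's notarization commands with `xcrun notarytool`, which takes a stored keychain profile in the same spirit.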

Re: Code signing my SheepShaver and BasiliskII builds

Post by Ronald P. Regensburg »

Thanks for the explanation! I misunderstood "app-specific password". I thought it was a password specific for the application to be notarized. But I understand now that it is a password that is linked to the tool that is used for notarizing.
adespoton
Forum All-Star
Posts: 4226
Joined: Fri Nov 27, 2009 5:11 am
Location: Emaculation.com

Re: Code signing my SheepShaver and BasiliskII builds

Post by adespoton »

Essentially what it's doing is providing an app-specific access to your Apple ID. The access hash is stored in your keychain, and the password/hash pair is stored in your Apple ID, where you can revoke it from Apple's website at any time.

The only software that can access your Apple ID is software signed by Apple for that purpose, or software for which you've created an app-specific password such as altool.