[See newest updates at the bottom of the article]
According to Apple (read here the whole article):
The Apple notary service is an automated system that scans your software for malicious content, checks for code-signing issues, and returns the results to you quickly. Notarization gives users more confidence that the Developer ID-signed software you distribute has been checked by Apple for malicious components. Notarization is not App Review.
Basically, it is some kind of whitelisting. From macOS Catalina on (late September 2019), notarization is mandatory: your installers won’t work if you don’t do your homework.
Gatekeeper
When your customers run your product’s installer.pkg, macOS Gatekeeper connects with Apple, checking whether the file you’re executing has been vetted and thus can be run safely. If this is the case, Gatekeeper pops up the usual warning anyway:
Because users can also be offline, you can staple the notary service’s response ticket directly to the installer – an optional but recommended step.
What you need
- An active subscription to the Apple Developer Program ($99 per year).
- Xcode 10 or newer (free download via the App Store).
- An app-specific password defined for your AppleID (see here for instructions).
Notarization walkthrough
I assume that you are at least vaguely familiar with the topic of code signing. I’m going to show you how to notarize a .pkg installer; caveats for slightly more complex scenarios (e.g. a .dmg that wraps a .pkg and/or .app plus other assets) will follow in a later section.
1. Create a DeveloperID Installer certificate
Log in to the Apple Developer portal and follow the “Certificates, Identifiers & Profiles” section. Create a new Certificate: when asked, select DeveloperID Installer:
Follow the instructions to complete the process – you’ll be required to open the Certificate Assistant from the Keychain Access application to create a Certificate request, then upload it to the Developer Portal. When the process is complete, you’ll be presented with a download link for your certificate, to be imported via double click into the Keychain Access app.
You can verify that the certificate has been successfully installed by opening the Terminal and pasting the following command:
Keep note of the string between quotes that says 'Developer ID Installer: ...'.
2. Signing the Installer
You don’t just need to notarize an installer, it must be signed first. Assuming that the installer.pkg file sits in the folder you have cd to in the Terminal window, you sign the installer with the following command (the output I’ve got comes right below the first line):
Let’s break that down:
- productsign is the utility in charge of the signing.
- --sign is the argument that defines the Identity associated with the Apple-issued certificate, which follows as a string.
- ./installer.pkg is the relative path (can be absolute as well) that points to the file you want to be signed.
- ./installer_signed.pkg is the path of the new, signed file that is going to be created by productsign.
Of course you should substitute the 'Developer ID Installer:' string with the one you’ve noted in the previous section, as well as the file paths.
You can verify that the installer_signed.pkg has really been signed with:
3. Sending the notarization request
Keep handy the app-specific password you’ve requested from your AppleID account (if you’ve not done it yet, follow the instructions here). Let’s say that it is cvbs-epfg-sizx-olwd. The command I’ve used to request the notarization is:
Let’s break that down:
- xcrun is used to find and execute Xcode commands.
- altool is the executable that performs the notarization request.
- --notarize-app is the flag that tells altool to request notarization.
- --primary-bundle-id links the installer I’m submitting to its unique bundle id (in my case 'com.ccextensions.alce3', substitute it with yours).
- --username wants your AppleID.
- --password wants the app-specific password you’ve requested (here, 'cvbs-epfg-sizx-olwd').
- --file is the flag that tells altool which file to upload. Please note that I had to specify the absolute full path (not the relative one that starts with ./) between quotes.
The command takes a while to upload the file, and gives you zero feedback; after a while, if the process has been successful, you get back something like:
Keep note of the RequestUUID string.
At this point your request for notarization has been sent to Apple, and you have to wait for them to process the file.
Mind you: if you get “Error: You must first sign the relevant contracts online. (1048)” (as it has happened to me several times) don’t panic.
You can launch Xcode to check whether it asks you to accept its Terms and Conditions, or run the following command to agree from the Terminal:
Then try checking at iTunesConnect, in the section “Agreements, Tax and Banking”. The “Paid Apps” list item may have a Status of “Pending User Information” [1], but there shouldn’t be any Agreement pending (usually their warnings are listed separately).
If, still, nothing works it may be a glitch on Apple’s side, so wait a couple of hours and try again.
4. Checking the notarization status
In the Terminal, enter:
The command now uses --notarization-info to poll the current status, and expects the same RequestUUID string that was sent to you in response to the original request. The result is something like this:
Please note the in progress status. At some point the result will be different, and hopefully similar to this one:
The installer has been successfully notarized!
If, for some reason, you have to perform several requests and want to check the notarization requests history, run the following command:
5. Stapling the ticket to the file
As I wrote, this step is optional but highly recommended: Gatekeeper will be able to find the whitelist info in the file itself, without the need to perform an online check.
The command here is much simpler: you don’t need to pass any RequestUUID string yourself, because stapler will call home to Apple on its own.
You can check stapling details with:
The result is too long to paste here, and frankly I’ve no idea what it means: as long as it ends with 'The validate action worked!' you should be fine.
And… you’re done 🍾
In my experience the Notarization can take from 60 seconds up to many hours (one time I’ve had the Terminal waiting and checking the status from 3PM to midnight). In theory it should be fast, in practice you can occasionally run into long delays.
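Steps 2 to 5 chained into one script, added here as an example (it is not code from the original post). It assumes altool prints "RequestUUID = <uuid>" after the upload and a "Status:" line for --notarization-info; the function names, the AC_PASSWORD variable and the sample reply are made up for the illustration.

```shell
#!/bin/sh
# Added example. Assumed altool output: "RequestUUID = <uuid>" after upload,
# and a "Status: <value>" line from --notarization-info.

# Constructed sample of a --notarization-info reply (all values made up).
SAMPLE_INFO='   RequestUUID: 00000000-1111-2222-3333-444444444444
        Status: in progress
   Status Code: 0'

# Read altool output on stdin, print the first RequestUUID found.
extract_uuid() {
    sed -n 's/^[[:space:]]*RequestUUID[[:space:]]*[=:][[:space:]]*\([0-9A-Fa-f-]\{36\}\).*$/\1/p' | head -n 1
}

# Print the value of the "Status:" line; "Status Code:" does not match.
extract_status() {
    sed -n 's/^[[:space:]]*Status:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' | head -n 1
}

# usage: notarize_pkg <identity> <bundle-id> <apple-id> <in.pkg> <out.pkg>
notarize_pkg() {
    identity=$1; bundle_id=$2; apple_id=$3; in_pkg=$4; out_pkg=$5
    productsign --sign "$identity" "$in_pkg" "$out_pkg" || return 1
    pkgutil --check-signature "$out_pkg" >/dev/null || return 1
    # altool wanted an absolute path in the walkthrough, so build one.
    abs_pkg="$(cd "$(dirname "$out_pkg")" && pwd)/$(basename "$out_pkg")"
    # "@env:AC_PASSWORD" tells altool to read the app-specific password from
    # that environment variable, so it stays out of shell history and argv.
    upload=$(xcrun altool --notarize-app --primary-bundle-id "$bundle_id" \
        --username "$apple_id" --password "@env:AC_PASSWORD" \
        --file "$abs_pkg" 2>&1) || { echo "$upload" >&2; return 1; }
    uuid=$(printf '%s\n' "$upload" | extract_uuid)
    [ -n "$uuid" ] || { echo "no RequestUUID in: $upload" >&2; return 1; }
    tries=0
    while [ "$tries" -lt 120 ]; do          # poll once a minute, 2 hours max
        status=$(xcrun altool --notarization-info "$uuid" --username "$apple_id" \
            --password "@env:AC_PASSWORD" 2>&1 | extract_status)
        case $status in
            success) xcrun stapler staple "$out_pkg" && xcrun stapler validate "$out_pkg"
                     return ;;
            "in progress"|"") tries=$((tries + 1)); sleep 60 ;;
            *) echo "notarization ended with status: $status" >&2; return 1 ;;
        esac
    done
    echo "gave up waiting for $uuid" >&2; return 1
}

# Run the pipeline only when called with its five arguments.
if [ "$#" -eq 5 ]; then notarize_pkg "$@"; fi
```

Export AC_PASSWORD in the build environment before calling the script; any status other than success or in progress stops the run before stapling.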
Caveats for different scenarios
The example I’ve shown is for one installer.pkg file. Let’s say that you (as I do) deliver to your customers a product.dmg file, that wraps the installer.pkg, an additional uninstaller.app (say, an app-ified AppleScript) and some documentation as well.
In this case, you need to:
- Notarize only the outermost container (here the .dmg).
- Sign all the executable children elements (here the .app and .pkg) and the .dmg as well.
Please note that in order to sign a .dmg you need a “Developer ID Application” certificate, instead of the “Developer ID Installer” I’ve used for the .pkg.
Lastly, things may get a bit convoluted when it comes to extra libraries/bundles that may be called by your panel – if you feel like it’s your case, please read this thread.
UPDATE: DMG Canvas
The software that I use, and recommend, to build .dmg files is Araelium DMG Canvas, which has recently bumped to version 3.x (a paid upgrade, around $10). One of the new features is the possibility to automate the notarization process while building the .dmg itself.
To tell you the truth, the first product I’ve used that for went flawlessly, and in a snap; the second product failed due to a timeout, which sounds very much like an Apple issue rather than Araelium’s. Please note that DMG Canvas does the stapling too, which is quite handy, and can be automated to fit your build system.
UPDATE: Uninstaller app
As I’ve finally upgraded my machine to Catalina, I’m able to experience the entire, happy spectrum of Catalina-related issues. I’ve discovered that with the Uninstall.app the signature I’ve been doing is not enough: the notarization of the outer .dmg fails with the error: 'The executable does not have the hardened runtime enabled.'.
If this is the case, be aware that you should not export the Uninstall.scpt to Uninstall.app while signing it with the Script Editor (it’s an option in the File > Export dialog). Instead, export it without signature and then use the codesign utility with the -o runtime flag:
Also, it might happen that the signing process of the .app fails because of the error: 'resource fork, Finder information, or similar detritus not allowed'. You can spot such digital detritus running:
To clean that mess (whatever it is), run:
…and the subsequent codesign should complete with no problems.
PS. I will update the Ultimate Guide to Native Installers and Automated Build Systems as well, I just wanted you to get informed asap.
[1] If you don’t plan to sell through Apple, there’s no point in filling the uber-annoying Tax forms, etc.