How to upload dmg file for notarization in xcode

Problem description

I am trying to upload our existing app to apple for notarization.

According to the document https://help.apple.com/xcode/mac/current/#/dev88332a81e I have to open the app in the Xcode archive organizer.

We have a dmg file generated from our jenkins build server. How do I open the dmg file in xcode to upload?

Also, is there some command line tool that I can use for the notarization?

Recommended answer

You can do it from the command line.

First you will need to extract the .app from your .dmg and resign it, removing the com.apple.security.get-task-allow entitlement in the process (this is added automatically by the build to support debugging and normally gets removed by archiving - the notarization service won't accept a package with that entitlement, however, so you must remove it).

The .entitlements file you use can just be an empty one.

Xcode 10.2 and higher lets you set a build setting "Code Signing Inject Base Entitlements" that will prevent the com.apple.security.get-task-allow entitlement from being added in the first place. You can use this option on e.g. release builds where debugging is not required, and skip this whole dance of resigning and repackaging with an empty entitlements file.

Note also the use of the --options runtime, which specifies your app was built with the hardened runtime, and is also required.

codesign -f -s "Developer ID Application: Name (ID)" --entitlements my-entitlments.entitlements --options runtime MyApp.app

Now you need to repackage your .app back inside a .dmg, and resign that:

(I use the --options runtime flag here too, though not sure if it's necessary)

codesign -s "Developer ID Application: Name (ID)" MyApp.dmg --options runtime

Then use altool to submit your .dmg:

(Username and password must be someone on the macOS team in the developer portal)

xcrun altool --notarize-app -f MyApp.dmg --primary-bundle-id my-app.myapp -u username -p password

If it uploads successfully, you will get back a token:

RequestUUID = 28fad4c5-68b3-4dbf-a0d4-fbde8e6a078f

Then you can check the status with altool, using that token:

xcrun altool --notarization-info 28fad4c5-68b3-4dbf-a0d4-fbde8e6a078f -u username -p password

Eventually, it will either succeed or fail. Just keep checking. Check the "Status" field of the response, which should be "success". The response will also include a log file that you can use to troubleshoot errors.

Assuming it succeeds, you need to staple the notarization to the app:

xcrun stapler staple MyApp.dmg

And then validate:

xcrun stapler validate MyApp.dmg

The validate action worked!

You can also apply the quarantine flag to your .app and try to launch it; you will see the new Gatekeeper dialog:

xattr -w com.apple.quarantine MyApp.app
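
The "just keep checking" step from the answer above, written as a CI helper for a build server such as Jenkins. This is an added example, not part of the original answer. The function names, the AC_USERNAME / AC_PASSWORD variables, the "Status:" line layout and the "in progress" value are assumptions; the page itself only shows the "RequestUUID = ..." line and the "success" status.

```shell
#!/bin/sh
# Added example (not from the original answer). Assumes the CI job exports
# AC_USERNAME and AC_PASSWORD. "@env:AC_PASSWORD" tells altool to read the
# password from the environment, keeping it out of the process list and log.

# Extract the UUID from altool's "RequestUUID = <uuid>" submission output.
extract_request_uuid() {
    sed -n 's/^[[:space:]]*RequestUUID[[:space:]]*[=:][[:space:]]*\([0-9a-fA-F-]\{36\}\).*$/\1/p' | head -n 1
}

# Extract the "Status:" field (not "Status Code:" or "Status Message:").
extract_status() {
    sed -n 's/^[[:space:]]*Status:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' | head -n 1
}

# Real status query; kept in its own function so it can be stubbed offline.
notarization_info() {
    xcrun altool --notarization-info "$1" -u "$AC_USERNAME" -p "@env:AC_PASSWORD"
}

# Poll until a final status arrives.
# Returns 0 on "success", 1 on any other final status, 2 on timeout.
wait_for_notarization() {
    uuid=$1
    tries=${2:-30}    # maximum number of polls
    delay=${3:-60}    # seconds between polls
    while [ "$tries" -gt 0 ]; do
        status=$(notarization_info "$uuid" 2>&1 | extract_status)
        case "$status" in
            success) return 0 ;;
            "in progress"|"") ;;   # still running, or no status in the reply
            *) echo "notarization failed: $status" >&2; return 1 ;;
        esac
        tries=$((tries - 1))
        if [ "$tries" -gt 0 ]; then sleep "$delay"; fi
    done
    return 2
}
```

A build step would call `wait_for_notarization "$uuid"` and run `xcrun stapler staple MyApp.dmg` only when it returns 0, so a rejected or timed-out submission fails the job instead of shipping an unstapled image.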
