App Signing on macOS; aka "cannot be opened because the developer cannot be verified"

[allejo]

Looks like we really need to look into signing our distributable for macOS now. Right-clicking and hitting open no longer bypasses GateKeeper on the latest macOS 11 and results in this message:

The only remaining ways to bypass this is to go to System Preferences > Security & Privacy and allow the app to open,

Or go into Terminal and run this command.

xattr -d com.apple.quarantine BZFlag-2.4.22.app

[macsforme]

I am unable to reproduce this on my machine with Big Sur 11.4. After downloading, activating the contextual menu, and clicking Open, I get a dialog allowing me to open the application. From the discussion on IRC, it sounds like reproducing this issue is hit-and-miss over several different machines.

In any case, I do agree that we need to move toward signing and notarizing our builds.

[macsforme]

I was asked to summarize the current obstacles to signing and notarizing our macOS builds:

Back when I had a paid Apple developer account, I was signing our builds for several years. It was a fairly easy post-build step on the command line (not the only available method, but the preferable one at the time):

codesign --sign "Developer ID Application: Josh Bodine (XXXXXXXXXX)" --deep --force BZFlag.app

Starting around macOS 10.15 Catalina, Gatekeeper also requires applications to be notarized to run by default. A year or two back, ashvala and I were playing around with notarization using his paid Apple developer account (I no longer have one at the moment). It appeared that we would need to semi-substantially change our build system to accommodate notarization. This is from memory, but the general process seemed to be:

1. We need to create a manifest file of some kind, which is possibly similar in nature to our Info.plist. I remember looking at the format of this file (what you would put into it) and having trouble comprehending it, while also thinking that none of it really seemed pertinent to our application.
2. Once the manifest is incorporated into the build system, you would build the application within Xcode and then create an "archive" of the application, which I believe was some kind of zip archive (possibly with other info included).
3. We would submit the archive file to Apple's notarization service using a command-line tool, and after a short period of time, it would come back to us in a notarized state.

Here are links to some information I reviewed back when I last looked at this issue:

https://cocoacasts.com/what-are-app-ids-and-bundle-identifiers/ (these identifiers apparently become more significant once you start notarizing, possibly because of having to be unique for each version IIRC)
https://medium.com/@marksiu/how-to-build-ios-project-with-command-82f20fda5ec5 (describes creating an Xcode application archive on the command line, which would possibly help us keep signing/notarization as a post-build process)
https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow#3087734
https://abhimuralidharan.medium.com/what-is-a-provisioning-profile-in-ios-77987a7c54c2 (general info about application code signing)
https://stackoverflow.com/questions/3465792/whats-the-difference-between-bundle-display-name-and-bundle-name-in-cocoa-a (an important distinction, which I believe we recently fixed)

[blast007]

https://developer.apple.com/news/?id=saqachfa

In macOS Sequoia, users will no longer be able to Control-click to override Gatekeeper when opening software that isn’t signed correctly or notarized. They’ll need to visit System Settings > Privacy & Security to review security information for software before allowing it to run.

If you distribute software outside of the Mac App Store, we recommend that you submit your software to be notarized. The Apple notary service automatically scans your Developer ID-signed software and performs security checks. When your software is ready for distribution, it’s assigned a ticket to let Gatekeeper know it’s been notarized so customers can run it with confidence.