MacOS codesigning on Flet0.25.2

[ap4499]

Just sharing how I managed to get past Notarization + codesign on MacOS.

I'm interested to know what others have done, or what best practice is. I feel that the below is a little cumbersome, but I struggled to find any documentation on the specifics.

1. To kick off, I used the following file - the same as Flutter, to setup Xcode.
   Runner.xcworkspace
   (contained within ./build/flutter/macos)

2. After having done this, and clicked product > archive > distribute app > direct distribution, I was met with a lot of Notarization issues - all pertained to unsigned code, incorrect entitlements, or timestamps.

3. To rectify these issues, I created a shell script to accommodate each issue, and I have shared a generalised version below. The signature used is an Apple Distribution signature.

#!/bin/bash

APP_NAME="demo"
APP_DISPLAY_NAME="Demo"
FLUTTER_BUILD_DIR="build/flutter/build"
FLUTTER_APP_ZIP="build/flutter/app/app.zip"
DEVELOPER_ID_APP_CERT="Developer ID Application: First Last (AB12345C6D)"
WORKING_DIR=$(pwd)

# Create entitlements.plist
cat <<EOF > "entitlements.plist"
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>com.apple.security.app-sandbox</key>
        <false/>
        <key>com.apple.security.cs.allow-jit</key>
        <true/>
        <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
        <true/>
        <key>com.apple.security.cs.disable-library-validation</key>
        <true/>
</dict>
</plist>
EOF

# Unpack, sign, and repack the app.zip file
if [ -f "$FLUTTER_APP_ZIP" ]; then
    echo "Processing $FLUTTER_APP_ZIP"
    APP_ZIP_DIR="$(dirname "$FLUTTER_APP_ZIP")"
    cd "$APP_ZIP_DIR" || exit 1

    TEMP_DIR="tmp"
    rm -rf "$TEMP_DIR"
    mkdir -p "$TEMP_DIR"
    unzip -q app.zip -d "$TEMP_DIR"

    # Remove extended attributes
    find "$TEMP_DIR" -type f -exec xattr -c {} \;

    # Sign .so and .dylib files
    echo "Signing .so and .dylib files (excluding ~orch):"
    find "$TEMP_DIR" -type f \( -name "*.so" -o -name "*.dylib" \) -not -path "*~orch*" -print0 | while IFS= read -r -d $'\0' so_dylib_file; do
        echo "  Signing: $so_dylib_file"
        codesign --force --timestamp -vvvv --sign "$DEVELOPER_ID_APP_CERT" --options runtime "$so_dylib_file"
    done

    cd "$TEMP_DIR" || exit 1
    echo "Repacking app.zip"
    zip -q -r ../app.zip .
    cd ..
    rm -rf "$TEMP_DIR"

    cd "$WORKING_DIR" || exit 1
else
    echo "Warning: $FLUTTER_APP_ZIP not found."
fi

# Sign all code within build/flutter/build
echo "Signing code in $FLUTTER_BUILD_DIR"
find "$FLUTTER_BUILD_DIR" \( -name "*.so" -o -name "*.dylib" -o -perm +111 -type f \) -exec codesign --force --timestamp -vvvv --sign "$DEVELOPER_ID_APP_CERT" --options runtime {} \;

# Find main executable within build/flutter/build
MAIN_EXECUTABLE=$(find "$FLUTTER_BUILD_DIR" -name "$APP_NAME" -type f)

# Sign the main executable with entitlements
if [ -n "$MAIN_EXECUTABLE" ]; then
    echo "Signing main executable: $MAIN_EXECUTABLE"
    codesign --force --timestamp -vvvv --sign "$DEVELOPER_ID_APP_CERT" --entitlements entitlements.plist --options runtime "$MAIN_EXECUTABLE"
else
    echo "Error: Main executable not found in $FLUTTER_BUILD_DIR"
    exit 1
fi

I am now passed the Notarization step.. but thought I'd share my workflow for either suggestions of an easier way, or should someone find this in any way useful.

Environment is:
MacOS 15.2
Flet 0.25.2

[FeodorFitsner]

Thanks for putting everything together - much appreciated! Many of those steps could be built into flet build command.

Question: you are building (compiling) the app after signing contents of app and app.zip, right? Cause app.zip comes as "asset" and thus become part of ".car" file inside app bundle.

[ap4499]

Workflow is:
Flet Build MacOS
Codesign (script above)
Xcode (step 1 onwards above)

At first, I tried signing the runnable .app (and contents etc.) from Flet directly. But it seems Xcode doesn't pull that executable in. Instead, I signed the folders above, including the app.zip (not inside the .app bundle), and that seemed to resolve it.

[ap4499]

TDLR: The above is still required, however, the final Notarized .app did not run in a clean environment, it needed to be placed inside a (Notarized) .dmg.

Adding to this, when releasing my application (to a test env with a clean Gatekeeper), the application failed to launch with Gatekeeper errors.
I had copied the file to a Google Drive, and then downloaded in to the clean OS. To simulate a kind of CDN scenario, with a file originating from the internet.

I have (very) limited MacOS experience, but my understand from the Apple dev forums, is that .app packages are very vulnerable to this issue. The OS changes data when the application is copied, downloaded or similar.

Again, I'm not an expert on MacOS, nor Gatekeeper - and any wisdom would be appreciated.

But, the solution to this was to:

1. Export the Notarzied .app from Xcode to a folder location.
2. Create, sign, and Notarize a .dmg that contains the .app file.
3. The .dmg now successfully mounts and runs on a clean dev environment/VM.

#!/bin/bash

# --- Manual steps ---
# Place the notarized .app within the folder "Notarized" within the root.



# --- Configuration Variables ---

# Developer ID Application certificate (replace with your actual certificate)
DEVELOPER_ID="Developer ID Application: First Last (AB12345C6D)"

# Path to your .app file
APP_PATH="./Notarized/DEMO.app"

# Name of the .dmg file (without the .dmg extension)
DMG_NAME="DEMO"

# Output directory for the .dmg file (default: same directory as the script)  
DMG_OUTPUT_DIR="./DMG/"

# Your Apple ID
APPLE_ID="firstlast@email.com"  # Your Apple ID

# App-specific password - generate one in your Apple ID account settings
APP_SPECIFIC_PASSWORD="passwod" 


# Your Team ID (find this in your Apple Developer account)
TEAM_ID="AB12345C6D"  # Your Apple Developer Team ID

# --- End of Configuration ---

# --- Script ---



# Check if required variables are set
if [ -z "$DEVELOPER_ID" ] || [ -z "$APP_PATH" ] || [ -z "$DMG_NAME" ] || [ -z "$APPLE_ID" ] || [ -z "$APP_SPECIFIC_PASSWORD" ] || [ -z "$TEAM_ID" ]; then
  echo "Error: One or more required variables are not set. Please edit the script and fill in the configuration variables."
  exit 1
fi

# Check if the .app file exists
if [ ! -d "$APP_PATH" ]; then
  echo "Error: .app file not found at $APP_PATH"
  exit 1
fi

# Create the full path for the .dmg file
DMG_PATH="$DMG_OUTPUT_DIR/$DMG_NAME.dmg"

# 0. Create the folder for the .dmg
mkdir -p "$DMG_OUTPUT_DIR"


# 1. Create the .dmg
echo "Creating DMG: $DMG_PATH"
hdiutil create -volname "$DMG_NAME" -srcfolder "$APP_PATH" -ov -format UDZO "$DMG_PATH"

# 2. Sign the .dmg
echo "Signing DMG..."
codesign --force --sign "$DEVELOPER_ID" "$DMG_PATH"

# 3. Notarize the .dmg
echo "Notarizing DMG... (This may take a while)"
xcrun notarytool submit --wait --apple-id "$APPLE_ID" --password "$APP_SPECIFIC_PASSWORD" --team-id "$TEAM_ID" "$DMG_PATH"

# Check notarization status
if [ $? -eq 0 ]; then
    echo "DMG notarized successfully."
else
    echo "Error: DMG notarization failed."
    exit 1
fi

# 4. Staple the notarization ticket
echo "Stapling DMG..."
xcrun stapler staple "$DMG_PATH"

# Check stapler status
if [ $? -eq 0 ]; then
    echo "DMG stapled successfully. Created, signed, notarized, and stapled DMG at: $DMG_PATH"
else
    echo "Error: DMG stapling failed."
    exit 1
fi

exit 0



# The below should be used in the terminal to run this script. This assumes your terminal is pointing to the script dir
# We need the chmod to give the script execution rights.
# chmod +x create_dmg.sh
# ./create_dmg.sh