Last active
April 9, 2025 18:44
-
-
Save joshtynjala/b93cf8733ad58be583c40c26fe02c427 to your computer and use it in GitHub Desktop.
Ant scripts for macOS sign and notarize
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!-- how to sign an Adobe AIR app with captive runtime on macOS for distribution outside of App Store (Developer ID application) --> | |
| <!-- notice that you need to sign multiple files inside the .app bundle, along with the .app bundle itself --> | |
| <exec executable="/usr/bin/codesign" failonerror="true"> | |
| <arg value="-f"/> | |
| <arg value="-v"/> | |
| <arg value="-s"/> | |
| <arg value="Developer ID Application: My Company"/> | |
| <arg value="--deep"/> | |
| <arg value="--options"/> | |
| <arg value="runtime"/> | |
| <arg value="--entitlements"/> | |
| <arg value="Entitlements.plist"/> | |
| <arg value="MyApp.app/Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Resources/WebKit.dylib"/> | |
| </exec> | |
| <exec executable="/usr/bin/codesign" failonerror="true"> | |
| <arg value="-f"/> | |
| <arg value="-v"/> | |
| <arg value="-s"/> | |
| <arg value="Developer ID Application: My Company"/> | |
| <arg value="--deep"/> | |
| <arg value="--options"/> | |
| <arg value="runtime"/> | |
| <arg value="--entitlements"/> | |
| <arg value="Entitlements.plist"/> | |
| <arg value="MyApp.app/Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Resources/A2712Enabler"/> | |
| </exec> | |
| <exec executable="/usr/bin/codesign" failonerror="true"> | |
| <arg value="-f"/> | |
| <arg value="-v"/> | |
| <arg value="-s"/> | |
| <arg value="Developer ID Application: My Company"/> | |
| <arg value="--deep"/> | |
| <arg value="--options"/> | |
| <arg value="runtime"/> | |
| <arg value="--entitlements"/> | |
| <arg value="Entitlements.plist"/> | |
| <arg value="MyApp.app"/> | |
| </exec> | |
| <!-- verifies that the code signing of .app file is valid --> | |
| <exec executable="/usr/sbin/spctl" failonerror="true"> | |
| <arg value="--assess"/> | |
| <arg value="--verbose"/> | |
| <arg value="--type"/> | |
| <arg value="execute"/> | |
| <arg value="MyApp.app"/> | |
| </exec> | |
| <!-- | |
| NOTE: I delete the following files from my app, and I don't know if they need to be signed or not: | |
| MyApp.app/Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Resources/Flash Player.plugin | |
| MyApp.app/Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Resources/AdobeCP15.plugin | |
| MyApp.app/Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Resources/adobecp.plugin | |
| MyApp.app/Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Resources/Adobe AIR.vch | |
| --> |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!-- create and sign a macOS .pkg installer file for distribution --> | |
| <!-- .pkg files should use a Developer ID Installer certificate --> | |
| <exec executable="/usr/bin/productbuild" failonerror="true"> | |
| <arg value="--component"/> | |
| <arg value="MyApp.app"/> | |
| <arg value="/Applications"/> | |
| <arg value="--version"/> | |
| <arg value="1.0.0"/> | |
| <arg value="--sign"/> | |
| <arg value="Developer ID Installer: My Company"/> | |
| <arg value="MyApp.pkg"/> | |
| </exec> |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!-- submit the .pkg installer file to Apple for notarization --> | |
| <exec executable="/usr/bin/xcrun" failonerror="true"> | |
| <arg value="notarytool"/> | |
| <arg value="submit"/> | |
| <arg value="MyApp.pkg"/> | |
| <arg value="--apple-id"/> | |
| <arg value="XXXXXXXX"/> | |
| <arg value="--password"/> | |
| <arg value="XXXXXXXX"/> | |
| <arg value="--team-id"/> | |
| <arg value="XXXXXXXX"/> | |
| <arg value="--wait"/> | |
| </exec> | |
| <!-- staple the notarization to the .pkg --> | |
| <exec executable="/usr/bin/xcrun" failonerror="true"> | |
| <arg value="stapler"/> | |
| <arg value="staple"/> | |
| <arg value="MyApp.pkg"/> | |
| </exec> | |
| <!-- then, verify that the code signing of .pkg file is valid --> | |
| <exec executable="/usr/sbin/spctl" failonerror="true"> | |
| <arg value="--assess"/> | |
| <arg value="--verbose"/> | |
| <arg value="--type"/> | |
| <arg value="install"/> | |
| <arg value="MyApp.pkg"/> | |
| </exec> |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="UTF-8"?> | |
| <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> | |
| <plist version="1.0"> | |
| <dict> | |
| <key>com.apple.security.cs.allow-jit</key> | |
| <true/> | |
| <key>com.apple.security.cs.allow-unsigned-executable-memory</key> | |
| <true/> | |
| </dict> | |
| </plist> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I added the commands above to the Ant build script that I use to build an Adobe AIR app. These are snippets only, and I have not included the
mxmlcandadtcommands necessary to compile and package the Adobe AIR app. These Ant commands create a .pkg file for macOS, including signing and notarization. The resulting .pkg file is meant to be downloadable from a website only. The steps required to distribute an Adobe AIR app in the macOS App Store are likely different, and I cannot give advice about that because I always distribute my apps outside the App Store.It should be fairly simple to convert each the
<exec>sections above into actual commands that you can run directly in a terminal, if you prefer not to use Ant. I just threw this Gist together quickly with a little copying and pasting from my build.xml file, and this is not intended as a comprehensive tutorial.For more information, you might also want to read airsdk.dev: Creating macOS PKG installers.