gon VS isign

It might be less effort to use something like this: https://gregoryszorc.com/blog/2021/04/14/pure-rust-implement...

Might even be able to modify `gon` to use that instead of Apple's `codesign` and then you'll have notarization too: https://github.com/mitchellh/gon

I’ve always used gon ( https://github.com/mitchellh/gon ) for this, which is open source golang, but I don’t think it supports mach-o embedding. I’ll have to try this tool out.

There is no need for some special solution to pack your .app, you need to create .app directories, copy your binary, create Info.plist with metadata about your binary, icon, etc. I did this for a couple of apps and it is simple. It is another thing if you want to sign and notarize the binary, there are other tools for that, like https://github.com/mitchellh/gon.

I use gon to sign and notarize a DMG file. Once you set it up, it's a simple one-line command that will upload the DMG to Apple, await notarization, and give you back a DMG that's ready for distribution.

My advice from years of notarizing my apps is to make sure you do it at least once per day for each of your apps. If you only notarize once every release (say, every month or so), you are almost guaranteed to encounter some new cryptic error that you've never seen before, either due to some glitch in signing your app or frameworks, or else some server-side error such as new terms & conditions that you are being "encouraged" to agree to. It will take you hours to research and resolve them if they aren't spotted right away.

As others pointed out, https://github.com/mitchellh/gon is a great tool for doing this on your local machine (e.g., with a cron job). In addition, if you are building your app using a GitHub action (which I highly recommend if it is open-source), you can use my https://github.com/hubomatic/hubomat action to package and notarize a release in one shot. The sample/template app does this automatically on every commit as well as once per day: https://github.com/hubomatic/MicroVector/actions.

So when this fails from a scheduled job, you at least know that something has changed on the Apple side and can investigate that right away. And if it fails as a result of a commit, then at least you can start looking at what changes you may have made to your entitlements or code signing settings or embedded frameworks or any of the other million things that can cause it to fail.

Kudos to these developers. I wish them success.

If I can do a small derail: I and some contributors had this mostly working a few iOS versions ago with isign (https://github.com/isignpy/isign). This is befor notarization. Announced several times to HN but didn’t seem to be interesting to many people.

This was a spin-off from our work at a testing company. I’m not an iOS developer.

I tried to make it into something, but I could never figure out who actually wanted this. What potential uses are foreseen for rcodedesign?

We did a project for a large financial company to make it compatible with hardware security module signing, but they never implemented it due to the pandemic changing priorities, and then someone discovered there was a little-known API to do something similar anyway, so our project was shelved. (We got paid though).

From time to time I am contacted by people who run alternative app stores, either distributing hacked versions of paid apps, or who run app store in countries under embargo from Western countries. (They have banks, they have iOS apps, their customers have iPhones, they want a way to distribute them). The ethical issues and legal risks seemed significant so I never pursued that. If someone wants to go do that, I guess that’s a use case.

It might have some use in build pipelines, but without a true Linux build environment it didn’t seem like a win.

So… again kudos, but what can we do with this? I’m not dissing it, I’m genuine baffled. I also thought this would be important and useful but couldn’t figure it out.