Building and delivering command tools for Catalina

Yesterday I noted how one of the changed requirements in macOS 10.15 Catalina is that software which isn’t run by LaunchServices, such as command tools, will still need to satisfy new requirements for signature, hardening and notarization. This article looks at how you can achieve that, working through what I have done with my tool blowhole.

Some time ago, I described how I went about turning my command tools like blowhole into signed Installer packages, using Stéphane Sudre’s excellent free Packages. This saves you a fair bit of effort, particularly now that it can sign the package too, but unfortunately there’s still plenty of preparation and commands.

In the past, writing command tools in Xcode has been relatively simple. There was no need for any Info.plist file or code signature, so all you concentrated on was your code.

Those days have gone: to be hardened and signed, as required by Catalina, your tool needs an Info.plist file, a signature, and the hardening flag. Once you’ve exported the built tool in an archive, you then build it into an Installer package, which has to be signed using a special Developer ID Distribution certificate from Apple. That signed package is then submitted to Apple for notarization. If you’re successful in that, you finally staple the ticket to the package, and it’s ready to distribute.

Xcode

Command tools must have an Info.plist file containing a minimum of three items: the Bundle Identifier, such as co.eclecticlight.blowhole, the Bundle Name, such as blowhole, and a version number, in a short Bundle Versions String. When Xcode builds the tool, these will be embedded in the single Mach-O binary. Add a new Property List file with the name Info.plist to your project, and add those items to it.

toolnotaris01

In the Packaging section of the Build Settings, ensure your Info.plist is created in the binary, and uses the correct file, as shown below.

toolnotaris02

Finally, ensure that the Signing section is properly set up to use your Developer ID Application certificate, and that the Hardened Runtime is enabled there.

toolnotaris03

Once you’re happy that the tool is ready to build for distribution, build an Archive, which should then contain a hardened and signed command tool, complete with timestamp. Then check that your tool is all ready to build into a package.

The command
codesign -dvv blowhole
should return something like
Executable=/Users/hoakley/Documents/blowhole Identifier=co.eclecticlight.blowhole Format=Mach-O thin (x86_64) CodeDirectory v=20500 size=549 flags=0x10000(runtime) hashes=8+5 location=embedded Signature size=8926 Authority=Developer ID Application: Howard Oakley (QWY4LRW926) Authority=Developer ID Certification Authority Authority=Apple Root CA Timestamp=11 Jun 2019 at 09:22:57 Info.plist entries=12 TeamIdentifier=QWY4LRW926 Runtime Version=10.14.0 Sealed Resources=none Internal requirements count=1 size=220

And
spctl -a -vv -t install blowhole
should return
blowhole: accepted source=Developer ID origin=Developer ID Application: Howard Oakley (QWY4LRW926)

Packages

Using Packages is straightforward, and detailed help is here. Because this is just a single, simple command tool to be installed, I opt for a flat .pkg, with Project settings like

toolnotaris04

The Settings tab looks like this:

toolnotaris05

In the Payload tab, press Cmd-. to view all folders, and work your way through to /usr/local/bin. With the last folder selected, the + button at the foot is enabled. Click on that and select the hardened and signed command tool from Xcode’s archive to add it to the payload of the package.

toolnotaris06

Once those are set, select the Project tab again and add your Developer ID Distribution signature using the Set Certificate command in the Project menu. This new feature saves you from having to add the signature at the command line afterwards, and is a boon.

Before going any further, I checked that the Installer package was properly signed using
spctl -a -vv -t install BlowholeInstaller.pkg
which should return
BlowholeInstaller.pkg: accepted source=Developer ID origin=Developer ID Installer: Howard Oakley (QWY4LRW926)

Notarization

Apple details the notarization process here. Your first step is to create an app-specific password for your Apple ID to use the Xcode altool command. Do this from your Apple ID account page as explained here. Copy that and paste it somewhere safe such as your keychain, but I also put it into a text document into which I assembled the notarization command itself. That should look something like:
xcrun altool --notarize-app --primary-bundle-id "co.eclecticlight.blowhole.pkg" --username "yourappleid@me.com" --password "zzzz-zzzz-zzzz-zzzz" --file BlowholeInstaller.pkg
where you substitute your Apple ID username, the app-specific password, and the name of the signed Installer package to be notarized.

There will then be a long pause, during which the package is uploaded for notarization. Once that is complete, the command should return with
2019-06-11 13:10:38.353 altool[72153:25911638] No errors uploading 'BlowholeInstaller.pkg'. RequestUUID = 0000000-0000-0000-0000-000000000000
which confirms all went well and provides the crucial UUID which you use to refer to this notarization job.

If the notarization is successful, you’ll then get a notification and an email back to your developer account to inform you. The final step in producing the Installer package is to staple the ticket to that package, using
xcrun stapler staple "BlowholeInstaller.pkg"
which should return
Processing: /Users/hoakley/Documents/BlowholeInstaller.pkg Processing: /Users/hoakley/Documents/BlowholeInstaller.pkg The staple and validate action worked!

My last check at the command line is:
spctl -a -vv -t install BlowholeInstaller.pkg
which should return
BlowholeInstaller.pkg: accepted source=Notarized Developer ID origin=Developer ID Installer: Howard Oakley (QWY4LRW926)

Note that its source is a Notarized Developer ID now, and that it refers to a certificate origin of your Developer ID Installer for the package, rather than the Developer ID Application of the command tool inside it.

My routine testing is to present the product as the user will obtain it. Here I put the package into a Zip archive, applied a quarantine flag to it using my utility xattred, then on a Catalina system extracted and installed the command tool, and ran it to verify that it works.

The steps above are summarised in this PDF cheat sheet:
NotarizeCmdTool

I wish you success in your notarization tasks. If you discover a simpler way, I’d love to hear about it.

It has taken me 4 apps in addition to Xcode, 4 command tools invoked in 6 different commands, 2 different developer certificates and an app-specific password, to turn my 260 lines of Swift into a usable 50 KB command tool. That’s security for you.

14Comments

Add yours

1

Joe Barisa on June 14, 2019 at 1:08 am

What will this mean for things like MacPorts?

LikeLike
- 2
  
  hoakley on June 14, 2019 at 5:39 am
  
  I have an article coming tomorrow morning (Saturday) to explain more as to what is needed.
  The bottom line is that MacPorts is fine.
  Howard.
  
  LikeLike
3

Michael Tsai - Blog - Notarizing Command-Line Tools for macOS 10.15 on June 17, 2019 at 9:04 pm

[…] notarize each of my four command tools were a revelation. They’re detailed step by step in this article and in this […]

LikeLike
4

Karl on August 2, 2019 at 2:50 pm

Thank you very much for all these Mac detailed info you provide for the admin community, it’s very appreciated, Keep going ! Love it.

LikeLiked by 1 person
5

spartygw on August 12, 2019 at 5:26 pm

Any idea on how to add entitlements to a command line tool? I can’t seem to find that info anywhere and the “Capabilities” tab in Xcode doesn’t seem to be visible for command line tools.

LikeLiked by 1 person
- 6
  
  hoakley on August 12, 2019 at 5:31 pm
  
  I’m not sure how a command tool can have entitlements, can it?
  Entitlements are surely only for the sandbox, or (in the case of privacy-based ones) determined by the app in TCC’s Attribution Chain.
  Howard.
  
  LikeLiked by 1 person
  - 7
    
    spartygw on August 12, 2019 at 7:32 pm
    
    Ah, ok. I’m trying to understand an issue I’m having with my app and I thought it was the command line tool I’m building.
    
    I have a background process (the command line app I spoke of) that starts a VOIP app when a call comes in. When I codesign with –options runtime (to force code hardening) I never get the Privacy popup for the VOIP app.
    
    When I don’t codesign with –options runtime I do get the Privacy popup for the VOIP app. The VOIP app has hardening turned on with proper entitlements for the mic. I just can’t figure out why enabling hardening for the background process fails to generate that popup.
    
    I’m grasping at straws. Sorry for the length.
    
    LikeLiked by 1 person
    - 8
      
      hoakley on August 12, 2019 at 10:21 pm
      
      No problems: I wish I could be more helpful. In this case, the Privacy handling should pass up the calling chain to the app which runs the command tool – that’s the top of TCC’s Attribution Chain.
      Have you asked around, say on Twitter? Quite a few developers have been wrestling with similar problems, and you may be able to tap into their experience. I’ll always RT if I see a request like that to amplify your reach. You may also get some advice direct from Apple staff there.
      Howard.
      
      LikeLiked by 1 person
9

spartygw on August 12, 2019 at 10:33 pm

Thanks. I’ll stop spamming your page here but just wanted to close the circle by saying I posted a question on stackoverflow here ( https://stackoverflow.com/questions/57465931/command-line-macos-tool-that-starts-another-app-isnt-generating-the-privacy-pop )

I’ve spent 2 days just googling and reading and trying to understand code hardening and the chain of events that leads to the lack of a Privacy popup.

Thanks

LikeLiked by 1 person
10

gapfrack on November 7, 2019 at 10:12 pm

I cannot reproduce the step where the Info.plist file is added to the command line tool project.
When I run codesign -dvv tool, I get Info.plist=not bound.
Could you please elaborate this step a bit?
Thanks!

LikeLiked by 1 person
- 11
  
  hoakley on November 7, 2019 at 11:17 pm
  
  I presume that you’ve already added the Info.plist file to your project, and set it up with the correct entries as explained.
  You then have to go into the Build settings for the project and ensure that the file is actually built into your command tool.
  Select the project both at the left, and in the main view. Then select Build Settings. Scroll down to the Packaging section in those settings, and select Yes to Create Info.plist in Binary, then ensure the correct location and file are set for the Info.plist file setting.
  When you next build the tool, the Info.plist file will be embedded in its binary.
  I wish you success,
  Howard.
  
  LikeLiked by 1 person
  - 12
    
    gapfrack on November 11, 2019 at 8:54 am
    
    Thank you very much, that worked for me. This article is extremely helpful.
    Also, in this context, would you know of any resources on the web that help in configuring entitlements or capabilities for command line tool targets in Xcode, so that the command line tool would be able to talk to the secure enclave and create key pairs and sign / encrypt messages?
    
    LikeLiked by 1 person
    - 13
      
      hoakley on November 11, 2019 at 9:07 am
      
      Thank you.
      Entitlements are primarily used by sandboxed apps. AFAIK, you can’t sandbox a command tool, and wouldn’t want to anyway.
      I’m not aware of any entitlement or indeed support which gives access to secure enclave features such as that. There are standard system calls for encryption support, but I don’t think any of them explicitly accesses the secure enclave which is an enclave after all, so not intended to be accessed from userland.
      But I could be wrong.
      Howard.
      
      LikeLiked by 1 person
14

How to access MacOS secure enclave from command line tool in Xcode - Onooks on November 13, 2019 at 12:58 am

[…] https://eclecticlight.co/2019/06/13/building-and-delivering-command-tools-for-catalina/ […]

LikeLike

Share this:

Related