Notarisation requirement and future of Mac builds

Solar2D macOS Desktop
#1

Does Corona plan to actively support Mac builds going forward? It seems that the current build process has not been revised in a long time while requirements with Steam and other digital stores will change as time moves on and it’s imperative for us developers to keep up.

Just recently Apple has introduced the requirement to notarise apps for the newer Mac OS versions and Steam are already pushing developers to start notarising their new apps. 

My colleague has also recently posted on the forum regarding some important features that were missing from the Steamworks plugin and signing the apps through the standard Corona build process is not presently possible due to multiple libraries failing strict validation checks-- I remember seeing a few unanswered threads here regarding this issue.

A lack of Vsync support, no options for resolutions etc. are also significant shortcomings but so far we’ve managed without these. However, when it comes to compliance, updating important plugins for steamworks etc, we would certainly like to know if these things are at all on Corona’s agenda.

Thanks

#2

As far as I understand all we need - to be able to submit to apple for notarisation - is to be able to add the hardened runtime entitlement

https://developer.apple.com/documentation/security/hardened_runtime_entitlements

Would be nice if corona could add that. Otherwise mac apps distributed outside of the app store shows the “Apple cannot check for malicious software warning”.

Like this one: https://apple.stackexchange.com/questions/366542/install-spotify-cant-be-opened-because-apple-cannot-check-it-for-malicious-so

#3

While this is speculation, Steam have said that they are almost certain that further down the line, Apple will invariably take steps to push developers to notarise their apps-- I read this in a reply by Steam staff on one of their dev forums so this is not an official statement, of course.

Generally speaking, the mac/ PC builds still feel quite far behind. We are trying to make a proper PC game and have had interest from some fairly big publishers who all eventually turned our product down due to the lack of some very basic features. 

As for app singing, it doesn’t work through Corona’s build system and one needs to sign every included framework manually from terminal so I am quite interested to know if Corona have plans to improve Mac/ PC support or will exclusively be focusing on mobile. 

#4

I think we are working on that.

Rob

#5

Hello!

You raise a very valid concern, thanks for that. We indeed working on the issue. There are two parts to notarization: providing easy way to notarize user built apps and notarizing Corona Simulator.

Luckily, Apple just made notarizing way easier. Right now it is done with a single command. Here is how I manually notarized the Simulator

xcrun altool --notarize-app --username 'my-email@coronalabs.com' --password '@keychain:AC\_PASSWORD' --file ~/Downloads/Corona-2019.3535.dmg  --primary-bundle-id 'com.coronalabs.CoronaSimulator' --asc-provider anscainc

There are two magical parts to this command requiring previous setup. This things should be done only once:

1) --ask-provider is a short name for the team used. Usually everyone have two teams: personal and company. To list providers this command can be used:

xcrun iTMSTransporter -m provider -u 'my-email@coronalabs.com' -p 'my-apple-password'

It will list short names for teams in the end if successful

2) --password is to retrieve password from system keychain instead of typing it in the terminal. Typing password in terminal would be a security risk. One can add it manually through Key Chain.app, or via command

security add-generic-password -a 'my-email@coronalabs.com' -w 'my-apple-password' -s AC\_PASSWORD

Note, that --primary-bundle-id is not something “official” this is just a string you come up with so you’ll understand an email you get when notarization is done.

Also, when sending for notarization, you get a token back. You can check on status using command

xcrun altool --notarization-info f771794a-317c-4b5b-9582-9fe549079338  --username 'my-email@coronalabs.com'  --password '@keychain:AC\_PASSWORD'

Which will give you nice status message, and link to report if notarization is completed.

While integrating this into our build system to Corona Simulator should not be a problem, we would like to provide nicer interface to people who build their apps with Corona. This poses several issues, like, how to handle Apple password (we really don’t want to be responsible for those).

P.S. Corona 3535 should be notarized already. 3538 is pending notarization, it takes like 3 hours already for some reason.

#6

Thanks so much for the detailed response!

It’s good to know that these things are being worked upon by Corona and we’ll look forward to when they become available through the Corona build process. 

i’ll try out the steps that you’ve described here-- if you could also please address the issue with the signing process, that will be a massive help!

Signing an app through the Corona build interface always fails validation checks (sorry, I don’t know the very low-level technical details-- wish I could give a more detailed description on the nature of the problem) and I reckon singing the app must be done first before applying for notarisation. 

I’d really appreciate your advice on this.

Cheers

#7

For debuggin your issue with signing please enable detailed build log:

defaults write com.coronalabs.Corona\_Simulator debugBuildProcess  -int 5

Then specific error would be displayed in the console, with invocation which caused it etc. I don’t know what issue do you have specifically, I was just able to sign both development and app store build.

#8

Some part of the Steam API appears to fail the validation. I am including the error details from console. 

Please let me know if you are aware of what might be causing this. 

Thanks

ERROR: build command failed: /usr/bin/xattr -cr "/Users/shashwat/Desktop/appname.app/Contents/Plugins/libsteam\_api.dylib" && /usr/bin/codesign --deep -f -s "XXXXXXXXXXXXXX" -vvvvv "/Users/shashwat/Desktop/appname.app/Contents/Plugins/libsteam\_api.dylib" ERROR: with exit code 1 and output: captureCommandOutput: /bin/cat /tmp/lua\_b1wGvd /Users/shashwat/Desktop/appname.app/Contents/Plugins/libsteam\_api.dylib: main executable failed strict validation BUILD ERROR: plugin code signing for '/Users/shashwat/Desktop/appname.app/Contents/Plugins/libsteam\_api.dylib' failed: /Users/shashwat/Desktop/appname.app/Contents/Plugins/libsteam\_api.dylib: main executable failed strict validation
#9

Hi @vlads – just wanted to check if you were able to look at this. Thanks!

#10

Silly question, but do you have to code sign steam apps?

#11

I suppose we will need to now after the notarisation requirement. We were able to avoid it throughout the beta testing but after the recent requirements imposed by apple, we get an alert message from steam each time we submit a build, asking us to notarise the app in order to distribute on Apple. 

We also plan to go on the mac store at some stage so it will certainly help if this can be looked at. We’re quite happy to offer any assistance in testing etc wherever we can. 

#12

There’s also an interesting tool to help automate this process for users who might be interested and it has a GUI. https://latenightsw.com/sd-notary-notarizing-made-easy/

I’ve managed to pretty much notarise a copy of my successfully when I tried a build without the steamworks plugin but with the plugin, I cannot still sign the app. 

@Vlads Do you know if this is something that I can fix at my end?

#13

In case it’s something about the plugin, I just updated steam to latest 1.46 SDK, no changes to the plugin itself. I still not sure if you need to do all this things for steam apps. Don’t distribute steam plugin outside steam.

#14

Update: I just checked, Valve games doesn’t have any code signature on them:

➜ codesign -d -v /Users/vlad/Library/Application\ Support/Steam/steamapps/common/dota\ 2\ beta/game/bin/osx64/dota2.app

/Users/vlad/Library/Application Support/Steam/steamapps/common/dota 2 beta/game/bin/osx64/dota2.app: code object is not signed at all

#15

@vlads- Sorry if I’m missing something or doing something wrong but I don’t think the problem here is about signing apps for Steam distribution at all.

As I said in an earlier post, we are content with distributing apps on Steam without signing it for Mac OS but the problem arises at the step where OS X Catalina imposes the requirement for apps to be notarised and notarisation (to my knowledge) can be done only once the bundle is singed. Steam are aligning themselves with this requirement and show big red text on our store page saying that the app won’t run on Catalina.

Notarisation, as you have also pointed out, is not very complex in itself but I’m unable to sign my builds if I include the Steamworks plugin. To be clear, if I exclude the plugin, everything works and the app is notarised successfully. 

#16

Pretty sure Valve’s games are not notarized either… Can you show me your store page? What does it say or is there any info on the issue?

#17

Okey… So I looked around, and finally found the Steam Game with a warning:

GjQJytD.png

With the link leading to this page: https://support.steampowered.com/kb_article.php?ref=1055-ISJM-8568

If you notice, the page is about 64 vs 32 bit apps. Nothing about Notarization. Unless you got another warning, I don’t know what is going on. Corona is 64 and steam plugin as well. I run Corona and Steam Corona apps on my macOS Catalina OK.

I noticed that steam library contained 32bit slice. I removed it and committed the plugin. It should get your app signing and notarizing if you want it. But, steam apps are not signed or notarized. I installed several games, and they are not signed, or notarized and run just fine without any issues on macOS Catalina, which I am running right now.

I hope that removing 32bit slice will also get rid of warning. If not, I suggest getting in contact with Valve, telling them that you app is getting flagged, even if it is all 64bit app.

For reference, I tried plying this https://store.steampowered.com/app/487030/ game. It is Corona game, and it works on Catalina.

EDIT: I submitted a ticket to Steam support about this. It seems their validator checking for 32bit apps is broken. https://i.imgur.com/tngl3SQ.png

#18

@vlads - Thanks for looking into this so promptly. The updated plugin works and I’m able to sign the app. 

You’re right that the warning is related to the 64-bit requirement which seems wrong as we have clearly marked our app as 64-bit in the settings. We’ll contact Steam regarding this. 

Thanks again :slight_smile:

#19

Steam responded to me. HWBv7Ol.jpghttps://steamcommunity.com/groups/steamworks/announcements/detail/3632639303428097613So indeed there seems to be notarization requirement. Eve if Valves own apps are not signed (or notarized).

#20

Yeah it appears notarisation is going to become necessary for Mac but we’re happy that we are now able to get the builds signed and at least got rid of the warning message on the store page. 

SD Notary offers a nice GUI for notarisation through apple in case some users are interested- https://latenightsw.com/sd-notary-notarizing-made-easy/