Binaries aren't verified on MacOS

[Michael-F-Bryan]

@Mi1ind was going through his workshop today and when he tried to run the rune binary MacOS stopped him with a "Cannot Be Opened Because the Developer Cannot be Verified" error.

Some solutions are:

• Manually add a security exception
• Upload to the App Store

[Michael-F-Bryan]

@meelislootus did a test run of using rune on his M1 and ran into this issue:

[saidinesh5]

This should help us get there I think .. https://github.com/koordinates/kart/blob/master/.github/workflows/build.yml#L228-L269

[Michael-F-Bryan]

I stumbled across the actual commands we'll need while browsing Reddit:

Our desktop application (written mostly in Rust) is notarized via command line tools. Notarizing assumes several steps:

1. Signing the binaries, the app bundle and the installer pkg
2. Notarizing the pkg file
3. Stapling the pkg file

You need two certificates linked to your Apple developer account: one for signing applications (binaries and bundles) and another for signing pkg installer files.

For signing binaries you run codesign utility, something like:

codesign -s "$APP_CERT_ID" --deep -v -f -o runtime <your_exe_or_app>

For signing pkg installers:

productsign --sign "$PKG_CERT_ID" "yourpackage.pkg" "signedpackage.pkg"

Once signed you can do the notarization:

xcrun altool --notarize-app \
             --primary-bundle-id "com.acme.appid" \
             --username "$APPLE_ID" \
             --password "$APP_PASSWORD" \
             --file "/path/to/signed.pkg"

Where APPLE_ID - is your Apple ID (email), APP_PASSWORD - application password created in your account.

It will upload the pkg file to Apple server. You will get an email when it is completed (ok or nok).

You can staple it afterwards (not strictly necessary though but is recommended):

xcrun stapler staple "signed.pkg"