So you’ve built your killer app in OpenFL, compiled it to every target, and are ready to start selling it to the masses. You can’t believe how easy everything has been, and you’re riding high, but then Apple complains about something called “notarization” and you get a sinking feeling in your stomach.
If you were building your software in Xcode, this would be handled for you, but you’re not, so you’ll need to do it manually. There aren’t a lot of examples of this process documented, so I’ll walk you through it here. Unfortunately, this all has to be done on a computer running macOS. Blame Apple.
Build your app for the macos target with
openfl build macos. This will create
Developer ID Application certificate from the Certificates, Identifiers & Profiles section of the Apple Developer dashboard. Download the certificate and add it to your keychain.
Sign your app with your developer certificate. This command will likely work for you:
codesign --force --deep --options runtime --timestamp --sign "Developer ID Application: YourCompany (TEAMID)" Export/macos/bin/YourProject.app
(Replace YourCompany, TEAMID, and the path to YourProject.app as needed.)
Try to run YourProject.app. If it now crashes on startup, you will need some hardened runtime exceptions. The following is optional, only if your app crashes now:
YourProject.app (right click the app and choose “Show Package Contents”).
Entitlements.plist is just inside the
- Add necessary hardened runtime exceptions. I can’t say exactly which you will need, but these are the ones that worked for me:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>com.apple.security.cs.disable-library-validation</key>
        <true/>
        <key>com.apple.security.cs.allow-dyld-environment-variables</key>
        <true/>
        <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
        <true/>
    </dict>
    </plist>
- Copy that Entitlements.plist file, and place it at your project root (or wherever you’re running your commands from). You’ll need it for signing.
- Sign your app with the additional --entitlements flag. No, I don’t know why it can’t just read the one inside the app. This worked for me:
codesign --force --deep --entitlements Entitlements.plist --options runtime --timestamp --sign "Developer ID Application: YourCompany (TEAMID)" Export/macos/bin/YourProject.app
- Try running YourProject.app now. Hopefully it no longer crashes!
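Each of the exceptions above switches off a hardened runtime protection, so it is worth knowing exactly which ones a given Entitlements.plist turns on before you sign with it. The script below is an added example, not part of the original walkthrough: it lists the enabled com.apple.security.cs.* keys and fails when one is missing from an approved list. The function names, the approved-list policy and the sample plist are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post: audit hardened runtime exceptions.

# Print every com.apple.security.cs.* key set to <true/>, one per line.
# Records are split on "<", so a plist collapsed onto one line parses too.
enabled_exceptions() {
    awk 'BEGIN { RS = "<" }
         /^key>/     { key = substr($0, 5); next }
         /^true\/>/  { if (key ~ /^com\.apple\.security\.cs\./) print key; key = "" }
         /^false\/>/ { key = "" }' "$1"
}

# What each exception named in the post relaxes.
describe() {
    case "$1" in
        *.disable-library-validation) echo "loads libraries not signed by Apple or your Team ID" ;;
        *.allow-dyld-environment-variables) echo "honours DYLD_* variables such as DYLD_INSERT_LIBRARIES" ;;
        *.allow-unsigned-executable-memory) echo "allows writable and executable memory without MAP_JIT" ;;
        *) echo "see Apple's hardened runtime documentation" ;;
    esac
}

# Report each enabled exception; return 1 if any is missing from the
# space-separated approved list in $2 (a hypothetical project policy).
audit_entitlements() {
    rc=0
    for key in $(enabled_exceptions "$1"); do
        case " $2 " in
            *" $key "*) verdict="approved" ;;
            *) verdict="UNAPPROVED"; rc=1 ;;
        esac
        printf '%-10s %s (%s)\n' "$verdict" "$key" "$(describe "$key")"
    done
    return "$rc"
}

# Constructed sample: the three exceptions from the post, one set to false.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
<plist version="1.0"><dict>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
  <key>com.apple.security.cs.allow-dyld-environment-variables</key><false/>
  <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
  <true/>
</dict></plist>
EOF

audit_entitlements "$sample" "com.apple.security.cs.disable-library-validation" \
    || echo "Remove or justify the unapproved exceptions before running codesign."
```

On a Mac, point audit_entitlements at the Entitlements.plist you pass to codesign with --entitlements.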
Now that you have a signed app, you’re ready for notarization. The notarization tool wants a zipfile, so compress
You will need an Application Password, so generate one from the Sign-In and Security page.
Run the notarization tool:
xcrun notarytool submit YourProject.zip --apple-id YourAppleID@example.com --password YourAppPassword --team-id TEAMID --wait
If everything goes well, your notarization request will be accepted! If not, the notarization log can be requested like this:
xcrun notarytool log your-notarization-id --apple-id YourAppleID@example.com --password YourAppPassword --team-id TEAMID
If all these steps went well, you should now have a signed and notarized application that you can deploy as you like! Good luck!