Opened 3 years ago

Closed 2 years ago

#7234 closed defect (fixed)

Apple notarization altool command will be discontinued Fall 2023

Reported by: Tom Goddard Owned by: Tom Goddard
Priority: moderate Milestone: 1.7
Component: Build System Version:
Keywords: Cc: chimerax-programmers
Blocked By: Blocking:
Notify when closed: Platform: all
Project: ChimeraX

Description (last modified by Eric Pettersen)

A command that the ChimeraX Mac notarization script uses to notarize the app is deprecated and will no longer be available in Fall 2023.
We will need to find out the new way of doing notarization and use it.

	<key>warnings</key>
	<array>
		<dict>
			<key>code</key>
			<integer>-1030</integer>
			<key>message</key>
			<string>altool has been deprecated and, starting in fall 2023, will no longer be supported by the Apple notary service. You should start using notarytool to notarize your software.</string>
			<key>userInfo</key>
			<dict>
				<key>NSLocalizedDescription</key>
				<string>altool has been deprecated and, starting in fall 2023, will no longer be supported by the Apple notary service. You should start using notarytool to notarize your software.</string>
			</dict>
		</dict>
	</array>

Change History (18)

comment:1 by Tom Goddard, 3 years ago

Not sure who is taking over Conrad's Mac notarization script, so I assigned to Eric. But could be me or Zach or Greg. We can discuss in developer meeting.

comment:2 by Tom Goddard, 3 years ago

The warning message says the replacement for the altool command is notarytool.

comment:3 by Zach Pearson, 3 years ago

Need to find out which folders require notarization and which do not. For example, Foo/Contents/MacOS requires notarization but Foo/Contents/Resources does not.

comment:4 by goddard@…, 3 years ago

Conrad's script that automates the notarization is build_tools/macosx_package/notarize.py in the build_tools git repository.  It traverses the application directory structure to figure out what to notarize.  The current script is 515 lines.  Another notarization problem is ticket #7209 where we do not get timestamps from Apple's server most likely due to UCSF firewall issues.

comment:5 by Eric Pettersen, 3 years ago

Owner: changed from Eric Pettersen to Tom Goddard

comment:6 by Tom Goddard, 3 years ago

Milestone: 1.7
Type: enhancement → defect

comment:7 by Eric Pettersen, 2 years ago

Description: modified (diff)

email from Apple:

Hello RBVI,

We’re reaching out because you recently used the altool command-line utility to notarize your macOS software with Apple. As announced last year at WWDC22, if you’re still using altool with the Apple notary service, you should transition to the notarytool command-line utility as soon as possible. Notarizing software with altool was deprecated in Xcode 13, and the Apple notary service will no longer accept uploads from altool as of November 1, 2023. Existing notarized software will continue to function properly.

For information on notarizing your apps, read TechNote TN3147: Migrating to the latest notarization tool.

If you have any questions, contact us.

Apple Developer Relations

comment:9 by Zach Pearson, 2 years ago

We'll probably have to notarize all our distributions on the M1 machine -- Xcode 13 requires 11.3 or later.

comment:10 by Tom Goddard, 2 years ago

This web page talks about how to use notarytool

https://scriptingosx.com/2021/07/notarize-a-command-line-tool-with-notarytool/

And says that it can be used with macOS 10.15.7. If it cannot be used with 10.14 then we may want to revisit the idea of updating the Intel Mac ChimeraX and Chimera build machine from 10.14 to 10.15 so we can continue to notarize on the same machine where we build.

comment:11 by Tom Goddard, 2 years ago

This page gives a very clear description of how to migrate from altool to notarytool

https://developer.apple.com/documentation/technotes/tn3147-migrating-to-the-latest-notarization-tool

I read it and it looks like it will be easy for us, in fact simpler than our current notarization since we can eliminate polling for completion and instead use the "--wait" option.

But it also says that notarytool will only run on macOS 10.15 and newer. Our Intel Mac build machine essex2 is on macOS 10.14. We could probably update essex2 to macOS 10.15 but Chimera is also built on that machine and may run into build problems on 10.15. But Chimera also needs to be notarized so it would be best if both could be built on 10.15. Another option is that the notarization just uses the dmg file and those can be shipped to a newer Mac after compiling in order to notarize them.

comment:12 by Tom Goddard, 2 years ago

I tried copying notarytool from Xcode 14.1 on Intel Mac descartes.cgl.ucsf.edu running macOS 13.4.1 to essex2.cgl.ucsf.edu running macOS 10.14. Online documentation claimed the copied notarytool should run on macOS 10.15.

https://discuss.4d.com/t/tip-how-to-use-notarytool-on-macos-10-15-7-catalina/25618

Unsurprisingly it fails to run on macOS 10.14 on essex2:

essex2:~ chimera$ ./notarytool history --apple-id rbvi-apple-id@cgl.ucsf.edu --password redacted --team-id redacted
dyld: Library not loaded: /System/Library/Frameworks/CryptoKit.framework/Versions/A/CryptoKit
  Referenced from: /Users/chimera/./notarytool
  Reason: image not found
Abort trap: 6

comment:13 by Tom Goddard, 2 years ago

I migrated the Intel Mac ChimeraX build from essex2 to descartes a week ago and plan to leave it there and notarytool works on descartes.

The problem is how to notarize Chimera builds which still are done on essex2. We could try to build Chimera on macOS 10.15 and if successful update essex2 to macOS 10.15. That may be difficult. A simpler approach might be to copy the essex2 chimera.dmg to descartes, notarize it on descartes, and copy back to essex2.

comment:14 by Eric Pettersen, 2 years ago

Yeah, the copy-back-and-forth approach, while somewhat of a PITA, won't be quite as bad now that polling isn't needed.

comment:15 by Tom Goddard, 2 years ago

I updated the ChimeraX notarization to use notarytool instead of altool. It also uses the Apple codesign and stapler command-line tools which have not been deprecated. Signing, making the dmg and notarizing on Intel Mac took 13 minutes. I have not tested notarization for Mac ARM or the Mac universal build, but I expect those to work, will see if tonight's daily builds succeed.
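
One way to script the flow described in this ticket (walking the bundle to find the code that must be signed, as comment 4 says notarize.py does, then submitting the dmg with notarytool's --wait option and stapling, as in comment 15), as an added example in Python that is not the project's notarize.py and is not taken from Apple's documentation. It builds the codesign, notarytool and stapler command lines rather than running xcrun itself; the keychain profile name AC_NOTARY, the signing identity string, and the run parameter used to substitute a fake xcrun offline are assumptions made for the example.

```python
"""Helpers for a notarytool-based Mac signing and notarization flow.

Added example; not the ChimeraX build_tools notarize.py. The profile name
"AC_NOTARY" and the identity passed to codesign_cmd are placeholders.
"""
import json
import os
import subprocess
from typing import List, Tuple

# Mach-O magic numbers as the first four bytes on disk. Anything matching one of
# these (app executables, .dylib, Python .so extensions) needs a hardened-runtime
# signature no matter which Contents/ subdirectory it lives in; plain data under
# Contents/Resources does not.
MACHO_MAGICS = {
    b"\xce\xfa\xed\xfe",  # MH_MAGIC, 32-bit
    b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64
    b"\xfe\xed\xfa\xce",  # MH_CIGAM, byte-swapped 32-bit
    b"\xfe\xed\xfa\xcf",  # MH_CIGAM_64
    b"\xca\xfe\xba\xbe",  # FAT_MAGIC, universal binary
    b"\xbe\xba\xfe\xca",  # FAT_CIGAM
}


def is_macho(path: str) -> bool:
    """True if the file starts with a Mach-O magic. Java .class files also
    begin with CA FE BA BE, so they are excluded by extension; a stricter check
    would read the fat header's nfat_arch field, which is small for real fat
    binaries and a large version number for class files."""
    if path.endswith(".class"):
        return False
    try:
        with open(path, "rb") as f:
            return f.read(4) in MACHO_MAGICS
    except OSError:
        return False


def find_code_to_sign(app_dir: str) -> List[str]:
    """Walk the bundle and return every Mach-O file, deepest paths first so
    nested binaries are signed before the bundles that enclose them."""
    found = []
    for root, _dirs, files in os.walk(app_dir):
        for name in files:
            p = os.path.join(root, name)
            if not os.path.islink(p) and is_macho(p):
                found.append(p)
    return sorted(found, key=lambda p: (-p.count(os.sep), p))


def codesign_cmd(path: str, identity: str, entitlements: str = None) -> List[str]:
    # Hardened runtime and a secure timestamp are both required for notarization.
    cmd = ["codesign", "--force", "--sign", identity, "--options", "runtime", "--timestamp"]
    if entitlements:
        cmd += ["--entitlements", entitlements]
    return cmd + [path]


def notarytool_submit_cmd(dmg: str, profile: str) -> List[str]:
    # --wait replaces the altool-era upload-then-poll loop. --keychain-profile
    # names credentials saved with `xcrun notarytool store-credentials`, so the
    # app-specific password never appears on the command line.
    return ["xcrun", "notarytool", "submit", dmg, "--keychain-profile", profile,
            "--wait", "--output-format", "json"]


def parse_submit_result(output: str) -> Tuple[bool, str]:
    """Parse the JSON printed by `notarytool submit --wait --output-format json`.
    Returns (accepted, submission id)."""
    info = json.loads(output)
    return info.get("status") == "Accepted", info.get("id", "")


def notarize(dmg: str, profile: str, run=subprocess.run) -> str:
    """Submit the dmg, fetch the log on rejection, staple the ticket on success.
    `run` is injectable so the flow can be exercised without xcrun present."""
    proc = run(notarytool_submit_cmd(dmg, profile), capture_output=True, text=True, check=True)
    accepted, sub_id = parse_submit_result(proc.stdout)
    if not accepted:
        # The notary log lists each file that is unsigned or lacks the hardened runtime.
        run(["xcrun", "notarytool", "log", sub_id, "--keychain-profile", profile], check=False)
        raise RuntimeError(f"notarization of {dmg} rejected (submission {sub_id})")
    run(["xcrun", "stapler", "staple", dmg], check=True)
    return sub_id


if __name__ == "__main__":
    import sys
    for p in find_code_to_sign(sys.argv[1]):
        print(" ".join(codesign_cmd(p, "Developer ID Application: PLACEHOLDER")))
```

Run once with `xcrun notarytool store-credentials AC_NOTARY --apple-id ... --team-id ...` so the profile exists; that also avoids the `--password` on the command line seen in the comment 12 transcript, which would otherwise land in shell history and process listings.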

comment:16 by Tom Goddard, 2 years ago

I have not yet made Chimera notarization work with notarytool. The plan is to copy the Chimera.app and notarize.py script to descartes, run the signing, dmg creation, and notarization, and copy the dmg back to essex2. It should use an almost identical notarize.py script as ChimeraX and the Chimera copy currently is in the chimera source repository under chimera/dist/mac.

comment:17 by Tom Goddard, 2 years ago

I updated Chimera build scripts to notarize with notarytool. The build is done on essex2 (macOS 10.14) and notarization is done on descartes (macOS 13.4) and copied back to essex2 since notarytool requires macOS 10.15 or newer.

I put a backup drive on essex2 and am making a full backup with Time Machine so we can attempt to update it to macOS 10.15 so that notarization can be done on essex2 which would make the build less fragile (depending on fewer machines). If Chimera won't build on macOS 10.15 we can use the backup to revert to 10.14.

comment:18 by Tom Goddard, 2 years ago

Resolution: fixed
Status: assigned → closed

Done.

ChimeraX notarization uses notarytool and the build and notarization runs on descartes.

Chimera notarization also uses notarytool on descartes with the build on essex2. I decided not to try to update essex2 from macOS 10.14 to 10.15 which would allow running notarytool on essex2 because I am afraid the Chimera build may break. The build produces over 800,000 lines of output, lots of it compiler warnings.