Achieving A Completely Open Source Implementation of Apple Code Signing and Notarization
August 08, 2022 at 08:08 AM | categories: Apple, RustAs I've previously blogged in
Pure Rust Implementation of Apple Code Signing
(2021-04-14) and
Expanding Apple Ecosystem Access with Open Source, Multi Platform Code signing
(2022-04-25), I've been hacking on an open source implementation of Apple code
signing and notarization using the Rust programming language. This takes the form
of the apple-codesign
crate / library and its rcodesign
CLI executable.
(Documentation /
GitHub project /
crates.io).
As of that most recent post in April, I was pretty happy with the relative
stability of the implementation: we were able to sign, notarize, and staple
Mach-O binaries, directory bundles (.app
, .framework
bundles, etc), XAR
archives / flat packages / .pkg
installers, and DMG disk images. Except for
the known limitations,
if Apple's official codesign
and notarytool
tools support it, so do we.
This allows people to sign, notarize, and release Apple software from non-Apple
operating systems like Linux and Windows. This opens up new avenues for
Apple platform access.
A major limitation in previous versions of the apple-codesign
crate was our
reliance on Apple's Transporter
tool for notarization. Transporter is a Java application made available for macOS,
Linux, and Windows that speaks to Apple's servers and can upload assets to their
notarization service. I used this tool at the time because it seemed to
be officially supported by Apple and the path of least resistance to standing
up notarization. But Transporter was a bit wonky to use and an extra
dependency that you needed to install.
At WWDC 2022, Apple announced
a new Notary API as
part of the App Store Connect API. In what felt like a wink directly at me,
Apple themselves even calls out the possibility for leveraging this API to
notarize from Linux! I knew as soon as I saw this that it was only a matter
of time before I would be able to replace Transporter with a pure Rust client
for the new HTTP API. (I was already thinking about using the unpublished HTTP
API that notarytool
uses. And from the limited reversing notes I have from
before WWDC it looks like the new official Notary API is very similar - possibly
identical to - what notarytool
uses. So kudos to Apple for opening up this
access!)
I'm very excited to announce that we now have a pure Rust implementation
of a client for Apple's Notary API in the apple-codesign
crate. This means we
can now notarize Apple software from any machine where you can get the Rust
crate to compile. This means we no longer have a dependency on the 3rd party
Apple Transporter application. Notarization, like code signing, is 100% open
source Rust code.
As excited as I am to announce this new feature, I'm even more excited that it was largely implemented by a contributor, Robin Lambertz / @roblabla! They filed a GitHub feature request while WWDC 2022 was still ongoing and then submitted a PR a few days later. It took me a few months to get around to reviewing it (I try to avoid computer screens during summers), but it was a fantastic PR given the scope of the change. It never ceases to bring joy to me when someone randomly contributes greatness to open source.
So, as of the just-released 0.17 release
of the apple-codesign
Rust crate and its corresponding rcodesign
CLI tool, you can now
rcodesign notary-submit
to speak to Apple's Notary API using a pure Rust client. No
more requirements on 3rd party, proprietary software. All you need to sign and
notarize Apple applications is the self-contained rcodesign
executable and a Linux,
Windows, macOS, BSD, etc machine to run it on.
I'm stoked to finally achieve this milestone! There are probably thousands of companies and individuals who have wanted to release Apple software from non-macOS operating systems. (The existence and popularity of tools like fastlane seems to confirm this.) The historical lack of an Apple code signing and notarization solution that worked outside macOS has prevented this. Well, that barrier has officially fallen.
Release notes, documentation, and (self-signed) pre-built executables of the
rcodesign
executable for major platforms are available on the
0.17 release page.