Make signed HMSL app for MacOS

[philburk]

When downloading the app, the user is confronted with a scary dialog saying the app is untrusted.

[philburk]

I renewed my Apple Developer account for $99. Now just waiting for it to process.

[philburk]

Application approved.
Used XCode Settings >> Accounts to create a "Developer ID Application".
https://developer.apple.com/help/account/create-certificates/create-developer-id-certificates/
https://developer.apple.com/help/account/create-certificates/create-a-certificate-signing-request

What a nightmare!
I created a certicicate and then read lots of cryptic docs about signing and schemas.
I tried to build and it asked for my keychain password.
I tried all my passwords and none worked.
So I reset my keychain login chain, downloaded the certificate from Apple, and double clicked.
It shows up in my Keychain Accesss under "Certificates" but not "My Certificates".
Apparently is "missing private key".
Maybe I will just move all my HMSL development to Linux.

[philburk]

This is a log of the steps required to sing my HMSL app for Mac.
Renewed Apple Developer Program Membership for $99.
According to https://developer.apple.com/account/resources/certificates/list
I still have a Developer ID Application that expires in 2027.
I can download it but it says I should first "backup my private and public keys somewhere secure".

I found my KeyChain by opening "Applications/Utilities/Keychain Access.app".
I see no obvious way to backup keys. Also I think I am missing a key from tjhe disaster last year.

I opened XCode and went to Settings >> Accounts then "Manage Certificates".
It says my "Developer ID Application" created in 2023 is "Missing Private Key".

This fellow on Stack Overflow had a similar problem:
https://stackoverflow.com/questions/73938512/developer-id-application-certificate-missing-a-child-key-in-keychain-access
He got a new certificate from Apple Developer Program Support and installed it via XCode.

Useful sounding info here:
https://forums.developer.apple.com/forums/thread/732320

I tried to add a key at https://developer.apple.com/account/resources/authkeys/add
but that does not seem to be the right kind of key.

[philburk]

As an experiment, I am going to create a new certificate.
I went to https://developer.apple.com/account/resources/certificates/add
Selected "Mac Development".
Now I need a CRS. That seem too complicated.

So I went back to XCode and went into Manage Certificates.
Selected + Apple Development and created a new certificate.
It does not seem to be missing the private key.

Now I will try to figure out if I can sign HMSL using that, at least for testing.

[philburk]

In XCode Build Signing Certificate, I selected my new Apple Development Certificate.
When I tried to build it kept asking me for the "login" password for my keychain.
I tried all of my passwords, new and old and it would not accept them so I turned off the Certificate.

[philburk]

I also tried to use the XCode Managed certificates but it still failed.
I sent Apple support an email asking for help.

[philburk]

Apple told me to read Create, export, and delete signing certificates.

I was able to Revoke an old certificate.
It recommends using Automatic Signing from XCode. So I will try that.

I looked again in Utilties >> Keychain Access.
I do have an Apple Development Private Key that was created July 2024.
I exported it to Work/keys using my most secure password.
This week I was able to get into my Keychain login using my normal Mac login password. Go figure!

[philburk]

I tried again to use the XCode "Automatically Manage Signing" feature.
It asks me for a keychain login password but that fails.
I found two Developer Certificates in my Utilities KeychainAccess.
One was "Revoked" so I deleted it and tried again. No luck.

I found this forum with people having similar troubles.
https://forums.developer.apple.com/forums/thread/698834

I tried to Sign In with Apple so I could +1 a comment and Apple keeps saying "Page not found".
This is so broken.

[philburk]

Found this forum.
https://forums.developer.apple.com/forums/thread/92336?answerId=278867022#278867022

Apparently I have to enter my login password then click the "Always Allow" button, which is not even enabled.
Then it works!

Maybe I should just focus on the Linux version...

[philburk]

I copied the newly built JuceHMSL.app to my HMSL_release/HMSL/hmsl folder.
I can double click and run it.
But I zip the HMSL folder, trash the HMSL folder and then unzip it then I get a crash with "Code Signature Invalid".
Why?

[philburk]

A post by parkskier426 in https://forums.developer.apple.com/forums/thread/687712 said
to find the certificate you are using to sign the app during the build process in Keychain Access, expand it to show the signing key, right click on the key and choose get info. Go to the access control tab
Choose "Confirm before allowing access" and add "codesign" and "Xcode" to the list of allowed list of applications.
XCode was already listed but I figured it might be an old XCode.
I tried to remove it using the minus sign but it deleted the wrong item!
So I just found XCode in Applications and added it. Now I have two XCode listed.

Now I no longer have to enter a password!

I made a ZIP file, uploaded to Google Drive then downloaded it back down.
If I hold down the Option Key and double I get an Open button.
Then it fails with could not open file, which is Issue #171

[philburk]

Another comment wrote:

Just a note: The "Allow" option actually works, but it needs the permission multiple times. Without clicking "Always allow", new popup will appear instantly - making it seem like it didn't work for the first time. If you have a lot of patience, you can get through just with "Allow" option

Amazing.

[darrengit]

It's astounding that the Apple key management and app signing process is still so arcane and brittle. Every year I think it's bound to get better and more automatic, but alas. My understanding from a couple of years ago is that the app not only has to be signed but also notarized in order for the app to launch without needing right-clicking or the user having to interact with warning dialogs and/or the Privacy System Settings. Have you tried this additional arcane procedure?:
https://developer.apple.com/documentation/security/notarizing-macos-software-before-distribution

[philburk]

@darrengit - thanks for the tip about notarization. My notes follow:

Apple says:

Use a “Developer ID” application, kernel extension, system extension, or installer certificate for your code-signing signature.

XCode says it is using a "Development" certificate. I'm not sure if that is valid. I guess the notary will tell me.

This page told me how to add a "Hardened Runtime".
https://help.apple.com/xcode/mac/current/#/dev88ff319e7

Apple says I must "Create an archive of your app."!
Google AI told me to select Product>>Archive menu item.
I did and nothing happened.
Then I closed HMSL, which was running and tried again.
This time it showed a Build progress meter but the Build finally failed with many errors including:

Ignoring file '/Users/phil/Music/hmsl_repo/HMSL/native/osx/libs/libme2000.a[19](spmidi_orchestra.o)': found architecture 'x86_64', required architecture 'arm64'

Undefined symbol: _JukeBox_SendMIDI

So I tried to rebuild libme2000.a using the CMake instructions in:
https://github.com/philburk/mobileer-synth/blob/master/README.md#building

It still failed so I asked Google how to add arm64 to the library and the AI told me to add this to CMakeLists.txt

set(CMAKE_OSX_ARCHITECTURES "arm64;x86_64")

The libme2000.a went from 1.3MB to 2+MB so I think it added the ARM code.
But now XCode cannot link with the Jukebox symbols even for the regular build.

So I stubbed out the Jukebox functions and it now builds.
I ran Product >> Archive and it created an Archive.

I clicked "Validate Archive" and it told me:

[philburk]

So this is progress of sorts. I am worried about the "bundle must install to '/Applications'.
I was able to only get it to read the pforth.dic file when it was in the Music folder and I added Music to the Sandbox.
I may have to put the app in Applications and the Forth files in Music.

I may have to write a real package installer.

I think writing the original HForth kernel in assembly language was easier than trying to coerce XCode into building an executable app. Sigh.

[darrengit]

I think you could put the dictionary and other resources like .fth files in the ApplicationSupport folder.