Continued issues making a signed bundles installer... because I don't know what I'm doing :)

Got a problem with Viscosity or need help? Ask here!

horsman

Posts: 11
Joined: Thu Sep 12, 2024 2:15 am

Post by horsman » Thu Oct 17, 2024 10:23 am
Hello,

After following the instructions from both this site, and the Apple Developers site, I have made a .cer file and saved it to my desktop, when I double click on it and bring it into Keychain it imports it, but gives me a red error message underneath telling me it's not trusted.

If I proceed anyways and attempt to sign the installer in Terminal I get an error message that it cannot find an appropriate signing identify.

I'm assuming I'm doing something wrong on the certificate generation, but for the life of me I cannot figure out what. Any suggestions would be helpful. Thanks!

James

User avatar
Posts: 2372
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Thu Oct 17, 2024 5:49 pm
Hi horsman,

If macOS considers your Developer ID Installer certificate untrusted/invalid, your computer may be missing the necessary Apple Intermediate Certificates. Try downloading these and loading them into the Keychain from the link below. At a minimum you'll want the two Developer ID Intermediate certificates.
https://www.apple.com/certificateauthority/

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Bluesky: https://bsky.app/profile/sparklabs.com

horsman

Posts: 11
Joined: Thu Sep 12, 2024 2:15 am

Post by horsman » Wed Oct 23, 2024 9:55 am
Thanks. I'll give that I try. Do you know if I should be saving these into login, iCloud or System keychain?

James

User avatar
Posts: 2372
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Thu Oct 24, 2024 6:30 am
Either Login or System should be fine.

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Bluesky: https://bsky.app/profile/sparklabs.com

horsman

Posts: 11
Joined: Thu Sep 12, 2024 2:15 am

Post by horsman » Thu Oct 24, 2024 7:21 am
Thanks!

horsman

Posts: 11
Joined: Thu Sep 12, 2024 2:15 am

Post by horsman » Fri Oct 25, 2024 3:43 am
Hi,

Thanks for all the help, I'm making progress but still having issues. I was able to sign the packages, and after updating my OS to install a more recent version of Xcode I'm not longer getting a Terminal error messages saying I don't have the tools needed.

However I'm still not able to Notarize the package. Initially I was getting an error saying altool couldn't be used to notarize anymore and to use notarytool.

I was hoping to be able to just update the script you had provided by changing altool to notarytool, but no luck.

I'm trying to attach screenshots to show you the messages in Terminal but I keep getting HTTP errors and I'm unsure why.

horsman

Posts: 11
Joined: Thu Sep 12, 2024 2:15 am

Post by horsman » Fri Oct 25, 2024 6:41 am
Since I can't get screenshots to upload, here's the Terminal copy:

Running altool at path '/Applications/Xcode.app/Contents/SharedFrameworks/ContentDeliveryServices.framework/Frameworks/AppStoreService.framework/Support/altool'...
2024-10-24 12:38:43.133 *** Error: altool: option '-' is unknown: ignored

2024-10-24 12:38:43.136 *** Error: altool encountered an error. No command argument was specified. Use -h for help. (-1003)
{
NSLocalizedDescription = "altool encountered an error.";
NSLocalizedFailureReason = "No command argument was specified. Use -h for help.";
}
2024-10-24 12:38:43.137
usage: altool --upload-package <file> --type <platform> --asc-public-id <id> --apple-id <id>
--bundle-version <version> --bundle-short-version-string <string>
--bundle-id <id>
{-u <username> [-p <password>] | --apiKey <api_key> --apiIssuer <issuer_id>}
altool --validate-app -f <file> -t <platform>
{-u <username> [-p <password>] | --apiKey <api_key> --apiIssuer <issuer_id>}
altool --list-apps
{-u <username> [-p <password>] | --apiKey <api_key> --apiIssuer <issuer_id>}
altool --list-providers
{-u <username> [-p <password>] | --apiKey <api_key> --apiIssuer <issuer_id>}
altool --store-password-in-keychain-item <keychain_item_name> -u <username> -p <password>
[--keychain <filename> | --sync]
altool --upload-hosted-content <file> --sku <sku> --type <platform> --product-id <id> --asc-public-id <id>
{-u <username> [-p <password>] | --apiKey <api_key> --apiIssuer <issuer_id>} [DEPRECATED]
altool --upload-app -f <file> -t <platform>
{-u <username> [-p <password>] | --apiKey <api_key> --apiIssuer <issuer_id>} [DEPRECATED]

NOTE: altool no longer supports notarization. Use notarytool to notarize apps.
XXXXXXXXX-RH-VJG24WXGX5-MBP-2023M2Max-12C38C-64GB-1TB ~ %


And then when I change altool for notarytool:

Last login: Thu Oct 24 12:38:09 on ttys000
XXXXXXXXX-RH-VJG24WXGX5-MBP-2023M2Max-12C38C-64GB-1TB ~ % xcrun notarytool --notarize-app \
--primary-bundle-id "com.sparklabs.pkg.ViscosityInstaller" \
--username "XXXXXXXXX" \
--password "XXXXXXXXX" \
--asc-provider "XXXXXXXXX" \
--file "/Users/rhorsman/Desktop/Viscosity/Viscosity Installer/build/Viscosity Installer Signed.pkg"
Error: Unknown option '--notarize-app'
Usage: notarytool <subcommand>
See 'notarytool --help' for more information.
XXXXXXXXX-RH-VJG24WXGX5-MBP-2023M2Max-12C38C-64GB-1TB ~ %


(Personal information replaced with XXXXXXXXX)

horsman

Posts: 11
Joined: Thu Sep 12, 2024 2:15 am

Post by horsman » Sat Oct 26, 2024 4:56 am
Never mind. If I distribute the package through my MDM the signed package works just fine and doesn't need to be notarized. Now I just need to sort out what I did wrong as no connections were included in the install.

horsman

Posts: 11
Joined: Thu Sep 12, 2024 2:15 am

Post by horsman » Sat Oct 26, 2024 11:07 am
I feel like every time I take a step forward, I take another step back.

No matter what I do I cannot get the installer to install any bundled connections on my test machine. It always shows 0 Connections, and when I go to Application Support>Viscosity>OpenVPN the folder is empty.

Here is what my folder structure looks like before I run Viscosity Installer.pkgproj (sorry, I cannot attach images, constantly get a HTTP error)

Connections
- Empty

Connections-Append:
1> ca.crt
ta.key
config.conf

Connections-Overwrite
- Empty

MenuItems
- Empty

com.viscosityvpn.Viscosity.plist
Here's what's in there. I removed any "ConnectionOrder" reference:

?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>FirstRun</key>
<false/>
<key>License</key>
<string>REMOVED THIS INFO FOR THIS POST=</string>
<key>MenuBarIcons</key>
<string>Default Colored</string>
<key>SUAutomaticallyUpdate</key>
<true/>
<key>SUEnableAutomaticChecks</key>
<true/>
<key>StartAtLogin</key>
<true/>
</dict>
</plist>

If it helps, here is the contents of the config.conf file:

#viscosity name REMOVED FOR PRIVACY
#viscosity protocol openvpn
#viscosity startonopen false
#viscosity usepeerdns false
#viscosity dns automatic
#viscosity dnsserver 8.8.8.8
#viscosity dnsserver 8.8.4.4
#viscosity autoreconnect true
#viscosity dhcp true
remote REMOVED FOR PRIVACY 1194 udp
nobind
dev tun
redirect-gateway def1 ipv6
persist-tun
persist-key
compress lzo
pull
auth-user-pass
tls-client
ca ca.crt
tls-auth ta.key 1
auth SHA512
cipher AES-256-CBC
reneg-sec 0

For what it's worth, I've also tried moving the contents of Connection-Append to the other Connection folders and have also had no luck.

I notice that I can export a connection directly out of Viscosity>Settings. Should I be doing something with that?

James

User avatar
Posts: 2372
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Mon Oct 28, 2024 6:44 pm
Never mind. If I distribute the package through my MDM the signed package works just fine and doesn't need to be notarized.
Glad to hear you found a solution. Just in case anyone else comes across this forum post with the same issue, the most recent version of Xcode requires "notarytool" be used instead. To use this command you must first store the Apple credentials to use in the Keychain using a command like so:
Code: Select all
xcrun notarytool store-credentials --apple-id "[email protected]" --team-id "ABCD1234AB" --password myApplePassword NotaryToolCreds

You can then notarize the package using a command like so:
Code: Select all
xcrun notarytool submit "/path/to/Viscosity Installer.pkg" --keychain-profile NotaryToolCreds --wait

No matter what I do I cannot get the installer to install any bundled connections on my test machine. It always shows 0 Connections, and when I go to Application Support>Viscosity>OpenVPN the folder is empty.
Please feel free to email us a copy of your bundled version (you can remove the Viscosity application itself to reduce the file size, but keep everything else in place and zip it up) and we can take a look and see what may be wrong for you. Our support email address can be found at https://www.sparklabs.com/support/#contact

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Bluesky: https://bsky.app/profile/sparklabs.com
15 posts Page 1 of 2