What Needs Code Signing:
Binary Executables ✅
executables/mac/ACCID ← PyInstaller binary, MUST be signed
Why? macOS Gatekeeper checks compiled binaries for code signatures.
Shell Scripts ❌
Mac_Launcher_Wrapper.sh ← Plain text bash script, DON'T sign
Why? Shell scripts are just text files! They don’t need code signing.
The Workflow:
1. User double-clicks Mac_Launcher_Wrapper.sh
↓
First time: Right-click → Open (handles quarantine)
↓
2. Script removes quarantine from itself and ACCID
xattr -d com.apple.quarantine "$0"
xattr -d com.apple.quarantine ACCID_SINGLE/executables/mac/ACCID
↓
3. Script runs: ./executables/mac/ACCID
↓
macOS checks: "Is this binary signed and notarized?"
↓
YES! ✅ Runs without warnings
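As an added example (not the project's original launcher), a version of Mac_Launcher_Wrapper.sh that performs steps 2 and 3 above but checks the binary's signature and Gatekeeper's own assessment first, so a tampered or unsigned binary is never un-quarantined or launched; it assumes the folder layout shown above and macOS's stock bash.

```bash
#!/bin/bash
# Mac_Launcher_Wrapper.sh, rewritten as an example: verify the signed binary
# before touching quarantine, then exec it. (Not the project's original script.)
set -e

BIN_REL="executables/mac/ACCID"   # layout from the workflow above

# Directory the script lives in, so a Finder double-click works no matter
# what the current working directory is.
script_dir() {
  cd "$(dirname "$0")" && pwd
}

# Succeed only if the binary has a valid Developer ID signature and
# Gatekeeper's own assessment accepts it (signature plus notarization).
verify_binary() {
  bin="$1"
  [ -x "$bin" ] || { echo "launcher: $bin missing or not executable" >&2; return 1; }
  codesign --verify --strict "$bin" 2>/dev/null \
    || { echo "launcher: signature check failed for $bin" >&2; return 1; }
  spctl --assess --type execute "$bin" 2>/dev/null \
    || { echo "launcher: Gatekeeper rejected $bin" >&2; return 1; }
}

# Drop the quarantine flag only from files that have just been verified.
clear_quarantine() {
  for f in "$@"; do
    # xattr -d fails when the attribute is already absent; that is fine here
    xattr -d com.apple.quarantine "$f" 2>/dev/null || true
  done
}

main() {
  dir="$(script_dir)"
  bin="$dir/$BIN_REL"
  verify_binary "$bin" || exit 1      # never un-quarantine an unverified binary
  clear_quarantine "$0" "$bin"
  cd "$dir"
  exec "$bin" "$@"
}

# Dispatch only when run as the launcher itself, so the functions can be sourced.
case "${0##*/}" in Mac_Launcher_Wrapper.sh) main "$@" ;; esac
```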
Why Not Sign the Script?
You CAN sign shell scripts, but:
- macOS doesn’t enforce code signing on scripts the same way
- Scripts are text interpreted by bash, not compiled executables
- The quarantine mechanism (xattr) is what matters for scripts
- Signing adds no benefit
Why Not Sign the Folder?
You can’t “sign a folder” directly.
You can sign:
- ✅ Individual executables (what we did)
- ✅ .app bundles (special folder structure)
- ✅ .pkg installers
- ❌ NOT regular folders
Could We Make a .app Bundle Instead?
YES! Then you’d sign the whole thing:
ACCID.app/
├── Contents/
│ ├── MacOS/
│ │ └── launcher (script inside)
│ └── Info.plist
# Sign the whole bundle:
codesign --sign "Developer ID" ACCID.app
But we avoided .app because:
- More complex structure
- More security prompts
- You wanted to keep it simple
The Answer:
We only sign the ACCID executable because:
- That’s the only compiled binary that needs signing
- The launcher script is just text (doesn’t need signing)
- Folders can’t be signed (only .app bundles can)
- macOS only enforces code signing on executables, not scripts
The launcher script handles its own quarantine with xattr -d, which is the right approach for scripts!
TL;DR: Sign binaries, not scripts. Scripts handle quarantine with xattr. It’s working as designed! ✅
🚀 ACCID Code Signing & Notarization – Complete Guide
Developer: Shawn Palmer
Team ID: 2SN54V9RU9
Certificate: Developer ID Application: Shawn Palmer (2SN54V9RU9) ✅
✅ Prerequisites (Already Done!)
- [x] Apple Developer Program membership ($99/year)
- [x] Developer ID Application certificate installed
- [x] Certificate verified:
security find-identity -v -p codesigning
Step 1: Sign Your Executable 🔏
cd /Volumes/SpiffyMagic/ACCID/ACCID_SINGLE
# Sign the ACCID executable
codesign --sign "Developer ID Application: Shawn Palmer (2SN54V9RU9)" \
--timestamp \
--options runtime \
executables/mac/ACCID
# Verify it worked
codesign -v executables/mac/ACCID
Expected output:
executables/mac/ACCID: valid on disk
executables/mac/ACCID: satisfies its Designated Requirement
Flags explained:
- --timestamp – Embeds Apple’s timestamp (required for notarization)
- --options runtime – Enables hardened runtime (required for notarization)
Step 2: Create App-Specific Password 🔑
You need this ONCE for notarization:
- Go to: https://appleid.apple.com/account/manage
- Sign in with your Apple ID (apple@shawneee.com)
- Under “Security” → Click “App-Specific Passwords”
- Click “+” to generate a new one
- Name it: “ACCID Notarization”
- COPY THE PASSWORD! (You can’t see it again – save it somewhere!)
Format: xxxx-xxxx-xxxx-xxxx (16 characters with dashes)
Step 3: Package for Notarization 📦
cd /Volumes/SpiffyMagic/ACCID/ACCID_SINGLE
# Create a zip of the signed executable
ditto -c -k --keepParent executables/mac/ACCID ACCID.zip
Why zip? Apple requires executables to be in a container (zip, dmg, or pkg) for notarization.
This creates: ACCID.zip containing your signed executable
Step 4: Submit for Notarization 📤
xcrun notarytool submit ACCID.zip \
--apple-id apple@shawneee.com \
--team-id 2SN54V9RU9 \
--password YOUR-APP-SPECIFIC-PASSWORD \
--wait
Replace YOUR-APP-SPECIFIC-PASSWORD with the password from Step 2!
The --wait flag makes it wait for the result (takes 5-10 minutes)
Expected output:
Conducting pre-submission checks for ACCID.zip...
Submission ID received
id: abc-123-def-456-789
Successfully uploaded file
id: abc-123-def-456-789
path: /path/to/ACCID.zip
Waiting for processing to complete...
Current status: In Progress............
Current status: Accepted ✅
The software has been notarized.
If it fails: See troubleshooting section at bottom
Step 5: Staple the Notarization 📎
# Check the notarization info (use your submission ID)
xcrun notarytool info {submissionID} \
--apple-id apple@shawneee.com \
--team-id 2SN54V9RU9 \
--password {APP-PASSWORD}
# Staple the approval to the executable
xcrun stapler staple executables/mac/ACCID
# Verify it worked
xcrun stapler validate executables/mac/ACCID
Expected output:
Processing: executables/mac/ACCID
The staple and validate action worked!
What stapling does: Embeds the notarization ticket in the file so it works offline.
Step 6: Test It! 🧪
# Simulate a fresh download (adds quarantine)
xattr -c executables/mac/ACCID
xattr -w com.apple.quarantine "0081;00000000;Chrome;" executables/mac/ACCID
# Try to run it
./executables/mac/ACCID
Expected result: Launches without scary warnings! ✅
Or double-click it in Finder:
- First time: “Are you sure you want to open?” → Click “Open”
- After that: Opens normally
Step 7: Distribute! 🎉
Your executable is now:
- ✅ Signed with your Developer ID
- ✅ Notarized by Apple
- ✅ Stapled with approval ticket
- ✅ Ready to ship!
Create Distribution Package:
cd /Volumes/SpiffyMagic/
# Option A: DMG (recommended for Mac)
hdiutil create -volname "ACCID v1.0" \
-srcfolder ACCID/ \
-ov \
-format UDZO \
ACCID-v1.0.dmg
# Option B: tar.gz (preserves permissions)
tar -czf ACCID-v1.0.tar.gz ACCID/
# Option C: ZIP (works but less ideal for Mac)
zip -r ACCID-v1.0.zip ACCID/
🎯 Your Friends’ Experience
With signed & notarized app:
1. Download ACCID-v1.0.dmg
2. Double-click to mount
3. Double-click Mac_Launcher_Wrapper.sh (or Start_ACCID.command)
4. First time: Click "Open" on the prompt
5. ACCID launches! ✅
6. Every time after: Just double-click!
NO MORE:
- ❌ “Cannot verify developer”
- ❌ “Malicious software” warnings
- ❌ “Move to Trash” prompts
- ❌ Right-click → Open workarounds
- ❌ Security hell!
🔄 For Future Updates
Every time you rebuild ACCID, repeat these steps:
cd /Volumes/SpiffyMagic/ACCID/ACCID_SINGLE
# 1. Sign
codesign --sign "Developer ID Application: Shawn Palmer (2SN54V9RU9)" \
--timestamp \
--options runtime \
executables/mac/ACCID
# 2. Zip
ditto -c -k --keepParent executables/mac/ACCID ACCID.zip
# 3. Notarize
xcrun notarytool submit ACCID.zip \
--apple-id apple@shawneee.com \
--team-id 2SN54V9RU9 \
--password YOUR-APP-SPECIFIC-PASSWORD \
--wait
# 4. Staple
xcrun stapler staple executables/mac/ACCID
# 5. Clean up
rm ACCID.zip
# 6. Distribute!
cd /Volumes/SpiffyMagic/
hdiutil create -volname "ACCID v1.0" -srcfolder ACCID/ -ov -format UDZO ACCID-v1.0.dmg
Total time per update: ~10 minutes (mostly waiting for notarization)
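As an added example that is not the project's own script, a release script covering Steps 1 to 5 and the update loop above. It keeps the app-specific password out of the command line and shell history by using a notarytool keychain profile (the profile name ACCID-notary is assumed, created once with xcrun notarytool store-credentials), checks locally for the missing-flag errors the troubleshooting section lists before uploading, and refuses to staple unless Apple reports the submission as Accepted.

```bash
#!/bin/bash
# release.sh (added example, not the project's own script): sign, check,
# notarize, staple and verify ACCID without passing the app-specific password
# on the command line. Assumes credentials were stored once in the keychain:
#   xcrun notarytool store-credentials "ACCID-notary" \
#       --apple-id apple@shawneee.com --team-id 2SN54V9RU9
set -e

ROOT="/Volumes/SpiffyMagic/ACCID/ACCID_SINGLE"
BIN="executables/mac/ACCID"
IDENTITY="Developer ID Application: Shawn Palmer (2SN54V9RU9)"
PROFILE="ACCID-notary"          # keychain profile name (assumed)

# notarytool --wait prints "status: Accepted" on success; anything else
# (Invalid, Rejected) must stop the release instead of being stapled.
notary_accepted() {
  printf '%s\n' "$1" | grep -q 'status: Accepted'
}

# Local checks that catch the troubleshooting-section failures before upload:
# valid signature, secure timestamp present, hardened runtime flag set.
check_signature() {
  bin="$1"
  codesign --verify --strict "$bin" || return 1
  info="$(codesign -dvv "$bin" 2>&1)"
  printf '%s\n' "$info" | grep -q 'Timestamp=' \
    || { echo "no secure timestamp: re-sign with --timestamp" >&2; return 1; }
  printf '%s\n' "$info" | grep -q 'flags=.*runtime' \
    || { echo "hardened runtime off: re-sign with --options runtime" >&2; return 1; }
}

release() {
  cd "$ROOT"
  trap 'rm -f ACCID.zip' EXIT   # never leave the upload zip behind
  codesign --sign "$IDENTITY" --timestamp --options runtime "$BIN"
  check_signature "$BIN"
  ditto -c -k --keepParent "$BIN" ACCID.zip
  out="$(xcrun notarytool submit ACCID.zip --keychain-profile "$PROFILE" --wait)"
  printf '%s\n' "$out"
  notary_accepted "$out" \
    || { echo "not accepted; inspect with: xcrun notarytool log <id> --keychain-profile $PROFILE" >&2; return 1; }
  xcrun stapler staple "$BIN"
  xcrun stapler validate "$BIN"
  spctl --assess --type execute -v "$BIN"   # Gatekeeper's own verdict, offline
}

case "${0##*/}" in release.sh) release ;; esac
```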
🆘 Troubleshooting
If Notarization Fails:
Get the detailed log:
xcrun notarytool log SUBMISSION-ID \
--apple-id apple@shawneee.com \
--team-id 2SN54V9RU9 \
--password YOUR-APP-SPECIFIC-PASSWORD
Common issues:
- “The binary is not signed with a valid Developer ID”
  - Missing --timestamp flag when signing
  - Re-sign with the correct flags
- “The signature does not include a secure timestamp”
  - Missing --timestamp flag
  - Re-sign with --timestamp
- “The executable does not have the hardened runtime enabled”
  - Missing --options runtime flag
  - Re-sign with --options runtime
- “Invalid password”
  - Wrong app-specific password
  - Generate a new one and try again
- “Asset validation failed”
  - File wasn’t packaged correctly
  - Use ditto -c -k --keepParent exactly as shown
💾 Save Your Credentials
For future reference, save these:
Apple ID: apple@shawneee.com
Team ID: 2SN54V9RU9
Certificate: Developer ID Application: Shawn Palmer (2SN54V9RU9)
App-Specific Password: xxxx-xxxx-xxxx-xxxx (from Step 2)
📋 Quick Reference Card
One-liner for future updates:
cd /Volumes/SpiffyMagic/ACCID/ACCID_SINGLE && \
codesign --sign "Developer ID Application: Shawn Palmer (2SN54V9RU9)" --timestamp --options runtime executables/mac/ACCID && \
ditto -c -k --keepParent executables/mac/ACCID ACCID.zip && \
xcrun notarytool submit ACCID.zip --apple-id apple@shawneee.com --team-id 2SN54V9RU9 --password YOUR-PASSWORD --wait && \
xcrun stapler staple executables/mac/ACCID && \
rm ACCID.zip && \
echo "✅ Done! Ready to distribute!"
Replace YOUR-PASSWORD with your app-specific password!
✅ Summary
What you accomplished:
- ✅ Paid Apple’s $99/year protection fee
- ✅ Got Developer ID certificate working
- ✅ Learned to sign executables
- ✅ Learned to notarize with Apple
- ✅ Learned to staple approvals
- ✅ Can now distribute without scary warnings!
What your friends get:
- ✅ One-click (or close to it) ACCID launch
- ✅ No Terminal commands needed
- ✅ No security workarounds
- ✅ Professional user experience
What it cost:
- 💰 $99/year
- ⏱️ ~3 days figuring it out
- 🧠 Deep understanding of Apple’s security theater
- 😤 Justified frustration with the system
Was it worth it?
- Your time is worth more than $99 ✅
- Your friends’ experience improved ✅
- You can now ship with confidence ✅
- You beat Apple’s security theater ✅
🎉 NOW GO SHIP IT!
You’ve got everything you need:
- Certificate installed ✅
- Signing command ready ✅
- Notarization process understood ✅
- Distribution strategy ready ✅
Time to make ACCID available to the world! 🚀
Made with ❤️ and 😤 (mostly 😤) after 3 days of fighting Apple’s security
“Nice app you got there… glad you paid us to let it run!” 🤌
# Check the notarization info (use your submission ID)
xcrun notarytool info ef1b5758-c480-4fc5-a8d4-8f3eaffa82d3 \
--apple-id apple@shawneee.com \
--team-id 2SN54V9RU9 \
--password YOUR-APP-PASSWORD
