Easy Runtime Sign v3 - A helpful tool for codesigning and notarizing Filemaker Runtimes

Hi everyone,

today I'd like to introduce the new version of my tool Easy Runtime Sign v3 (EaRS). It's an open filemaker file that leads you through the process of codesigning and notarizing Runtimes and DMGs.

What it does:
As you might know all Runtimes, that have been created with FileMaker Pro must be codesigned – and since macOS Catalina – notarized in order to be executed on a Mac. To do so you have to run a few scripts in Terminal, each of which are rather complicated.
EaRS v3 takes you step by step through the process of running these scripts just by typing in the necessary information, such as your Developer ID, your Apple ID and so on. EaRS v3 uses your data to generate the correct scripts and hands them over to Terminal to be executed. Not more, not less.

Important note
All the scripts that are being used have been developed and kindly made available by Christian Schmitz, the developer of the MBS Plugin. Though you don't need a MBS Plugin in order to run EaRS v3, I highly recommend to buy (or at least try) the MBS Plugin from Christian (who is in no way related to me personally), for it is indeed an indispensable tool when it comes to Filemaker developing. Thank you Christian for driving the Community forward!

What you need in any case is the free BaseElements plugin to run EaRS v3!

Troubleshooting
Included in EaRS v3 you will find a short description as well as a troubleshooting section with known problems and solutions that might occur during executing the scripts.

Disclaimer
The tool comes with no guarantee or support whatsoever. It has successfully been tested by me and others (thank you Holger Herbst) under macOS Mojave and Catalina with FileMaker Pro 16, 17 and 18.

If you have questions feel free to post them here. I will try to answer them as good as I can. But please keep in mind, that I'm not a professional when it comes to Terminal scripting. I just made using the provided scripts simpler.

Thomas

Version 3.4
(2020-06-22)

• All libraries will now be codesigned automatically: A new line has been added to every Codesigning script (FMP 16, 17 and 18), that automatically signs every existing library in the runtime's extensions folder.
• The "Start script" script now deactivates the "Codesign library" menu item (no longer required).
• The Button to activate the menu item "Codesign library" in the home screen has been removed (no longer required).

Version 3.3
(2020-06-22)

• The Codesigning Script for FM 12 to 16 now uses option "-deep --force" to sign the XPCServices Content in order to avoid the error "The signature algorithm used is too weak." from Apples notarizing process.

• New additional solution for Error ""The signature algorithm used is too weak.""

Version 3.1
(2019-11-21)

• New additional solution for Error "rejected source=no usable signature"

• Script "Select DMG" now also allows ".pkg" as extention.

• New Script: "Export Entitlement"

• In order for Runtimes to be enabled to send E-Mails under macOS Catalina Runtimes must be entitled to do so.

Therefore the line

"codesign -f -vvvv --options runtime -s "Developer ID Application: Christian Schmitz Software GmbH" --entitlements /path/to/Runtime.entitlements test.app"

in the Codesigning Scripts is no longer optional.

• The FMScript "Codesign Runtime" now exports a text file named "[NameOfYourSolution].entitlements" to the desktop that is being used in the Codesigning Script to entitle the Runtime.

EasyRuntimeSign v3.4.fmp12 (1.0 MB)

thank you very much for this tool!
It took me several attempts and rejections. I don’t know how I did it.
This is for a " .pkg" installer file created with Apple PackageMaker:

Notarized.png775×791 56.4 KB

Has anybody worked this out with
send Email
doesn’t work with a Runtime when CodeSigned?

I haven't updated Easy Runtime Sign yet, but this should easily to be fixed with the explanation in the German FMM Forum:

Hello There,

First thanks to all. It is fantastic to share this kind of tool.

I also have problem with it.

When i try to code sign the Runtime using EasyRuntime Sign, the verification is failing : “source=no usable signature”

BUT If i use Christian’s script, as i did since years, it works as expected.

And well obviously i get my private key correctly displayed in Keychain.

Note i use a 16.0.5 Runtime.

So i bypassed this step, used the original christian script, and was able to send my Notarization request using your app and received Apple confirmation as Benjamin.

But unfortunately, the final step, notarization of the DMG, the verification also failed with the same error, which is, well, logical.

Maybe i misentered a data ? I was surprised by the Developer ID placeholder which say “123456XXX”.

My developer ID is more like ABC1234DEF

Finally i wanted to follow the link above but don’t know if it is because it is in deutsch, tried Google Translate but cannot follow the steps.

Would be great to have some insights.

Thanks,
Feed

Hi Fred,

what version macOS and XCode do you use?
Is the Developer ID bound to your XCode?
I also got that message because I initialized a new version of XCode - older ones don’t have the tools included for notarization - so I had to move to Mojave and to re-link the Apple certificates from my keychain into XCode
That did it for me

Hope that helps
Holger

Hi Holger,

Your assumptions are correct : i used version 11 of Xcode but had not registered my Apple ID on this version.

Thanks a lot for your help. Notarization of DMG now worked.

What is still unclear to me is if it would have been possible to notarize a 16.0.5 Runtime. Because i was able to use the EasyRuntimeSign v3 to code sign and notarize the 18.0.3 Runtime but code signing the 16.0.5 failed.

I saw that the signing scripts from Christian are specific to 12-16, 17 and 18.

So i suppose EasyRuntime always use 18 scripts and that is the reason why it fails with 16.

I also saw Christian’s article about hardened runtimes.

But do you know if it is theoretically possible ?

I can imagine that deploying for Catalina is better with 18.0.3 but it will also break compatibility with El Capitan and Sierra. So that is why i am hesitating…

Fred

EDIT : Sorry, i did not do my homework ! Using FMPA 16 to execute Easy Runtime did the trick for codesigning the 16.0.5 Runtime. I will proceed to the next steps !

Signing FMP 16 Runtimes shouldn’t be a problem with EaRS. I still use FMP 16 Runtimes too for the same reason you mentioned.

EaRS uses 3 different scripts for signing FMP 16, 17 and 18 Runtimes. You can see them when you go to layout mode. The scripts are stored in yellow text blocks to the right from the visible layout.

The problem that you experienced can occurr when you use a different FMP version for EaRS than your Runtime. Try to use EaR with FMP 16 if your Runtime is made with FMP16. Because the script that is being used checks for the FMP Version only, not the version of the Runtime.

Yes you are right. I realised that just after posting so i tested it and edited my original message accordingly.

Sorry. I think i was a bit tired by all the tests i did before succeeding…

No Problem. My answer might be a helpful piece of information for others as well.

Hi, I now a have a problem to notarize a new version of my app. Last step !!!

The only difference is that i now include MBS plugin on my solution.

Still v16.0.5

Any idea ?
Is there a new version of EasyRuntime ?

Apple says :

Dear Frédéric,

The Mac software that you uploaded was not notarized. Please review the notarization log with Xcode or altool, address the issues it shows, and upload your software again.

Bundle Identifier: com.filemaker.client.runtime12.ComptaBase
Request Identifier: ba2b6e1b-5225-401f-ae4e-ba923c8457a9

For troubleshooting help:
Learn how to view the log.
Read Notarizing your app before distribution.
Read Resolving common notarization issues.
If you still have questions, sign in to your developer account and submit a Technical Support Incident. Make sure to reference the request identifier in the description you provide.

Best Regards,
Apple Developer Relations

Did you Rea the details on the results?

If you include MBS Plugin, please codesign it with your certificate.

OK you are right i: had let the original signature intially.

But reprocessed all and still get the reject. I am deserpated. Hours and hours as usual....

Here is the message detail :
Last login: Wed Jul 1 18:25:27 on ttys007
MBP-de-Fred:~ fred$ xcrun altool --notarization-info 26524192-a70b-49ce-b4c5-1b68f27f16c4 -u comptabase_sarl@me.com -p afmz-xbwp-cuar-cmiy
No errors getting notarization info.

      Date: 2020-07-01 16:25:48 +0000
      Hash: e9e5f8024af2415b3ab9e7d0b63c3716a428225c27b52a19a1ade07dea8e5076
LogFileURL: https://osxapps-ssl.itunes.apple.com/itunes-assets/Enigma124/v4/5f/53/58/5f535828-0dca-3fd6-673f-4963dd858ff7/developer_log.json?accessKey=1593815398_8317944568256063290_Wa6o1fyrkZvVUJ0RlJ9ORHisasB5efbCr%2FROr7cDfZ3SE3itTWFiicnQZ8YD2YWoebVKGJjTvV4QGPjgU0XNcWTGcUTFLocmvywV8XH0chWLUoFhWTQzxHgw5nVBm2xPRWGHvfoMqKLCvGJzMVlh6hDLKl731jidHcfYmN6%2BBUk%3D

RequestUUID: 26524192-a70b-49ce-b4c5-1b68f27f16c4
Status: invalid
Status Code: 2
Status Message: Package Invalid

MBP-de-Fred:~ fred$

Hi Fred,

did you try on Sierra, High Sierra, Mojave, Catalina?
We had problems with FM16 runtimes on Catalina lately.
Thomas aka Cheesus has built a version 3.3 which solves it.
if you are for some reason registered at the FileMaker-Magazin Forum (german only)
https://filemaker-magazin.de/service/wissensdatenbank/269/
is the entry where you can find the latest release
just follow the discussion there

Thanks ! Well i do not speak german. But i use mojave with my 16.0.5. I will first try to remove MBS to see if it is related to the external library and then i will… continue to sleep 3 hours by day

I uploaded the newest Version 3.3 of EaRS (Easy Runtime Sign). You find it in the original post above.

Thomas

Thanks cheeses i am trying !

PS: if it succeed tell me you adress by PV and i will send you a gift. If not i am turning mad.

It worked

I uploaded a new Version of EaRS v3.4.

Changes:
• All libraries will now be codesigned automatically: A new line has been added to every Codesigning script (FMP 16, 17 and 18), that automatically signs every existing library in the runtime's extensions folder.
• The "Start script" script now deactivates the "Codesign library" menu item (no longer required).
• Therefore the button to activate the menu item "Codesign library" in the home screen has been removed.

Thanks for this tool. I expect I'll use it soon.
About your comment: ," I hardly recommend to buy (or at least try) the MBS Plugin", I presume you meant either 'I heartily recommend..." or "I highly recommend...".