Notarizing Pencil2D macOS app before distribution

Open chchwy opened this issue 6 months ago • 4 comments

Apple's security policies have become stricter in recent macOS updates, making it increasingly difficult to launch Pencil2D downloaded from the internet without notarization.

This creates inconvenience for users, who now need to manually go to System Settings > Privacy & Security and allow Pencil2D to open.

Reference: https://developer.apple.com/documentation/security/notarizing-macos-software-before-distribution

  • [ ] Purchase Apple Developer Program
  • [ ] Implement Notarization in GitHub Actions

chchwy avatar Jun 19 '25 04:06 chchwy

Excellent initiative Matt! I agree it's become more and more difficult to run non-notarized applications on macOS.

How can we help with the cost of this? As I recall, it's 99 USD a year.

And will the account be listed as a personal one or organization?

MrStevns avatar Jun 19 '25 05:06 MrStevns

I am going to pay the annual fee myself this time.

Please correct me if I am wrong, it seems that we can only do a personal account since we are not a real nonprofit organisation/entity.

For the cost, I am considering accepting donations (not decided yet, just in my mind) to cover some basic operation expenses, such as website maintenance (thanks @J5lx!), Windows codesign, and the Apple developer program.

chchwy avatar Jun 19 '25 05:06 chchwy

Fwiw although it’s been a while and I don’t know if it’s still true, I’m pretty sure @scribblemaniac mentioned at some point that he already had a developer license and intended to use it to sign Pencil2D as well.

J5lx avatar Jun 19 '25 06:06 J5lx

Yes I have an Apple developer account and in fact the 0.7.0 legacy macOS release is already code signed with it (but not notarized as that forces linking for Mac OS X 10.9+, which is greater than the minimum supported version for the legacy build). I can go through the process manually for the upcoming release, but building a solution into GitHub Actions would be far more preferable as long as it can be done in a secure way. At some point I think I mentioned I wanted to set this up, but I do not have the time to figure it out right now and it is difficult for me to test without mac hardware of my own. So if anyone else wants to take this project on please go ahead and I will do whatever is necessary on my end to get it working.

> Please correct me if I am wrong, it seems that we can only do a personal account since we are not a real nonprofit organisation/entity.

That is correct, we would need to have a legal entity unfortunately.

scribblemaniac avatar Jun 19 '25 07:06 scribblemaniac

A quick update. Two days ago, I successfully submitted our first Pencil2D notarization, and it just took ages to finish. I literally mean it because it was still in progress this morning when I checked it:

    --------------------------------------------------
    createdDate: 2025-08-16T16:09:12.862Z
    id: ec52af73-b658-4dbb-a124-dc3c5678328a
    name: Pencil2D.zip
    status: In Progress
    --------------------------------------------------
    createdDate: 2025-08-16T16:08:53.540Z
    id: adb3bd6d-021e-4c15-8451-6cb358c99c63
    name: Pencil2D.zip
    status: In Progress

Someone on the internet said the first notarization submission may take longer. So let's wait and see.

chchwy avatar Aug 18 '25 01:08 chchwy

Surprisingly, the notarizations were all accepted this morning, after around 3 days. I will open a PR.

chchwy avatar Aug 19 '25 03:08 chchwy

The PR is opened: #1927

chchwy avatar Aug 21 '25 05:08 chchwy

The Pencil2D mac app was successfully notarized.

https://github.com/pencil2d/pencil/actions/runs/17273817797/job/49025347234

    Run echo "Submitting to Apple for notarization..."
    Submitting to Apple for notarization...
    Conducting pre-submission checks for app_notarization.zip and initiating connection to the Apple notary service...
    Submission ID received
      id: bfdeac65-4777-487d-bcd0-b49f2634dc6c
    Successfully uploaded file
      id: bfdeac65-4777-487d-bcd0-b49f2634dc6c
      path: /Users/runner/work/pencil/pencil/app_notarization.zip
    Waiting for processing to complete. Wait timeout is set to 900.0 second(s).
    Current status: In Progress...
    Current status: In Progress....
    Current status: In Progress.....
    Current status: In Progress......
    Current status: In Progress.......
    Current status: In Progress........
    Current status: In Progress.........
    Current status: In Progress..........
    Current status: In Progress...........
    Current status: In Progress............
    Current status: Accepted.............Processing complete
      id: bfdeac65-4777-487d-bcd0-b49f2634dc6c
      status: Accepted
    Run echo "Stapling notarization ticket to app..."
    Stapling notarization ticket to app...
    Processing: /Users/runner/work/pencil/pencil/app_notarization/Pencil2D.app
    Processing: /Users/runner/work/pencil/pencil/app_notarization/Pencil2D.app
    The staple and validate action worked!
    Verifying notarization...
    ./app_notarization/Pencil2D.app: accepted
    source=Notarized Developer ID
    App is properly notarized and ready for distribution!

chchwy avatar Aug 27 '25 17:08 chchwy
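
As an added example (not part of the thread and not Pencil2D's workflow code), a fail-closed release gate over output in the format of the log above: it passes only when a single submission reached `status: Accepted` and the assessment reports `source=Notarized Developer ID`. The function names and the sample input are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not Pencil2D's workflow code): fail-closed release gate that
# reads captured notarization output in the format of the CI log above.

# Print the final "status:" value; fail unless exactly one submission id appears.
final_notary_status() {
  local log="$1" ids final
  ids=$(printf '%s\n' "$log" |
    sed -n 's/^ *id: *\([0-9a-fA-F-]\{36\}\) *$/\1/p' | sort -u)
  [ -n "$ids" ] || return 1
  [ "$(printf '%s\n' "$ids" | grep -c .)" -eq 1 ] || return 1
  final=$(printf '%s\n' "$log" |
    sed -n 's/^ *status: *\(.*[^ ]\) *$/\1/p' | tail -n 1)
  [ -n "$final" ] || return 1
  printf '%s\n' "$final"
}

# Succeed only when the assessment says "accepted" AND names a notarized
# Developer ID source; an app that is signed but not notarized fails here.
gatekeeper_ok() {
  printf '%s\n' "$1" | grep -Eq ': accepted$' || return 1
  printf '%s\n' "$1" | grep -Fxq 'source=Notarized Developer ID'
}

# release_gate NOTARY_LOG ASSESSMENT: exit status 0 means safe to publish.
release_gate() {
  local final
  final=$(final_notary_status "$1") ||
    { echo "gate: no single submission id and status" >&2; return 1; }
  [ "$final" = "Accepted" ] ||
    { echo "gate: notary status is '$final'" >&2; return 1; }
  gatekeeper_ok "$2" ||
    { echo "gate: not assessed as a notarized Developer ID app" >&2; return 1; }
}

# Constructed sample input (placeholder UUID), shaped like the log above.
SAMPLE_LOG='Submission ID received
  id: 00000000-0000-4000-8000-000000000000
Current status: In Progress...
Current status: Accepted....Processing complete
  id: 00000000-0000-4000-8000-000000000000
  status: Accepted'
SAMPLE_ASSESS='./app_notarization/Pencil2D.app: accepted
source=Notarized Developer ID'

release_gate "$SAMPLE_LOG" "$SAMPLE_ASSESS" && echo "gate: ok to publish"
```

A submission that is still `In Progress` when the wait timeout expires has no final `status: Accepted` line, so the gate blocks the release instead of publishing an unnotarized build.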

I just downloaded pencil2d-mac-x86_64-0.7.1.1178.zip and didn't see the security warning when launching the app.

chchwy avatar Aug 27 '25 17:08 chchwy

For the record @chchwy, why did you not want to use the developer account I already had?

scribblemaniac avatar Sep 06 '25 09:09 scribblemaniac

> For the record @chchwy, why did you not want to use the developer account I already had?

Hey @scribblemaniac, I think it's simply because I knew too little about notarization initially. At the beginning, I didn't even know what I needed to ask from you to use your developer account. I spent a couple of days building the process from scratch and figuring out the requirements through lots of trial and error and back and forth on the Apple developer website and my MacBook.

chchwy avatar Sep 21 '25 15:09 chchwy