I took notes during the "What's new in notarization for Mac apps" session. If interested, please see the attached "Notes from session": Notes from session For the session video, please see the following link: https://developer.apple.com/wwdc22/10109

Hello! I have a major problem, that I cannot find any solution at all. Yestarday I did package my software(AU/VST3) (.component)(.VST3) and I did notarize it succesfully with no issues. But as this was the software in the test phase, Todat I am trying to do the same for the original Builds from Xcode. And today as every step works just fine, I did archive and distribute , I did packages installer with no issue, but when I am trying to notirize the .pkg I get and Current Status : Invalid... and I cannot find a reasonable issue about this. Please any advice? This is nearly madness

Hello everyone, Issue: fail to notarize my application. usage: electron.js **debug log: ** {   "logFormatVersion": 1,   "jobId": "22136043-4cf2-49a9-8a27-90d045cd9345",   "status": "Invalid",   "statusSummary": "Archive contains critical validation errors",   "statusCode": 4000,   "archiveFilename": "WandDesktop.zip",   "uploadDate": "2022-05-24T09:20:02Z",   "sha256": "7a4f03eff95fc4e9c3ac0d93fd926ea4669e07ed40dffaa58f34a08238e3ecfe",   "ticketContents": null,   "issues": [     {       "severity": "error",       "code": null,       "path": "WandDesktop.zip/WandDesktop.app/Contents/MacOS/WandDesktop",       "message": "The signature of the binary is invalid.",       "docUrl": null,       "architecture": "x86_64"     }   ] } I've been trying to notarize for several days and constantly receiving the error above. path/to/Contents/MacOS/exec contains only the executable file. **entitlements: **   com.apple.security.cs.allow-jit         com.apple.security.cs.allow-unsigned-executable-memory         com.apple.security.cs.allow-dyld-environment-variables         com.apple.security.cs.disable-library-validation     **checked signature: ** WandDesktop.app: valid on disk WandDesktop.app: satisfies its Designated Requirement asar: true hardenedRuntime: true nested code: everything is packed correctly and separated to Resources/MacOS etc. Obviously I went through a lot of other related issues both from electron community and apple, but no solution works so far. Any lead would help, Best regards.

Hi, I have changed the Apple ID Password. After that I have created new app specific password as well. But after this I am not able to upload the package. I get the following error when I try the command on Terminal xcrun altool --list-providers -u Apple_ID -p app_specific_password 2022-05-31 14:41:22.660 altool[2828:53360] *** Error: Failed to retrieve providers info. 2022-05-31 14:41:22.660 altool[2828:53360] *** Error: code -1011 (Failed to authenticate for session: (     "Error Domain=ITunesConnectionAuthenticationErrorDomain Code=-22938 "Sign in with the app-specific password you generated. If you forgot the app-specific password or need to create a new one, go to appleid.apple.com" UserInfo={NSLocalizedRecoverySuggestion=Sign in with the app-specific password you generated. If you forgot the app-specific password or need to create a new one, go to appleid.apple.com, NSLocalizedDescription=Sign in with the app-specific password you generated. If you forgot the app-specific password or need to create a new one, go to appleid.apple.com, NSLocalizedFailureReason=App Store operation failed.}" ) Unable to list providers.) We are blocked because of this and any help is greatly appreciated. regards Prema Kumar

This post is part of a cluster of posts related to the trusted execution system. If you found your way here directly, I recommend that you start at the top. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" Don’t Run App Store Distribution-Signed Code App Store distribution-signed code is intended to be uploaded to the App Store. You can’t run it locally. Except when you can! To avoid confusing yourself, don’t attempt to run App Store distribution-signed code. Intended Purpose App Store distribution-signed code is intended to be uploaded to the App Store. When you upload code to the App Store, it checks the code’s signature as part of the distribution process. App Store distribution-signed code is not intended to be run locally. That’s what development-signed code is for! If you want to test your App Store product before shipping it to users: For day-to-day work, use Development distribution. For limited testing, use Ad Hoc or Enterprise distribution (not available on macOS) or Developer ID distribution (only available on macOS). For wider testing, use TestFlight. Note Not all capabilities are supported by Developer ID distribution. For the details, see Developer Account Help > Supported capabilities (macOS). macOS Gotcha Most Apple platforms completely block you from running App Store distribution-signed code. The exception here is macOS, which runs distribution-signed code under some circumstances. Specifically, macOS runs distribution-signed code if the code claims no restricted entitlements. If the code claims a restricted entitlement that claim must be authorised by a provisioning profile. It’s not possible to create a profile that does that: A macOS App Development or Developer ID profile never authorises the certificate from your distribution signing identity. A Mac App Store profile never authorises execution on your machine. The lack of a valid profile means that the restriction entitlement is not authorised and your app will crash on launch. For more details on what that crash looks like, see Resolving Code Signing Crashes on Launch. For detailed information about provisioning profiles, see TN3125 Inside Code Signing: Provisioning Profiles. Even though there are some cases where App Store distribution-signed code will run on the Mac, the general rule is the same there as it is for other platforms: Don’t run App Store distribution-signed code. Revision History 2022-06-01 Added App Store to the title to make the subject clearer. Made similar changes throughout the text. 2022-05-31 First posted.

Hi. I've read a lot of different topics on forums and websites about software signing and notarization, and there is progress, but I need some help. 1. From the beginning: I am building an application on a Jenkins server and downloading the file 'example_app.dmg'. I am enrolled in the Apple Developer Program. 2. Then I use the command to sign the software: codesign --force --sign "Developer ID Application: name_of_my_certificate_in_keychain (number)" example_app.dmg 3. Checking the status: spctl -a -t open -vvv --context context: primary-signature example_app.dmg Result: example_app.dmg: rejected source = Unnotarized Developer ID origin = Developer ID Application: name_of_my_certificate_in_keychain (number) Why is it rejected? 4. Then notarization: xcrun altool --notarize-app \ --primary-bundle-id "example" \ --username "my_AppleID" \ --password "@keychain: NOTARIZED" \ --file "example_app.dmg" NOTARIZED is in the keychain with the generated password on my Apple account. 5. I get: No errors uploading 'example_app.dmg'. RequestUUID = 'number_of_my_request' 6. I check the notarization status: xcrun altool --notarization-info "number_of_my_request" \ --username "my_AppleID" \ --password "@keychain: NOTARIZED" Result: No errors getting notarization info. Date: 2022-05-10 14:15:35 +0000 Hash: hash_number LogFileURL: link_to_log_file RequestUUID: number_of_my_request Status: invalid Status Code: 2 Status Message: Package Invalid Inside the log_file, a lot of files have a status like: The binary is not signed. The signature does not include a secure timestamp. The executable does not have the hardened runtime enabled. Am I doing something wrong or what can I do better? And how I can make empty line here (this forum)?

Is anyone else getting errors from notarytool today? I'm getting http 500 errors: xcrun notarytool history --keychain-profile "MY_NOTARY_CREDENTIALS" Error: HTTP status code: 500. Internal server error. Error communicating with authentication service. Please try again at a later time. Apple's web page says that all services are working.

Via jpackage from java jdk (17.0.2) we generated a .dmg on a Mac Monterey (12.3.1), including codesigning (using fresh Apple Development Id certificate). Then we notarized and stapled it and uploaded the resulting .dmg to our webserver. The problem: if downloaded the .dmg in the terminal app via curl -O https://xxxxx/my.dmg, click the downloaded .dmg and the application icon in the window that opens, the app starts as expected. if downloaded the .dmg via the same URL in a web browser (e. g. Safari or Chrome), click the downloaded .dmg and the application icon in the windows that opens, the dock icon keeps bumping and the app doesn't show up, without any error messages. For both downloads, spctl shows source=Notarized Developer ID, and no issues were reported in the notarytool log. Further, both downloads are binary equal. How comes that the "normal" download does not launch?

This post is part of a cluster of posts related to the trusted execution system. If you found your way here directly, I recommend that you start at the top. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" Resolving Gatekeeper Problems Gatekeeper strives to ensure that only trusted software runs on a user’s Mac. It’s important that your code pass Gatekeeper. If not, you’re likely to lose a lot of customers, and your users’ hard-won trust. There are three common Gatekeeper problems: App blocked by a dangling load command path Lack of notarisation Command-line tool blocked by Gatekeeper The first problem is by far the most common. For the details, see Resolving Gatekeeper Problems Caused by Dangling Load Command Paths. For general information about Gatekeeper, read Apple > Developer > Signing Mac Software with Developer ID and Apple > Support > Safely open apps on your Mac. IMPORTANT This post focuses on Developer ID-signed code. Gatekeeper should not block App Store apps. If an app downloaded from the App Store fails to run, it’s likely to be some other trusted execution issue. For more about this, read Resolving Trusted Execution Problems. Identifying a Notarisation Problem Gatekeeper requires that your app be notarised. If not, it will block the execution of your app with a generic, user-level message. If you find your app blocked by Gatekeeper, check if this is a notarisation issue by looking in the system log for an entry like this: type: info time: 2022-05-11 14:57:21.812176 -0700 process: syspolicyd subsystem: com.apple.syspolicy category: default message: ticket not available: 2/2/8b7410713591e6c79ea98f0132136f0faa55d22a Note If the ticket details show as <private>, enable private data in the system log. For information on how to do that, see Recording Private Data in the System Log. For general information about the system log, see Your Friend the System Log. The long hex number is the code directory hash, or cdhash, of the offending code. In this example, it’s the cdhash of the app itself: % codesign -d -vvv /Applications/NotNotarised.app … CDHash=8b7410713591e6c79ea98f0132136f0faa55d22a … However, in some cases it may be the cdhash of some library referenced by the app. For more information about cdhashes, see TN3126 Inside Code Signing: Hashes. Resolving a Notarisation Problem The obvious cause of this problem is that you haven’t notarised your app. For information on how to do that, see Notarizing macOS Software Before Distribution. If you have notarised your app and yet you still see this problem, something more subtle is happening. For example, your app might reference a dynamic library that wasn’t seen by the notary service. To investigate this: Fetch the notary log for your app. For advice on that, see Fetching the Notary Log. Confirm that the notary log matches the app you installed. Look in the notary log for the sha256 property. Its value is a SHA-256 hash of the file received by the notary service. Check that this matches the SHA-256 hash of the file you used to install your app. If not, see Hash Mismatch, below. Search the notary log for the cdhash value from the Gatekeeper log message. If the notary log doesn’t contain that cdhash, that code wasn’t included in the notarised ticket. It’s possible that you failed to submit the code to the notary service, that it was switched out with a different version after you notarised your app, that it was package in some way that the notary service couldn’t see it, or that something went wrong within the notary service. Hash Mismatch If you stapled your notarised ticket to the file used to install your app then the hashes in step 2 of the previous section won’t match. What to do depends on the file type: If the file used to install your app was a zip archive (.zip), you definitely have the wrong file. Zip archives don’t support stapling. If the file used to install your app was a signed disk image (.dmg), compare the disk image’s cdhash with the cdhash for the disk image in the notary log. If those match, you know you’re working with the same disk image. To dump a disk image’s cdhash, run the codesign tool as follows: % codesign -d -vvv DISK_IMAGE … CDHash=d963af703ac2e54af6609e9ad309abee7b66fae2 … Replace DISK_IMAGE with the path to your disk image. If the file used to install your app was a disk image but it wasn’t signed, switch to a signed disk image. It’s generally a better option. If the file used to install your app was an installer package (.pkg), there’s no good way to know if this is the correct package. In this case, modify your notarisation workflow to retain a copy of the file before it was modified by stapler. Tool Blocked by Gatekeeper If your product includes a command-line tool, you might notice this behaviour: When you double click the tool in Finder, it’s blocked by Gatekeeper. When you run the tool from within Terminal, it works. This is a known bug in macOS (r. 58097824). The issue is that, when you double click a tool in the Finder, it doesn’t run Gatekeeper’s standard execution logic. Rather, the Finder passes the tool to Terminal as a document and that opens a window (and associated shell) in which to run that document. This triggers Gatekeeper’s document logic, and that logic always blocks the tool. There are two ways around this: Embed your tool in an application. If the user runs the application first, Gatekeeper runs its normal application check. If the user allows the app to run, Gatekeeper records that decision and applies it to the app and any code within the app, including your tool. Install your tool using an installer package. When the user goes to install the package, Gatekeeper checks it. Assuming that check passes, Gatekeeper does no further checks on the content it installed.

This post is part of a cluster of posts related to the trusted execution system. If you found your way here directly, I recommend that you start at the top. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" Resolving App Sandbox Inheritance Problems If you’re creating a product with the App Sandbox enabled and it crashes with a trap within _libsecinit_appsandbox, it’s likely that you’re tripping over one of the following problems: Nonheritable entitlements Changing sandbox Nothing to inherit Nonheritable Entitlements The most common cause of this problem is also the most obscure. If you have a sandboxed app with an embedded program that you run as a child process, a crash in _libsecinit_appsandbox is most likely caused by the embedded program being signed with entitlements that can’t be inherited. Imagine an, SandboxInit, with an embedded helper tool, NotHeritable. When the app runs the helper tool as a child process, the helper tool crashes with a crash report like this: Exception Type: EXC_BAD_INSTRUCTION (SIGILL) … Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 libsystem_secinit.dylib … _libsecinit_appsandbox.cold.7 + 49 1 libsystem_secinit.dylib … _libsecinit_appsandbox + 2096 2 libsystem_trace.dylib … _os_activity_initiate_impl + 51 3 libsystem_secinit.dylib … _libsecinit_initializer + 67 4 libSystem.B.dylib … libSystem_initializer + 286 5 dyld … invocation function for block in dyld4::Loade… 6 dyld … invocation function for block in dyld3::MachO… 7 dyld … invocation function for block in dyld3::MachO… 8 dyld … dyld3::MachOFile::forEachLoadCommand(Diagnost… 9 dyld … dyld3::MachOFile::forEachSection(void (dyld3:… 10 dyld … dyld3::MachOAnalyzer::forEachInitializer(Diag… 11 dyld … dyld4::Loader::findAndRunAllInitializers(dyld… 12 dyld … dyld4::APIs::runAllInitializersForMain() + 38 13 dyld … dyld4::prepare(dyld4::APIs&, dyld3::MachOAnal… 14 dyld … start + 388 The helper tool has trapped within _libsecinit_appsandbox. Look at the entitlements of the helper tool: % codesign -d --entitlements - SandboxInit.app/Contents/MacOS/NotHeritable … [Dict] [Key] com.apple.security.app-sandbox [Value] [Bool] true [Key] com.apple.security.inherit [Value] [Bool] true [Key] com.apple.security.get-task-allow [Value] [Bool] true The com.apple.security.app-sandbox and com.apple.security.inherit entitlements are fine: They configure the program to inherit its sandbox from its parent. The problem is the com.apple.security.get-task-allow entitlement, which is not compatible with this sandbox inheritance. The com.apple.security.get-task-allow entitlement is often automatically injected by Xcode. For information on how to prevent this, see Embedding a Command-Line Tool in a Sandboxed App. Some entitlements are compatible with sandbox inheritance. Unfortunately that list of entitlements is not documented (r. 93582428). The most commonly use ones are the hardened runtime exception entitlements documented in Hardened Runtime. The other entitlements on the list are pretty obscure. Changing Sandbox Another cause of a trap within _libsecinit_appsandbox is the child process trying to set up its own sandbox. If a sandboxed process runs another program as a child process, that child process always inherits its sandbox from the parent. If the program’s executable is signed with com.apple.security.app-sandbox but not com.apple.security.inherit — that is, it tries to set up a new sandbox — it will crash in _libsecinit_appsandbox. A process is not allowed to change its sandbox. To check for this problem, look for the following in the crash report: Application Specific Signatures: SYSCALL_SET_PROFILE This indicates that the process tried to setup its sandbox profile but that failed, in this case because it already has a sandbox profile. To fix this problem, either: In the child, add the com.apple.security.inherit entitlement so that it inherits its sandbox from the parent. In the parent, run the program so that it’s not a child process. For example, you could launch it using NSWorkspace. Nothing to Inherit Another cause of a trap within _libsecinit_appsandbox is when a nonsandboxed process runs another program as a child process and that other program’s executable has the com.apple.security.app-sandbox and com.apple.security.inherit entitlements. That is, the child process wants to inherit its sandbox from its parent but there’s nothing to inherit. To check for this problem, look for the following in the crash report: Application Specific Information: Process is not in an inherited sandbox. There are three ways you might fix this problem: Sandbox the parent. Unsandbox the child. Run the child in its own sandbox by removing the com.apple.security.inherit entitlement.

We do the notarization of our artifacts as part of our build pipeline, to make sure that the final artifacts that we want to distribute to users are passing the tests that are designed to emulate the users' behaviour as close as possible. We just want to make sure that Apple does not put any restrictions on the number of artifacts/requests that we sent to the notary service to be notarized. The closest documentation I found is this post on the Apple developer forum. Is there official documentation we can refer to in that regard? Just to note, so far we have never had any issue with Apple limiting us on a number of artifacts we send for notarization.

I have developed Applescripts on Mojave and exported them as apps for Mac users in my department. These ran as expected. I can run them fine on Catalina on my Mac, but cannot make them available to other Catalina users, despite code signing them. Do I need to go through the notarisation process, use XCode, or some other method to make them available as apps to other Mac users in my department? (They do not need to be made available through the app store.)

I have an app built using python with pyinstaller. I was able to successfully get the app notarized and open it on my computer as well as a different one (OS 11.6.1). I can also get the pkg successfully notarized, but when I attempt to launch it on my own computer (or a different one), an error box immediately appears stating "There was an error reading the package" along with "JavaScriptError." I looked at the log file corresponding to the notarization, and I saw no error messages or warnings. Neither "java" nor "javascript" appear anywhere. This was not a problem for me a couple weeks ago when using a slightly different version of my program. Is there a different log file of some type, associated with javascript, that might shed light on the problem? Update: I did just try to check whether package passed the gatekeeper test by typing spctl -a '/Users/..../application.pkg' at the terminal, which returned "rejected"

We have a desktop application we build using Cmake and Qt to build. I am able to codesign and notarize the app bundle and got "statusSummary": "Ready for distribution", in the log from notarization. I stapled to the .app and used ditto to zip it again but was still getting unidentified developer when I sent it to coworkers to try. I then ran create-dmg to create a dmg to distribute the application since this is our normal distribution method and was getting unverified developer warnings when sending and trying the application on other systems. I guessed that maybe I needed to codesign and notarize the .dmg as well so I did that and again got "statusSummary": "Ready for distribution", in the log but I am still seeing errors when trying to open and run on other systems. is there an order of operations I am missing in the process or a better way for me to test locally because everything I see on my end says its passing the checks.

I regularly help developers with notarisation and trusted execution problems. The notary log is a critical tool for debugging such problems, and so I figured I should post instructions on how to fetch it. If you have comments or questions about this, start a new thread and tag it with Notarization so that I see it. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" Fetching the Notary Log The notary log is a key tool for debugging notarisation and trusted execution issues. Review the log: When notarisation fails, for information as to what’s wrong When notarisation succeeds, to check for warnings If you encounter a trusted execution problem, to confirm that all your code was included in the notarised ticket The way to fetch the log depends on how you notarised your product. Reveal the Notary Log in Xcode If you notarised your app with Xcode, reveal the notary log as follows: Go to the Xcode organiser. Select the archive that you notarised. Click Show Status Log. Find the “Ready to distribute” or “Package Invalid” item and click the small arrow next to it. That reveals the notary log, a file called audit.log, in the Finder. Fetch the Notary Log with notarytool If you notarise your product from the command-line using notarytool, use the log subcommand to fetch the notary log: % xcrun notarytool log CREDENTIALS REQUEST_UUID where: CREDENTIALS is your notary service credentials, the same credentials you used to submit your request REQUEST_UUID is the UUID printed by notarytool when you submitted your request. Fetch the Notary Log with altool If you notarise your product from the command-line using altool, first run the --notarization-info subcommand to get the notary log URL: % xcrun altool CREDENTIALS --notarization-info REQUEST_UUID … LogFileURL: https://osxapps-ssl.itunes.apple.com/itunes-assets/Enigma… … where: CREDENTIALS is your notary service credentials, the same credentials you used to submit your request REQUEST_UUID is the UUID printed by notarytool when you submitted your request. In the output the URL next to LogFileURL is the notary log URL. Use your HTTP client of choice to fetch that URL. For example: % curl "https://osxapps-ssl.itunes.apple.com/itunes-assets/Enigma…" The notary log URL has a limited lifetime, so fetch the log immediately after getting the URL. If the URL is too old, more than a day or so, use --notarization-info to fetch a new URL. IMPORTANT altool has been deprecated for the purposes of notarisation. Switch to notarytool; it’s better, stronger, and faster. For the details, see WWDC 2021 Session 10261 Faster and simpler notarization for Mac apps.

Hi all, I'm attempting to distribute a notarized expiring demo variant of my Mac App Store app (TypeMetal) directly to potential customers as a download on our website, using the procedure documented here: https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution I successfully complete the 9 steps listed in "Notarize Your App Automatically as Part of the Distribution Process", including choosing "Developer ID (Distribute directly to customers)" and "Upload (Send to Apple notary service)", and successfully download the resultant .app bundle, but I'm unable to run the app. It looks to me as if the system is attempting to obtain an App Store receipt for the app, when what I want is for this variant of the app to be treated as distinct from the purchased Mac App Store version, and be runnable without purchase. I have tried changing the app's bundle identifier and removing the LSApplicationCategoryType (in the Xcode target's settings, before building), but neither seems to affect these results. I'm left wondering how the system is determining that this is an .app that requires App Store sign-in/receipt-checking. When I copy the downloaded, notarized .app to a different macOS user account, log in as that user, and attempt to launch it there, the system presents a panel, prompting for the user to sign in with their Apple ID: When I attempt to launch the app in my own user account (the one I build and develop in), the system presents the same prompt in a slightly different form: Whether or not I provide a valid Apple ID sign-in in either case, the launched app then terminates with a fatal alert. (Same result in a separate user account as in my own development account.) I would like for the distributed app to be runnable by customers without requiring an App Store receipt. I have verified that my own App Store receipt-checking code is being omitted, as I intend, from the build I that submit for notarization. Is there something I need to do differently to make this work? The notarized app has passed the checks described here: Resolving Common Notarization Issues https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721 I can provide the outputs of the codesign and spctl checks recommended on that page, if that would be helpful. The .app contains one embedded framework (OpenSSL.framework) and one command-line executable (tidy), but I believe they are correctly code-signed. I'm testing this on a 2020 M1 MacBook Air running macOS 12.3.1 (21E258), using Xcode 13.3.1 (13E500a) to do the build, upload for notarization, and export of the notarized result. Thanks very much in advance for any insight you can offer. Troy Stephens Coherence Labs, LLC

The notary service requires that all Mach-O images be linked against the macOS 10.9 SDK or later. This isn’t an arbitrary limitation. The hardened runtime, another notarisation requirement, relies on code signing features that were introduced along with macOS 10.9 and it uses the SDK version to check for their presence. Specifically, it checks the SDK version using the sdk field in the LC_BUILD_VERSION Mach-O load command (or the older LC_VERSION_MIN_MACOSX command). The best way to meet this requirement is to rebuild your code with modern tools. However, in some cases that’s not possible. Imagine if your app relies on the closed source libDodo.dylib library. That library’s vendor went out of business 10 years ago, and so the library hasn’t been updated since then. Indeed, the library was linked against the macOS 10.6 SDK. What can you do? The first thing to do is come up with a medium-term plan for breaking your dependency on libDodo.dylib. Relying on an unmaintained library is not something that’s sustainable in the long term. The history of the Mac is one of architecture transitions — 68K to PowerPC to Intel, 32- to 64-bit, and so on — and this unmaintained library will make it much harder to deal with the next transition. IMPORTANT I wrote the above prior to the announcement of the latest Apple architecture transition, Apple silicon. When you update your product to a universal binary, you might as well fix this problem on the Intel side as well. Do not delay that any further: While Apple silicon Macs are currently able to run Intel code using Rosetta 2, that’s not something you want to rely on in the long term. Heed this advice from About the Rosetta Translation Environment: Rosetta is meant to ease the transition to Apple silicon, giving you time to create a universal binary for your app. It is not a substitute for creating a native version of your app. But what about the short term? Historically I wasn’t able to offer any help on that front, but this has changed recently. Xcode 11 ships with a command-line tool, vtool, that can change the LC_BUILD_VERSION and LC_VERSION_MIN_MACOSX commands in a Mach-O. You can use this to change the sdk field of these commands, and thus make your Mach-O image ‘compatible’ with notarisation and the hardened runtime. Before doing this, consider these caveats: Any given Mach-O image has only a limited amount of space for load commands. When you use vtool to set or modify the SDK version, the Mach-O could run out of load command space. The tool will fail cleanly in this case but, if it that happens, this technique simply won’t work. Changing a Mach-O image’s load commands will break the seal on its code signature. If the image is signed, remove the signature before doing that. To do this run codesign with the --remove-signature argument. You must then re-sign the library as part of your normal development and distribution process. Remember that a Mach-O image might contain multiple architectures. All of the tools discussed here have an option to work with a specific architecture (usually -arch or --architecture). Keep in mind, however, that macOS 10.7 and later do not run on 32-bit Macs, so if your deployment target is 10.7 or later then it’s safe to drop any 32-bit code. If you’re dealing with a Mach-O image that includes 32-bit Intel code, or indeed PowerPC code, make your life simpler by removing it from the image. Use lipo for this; see its man page for details. It’s possible that changing a Mach-O image’s SDK version could break something. Indeed, many system components use the main executable’s SDK version as part of their backwards compatibility story. If you change a main executable’s SDK version, you might run into hard-to-debug compatibility problems. Test such a change extensively. It’s also possible, but much less likely, that changing the SDK version of a non-main executable Mach-O image might break something. Again, this is something you should test extensively. This list of caveats should make it clear that this is a technique of last resort. I strongly recommend that you build your code with modern tools, and work with your vendors to ensure that they do the same. Only use this technique as part of a short-term compatibility measure while you implement a proper solution in the medium term. For more details on vtool, read its man page. Also familiarise yourself with otool, and specifically the -l option which dumps a Mach-O image’s load commands. Read its man page for details. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" Revision history: 2020-09-11 — First posted. 2022-05-09 — Updated with a note about Apple silicon.

Hi Folks, I am trying to build an electron app on a Mac with MacOS 10.10.5 Yosemite. I have been able to sign the app bundle. Am trying to notarize it now but I find that the --notarize-app option is not available. I suspect this is because of an older version of altool. 2 Questions: A) Can I notarize an app on OS 10.10.5? B) If yes, how can I update only altool? I tried to download a higher version of Xcode command line tools but I can't install it. Am stuck, so any help will be much appreciated. Regards, Arun