Our company changed its name as a result of a merger, and the development group responsible for our mobile apps decided to migrate from our "legacy" Apple developer account to a new account associated with the new company name. I found this out last Friday when the notification step in the build script for our Mac applications stopped working — the notification server accepts the request but never responds; we were using the --wait flag with notarytool, and as a result it hangs indefinitely. Apparently our old developer account was deactivated unexpectedly, and while it's been temporarily turned back on to allow the mobile apps team to finish migrating their apps, the notarization step continues to hang. I haven't yet tried using the new team account, because my product requires an Endpoint Security entitlement, which is associated with the old Team ID. The long-term answer is probably to re-apply for a new entitlement, but that took over a month the last time we did this, and of course we were scheduled to release a product update in two weeks. At the moment we're dead in the water. Are there any other options to get us going again? (I considered opening a code-level support request, but as this issue isn't exactly "code-level", I was worried that would be a waste of time and/or money.)

The archive build part works, and uses the correct entitlements file: [Key] com.apple.developer.networking.networkextension [Value] [Array] [String] app-proxy-provider-systemextension That's from codesign -dv --entitlements - ...../NetworkExtensionExperiment.app However, the distribution log shows "Error Domain=DVTPortalProfileErrorDomain Code=4 \"Cannot create a Developer ID provisioning profile for \"com.kithrup.NetworkExtensionExperiment\".\" UserInfo={NSLocalizedDescription=Cannot create a Developer ID provisioning profile for \"com.kithrup.NetworkExtensionExperiment\"., IDEDistributionIssueSeverity=3, NSLocalizedRecoverySuggestion=The Network Extensions capability is not available for Developer ID provisioning profiles. Disable this feature and try again., NSUnderlyingError=0x600013e719b0 {Error Domain=DVTPortalProfileTypeErrorDomain Code=0 \"Cannot create a Developer ID provisioning profile.\" UserInfo={UnsupportedFeatureNames=(\n \"Network Extensions\"\n), NSLocalizedDescription=Cannot create a Developer ID provisioning profile., NSLocalizedRecoverySuggestion=The Network Extensions capability is not available for Developer ID provisioning profiles. Disable this feature and try again.}}}", "Error Domain=IDEProfileLocatorErrorDomain Code=1 \"No profiles for 'com.kithrup.NetworkExtensionExperiment' were found\" UserInfo={IDEDistributionIssueSeverity=3, NSLocalizedDescription=No profiles for 'com.kithrup.NetworkExtensionExperiment' were found, NSLocalizedRecoverySuggestion=Xcode couldn't find any Developer ID provisioning profiles matching 'com.kithrup.NetworkExtensionExperiment'.}" which, given that I was able to build a signed version with the entitlement as shown first, seems to be a problem. All my years of hating xcode are coming back to haunt me, I can tell.

We have developed an electron app which we want to extend with an action extension. The action extension is written in swift in Xcode. Our plan was to build the .appex file and insert it into the PlugIns folder in our electron app, but I don't think this is the right way to do it? If we insert the .appex file before notarization then we get an error that we are "replacing existing signature". If we manually insert it after the notarization then we get an error with the app is damaged and can’t be opened. Can anybody provide a procedure for this kind of merge I would imagine that it goes something like: Sign app Sign extension Add extension to App Notarize app For signing the app we use electron-builder.

Hi, can't activate system-extension. in any case getting Domain=OSSystemExtensionErrorDomain Code=8 "Invalid code signature or missing entitlements" (sometimes get code = 9) P.S. In debug running all is working. (The system is asking to activate sysex) Has to read huge amount of forum, samples, and docs. But no luck What and how i've tried steps which i've doing #- signing sysextension binaries with Developer ID Application #- signing system extension with Developer ID Application #- signing application with Developer ID Application #- checking all signatures with Developer ID Application #- building pkg installer #- signing installer with Developer ID Installer #- checking signing #- sending installer for notarization #- waiting for installer verification #- after success I call stapler staple #- When calling sysex activation I get (But the problem is persist when i've try to move signed app to application folder, or try to notarize zip) or in any case which possibly mention on forum, i've get sign command sample codesign --force --timestamp --options runtime --sign "Developer ID xxx" Also has to tried with ** --deep,** but no luck. Result of steps descrribed here: App has System Extension compatibility, Sysex haven't System Extension. App is used the same bundle id as in AppStore (also has to tried separate one, but no luck) In console just two informative message regarding it, but nothing specific default 01:08:04.745310+0200 sysextd client activation request for com.company.appName.PacketTunnelMacExternal default 01:08:04.745330+0200 sysextd attempting to realize extension with identifier com.company.appName.PacketTunnelMacExternal default 01:08:04.750996+0200 appName-Mac-External [0x13a9496f0] invalidated because the current process cancelled the connection by calling xpc_connection_cancel() Could you please assits with solve issue?

HERE IS THE COMPLETE LOG FROM THE SYSTEM.. please help me with the issue. Downloads % xcrun notarytool submit appName.pkg --apple-id “appleid --team-id <app_id> --wait --verbose [17:21:08.220Z] Debug [MAIN] Running notarytool version: unknown (0), date: 2024-09-09T17:21:08Z, command: /Applications/Xcode.app/Contents/Developer/usr/bin/notarytool submit _090624.pkg --apple-id <apple_id_hidden>--team-id <app_id> --wait --verbose Conducting pre-submission checks for _090624.pkg and initiating connection to the Apple notary service... [17:21:08.222Z] Debug [PREFLIGHT] _090624.pkg is a flat installer package. [17:21:08.223Z] Debug [PREFLIGHT] Finished completing determination of file type for _090624.pkg. Operation took 1ms. Password for <apple_id_hidden>: [17:21:13.354Z] Info [API] Initialized Notary API with base URL: https://appstoreconnect.apple.com/notary/v2/ [17:21:13.357Z] Debug [CTXMGR] Created temporary directory at: file:///var/folders/bj/ct_f469n03b2l596c_00n27c0000gp/T/TemporaryItems/NSIRD_notarytool_hkXwCu/ [17:21:13.359Z] Debug [CTXMGR] Copied _090624.pkg -- file:///Users/w525362/Downloads/ to file:///var/folders/bj/ct_f469n03b2l596c_00n27c0000gp/T/TemporaryItems/NSIRD_notarytool_hkXwCu/_090624.pkg [17:21:13.360Z] Debug [FILEHASH] Generating md5 and sha256 digest with buffer size 1048576 for file:///var/folders/bj/ct_f469n03b2l596c_00n27c0000gp/T/TemporaryItems/NSIRD_notarytool_hkXwCu/_090624.pkg [17:21:13.486Z] Debug [FILEHASH] MD5 digest: bd49fd77dfe36a9bbfb4c7efc329c6fe [17:21:13.486Z] Debug [FILEHASH] Base64-encoded MD5 Digest: vUn9d9/japu/tMfvwynG/g== [17:21:13.487Z] Debug [FILEHASH] SHA256 digest: 03466bf60dc33f57a2bbb2ba54402eb882529085e98f9d18e1e42ceeecd9d0aa [17:21:13.487Z] Debug [FILEHASH] Finished generating file hashes for _090624.pkg. Operation took 126ms. [17:21:13.487Z] Debug [API] Sending submissions payload: submissionPayload(submissionName: "_090624.pkg", md5: "bd49fd77dfe36a9bbfb4c7efc329c6fe", sha256: "03466bf60dc33f57a2bbb2ba54402eb882529085e98f9d18e1e42ceeecd9d0aa", notifications: []) [17:21:13.488Z] Info [API] Preparing POST request to URL: https://appstoreconnect.apple.com/notary/v2/submissions?, Custom Headers: private<Dictionary<String, String>> [17:21:13.488Z] Debug [AUTHENTICATION] Delaying current request to refresh app-specific password token. [17:21:13.488Z] Info [API] Preparing GET request to URL: https://appstoreconnect.apple.com/notary/v2/asp?, Parameters: [:], Custom Headers: private<Dictionary<String, String>> [17:21:13.488Z] Debug [AUTHENTICATION] Authenticating request to '/notary/v2/asp' with Basic Auth. Username: appleID, Password: private, Team ID: <app_id> [17:21:13.489Z] Debug [TASKMANAGER] Starting Task Manager loop to wait for asynchronous HTTP calls. [17:21:14.774Z] Debug [API] Received response status code: 401, message: unauthorized, URL: https://appstoreconnect.apple.com/notary/v2/asp?, Correlation Key: QHGCOMLZWZVN4SEAKHS3SBGLS4 [17:21:14.775Z] Error [TASKMANAGER] Completed Task with ID 2 has encountered an error. [17:21:14.775Z] Debug [TASKMANAGER] Ending Task Manager loop. [17:21:14.783Z] Debug [CTXMGR] Removed temporary directory: Optional(file:///var/folders/bj/ct_f469n03b2l596c_00n27c0000gp/T/TemporaryItems/NSIRD_notarytool_hkXwCu/) Error: HTTP status code: 401. Invalid credentials. Username or password is incorrect. Use the app-specific password generated at appleid.apple.com. Ensure that all authentication arguments are correct.

Hi, we have .pkg install package consisting of various sub packages. One of them contains presets and needs to be installed the the default preset location /Library/Audio/Presets. If this non-binary preset package is the only one in a .pkg choice notarization fails with: "logFormatVersion": 1, "jobId": "*", "status": "Invalid", "statusSummary": "Archive contains critical validation errors", "statusCode": 4000, "archiveFilename": "mypackage.pkg.zip", "uploadDate": "2024-08-22T21:24:03.251Z", "sha256": "*", "ticketContents": null, "issues": [ { "severity": "error", "code": null, "path": "mypackage.pkg.zip", "message": "Package mypackage.pkg.zip has no signed executables or bundles. No tickets can be generated.", "docUrl": null, "architecture": null }, { "severity": "warning", "code": null, "path": "mypackage.pkg.zip/mypackage.pkg", "message": "b\"Invalid component package: mypackage_vstpreset Distribution file's value: #com.mycompany.mypackage.vstpreset.pkg\\n\"", "docUrl": null, "architecture": null } ] } Not sure, but maybe its worth noting that the causing sub packge only generates a warning, but the parent package seems to escalate this into an error. How can a non-binary sub package be included in a notarized parent package? Any hints or thoughts are highly appreciated, Thanks!

I'm trying to submit my application to the notarization service for the 100th time, but I keep encountering the same error message. I'm feeling frustrated and unsure of what steps to take next...

Hello, For my macOS app, on Xcode version 15.4 (15F31d) on macOS 14.5 (23F79) I follow Organizer > Distribute App > Direct Distribution, and I get a Notary Error "The operation couldn't be completed. (SotoS3.S3ErrorType.multipart error 1.)" It's been happening since 3 days. In the IDEDistribution.verbose.log file I see: https://gist.github.com/atacan/5dec7a5e26dde0ec06a5bc4eb3607461

We've been notarizing apps for a while now and have been through agreement changes before. But we still keep getting the following error when trying to notarize: Conducting pre-submission checks for myapp.dmg and initiating connection to the Apple notary service... Error: HTTP status code: 403. A required agreement is missing or has expired. This request requires an in-effect agreement that has not been signed or has expired. Ensure your team has signed the necessary legal agreements and that they are not expired. We've been through every document in our account to ensure it is signed. Is there any way to determine what document is not signed or what our issue is ? ...thanks

We submit for notarization using: xcrun notarytool submit --apple-id ACCOUNT --team-id XXXXXX --password NNNNNN application.zip I have occasionally had success uploading one of the applications, but I have never been successful uploading the bigger one. What is the reason for this? The files are not very large. The small file is only 6.0GB and the big file is only 17.5GB. Of the past 100 failures: 72: error: HTTPClientError.deadlineExceeded 28: error: The operation couldn’t be completed. (Network.NWError error 54 - Connection reset by peer)) On average it takes me around 50 attempts (2 days of uploading) to get past the S3 client configuration. I have tried 5 different internet providers for these uploads. None of them work any better, even ones that have great latency and connections to AWS. I only have a limited number of Mac OS X machines so I have tried on all of the ones I can afford, but none of them work better or worse than my new Mac Book Pro (2021) I have tried every single option and combination of options from man notarytool including disabling S3 acceleration, setting timeouts, trying to use wait. I have tried them all, Can someone please help me figure this out? I'm getting desperate and this is making me look really ****** for pushing to have a Mac OS X port because Mac users are stuck waiting for the notarization service which lags the Mac updates by many days. The error messages make it clear that notarytool is using Soto S3. The developer has indicated in multiple threads that the error HTTPClientError.deadlineExceeded is fixed by increasing the client timeout. Is there a way I can modify notarytool to apply this patch? https://github.com/soto-project/soto/discussions/622 Is it possible to write our own S3 upload tool that bypasses Soto S3 and uses something more reliable? Again, the files I am uploading are not very big none of them are bigger than 25GB. I don't understand why it doesn't work.

I've been trying to notarize an installer (.pkg file) on a new laptop. Previous versions have been notarized successfully on a previous Mac. However, in spite of having the required certificates (same as the old Mac, generated for the new Mac) the submission gets stuck at "In Progress". Doing it multiple times (even hours apart) doesn't help. Is there a FAQ / suggested list of steps to help resolve this issue? Here's what I see: xcrun notarytool history --keychain-profile "(my profile name)" results in (problem started with v4, the first version I've tried on this new Mac): createdDate: 2023-10-17T01:34:36.911Z id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx name: xxxxxxxxxx-v4.pkg status: In Progress -------------------------------------------------- createdDate: 2023-10-17T01:33:59.191Z id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx name: xxxxxxxxxx-v4.pkg status: In Progress -------------------------------------------------- createdDate: 2023-10-16T21:01:25.832Z id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx name: xxxxxxxxxx-v4.pkg status: In Progress -------------------------------------------------- createdDate: 2023-10-16T19:57:44.776Z id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx name: xxxxxxxxxx-v4.pkg status: In Progress -------------------------------------------------- createdDate: 2023-10-02T14:17:34.108Z id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx name: xxxxxxxxxx-v3.pkg status: Accepted -------------------------------------------------- createdDate: 2023-09-28T14:04:46.211Z id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx name: xxxxxxxxxx-v2.pkg status: Accepted -------------------------------------------------- createdDate: 2023-09-20T17:28:46.168Z id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx name: xxxxxxxxxx-v1.pkg status: Accepted -------------------------------------------------- xcrun notarytool log xxxxxxxxxxxxxxxxxxxx --keychain-profile "(my profile name)" results in: Submission log is not yet available or submissionId does not exist id: xxxxxxxxxxxxxxxxxxxxxxxx

Notarization step fails: New AppID and password created: xcrun notarytool submit “.dmg” --apple-id “” --team-id “” --password “” --verbose --wait Error: HTTP status code: 401. Your Apple ID has been locked. Visit iForgot to reset your account (https://iforgot.apple.com), then generate a new app-specific password. Ensure that all authentication arguments are correct. I have reset app password many times, not result. Codesigning completes normally: Mac OS 11.5.2 Xcode 13.2.1

2022-07-24 16:43:30.074 *** Error: Notarization failed for '/var/folders/r1/3j8rdbl95l9csz588j1nc6xc0000gn/T/electron-notarize-gGm3Fr/git-icons.zip'. 2022-07-24 16:43:30.075 *** Error: You do not have required contracts to perform an operation. With error code FORBIDDEN_ERROR.CONTRACT_NOT_VALID for id bb96a1a8-c3c3-4ded-a3c8-2abe369d8881 You do not have required contracts to perform an operation (-19208) { NSLocalizedDescription = "You do not have required contracts to perform an operation. With error code FORBIDDEN_ERROR.CONTRACT_NOT_VALID for id bb96a1a8-c3c3-4ded-a3c8-2abe369d8881"; NSLocalizedFailureReason = "You do not have required contracts to perform an operation"; }

General: Forums topic: Code Signing Forums subtopic: Code Signing > Notarization Forums tag: Notarization WWDC 2018 Session 702 Your Apps and the Future of macOS Security WWDC 2019 Session 703 All About Notarization WWDC 2021 Session 10261 Faster and simpler notarization for Mac apps WWDC 2022 Session 10109 What’s new in notarization for Mac apps — Amongst other things, this introduced the Notary REST API Notarizing macOS Software Before Distribution documentation Customizing the Notarization Workflow documentation Resolving Common Notarization Issues documentation Notary REST API documentation TN3147 Migrating to the latest notarization tool technote Fetching the Notary Log forums post Q&A with the Mac notary service team Developer > News post Apple notary service update Developer > News post Notarisation and the macOS 10.9 SDK forums post Testing a Notarised Product forums post Notarisation Fundamentals forums post The Pros and Cons of Stapling forums post Resolving Error 65 When Stapling forums post Many notarisation issues are actually code signing or trusted execution issue. For more on those topics, see Code Signing Resources and Trusted Execution Resources. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"

This post is part of a cluster of posts related to the trusted execution system. If you found your way here directly, I recommend that you start at the top. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" Resolving Gatekeeper Problems Gatekeeper strives to ensure that only trusted software runs on a user’s Mac. It’s important that your code pass Gatekeeper. If not, you’re likely to lose a lot of customers, and your users’ hard-won trust. There are four common Gatekeeper problems: App blocked by a dangling load command path Broken code signature Lack of notarisation Command-line tool blocked by Gatekeeper The first problem is by far the most common. For the details, see Resolving Gatekeeper Problems Caused by Dangling Load Command Paths. For general information about Gatekeeper, read Apple > Developer > Signing Mac Software with Developer ID and Apple > Support > Safely open apps on your Mac. IMPORTANT This post focuses on Developer ID-signed code. Gatekeeper should not block App Store apps. If an app downloaded from the App Store fails to run, it’s likely to be some other trusted execution issue. For more about this, read Resolving Trusted Execution Problems. macOS 14 introduced gktool, a very minimal interface to Gatekeeper. Run the tool with the help argument to learn more: % gktool help Verify Your Signature A good first step in any Gatekeeper investigation is to verify that your code is signed correctly. Use the codesign tool for this: % codesign -v -vvv --strict --deep MyApp.app The -vvv options increase verbosity to the point where codesign will give you useful diagnostics. For example: % codesign -v -vvv --strict --deep "Munged.app" Munged.app: a sealed resource is missing or invalid file added: …/Munged.app/Contents/Resources/names/Adam.txt file modified: …/Munged.app/Contents/Resources/names/Morgan.txt file missing: …/Munged.app/Contents/Resources/names/Rhonda.txt This app was changed after it was signed in three different ways: Adam.txt was added. Morgan.txt was modified. Rhonda.txt was removed. You might see some results that make no sense. For example: Start with an app with a valid code signature: % codesign -v -vvv --strict --deep "NotNormal.app" NotNormal.app: valid on disk NotNormal.app: satisfies its Designated Requirement Use the Finder to create a zip archive (File > Compress). Use the Finder to unpack that archive. Check the code signature of the unpacked file: % codesign -v -vvv --strict --deep "NotNormal 2.app" NotNormal 2.app: a sealed resource is missing or invalid file added: …/NotNormal 2.app/Contents/Resources/names/Zoë Schrödinger.txt file missing: …/NotNormal 2.app/Contents/Resources/names/Zoë Schrödinger.txt There are two things to note here. First, just compressing and decompressing the app broke its code signature. Weird! Second, look at the error messages. It seems that the Zoë Schrödinger.txt file is was both added and removed. Weirder! To see what’s going on here you have to look at a hex dump of the file name: % ls "NotNormal.app/Contents/Resources/names" | xxd 00000000: 5a6f c3ab 2053 6368 726f cc88 6469 6e67 Zo.. Schro..ding 00000010: 6572 2e74 7874 0a er.txt. % ls "NotNormal 2.app/Contents/Resources/names" | xxd 00000000: 5a6f 65cc 8820 5363 6872 6fcc 8864 696e Zoe.. Schro..din 00000010: 6765 722e 7478 740a ger.txt. The names are not the same! The app started out with the ë in precomposed form and the ö in decomposed form. Compressing and decompressing the app converted the ë to its decomposed form, and that change broke the code signature. Programs that deal with Unicode are expected to ignore differences in normalisation. Sadly, Apple’s code signing implementation missed that memo (r. 68829319). For more details see this post but the executive summary is that it’s best to stick to ASCII when naming files in a bundle. Identify a Notarisation Problem Gatekeeper requires that your app be notarised. If not, it will block the execution of your app with a generic, user-level message. If you find your app blocked by Gatekeeper, check if this is a notarisation issue by looking in the system log for an entry like this: type: info time: 2022-05-11 14:57:21.812176 -0700 process: syspolicyd subsystem: com.apple.syspolicy category: default message: ticket not available: 2/2/8b7410713591e6c79ea98f0132136f0faa55d22a Note If the ticket details show as <private>, enable private data in the system log. For information on how to do that, see Recording Private Data in the System Log. For general information about the system log, see Your Friend the System Log. The long hex number is the code directory hash, or cdhash, of the offending code. In this example, it’s the cdhash of the app itself: % codesign -d -vvv /Applications/NotNotarised.app … CDHash=8b7410713591e6c79ea98f0132136f0faa55d22a … However, in some cases it may be the cdhash of some library referenced by the app. For more information about cdhashes, see TN3126 Inside Code Signing: Hashes. Resolve a Notarisation Problem The obvious cause of this problem is that you haven’t notarised your app. For information on how to do that, see Notarizing macOS Software Before Distribution. If you have notarised your app and yet you still see this problem, something more subtle is happening. For example, your app might reference a dynamic library that wasn’t seen by the notary service. To investigate this: Fetch the notary log for your app. For advice on that, see Fetching the Notary Log. Confirm that the notary log matches the app you installed. Look in the notary log for the sha256 property. Its value is a SHA-256 hash of the file received by the notary service. Check that this matches the SHA-256 hash of the file you used to install your app. If not, see Hash Mismatch, below. Search the notary log for the cdhash value from the Gatekeeper log message. If the notary log doesn’t contain that cdhash, that code wasn’t included in the notarised ticket. It’s possible that you failed to submit the code to the notary service, that it was switched out with a different version after you notarised your app, that it was package in some way that the notary service couldn’t see it, or that something went wrong within the notary service. Hash Mismatch If you stapled your notarised ticket to the file used to install your app then the hashes in step 2 of the previous section won’t match. What to do depends on the file type: If the file used to install your app was a zip archive (.zip), you definitely have the wrong file. Zip archives don’t support stapling. If the file used to install your app was a signed disk image (.dmg), compare the disk image’s cdhash with the cdhash for the disk image in the notary log. If those match, you know you’re working with the same disk image. To dump a disk image’s cdhash, run the codesign tool as follows: % codesign -d -vvv DISK_IMAGE … CDHash=d963af703ac2e54af6609e9ad309abee7b66fae2 … Replace DISK_IMAGE with the path to your disk image. If the file used to install your app was a disk image but it wasn’t signed, switch to a signed disk image. It’s generally a better option. If the file used to install your app was an installer package (.pkg), there’s no good way to know if this is the correct package. In this case, modify your notarisation workflow to retain a copy of the file before it was modified by stapler. Tool Blocked by Gatekeeper If your product includes a command-line tool, you might notice this behaviour: When you double click the tool in Finder, it’s blocked by Gatekeeper. When you run the tool from within Terminal, it works. This is a known bug in macOS (r. 58097824). The issue is that, when you double click a tool in the Finder, it doesn’t run Gatekeeper’s standard execution logic. Rather, the Finder passes the tool to Terminal as a document and that opens a window (and associated shell) in which to run that document. This triggers Gatekeeper’s document logic, and that logic always blocks the tool. There are two ways around this: Embed your tool in an application. If the user runs the application first, Gatekeeper runs its normal application check. If the user allows the app to run, Gatekeeper records that decision and applies it to the app and any code within the app, including your tool. Install your tool using an installer package. When the user goes to install the package, Gatekeeper checks it. Assuming that check passes, Gatekeeper does no further checks on the content it installed. Revision History 2024-11-11 Added a mention of gktool. 2022-05-20 Added the Verify Your Signature section. Made other minor editorial changes.

I help a lot of developers with macOS trusted execution problems. For example, they might have an app being blocked by Gatekeeper, or an app that crashes on launch with a code signing error. If you encounter a problem that’s not explained here, start a new thread with the details. Put it in the Code Signing > General subtopic and tag it with relevant tags like Gatekeeper, Code Signing, and Notarization — so that I see it. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" Resolving Trusted Execution Problems macOS supports three software distribution channels: The user downloads an app from the App Store. The user gets a Developer ID-signed program directly from its developer. The user builds programs locally using Apple or third-party developer tools. The trusted execution system aims to protect users from malicious code. It’s comprised of a number of different subsystems. For example, Gatekeeper strives to ensure that only trusted software runs on a user’s Mac, while XProtect is the platform’s built-in anti-malware technology. Note To learn more about these technologies, see Apple Platform Security. If you’re developing software for macOS your goal is to avoid trusted execution entanglements. You want users to install and use your product without taking any special steps. If, for example, you ship an app that’s blocked by Gatekeeper, you’re likely to lose a lot of customers, and your users’ hard-won trust. Trusted execution problems are rare with Mac App Store apps because the Mac App Store validation process tends to catch things early. This post is primarily focused on Developer ID-signed programs. Developers who use Xcode encounter fewer trusted execution problems because Xcode takes care of many code signing and packaging chores. If you’re not using Xcode, consider making the switch. If you can’t, consult the following for information on how to structure, sign, and package your code: Placing content in a bundle Embedding nonstandard code structures in a bundle Embedding a command-line tool in a sandboxed app Creating distribution-signed code for macOS Packaging Mac software for distribution Gatekeeper Basics User-level apps on macOS implement a quarantine system for new downloads. For example, if Safari downloads a zip archive, it quarantines that archive. This involves setting the com.apple.quarantine extended attribute on the file. Note The com.apple.quarantine extended attribute is not documented as API. If you need to add, check, or remove quarantine from a file programmatically, use the quarantinePropertiesKey property. User-level unarchiving tools preserve quarantine. To continue the above example, if you double click the quarantined zip archive in the Finder, Archive Utility will unpack the archive and quarantine the resulting files. If you launch a quarantined app, the system invokes Gatekeeper. Gatekeeper checks the app for problems. If it finds no problems, it asks the user to confirm the launch, just to be sure. If it finds a problem, it displays an alert to the user and prevents them from launching it. The exact wording of this alert varies depending on the specific problem, and from release to release of macOS, but it generally looks like the ones shown in Apple > Support > Safely open apps on your Mac. The system may run Gatekeeper at other times as well. The exact circumstances under which it runs Gatekeeper is not documented and changes over time. However, running a quarantined app always invokes Gatekeeper. Unix-y networking tools, like curl and scp, don’t quarantine the files they download. Unix-y unarchiving tools, like tar and unzip, don’t propagate quarantine to the unarchived files. Confirm the Problem Trusted execution problems can be tricky to reproduce: You may encounter false negatives, that is, you have a trusted execution problem but you don’t see it during development. You may also encounter false positives, that is, things fail on one specific Mac but otherwise work. To avoid chasing your own tail, test your product on a fresh Mac, one that’s never seen your product before. The best way to do this is using a VM, restoring to a snapshot between runs. For a concrete example of this, see Testing a Notarised Product. The most common cause of problems is a Gatekeeper alert saying that it’s blocked your product from running. However, that’s not the only possibility. Before going further, confirm that Gatekeeper is the problem by running your product without quarantine. That is, repeat the steps in Testing a Notarised Product except, in step 2, download your product in a way that doesn’t set quarantine. Then try launching your app. If that launch fails then Gatekeeper is not the problem, or it’s not the only problem! Note The easiest way to download your app to your test environment without setting quarantine is curl or scp. Alternatively, use xattr to remove the com.apple.quarantine extended attribute from the download before you unpack it. For more information about the xattr tool, see the xattr man page. Trusted execution problems come in all shapes and sizes. Later sections of this post address the most common ones. But first, let’s see if there’s an easy answer. Run a System Policy Check macOS has a syspolicy_check tool that can diagnose many common trusted execution issues. To check an app, run the distribution subcommand against it: % syspolicy_check distribution MyApp.app App passed all pre-distribution checks and is ready for distribution. If there’s a problem, the tool prints information about that problem. For example, here’s what you’ll see if you run it against an app that’s notarised but not stapled: % syspolicy_check distribution MyApp.app App has failed one or more pre-distribution checks. --------------------------------------------------------------- Notary Ticket Missing File: MyApp.app Severity: Fatal Full Error: A Notarization ticket is not stapled to this application. Type: Distribution Error … Note In reality, stapling isn’t always required, so this error isn’t really Fatal (r. 151446728 ). For more about that, see The Pros and Cons of Stapling forums. And here’s what you’ll see if there’s a problem with the app’s code signature: % syspolicy_check distribution MyApp.app App has failed one or more pre-distribution checks. --------------------------------------------------------------- Codesign Error File: MyApp.app/Contents/Resources/added.txt Severity: Fatal Full Error: File added after outer app bundle was codesigned. Type: Notary Error … The syspolicy_check isn’t perfect. There are a few issues it can’t diagnose (r. 136954554, 151446550). However, it should always be your first step because, if it does work, it’ll save you a lot of time. Note syspolicy_check was introduced in macOS 14. If you’re seeing a problem on an older system, first check your app with syspolicy_check on macOS 14 or later. If you can’t run the syspolicy_check tool, or it doesn’t report anything actionable, continue your investigation using the instructions in the following sections. App Blocked by Gatekeeper If your product is an app and it works correctly when not quarantined but is blocked by Gatekeeper when it is, you have a Gatekeeper problem. For advice on how to investigate such issues, see Resolving Gatekeeper Problems. App Can’t Be Opened Not all failures to launch are Gatekeeper errors. In some cases the app is just broken. For example: The app’s executable might be missing the x bit set in its file permissions. The app’s executable might be subtly incompatible with the current system. A classic example of this is trying to run a third-party app that contains arm64e code on systems prior to macOS 26 beta. macOS 26 beta supports arm64e apps directly. Prior to that, third-party products (except kernel extensions) were limited to arm64, except for the purposes of testing. The app’s executable might claim restricted entitlements that aren’t authorised by a provisioning profile. Or the app might have some other code signing problem. Note For more information about provisioning profiles, see TN3125 Inside Code Signing: Provisioning Profiles. In such cases the system displays an alert saying: The application “NoExec” can’t be opened. [[OK]] Note In macOS 11 this alert was: You do not have permission to open the application “NoExec”. Contact your computer or network administrator for assistance. [[OK]] which was much more confusing. A good diagnostic here is to run the app’s executable from Terminal. For example, an app with a missing x bit will fail to run like so: % NoExec.app/Contents/MacOS/NoExec zsh: permission denied: NoExec.app/Contents/MacOS/NoExec And an app with unauthorised entitlements will be killed by the trusted execution system: % OverClaim.app/Contents/MacOS/OverClaim zsh: killed OverClaim.app/Contents/MacOS/OverClaim In some cases running the executable from Terminal will reveal useful diagnostics. For example, if the app references a library that’s not available, the dynamic linker will print a helpful diagnostic: % MissingLibrary.app/Contents/MacOS/MissingLibrary dyld[88394]: Library not loaded: @rpath/CoreWaffleVarnishing.framework/Versions/A/CoreWaffleVarnishing … zsh: abort MissingLibrary.app/Contents/MacOS/MissingLibrary Code Signing Crashes on Launch A code signing crash has the following exception information: Exception Type: EXC_CRASH (SIGKILL (Code Signature Invalid)) The most common such crash is a crash on launch. To confirm that, look at the thread backtraces: Backtrace not available For steps to debug this, see Resolving Code Signing Crashes on Launch. One common cause of this problem is running App Store distribution-signed code. Don’t do that! For details on why that’s a bad idea, see Don’t Run App Store Distribution-Signed Code. Code Signing Crashes After Launch If your program crashes due to a code signing problem after launch, you might have encountered the issue discussed in Updating Mac Software. Non-Code Signing Failures After Launch The hardened runtime enables a number of security checks within a process. Some coding techniques are incompatible with the hardened runtime. If you suspect that your code is incompatible with the hardened runtime, see Resolving Hardened Runtime Incompatibilities. App Sandbox Inheritance If you’re creating a product with the App Sandbox enabled and it crashes with a trap within _libsecinit_appsandbox, it’s likely that you’re having App Sandbox inheritance problems. For the details, see Resolving App Sandbox Inheritance Problems. Library Loading Problem Most library loading problems have an obvious cause. For example, the library might not be where you expect it, or it might be built with the wrong platform or architecture. However, some library loading problems are caused by the trusted execution system. For the details, see Resolving Library Loading Problems. Explore the System Log If none of the above resolves your issue, look in the system log for clues as to what’s gone wrong. Some good keywords to search for include: gk, for Gatekeeper xprotect syspolicy, per the syspolicyd man page cmd, for Mach-O load command oddities amfi, for Apple mobile file integrity, per the amfid man page taskgated, see its taskgated man page yara, discussed in Apple Platform Security ProvisioningProfiles You may be able to get more useful logging with this command: % sudo sysctl -w security.mac.amfi.verbose_logging=1 Here’s a log command that I often use when I’m investigating a trusted execution problem and I don’t know here to start: % log stream --predicate "sender == 'AppleMobileFileIntegrity' or sender == 'AppleSystemPolicy' or process == 'amfid' or process == 'taskgated-helper' or process == 'syspolicyd'" For general information the system log, see Your Friend the System Log. Revision History 2025-08-06 Added the Run a System Policy Check section, which talks about the syspolicy_check tool (finally!). Clarified the discussion of arm64e. Made other editorial changes. 2024-10-11 Added info about the security.mac.amfi.verbose_logging option. Updated some links to point to official documentation that replaces some older DevForums posts. 2024-01-12 Added a specific command to the Explore the System Log section. Change the syspolicy_check callout to reflect that macOS 14 is no longer in beta. Made minor editorial changes. 2023-06-14 Added a quick call-out to the new syspolicy_check tool. 2022-06-09 Added the Non-Code Signing Failures After Launch section. 2022-06-03 Added a link to Don’t Run App Store Distribution-Signed Code. Fixed the link to TN3125. 2022-05-20 First posted.

I have a misterous problem with checking DMG notarization. It fails: bash-3.2$ spctl -a -t open --context context:primary-signature -v MyApp.dmg MyApp: rejected source=no usable signature However this DMG installs fine on Big Sur 11.2.2, macOS allows to run this app, and checking of notarization for installed app was passed: bash-3.2$ spctl -a -v '/Applications/MyApp.app' /Applications/MyApp.app: accepted source=Notarized Developer ID I checked other downloaded apps (Intel or Universal). Some DMG files pass DMG notarization (for example, Audacity), and some fails (PerfectTablePlan). Why? For my app (Universal) I use the following code to codesign and notarize: codesign --timestamp --options runtime --force --deep -s "Developer ID Application: MYCOMPANY" "My.app" // Creating DMG with EULA license xcrun altool --notarize-app --primary-bundle-id MyApp -u "my@email.com" -p "abc123" --file MyApp.dmg xcrun stapler staple MyApp.dmg

The notary service requires that all Mach-O images be linked against the macOS 10.9 SDK or later. This isn’t an arbitrary limitation. The hardened runtime, another notarisation requirement, relies on code signing features that were introduced along with macOS 10.9 and it uses the SDK version to check for their presence. Specifically, it checks the SDK version using the sdk field in the LC_BUILD_VERSION Mach-O load command (or the older LC_VERSION_MIN_MACOSX command). There are three common symptoms of this problem: When notarising your product, the notary service rejects a Mach-O image with the error The binary uses an SDK older than the 10.9 SDK. When loading a dynamic library, the system fails with the error mapped file has no cdhash, completely unsigned?. When displaying the code signature of a library, codesign prints this warning: % codesign -d vvv /path/to/your.dylib … Library validation warning=OS X SDK version before 10.9 does not support Library Validation … If you see any of these errors, read on… The best way to avoid this problem is to rebuild your code with modern tools. However, in some cases that’s not possible. Imagine if your app relies on the closed source libDodo.dylib library. That library’s vendor went out of business 10 years ago, and so the library hasn’t been updated since then. Indeed, the library was linked against the macOS 10.6 SDK. What can you do? The first thing to do is come up with a medium-term plan for breaking your dependency on libDodo.dylib. Relying on an unmaintained library is not something that’s sustainable in the long term. The history of the Mac is one of architecture transitions — 68K to PowerPC to Intel, 32- to 64-bit, and so on — and this unmaintained library will make it much harder to deal with the next transition. IMPORTANT I wrote the above prior to the announcement of the latest Apple architecture transition, Apple silicon. When you update your product to a universal binary, you might as well fix this problem on the Intel side as well. Do not delay that any further: While Apple silicon Macs are currently able to run Intel code using Rosetta 2, that’s not something you want to rely on in the long term. Heed this advice from About the Rosetta Translation Environment: Rosetta is meant to ease the transition to Apple silicon, giving you time to create a universal binary for your app. It is not a substitute for creating a native version of your app. But what about the short term? Historically I wasn’t able to offer any help on that front, but this has changed recently. Xcode 11 ships with a command-line tool, vtool, that can change the LC_BUILD_VERSION and LC_VERSION_MIN_MACOSX commands in a Mach-O. You can use this to change the sdk field of these commands, and thus make your Mach-O image ‘compatible’ with notarisation and the hardened runtime. Before doing this, consider these caveats: Any given Mach-O image has only a limited amount of space for load commands. When you use vtool to set or modify the SDK version, the Mach-O could run out of load command space. The tool will fail cleanly in this case but, if it that happens, this technique simply won’t work. Changing a Mach-O image’s load commands will break the seal on its code signature. If the image is signed, remove the signature before doing that. To do this run codesign with the --remove-signature argument. You must then re-sign the library as part of your normal development and distribution process. Remember that a Mach-O image might contain multiple architectures. All of the tools discussed here have an option to work with a specific architecture (usually -arch or --architecture). Keep in mind, however, that macOS 10.7 and later do not run on 32-bit Macs, so if your deployment target is 10.7 or later then it’s safe to drop any 32-bit code. If you’re dealing with a Mach-O image that includes 32-bit Intel code, or indeed PowerPC code, make your life simpler by removing it from the image. Use lipo for this; see its man page for details. It’s possible that changing a Mach-O image’s SDK version could break something. Indeed, many system components use the main executable’s SDK version as part of their backwards compatibility story. If you change a main executable’s SDK version, you might run into hard-to-debug compatibility problems. Test such a change extensively. It’s also possible, but much less likely, that changing the SDK version of a non-main executable Mach-O image might break something. Again, this is something you should test extensively. This list of caveats should make it clear that this is a technique of last resort. I strongly recommend that you build your code with modern tools, and work with your vendors to ensure that they do the same. Only use this technique as part of a short-term compatibility measure while you implement a proper solution in the medium term. For more details on vtool, read its man page. Also familiarise yourself with otool, and specifically the -l option which dumps a Mach-O image’s load commands. Read its man page for details. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" Revision history: 2025-04-03 — Added a discussion of common symptoms. Made other minor editorial changes. 2022-05-09 — Updated with a note about Apple silicon. 2020-09-11 — First posted.

I've tried to notarize my app recently and got the error:{ "logFormatVersion": 1, "jobId": "...", "status": "Rejected", "statusSummary": "Team is not yet configured for notarization", "statusCode": 7000, "archiveFilename": "myapp.dmg", "uploadDate": "2019-06-20T06:24:53Z", "sha256": "...", "ticketContents": null, "issues": null }I've never heard about "team configuration for notarization" previously. What are the steps to resolve that issue?Thanks in advance.