macOS AppStore submission - ITMS-90238: Invalid Signature Email

I've notarised my app and wrapped it up as a .pkg (I think) correctly. But every time I try and submit my app to the Mac AppStore, Apple sends me back this email which I cannot decipher. My certificate should be good; I use the check-signature tool to check both the .pkg and the .app files. It passes notarisation, which I know is performing similar checks. I'm not sure if the error message it is emailing me is saying the dylib files are the problem or that they have been validated?

Code Block language
ITMS-90238: Invalid Signature - The main app bundle APP_NAME at path app_name.app has following signing error(s):
--prepared:/Volumes/data01/app_data/app-processing/mz_621478465736756725dir/mz_11614935509311203053dir/com.company.app_name.pkg/Payload/app_name.app/Contents/Frameworks/libMonoPosixHelper.dylib
--validated:/Volumes/data01/app_data/app-processing/mz_621478465736756725dir/mz_11614935509311203053dir/com.company.app_name.pkg/Payload/app_name.app/Contents/Frameworks/libMonoPosixHelper.dylib
--prepared:/Volumes/data01/app_data/app-processing/mz_621478465736756725dir/mz_11614935509311203053dir/com.company.app_name.pkg/Payload/app_name.app/Contents/Frameworks/libmonobdwgc-2.0.dylib
--validated:/Volumes/data01/app_data/app-processing/mz_621478465736756725dir/mz_11614935509311203053dir/com.company.app_name.pkg/Payload/app_name.app/Contents/Frameworks/libmonobdwgc-2.0.dylib
--prepared:/Volumes/data01/app_data/app-processing/mz_621478465736756725dir/mz_11614935509311203053dir/com.company.app_name.pkg/Payload/app_name.app/Contents/Frameworks/libssl.dylib
--validated:/Volumes/data01/app_data/app-processing/mz_621478465736756725dir/mz_11614935509311203053dir/com.company.app_name.pkg/Payload/app_name.app/Contents/Frameworks/libssl.dylib
--prepared:/Volumes/data01/app_data/app-processing/mz_621478465736756725dir/mz_11614935509311203053dir/com.company.app_name.pkg/Payload/app_name.app/Contents/Frameworks/libcrypto.dylib
--validated:/Volumes/data01/app_data/app-processing/mz_621478465736756725dir/mz_11614935509311203053dir/com.company.app_name.pkg/Payload/app_name.app/Contents/Frameworks/libcrypto.dylib
--prepared:/Volumes/data01/app_data/app-processing/mz_621478465736756725dir/mz_11614935509311203053dir/com.company.app_name.pkg/Payload/app_name.app/Contents/Frameworks/UnityPlayer.dylib
--validated:/Volumes/data01/app_data/app-processing/mz_621478465736756725dir/mz_11614935509311203053dir/com.company.app_name.pkg/Payload/app_name.app/Contents/Frameworks/UnityPlayer.dylib
/Volumes/data01/app_data/app-processing/mz_621478465736756725dir/mz_11614935509311203053dir/com.company.app_name.pkg/Payload/app_name.app: valid on disk
/Volumes/data01/app_data/app-processing/mz_621478465736756725dir/mz_11614935509311203053dir/com.company.app_name.pkg/Payload/app_name.app: satisfies its Designated Requirement
test-requirement: code failed to satisfy specified code requirement(s) . Refer to the Code Signing and Application Sandboxing Guide at http://developer.apple.com/library/mac/#documentation/Security/Conceptual/CodeSigningGuide/AboutCS/AboutCS.html and Technical Note 2206 at https://developer.apple.com/library/mac/technotes/tn2206/_index.html for more information.


Replies

Are you submitting exactly the same package for notarisation and the Mac App Store? That won’t work. Notarisation requires that your code be signed with your Developer ID signing identity, whereas the Mac App Store expects an Apple Distribution signing identity.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
Thanks for getting back to me. Yeah, we're notarising with "Developer ID Application: Company Name (XXXXXXXXXX)" and I sign the package with "3rd Party Mac Developer Installer: Company Name (XXXXXXXXXX)" (which is a Mac Installer Distribution certificate).

So two different certificates.
So, just to be clear, you sign the app and its package twice:
  • For notarisation, you sign the app with Developer ID Application, then build the package, then sign the package with Developer ID Installer

  • For submission to the Mac App Store, you sign the app with 3rd Party Mac Developer Application, then build the package, then sign the package with 3rd Party Mac Developer Installer

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
I'm not 100% sure on the notarization process, as we've switched to using Unity Cloud Build's built-in notarization submission tool (so we just upload our credentials and it submits the app to notarization for us) but I believe this is what is happening:
  • Unity Cloud Build builds the app and produces APP_NAME.app

  • Unity Cloud Build signs the .app file with the Developer ID Application. (It might zip the file first, again this process is opaque to me as I do not control it.)

  • It then submits that build for notarization.

  • I download the notarized .app file from Unity Cloud Build

  • I build and sign the .pkg file with this command:

Code Block bash
productbuild --component APP_NAME.app /Applications --sign '3rd Party Mac Developer Installer: Company Inc. (XXXXXXXXX)' APP_NAME.pkg
  • I then submit APP_NAME.pkg to the Mac App Store with Transporter.

  • Apple then sends me the email full of errors.

That is my process. Am I meant to sign the .pkg file after it's already been signed by the productbuild tool?


I download the notarized .app file from Unity Cloud Build

I build and sign the .pkg file with this command:

The command you posted signs the installer package but doesn’t re-sign the app. When you install a package to the store:
  • The package must be signed with your installer distribution identity (typically 3rd Party Mac Developer Installer…).

  • The app inside the package must be signed with your app distribution identity (typically 3rd Party Mac Developer Application…).

It looks like you’re doing the first but not the second, which is problematic because a notarised app is, by definition, signed with a Developer ID signing identity.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
OK, it took a little while to confirm it, but you're right, I was getting confused between the certs:
  • Developer ID Application - Can sign code, used for Notarization + distribution outside the AppStore

  • 3rd Party Mac Developer Application - Can sign code, used for AppStore submission

  • 3rd Party Installer Application - Can sign .pkg files, used for AppStore

And the different usages for the different certificates, which really confused me.

Thanks for your help eskimo, this how-to was really useful for clearing up where I was getting confused. https://developer.apple.com/forums/thread/128166
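The two-layer signing recipe the replies lay out, written up as an added shell example (not code from the thread, from Unity, or from Apple): re-sign the app with the App Store application identity (the Frameworks dylibs named in the ITMS email first, then the bundle), check that the leaf certificate is no longer a Developer ID one, and only then run the productbuild line from the thread with the installer identity. `APP`, `PKG`, `ENTITLEMENTS`, the identity strings with their placeholder team id, and the two abridged `codesign -dvv` outputs are assumptions constructed for the example; the `codesign`, `productbuild` and `pkgutil` invocations are the standard Apple tools and only run on macOS.

```shell
#!/bin/sh
# Added example: App Store signing chain plus a pre-submission identity check.
# Assumed names (override via the environment):
APP="${APP:-APP_NAME.app}"
PKG="${PKG:-APP_NAME.pkg}"
ENTITLEMENTS="${ENTITLEMENTS:-entitlements.plist}"   # assumed: App Sandbox entitlements used by the App Store build
APP_IDENTITY="${APP_IDENTITY:-3rd Party Mac Developer Application: Company Inc. (XXXXXXXXXX)}"
PKG_IDENTITY="${PKG_IDENTITY:-3rd Party Mac Developer Installer: Company Inc. (XXXXXXXXXX)}"

# Classify the signing identity from `codesign -dvv` output read on stdin.
# The first "Authority=" line is the leaf certificate; the rest is the chain.
# Prints one of: mas, developer-id, adhoc, unknown.
classify_authority() {
  _out=$(cat)
  _leaf=$(printf '%s\n' "$_out" | grep '^Authority=' | head -n 1)
  case "$_leaf" in
    "Authority=3rd Party Mac Developer Application:"*) echo mas ;;
    "Authority=Apple Distribution:"*) echo mas ;;          # newer unified App Store identity
    "Authority=Developer ID Application:"*) echo developer-id ;;
    "")
      if printf '%s\n' "$_out" | grep -q '^Signature=adhoc'; then echo adhoc; else echo unknown; fi ;;
    *) echo unknown ;;
  esac
}

# Constructed sample (abridged, not captured from the poster's app): what the
# notarised Unity Cloud Build output from the thread would report.
SAMPLE_NOTARISED='Executable=/tmp/APP_NAME.app/Contents/MacOS/APP_NAME
Identifier=com.company.app_name
Authority=Developer ID Application: Company Inc. (XXXXXXXXXX)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=XXXXXXXXXX'

# Constructed sample: the same app after re-signing for the App Store.
SAMPLE_APP_STORE='Executable=/tmp/APP_NAME.app/Contents/MacOS/APP_NAME
Identifier=com.company.app_name
Authority=3rd Party Mac Developer Application: Company Inc. (XXXXXXXXXX)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
TeamIdentifier=XXXXXXXXXX'

# Step 1 of the replies' recipe: sign each nested dylib, then the bundle, with
# the App Store *application* identity. This replaces the Developer ID
# signature the notarised build carries.
resign_for_app_store() {
  find "$APP/Contents/Frameworks" -name '*.dylib' \
    -exec codesign --force --timestamp --sign "$APP_IDENTITY" {} \;
  codesign --force --timestamp --sign "$APP_IDENTITY" \
    --entitlements "$ENTITLEMENTS" "$APP"
}

# Refuse to package an app whose leaf identity is not an App Store one; this is
# the mismatch the replies identify as the cause of the ITMS-90238 email.
check_app_identity() {
  codesign --verify --deep --strict --verbose=2 "$APP"
  _kind=$(codesign -dvv "$APP" 2>&1 | classify_authority)
  if [ "$_kind" != mas ]; then
    echo "$APP is signed with a '$_kind' identity, not an App Store one; not packaging" >&2
    return 1
  fi
}

# Step 2: the productbuild line from the thread, signed with the *installer*
# identity, followed by a check of the package signature.
build_pkg() {
  productbuild --component "$APP" /Applications --sign "$PKG_IDENTITY" "$PKG"
  pkgutil --check-signature "$PKG"
}

# Run the full chain only when asked: `sh sign_for_mas.sh run` (assumed filename).
if [ "${1:-}" = run ]; then
  resign_for_app_store
  check_app_identity
  build_pkg
fi
```

`classify_authority` looks only at the leaf "Authority=" line, which is where the two identities differ; the chain below it (Developer ID Certification Authority versus Apple Worldwide Developer Relations Certification Authority) is consistent with whichever leaf is present. Running the script without `run` just defines the functions, so the classifier can be exercised against the constructed samples before touching a real bundle.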