Notarized and stapled app won't start after download

I have codesigned, notarized and stapled my application bundle (MyApp.app), and all processes finished successfully. Afterwards, I zip my application using ditto. If I unzip this package again and start the app, everything works just fine.
But if I upload this zip to our servers, redownload it using HTTP, unzip it and try to start the app, the app logo just bounces up and down in the taskbar and never starts.
I have also already checked the MD5 sums of both the local zip and the re-downloaded one, and they match. Can anyone maybe tell me what the problem could be?
Answered by read_2020 in 635101022
It isn't properly notarized. There is a general misconception that running altool to submit a binary and staple a ticket is "notarization". It is not. It is submitting a binary and stapling a ticket - nothing more. Your app is notarized if and only if you can then download it and it runs properly.

What's wrong? Hard to say. The fact that you specifically mentioned "stapling" is a huge red flag. This means you aren't using Xcode at the very least. What else aren't you doing properly? Again, very hard to say. I've seen many similar posts here in the forum and I've got to say that I'm always surprised at what people are actually doing and expecting to work. In many cases, it turns out that the actual breaking problem is something very subtle. That doesn't mean notarization is a subtle process. It is drop-dead, fall-off-a-log easy. You have to work - really hard - to make it fail.

I'll just skip to the punch line. Submit a DTS ticket and somebody from Apple will help you. You could also just use Xcode, but many people won't do that.
Thanks for your answer, Etresoft. It's true, I have not been using Xcode because it is a Java based application with OpenJDK 15 included in the package. I have been using this official Apple tutorial for my notarization workflow (after codesigning): https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow#3087734

I am not sure if using Xcode is an option when publishing custom .app packages?
Accepted Answer

I am not sure if using Xcode is an option when publishing custom .app packages?

It is not.

Java applications are hard to sign correctly (and the notary service requires that your code be signed correctly). For concrete advice on how to tackle this, see my Signing a Mac Product For Distribution post.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

it is a Java based application with openjdk 15 included in the package

At least Java isn't too outlandish compared to some of the things I've seen people attempt here in the forums. Here are a few tips to try:
1. First question, does your app even work? Many people skip this step. Bundle your app. You don't need to code sign or do anything else at this point. Zip the bundle (ideally using the Finder, but you can use ditto if you get the arguments just right). Copy the zip file to another machine running Catalina and unzip (use Finder because that is what your users will be using). (Big Sur may have some new behaviour with respect to signatures, so avoid it for now.) Make sure the other machine is pristine. Using a VM for this is very handy because you can easily reset the VM back to a freshly installed OS state. Use xattr to remove the quarantine flags from your app. This eliminates Gatekeeper for a while. Does your app run?

Many developers build apps that link to hard-coded dylibs or other files on their development machine. Then they do 16 more steps and complain about the last step not working. It was wrong on day one. That is what you are trying to check for here.

2. Repeat the above, but sign the app with the hardened runtime. Don't bother notarizing. Depending on your level of funkiness, you could also have failures due to the hardened runtime and/or dylibs. This would be your opportunity to investigate and fix those.

3. Now try after notarizing and stapling. Keep the quarantine bits enabled this time.

If you have problems running in any of these tests, what you want to do is run Console, turn on streaming, wait a second or two for some data to show up, then, as fast as humanly possible, launch your app. When it fails, turn off streaming. If you can do that in 5-10 seconds, you might have only a few thousand messages to inspect. I'm not kidding here. You can try filtering for your app name, but that isn't reliable. There is no guarantee that the pertinent message will have your app's name. It probably will, so it is OK to try the filter at first.

What you are looking for are problems loading dylibs, environment, run paths, @rpaths, and a few dozen other things. With Java, the failures could be anywhere.

At least with Java, you have some additional tricks to try. You could set up a pristine VM with nothing but the Java runtime installed. Then you could try just running your JAR file. That might narrow down the problem space a bit.

Good luck!
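The three test stages above (unsigned and de-quarantined, hardened-runtime signed, notarized and stapled with quarantine kept) and the Console triage tip boil down to a handful of command-line checks. The script below is an added example written for this page; it is not code from the thread or from Apple. It assumes a bundle path such as ./MyApp.app, the standard macOS tools (ditto, xattr, codesign, xcrun stapler, spctl, log), and the output formats those tools print on Catalina/Big Sur (the "flags=0x10000(runtime)" line from codesign -dv and the "<path>: accepted / source=..." pair from spctl). The helper functions that parse tool output take text on stdin, so they can be exercised anywhere; the SAMPLE_LOG lines are constructed for illustration and are not real log output.

```shell
#!/bin/sh
# Added example for the thread above, not the original poster's or Apple's code.
# Assumes macOS tooling (ditto, xattr, codesign, xcrun stapler, spctl) for the
# run_* / check_bundle functions. The parsing helpers only need POSIX sh, awk, grep.

# Stage 1 helpers: package the bundle the way Apple's notarization docs do
# (keep the parent directory and sequester resource forks), and strip the
# quarantine attribute so Gatekeeper is out of the picture for the first run.
zip_bundle() {                       # $1 = path/to/MyApp.app, $2 = out.zip
    ditto -c -k --keepParent --sequesterRsrc "$1" "$2"
}
strip_quarantine() {                 # $1 = path/to/MyApp.app (recursive)
    xattr -dr com.apple.quarantine "$1"
}

# Stage 2 helper: does `codesign -dv --verbose=4 <app> 2>&1` report the
# hardened runtime? codesign prints e.g. "flags=0x10000(runtime)" when it is
# on and "flags=0x0(none)" when it is not.
has_hardened_runtime() {             # stdin: codesign -dv output
    grep -qE 'flags=0x[0-9a-fA-F]+\([^)]*runtime'
}

# Stage 3 helper: reduce `spctl --assess --type execute -vv <app>` output to
# "<verdict>|<source>", e.g. "accepted|Notarized Developer ID". A notarized
# and stapled app assessed while still quarantined must come back "accepted".
spctl_verdict() {                    # stdin: spctl output
    awk '
        /: accepted/ { v = "accepted" }
        /: rejected/ { v = "rejected" }
        /^source=/   { s = substr($0, 8) }
        END {
            if (v == "") v = "unknown"
            if (s == "") s = "none"
            print v "|" s
        }'
}

# Console triage: filtering by app name is unreliable because the decisive
# message may come from dyld, the kernel (AMFI), syspolicyd, etc. Match on the
# message text that usually explains a bounce-and-die launch instead.
triage_log() {                       # stdin: `log show --last 2m` or Console export
    grep -Ei 'Library not loaded|image not found|code signature|Library Validation|no cdhash|quarantine|syspolicyd|amfi'
}

# Constructed sample (not real log output) to show what triage_log keeps.
SAMPLE_LOG='2020-11-02 10:00:01.000 kernel: (AppleMobileFileIntegrity) AMFI: code signature validation failed.
2020-11-02 10:00:01.001 MyApp: dyld: Library not loaded: @rpath/libjli.dylib
2020-11-02 10:00:01.002 MyApp:   Reason: image not found
2020-11-02 10:00:01.003 WindowServer: unrelated noise
2020-11-02 10:00:01.004 syspolicyd: assessment denied for MyApp.app'

# Stages 2 and 3 against a real bundle (macOS only). Returns non-zero on the
# first failing check so it can gate a release script.
check_bundle() {                     # $1 = path/to/MyApp.app
    app="$1"
    # Strict, nested verification covers the bundled JDK dylibs and jspawnhelper.
    codesign --verify --deep --strict --verbose=2 "$app" || return 1
    codesign -dv --verbose=4 "$app" 2>&1 | has_hardened_runtime \
        || { echo "hardened runtime not enabled on $app" >&2; return 1; }
    # The staple must validate, and Gatekeeper must accept the bundle while
    # the quarantine attribute is still present (do not strip it for stage 3).
    xcrun stapler validate "$app" || return 1
    verdict=$(spctl --assess --type execute -vv "$app" 2>&1 | spctl_verdict)
    case "$verdict" in
        accepted*) echo "Gatekeeper: $verdict" ;;
        *)         echo "Gatekeeper: $verdict" >&2; return 1 ;;
    esac
}

# Usage: ./check_app.sh ./MyApp.app   (after re-downloading and unzipping it)
#        log show --last 2m | ./check_app.sh --triage
if [ "$1" = "--triage" ]; then
    triage_log
elif [ -n "$1" ]; then
    check_bundle "$1"
fi
```

Run check_bundle on the copy you downloaded over HTTP and unzipped in Finder, not on the one still sitting in your build directory: the download is what carries the quarantine attribute, and that is the case Gatekeeper actually evaluates.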