How to sign a file using Terminal and submit it for notarization?

I have a DMG file that contains an application resource file that is to be placed in the /Users/Shared/ folder on the hard drive. I am able to sign the DMG file with the application "DropDMG". However, I still need to submit the DMG file for notarization to Apple so Gatekeeper doesn't keep telling users it doesn't recognize it and it should not be used. Additionally, from reading through the signing documentation, for my shared folder file to also be safe for Gatekeeper I need to sign and submit that as well. I've found I should be able to do this with Terminal; however, there aren't clear example instructions. I can't find a way to do this via Xcode since the files weren't created in Xcode. Can anyone guide me through what I need to do for signing the Shared folder file, and then submitting it and the DMG file to Apple for notarization?

  • To clarify what I'm trying to do, in the hope that additional information can help others help me and to provide an example with "step-by-steps" of what I'm doing in case others are attempting similar things and having the same problems, here is what I'm doing in terms of the scenario, instructions I'm following, and what I've done so far. Scenario: 

    I have an application add-on that I'm looking to distribute to customers via an online purchase, then a DMG download, and installation to the "/Users/Shared" folder. The add-on is a single file which, if you right-click on it, has contents that make it run. I am using DropDMG to sign my DMG file; however, I need to code sign the application add-on for Gatekeeper to allow the application to run it. I have a Developer Application ID certificate and a Developer ID Installer certificate installed on my Mac, which I can view in Keychain. I use the Developer Application ID certificate in the DropDMG application to sign the DMG file.

    After installing it during testing, I saw that Gatekeeper doesn't recognize the application add-on file and won't let it run. So I realize that I need to code-sign the application add-on. However, since this wasn't built in Xcode, I'm unsure how I can sign the file, since Xcode seems to be the primary method.

    I've read the following articles:

    - Notarizing macOS Software Before Distribution
      https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution

    - Customizing the Notarization Workflow
      https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow

    - Manually Sign an App
      https://help.apple.com/xcode/mac/current/#/dev1bf96f17e

    - Code Signing Guide, section "How to Code Sign Manually"
      https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html#//apple_ref/doc/uid/TP40005929-CH4-SW6

    From this research and some testing, I was able to run the following command in Terminal.

    codesign -s 'Developer ID Application: Example ID' -v "/Users/Shared/examplefile.pvm"

    This runs, in that I don't get any syntax errors, but it doesn't give me feedback even though I'm using "-v" for feedback. I have read further that I will need a "plist" for signing to be possible. However, this again takes me back to Xcode, where I'm not sure how to do that with my product add-on, since it's not an "application" per se.

    I hope this helps others and if there are suggestions or help I would really appreciate it. This is the ONLY thing at this point prohibiting me from selling my product. I just need to get the application add-on signed, add the signed add-on to my DMG, create and sign the DMG, and then submit the signed DMG file with the signed application add-on to Apple's notarization service, and customers should be able to then use my product. Help! Calling out an SOS!


Replies

It sounds like you’re on roughly the right track. I recommend that you read my Signing a Mac Product For Distribution, which should fill in most of the missing details. Post back if you hit any snags.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Quinn, thanks for your reply. I appreciate your providing me the link to the post you compiled, since it's perfectly constructed and gives very clear directions. Here's where things stand. I've been able to sign my product add-on, since it's a bundle (a .PVM file) that contains an app that I've signed. Since this is what the application runs, this should be the correct file (it also has the necessary "Info.plist" file and accompanying resources with the correct structure). I then created a zip file of the signed item simply by using "compress file". Will that work, or should I use the command-line tool in your guide?

I was going to then place that app inside my DMG, sign the DMG, create a zip of that complete package since that's what I'm distributing, and submit that for notarization by using:

% sudo xcode-select -s /path/to/Xcode13.app

(From: https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow )

Or should I simply submit the DMG file, without creating a zip-compressed file before submitting it? If you can help me with these remaining questions I should be on my way to completing this signing, notarization, and distribution process. Again, THANK YOU for your reply and assistance! - Ted

As an additional update, I've followed the instructions in "Customizing the Notarization Workflow", specifically the instructions for Xcode 12, since that appears to be what I'm running: https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow/notarizing_apps_from_the_command_line_with_xcode_12_and_earlier

I've created the app-specific password and can log in when I do the "xcrun altool --list-providers" command; however, when I try to notarize my DMG file it fails, saying the username and password aren't specified. Is this because I'm trying to upload a DMG file? Also, I am trying to notarize a DMG file from a specific path by adding the "-f" argument and including the path (obtained by dragging the file into Terminal and copying the full path from that into my command).

So I am trying now uploading a zip of the DMG to see if that helps, but I'm guessing the unique path is probably the bigger problem. Any suggestions I need to do to correct things and get the notarization working? Thank you Esc

I then created a zip file of the signed item simply by using [File > Compress]. Will that work, or should I use the command-line tool in your guide?

Zipping from Finder should work. The doc uses ditto because most folks want to automate this step.

sign the DMG, create a zip of that complete package since that's what I'm distributing

Hmmm, it sounds like you're tying yourself up in knots here (perhaps zip ties, hey hey!). The notary service will accept a disk image. If your goal is to distribute a disk image to the user, you don’t need to zip anything. Just put your program in a directory, create a disk image from that directory, sign that disk image, and then notarise and staple it.

Is this because I'm trying to upload a DMG file?

No. The best way to debug this is with the --list-providers command. It only takes your credentials, so if it fails then you know that it’s nothing to do with your submission and is solely a credentials problem.

Also, --list-providers returns your provider short name and you’ll need that for the --asc-provider argument when you actually do submit.

Or just use notarytool from the current Xcode 13 beta. While Xcode 13 itself is in beta, you can consider notarytool ready for production use.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Eskimo1, how do I specify the location for it to know what file to upload? Also, when I do the --list-providers command it DOES come back with my information and authenticates correctly, so why does it say the credentials are incorrect when I try to notarise?

Any help you can offer I could really use. I'm desperate to get this notarization and stapling done today. “Help me Eskimo1, you’re my only hope!”

Ted

As an update, I updated to Xcode 13. I then restarted Terminal. After some trial and error, and a lot of help reading through: xcrun notarytool submit --help

Eventually I was able to successfully submit for notarization using the following command with "verbose" feedback that is allowing me to see the details of the submission currently. In the below statement, the items in "quotes" are just holder text that is specific to my particular example. If others want to replicate, they can simply enter the specifics in those values to perform the same.

xcrun notarytool submit "/folder-path/Installer.dmg" --verbose --apple-id "developer ID login" --password "app-specific password" --team-id "developer team id" --progress

Once this completes I will attempt to "staple" the files with the results, barring any major issues identified in notarizing, and provide the updates/results. Thanks again!

I am now trying to get the status of the request and when I use the following command it gives me the subsequent error: (Note: items in italics are just "anonymized" to hide my particular details)

xcrun notarytool info "submission-ID-#" --apple-id "username" --password "password" -team-id "teamID" --progress

Error: The value "teamID" is invalid for '-i ': "teamID" must be a valid UUID

Why is it requiring an App Store Connect ID and issuer when I'm using my login credentials, not the API? Below is the help information, and I'm confused as to why this is requiring this or mixing up the two items.

USAGE: notarytool info

ARGUMENTS:
          Notary Submission ID (UUID)

OPTIONS:
  -v, --verbose
  -k, --key               App Store Connect API key. File system path to the private key.
  -d, --key-id            App Store Connect API Key ID. Usually 10 alphanumeric characters.
  -i, --issuer            App Store Connect API Issuer ID. UUID format.
  --apple-id              Developer Apple ID.
  --password              App-specific password for your Apple ID. You will be given a secure prompt on the command line if
                          Apple ID and Team ID are provided and '--password' option is not specified.
  --team-id               Developer Team ID.
  -p, --keychain-profile
                          Authenticate with credentials stored in the Keychain. Use the profile name you provided in the
                          "store-credentials" command.
  --keychain              Pass the path to a keychain file to use for reading the keychain item. If the specified keychain is
                          locked, you'll be prompted to unlock it.
  -f, --output-format
                          Desired output format. Note that 'json' and 'plist' are incompatible with '--progress'; a single
                          update will be output at the end of the operation. Choices: ["normal", "json", "plist"] (default:
                          normal)
  --progress/--no-progress
                          Display progress indicators. Only compatible with normal output format (default) and will be
                          otherwise suppressed. (default: true)
  --version               Show the version.
  -h, --help              Show help information.

Did you really use -team-id? It should be --team-id. Note the two leading dashes. With a single dash it interprets this as -t eam -i d, and hence all those errors.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

  • deleted comment due to lack of formatting.


First, yes, I am using "--team-id"; it's just an annoying autocorrect that TextEdit does for some reason.

I've been able to submit my application add-on inside the DMG to Apple. The 1st time it failed because the add-on contained in the DMG didn't have "hardened-runtime" enabled. I found the answer in the following post: https://developer.apple.com/forums/thread/129544

I resigned the app inside the product add-on, using the following command to enable hardened-runtime: codesign --options=runtime -s "Developer ID Application: Whoeveryouare" -v /path/to/executable

Once I did that, I resubmitted it to be notarized, and it came back successful. Once it was notarized successfully, I was able to staple that to the DMG file.

However, when I copy the add-on from the DMG to a test computer, the file still fails to load because Apple says it's unrecognized. I then zipped the .app file and submitted it for notarization. I got a response that the notarization failed due to "Package has no signed executables or bundles. No tickets can be generated."

I did some research and found another post that seems to cover a similar scenario: https://developer.apple.com/forums/thread/119801

I tried making the modifications to the .app contained in my .pvm bundle (these are Parallels Virtual Machines (.pvm) that contain a machine-named .app; inside that is the Info.plist file) and made the following recommended modifications:

  • set CFBundlePackageType to BNDL
  • deleted the CFBundleSignature key

I then re-zipped the whole .pvm file and submitted it for notarization, and again I got the response: "Package has no signed executables or bundles. No tickets can be generated." If I submit the PVM inside the DMG, the DMG gets notarized but the PVM/app doesn't, and it won't run when I load it.

How can I get the .pvm bundle that contains the machine-named .app bundle (I may be using the wrong terminology with "bundle") signed so I can re-sign it with hardened runtime, add it to the DMG, and get BOTH the .pvm bundle for the virtual machine and the DMG that contains it notarized, and then staple the results so it can be distributed without Gatekeeper stopping them? Right now, when I launch the virtual machine I get the following error, which is due to Gatekeeper not allowing the file to run: https://kb.parallels.com/en/111693

If you need additional details please let me know. I'm simply trying to distribute the PVM on the DMG to save space when distributing it across the network of machines I manage using JAMF. Gatekeeper has made what once was a simple "copy paste" function into an incredibly difficult process. My alternative is to run Parallels one-by-one, manually on each Mac, following a step-by-step process by hand, that is highly error-prone or results in varying configurations. I've built these PVMs and simply want to distribute the images uniformly.

Another thing I was looking at: when I run "codesign --options=runtime", is it possible to specify additional runtime exceptions like the ones specified here? https://developer.apple.com/documentation/security/hardened_runtime Or are those only available via Xcode? I would assume there are methods via Terminal, since everything in Xcode is just a GUI for what's possible via the command line; however, I can't find any documentation for that. I'm wondering if these exceptions, or the lack thereof, are part of the problem.

Any help you can provide would be really helpful. I've banged my head against the wall for a week now and the headache (not to mention resulting headache this has caused) is becoming unbearable. Currently, my office is expecting me to roll out the new machines starting next week due to the office being closed starting Wednesday for the 4th of July holiday. Right now I'm very worried I'm not going to be able to meet that deadline and lose the argument of "Why are we using Macs in the office when PCs might be cheaper/easier to manage?" that my boss and I have been having since I proposed it. My view is "Macs are harder upfront, but easier long term and dual environment meet every possible user need". His view is "Macs are for people's homes, not the office. Windows are more work long-term, but that's your problem to manage as the administrator not mine as the IT Director."

Help me Eskimo1, you're my only hope (and everyone's since on every discussion link I've added you seem to be THE ONLY Apple expert who's able to provide answers. Question: are you the ONLY resource Apple has devoted to answering these "outside of the AppStore" distribution questions? Kind of seems like they need more of you).

Just in case you’re commenting around this time since that’s been the case previously this week, I’m up and awake currently in hopes we might be able to run through options. If you’re able to offer any suggestions I can try I’d really appreciate it. Nothing I’ve tried since Wednesday night has worked or changed things.
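As an added example (not code from this thread, and not a script from Apple's documentation), here is a small POSIX shell script that strings together the steps discussed above: sign the bundle with the hardened runtime and a secure timestamp (optionally with an entitlements plist for runtime exceptions), verify the signature, build and sign the DMG, submit it with notarytool using a stored keychain profile, staple the ticket, and confirm Gatekeeper accepts the image. The Developer ID identity, keychain profile name and paths are placeholders. It goes slightly beyond the thread by checking, before anything is uploaded, the two credential mistakes that came up here: a long option written with one dash (the "-team-id" case) and a Team ID handed to an option that expects a UUID issuer ID.

```sh
#!/bin/sh
# Added example, not code from the thread: a Developer ID signing + notarization
# pipeline for a bundle shipped inside a DMG, using only Apple's documented tools
# (codesign, hdiutil, notarytool, stapler, spctl). All identifiers are placeholders.
set -eu

DEV_ID_CERT="Developer ID Application: Example Developer (TEAMID0000)"  # placeholder identity
KEYCHAIN_PROFILE="notary-profile"  # name given to: xcrun notarytool store-credentials notary-profile

# The thread's '-team-id' failure: with one dash, notarytool reads "-t eam -i d".
# Returns 1 if any argument looks like a long option written with a single dash.
check_long_flags() {
  for arg in "$@"; do
    case "$arg" in
      --*) ;;                          # well-formed long option
      -[A-Za-z][A-Za-z]*) return 1 ;;  # e.g. "-team-id": one dash, several letters
    esac
  done
  return 0
}

# Team ID (10 alphanumerics) vs App Store Connect issuer ID (UUID). Passing a
# Team ID where a UUID is expected is what produced "must be a valid UUID".
is_team_id() { printf '%s\n' "$1" | grep -Eq '^[A-Z0-9]{10}$'; }
is_uuid()    { printf '%s\n' "$1" | grep -Eiq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'; }

# Sign a bundle with the hardened runtime and a secure timestamp, then verify it.
# $1 = bundle path, $2 (optional) = entitlements plist listing runtime exceptions.
sign_bundle() {
  if [ "${2:-}" ]; then
    codesign --force --options runtime --timestamp --entitlements "$2" --sign "$DEV_ID_CERT" "$1"
  else
    codesign --force --options runtime --timestamp --sign "$DEV_ID_CERT" "$1"
  fi
  codesign --verify --deep --strict --verbose=2 "$1"  # fails if any nested code is unsigned
}

# Build a compressed disk image from a staging directory and sign the image itself.
make_and_sign_dmg() {  # $1 = staging dir (contains the signed bundle), $2 = output .dmg
  hdiutil create -volname "Installer" -srcfolder "$1" -ov -format UDZO "$2"
  codesign --timestamp --sign "$DEV_ID_CERT" "$2"
}

# Submit, wait for the verdict, staple the ticket to the DMG, and confirm Gatekeeper accepts it.
notarize_and_staple() {  # $1 = signed .dmg
  xcrun notarytool submit "$1" --keychain-profile "$KEYCHAIN_PROFILE" --wait
  xcrun stapler staple "$1"
  xcrun stapler validate "$1"
  spctl --assess --type open --context context:primary-signature -v "$1"
}

# usage: sh notarize.sh /path/to/Staging /path/to/Staging/AddOn.pvm/Machine.app [entitlements.plist]
main() {
  [ "$#" -ge 2 ] || { echo "usage: $0 staging-dir bundle [entitlements.plist]" >&2; return 2; }
  sign_bundle "$2" "${3:-}"
  make_and_sign_dmg "$1" "Installer.dmg"
  notarize_and_staple "Installer.dmg"
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Storing the app-specific password once with "xcrun notarytool store-credentials" and then passing --keychain-profile keeps the password out of shell history and scripts, which is also why the thread's inline --password form is better avoided in automation. The final spctl assessment is the same check Gatekeeper performs when a user opens the image, so a failure there shows up before customers see it.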

Wow, that sounds quite convoluted. At this point I’m going to recommend that you open a DTS tech support incident so that I can allocate more time to look at your issue.

When you open the TSI you should get back an auto ACK. Once you get that, email me the follow-up number it contains. My address is in my signature, below. Make sure to include a reference to this thread because, as you might imagine, I get a lot of email.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thank you so much! I've opened the ticket and forwarded you the ACK email. Let me know what I can do to help/test things. Ted