Notarization service rejects .pkg. pkgutil, codesign and spctl validate app/package.

Hello.

We have an app bundle that we package into a .pkg file. We are currently getting an error when notarizing the .pkg artifact. But running all the suggested tools against the built bundle/package validates the bundle/package. We don't know why the notarization service is rejecting the pkg.

The notarization failure:

Notarization Invalid
{
    "logFormatVersion": 1,
    "jobId": "b26ec329-409e-4a21-88f0-6f924795a6db",
    "status": "Invalid",
    "statusSummary": "Archive contains critical validation errors",
    "statusCode": 4000,
    "archiveFilename": "MY-APP.pkg",
    "uploadDate": "2021-07-19T17:39:59Z",
    "sha256": "019c0409eab63e68cfe6323sd2e33715f07c731d5b4192254277ed62db1b6e97d",
    "ticketContents": null,
    "issues": [
        {
            "severity": "error",
            "code": null,
            "path": "MY-APP.pkg",
            "message": "The binary is not signed.",
            "docUrl": null,
            "architecture": null
        }
    ]
}

Here is the output of codesign -v -vvv --deep --strict MY-APP.app:

...
MY-APP.app: valid on disk
MY-APP.app: satisfies its Designated Requirement

Output of pkgutil --check-signature MY-APP.pkg:

Package "MY-APP.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Signed with a trusted timestamp on: 2021-07-20 08:59:11 +0000
   Certificate Chain:
    1. Developer ID Installer: MY COMPANY (XXXXXXXXXX)
       Expires: 2024-06-26 09:35:51 +0000
       SHA256 Fingerprint:
           3D ...
       ------------------------------------------------------------------------
    2. Developer ID Certification Authority
       Expires: 2027-02-01 22:12:15 +0000
       SHA256 Fingerprint:
           7A ...
       ------------------------------------------------------------------------
    3. Apple Root CA
       Expires: 2035-02-09 21:40:36 +0000
       SHA256 Fingerprint:
           B0 ..

And the output of spctl -vvv --assess --raw --verbose=10 --type exec MY-APP.app:

build/MY-APP.app: accepted
origin=Developer ID Application: MY COMPANY (XXXXXXXXXX)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>assessment:authority</key>
	<dict>
		<key>assessment:authority:flags</key>
		<integer>2</integer>
		<key>assessment:authority:row</key>
		<integer>6</integer>
		<key>assessment:authority:source</key>
		<string>Developer ID</string>
	</dict>
	<key>assessment:originator</key>
	<string>Developer ID Application: MY COMPANY (XXXXXXXXXX)</string>
	<key>assessment:remote</key>
	<true/>
	<key>assessment:verdict</key>
	<true/>
</dict>
</plist>

We are blocked at the moment and can't figure out why the notarization service is rejecting the .pkg file with a "binary not signed" error. Any suggestions on how to solve this or analyse the root cause of the failure?

Accepted Answer

We don't know why the notarization service is rejecting the pkg.

Well, as the Notary service is pointing out, the pkg is not showing up as signed for some reason, even though you do seem to have the correct signature on your pkg installer. A few things you can try here:

  1. Are you using an outer delivery container, such as a disk image (dmg) or another pkg installer to perform the distribution of your app, and MY-APP.pkg is inside this container? If this is true then you need to also Developer ID sign the outer container. Use the Developer ID Application signing identity for the disk image and the Developer ID Installer signing identity for the pkg installer.

  2. Try using a .zip archive just as a test here to see if you can Notarize that. This is documented here. If all goes through successfully there then you know you have an issue with your pkg installer.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

What Matt said, but also…

Make sure the notary service is getting the right package. To do this:

  1. Upload your package for notarisation.

  2. Wait for the error.

  3. Get the SHA-256 checksum from the notarisation log (that was 019c0409eab63e68cfe6323sd2e33715f07c731d5b4192254277ed62db1b6e97d in the example you posted).

  4. Check your package signature using pkgutil.

  5. Then calculate the checksum and check that it matches the one from step 3:

    % shasum -a 256 MY-APP.pkg

Also, did you build this package with Apple tools? Or something from a third party?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
