notarytool fails on same file that altool notarizes successfully

Just got my brand new M1 Max laptop and am excited to get with the times and use notarytool instead of altool as recommended by the mothership, but when I try to notarize the same file that altool notarizes successfully it fails.

Here is my successful altool command:

xcrun altool --notarize-app --primary-bundle-id "My Kool Tool" --username "***@***.com" -p "@keychain:ac_notary" --asc-provider XXXXXXXXXXXX --file *.zip && rm *.zip

and this is the notarytool command that fails on the same file:

xcrun notarytool submit *.zip --keychain-profile "XXXXXX Apple Developer" --wait && rm *.zip

Here is the output:

Conducting pre-submission checks for archive.zip and initiating connection to the Apple notary service...
Submission ID received
 id: e20c0438-5576-4361-a11a-2efeb8exxxxx
Successfully uploaded file
 id: e20c0438-5576-4361-a11a-2efeb8exxxxx
 path: /Users/***/Documents/archive.zip
Waiting for processing to complete.
Current status: Invalid..........
Processing complete
 id: e20c0438-5576-4361-a11a-2efeb8exxxxx
 status: Invalid

and the log:

xcrun notarytool log e20c0438-5576-4361-a11a-2efeb8exxxxx --keychain-profile "XXXXXX Apple Developer"
{
 "logFormatVersion": 1,
 "jobId": "e20c0438-5576-4361-a11a-2efeb8exxxxx",
 "status": "Invalid",
 "statusSummary": "Archive contains critical validation errors",
 "statusCode": 4000,
 "archiveFilename": "archive.zip",
 "uploadDate": "2021-12-07T18:57:23.193Z",
 "sha256": "505d76b420d46bfd01d56c724de1c8d20121d75b0ca6cee96a51549708ec46ee",
 "ticketContents": null,
 "issues": [
  {
   "severity": "error",
   "code": null,
   "path": "archive.zip",
   "message": "Package archive.zip has no signed executables or bundles. No tickets can be generated.",
   "docUrl": null,
   "architecture": null
  }
 ]
}

Again, the same file notarizes with altool, so it is properly signed.

It is worth noting that if I don't include the --asc-provider in the altool command it fails, so maybe I just need to do the same with notarytool, but I can't find any documentation on how to do that.

Help Obi Wan

Replies

Well, that’s weird. Both altool and notarytool connect to the same notary service back end, and it shouldn’t matter how you transport your file to that back end. Moreover, the fact that you get a log response from notarytool indicates that your file made it to that back end.

Try this:

  1. Find the UUID of the request that you submitted via altool.

  2. Use the --notarization-info subcommand of altool to get the log file URL.

  3. Download that.

  4. Verify that the SHA-256 checksum (in the sha256 property) matches the one you posted in the notarytool log.

It is worth noting that if I don't include the --asc-provider in the altool command it fails so maybe I just need to do the same with the notarytool

No. The whole --asc-provider thing is a historical quirk and is not necessary for notarytool.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I'm posting this here because I believe it falls within the same use case. But what do I know!

Using terminal Xcode I am able to harden, notarize, pkg and validate my app for the distribution via the App Store, although I have not yet uploaded to the App Store.

Process #1:

  1. Harden myApp using ID: Developer ID Application
  2. Zip myApp
  3. Notarize myApp using altool
  4. Pkg myApp using productbuild ID: 3rd Party Mac Developer Installer
  5. Validate myApp for compatibility with App Store using altool.
  6. Test installing myApp using the pkg.

Success.

Attempting to notarize and pkg myApp using Xcode notarytool produces (two) different results depending on the ID used.

Process #2:

  1. Harden myApp using ID: Developer ID Application
  2. Pkg myApp using productbuild ID: 3rd Party Mac Developer Installer
  3. Notarize pkg generates a validation error:

    {
      "severity": "error",
      "code": null,
      "path": "myApp.pkg",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": null,
      "architecture": null
    }

Process #3:

  1. Harden myApp using ID: Developer ID Application
  2. Pkg myApp using productbuild ID: Developer ID Installer
  3. Notarize pkg. Successfully:

Conducting pre-submission checks for myApp.pkg and initiating connection to the Apple notary service...
Submission ID received
 id: 610ca3ff-e587-4434-xxxx
Successfully uploaded file (153 MB of 153 MB)
 id: 610ca3ff-e587-4434-xxxx
 path: myApp
Waiting for processing to complete.
Current status: Accepted.....................
Processing complete
 id: 610ca3ff-e587-4434-xxxx
 status: Accepted

  4. Validate myApp.pkg using altool --validate-app errors, for it requires the pkg to be signed with 3rd Party Mac Developer Installer.

I need to be able to notarize and pkg myApp for the App Store.

Thanks for being here: Be well

I need to be able to notarize and pkg myApp for the App Store.

That goal doesn’t make sense. There are two distribution channels for Mac software:

  • Mac App Store

  • Independent distribution

The latter requires notarisation; the former does not.

If your goal is to distribute via the Mac App Store:

  1. Sign with App Store distribution signing identities, not Developer ID ones.

  2. Optionally validate it with the --validate-app in altool.

  3. Don’t notarise.

  4. Submit to the Mac App Store using --upload-app.

For specific advice on the first step, see Creating Distribution-Signed Code for Mac and Packaging Mac Software for Distribution.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"