Checking DMG notarization never succeeds, always shows: Rejected

Hello, I am developing a macOS app. I am stuck on some errors during DMG notarization.

After

xcrun stapler staple -v "${APP_PATH}.dmg"

it always shows dmg: rejected:

spctl -a -t exec -vv ${APP_PATH}.dmg
../dist/IM-darwin-x64/IM.app.dmg: rejected
source=Notarized Developer ID
origin=Developer ID Application: ........ (.......)

I have been stuck here for a while, please help me fix this error, thank you very much.

My step demo:

#!/bin/bash
# Placeholders: fill these in before running.
OSX_PUBLISH_USER="APP PUBLISHER USER"
OSX_PUBLISH_PASSWD="APP PUBLISHER PASSWD"
APP_PATH="YOUR APP PATH"
PLIST_PATH="YOUR entitlements.plist PATH"

ASC_PORVIDER="xxxxx" #UMZRU526AB
APPLICATION_CER_NAME="Developer ID Application: XXXXX (${ASC_PORVIDER})" #"Developer ID Application: XXX XXX (UMZRU526AB)"
PRIMARY_BUNDLE_ID="app primary-bundle-id name"


if [ "$OSX_PUBLISH_USER" == "" ]; then
  echo "OSX_PUBLISH_USER is empty"
  exit 1
fi

if [ "$OSX_PUBLISH_PASSWD" == "" ]; then
  echo "OSX_PUBLISH_PASSWD is empty"
  exit 1
fi

# Upload a file to the notary service with altool; the raw altool output is
# left in RESULT and the parsed RequestUUID in UUID.
submit_for_notarization() {
  local file="$1"
  RESULT=$(xcrun altool --notarize-app --primary-bundle-id "$PRIMARY_BUNDLE_ID" --username "$OSX_PUBLISH_USER" --password "$OSX_PUBLISH_PASSWD" --asc-provider="$ASC_PORVIDER" -t osx --file "$file")
  UUID=$(echo "$RESULT" | grep -Eo 'RequestUUID = [[:alnum:]]{8}-([[:alnum:]]{4}-){3}[[:alnum:]]{12}' | grep -Eo '[[:alnum:]]{8}-([[:alnum:]]{4}-){3}[[:alnum:]]{12}' | sed -n "1p")
  echo "$RESULT"
  echo "$UUID"
  if [ "$UUID" == "" ]; then
    echo "notarize-upload-fail"
    exit 3
  fi
  echo "notarize-finish"
}

# Poll the notarization history (line 6 of the listing is the most recent
# request) for up to six minutes; staple the ticket to $1 on success.
wait_and_staple() {
  local target="$1" label="$2"
  local i=0 times=5
  while [ "$i" -le "$times" ]; do
    i=$((i + 1))
    echo "sleep 60 seconds to get history"
    sleep 60
    RESULT=$(xcrun altool --notarization-history 0 -u "$OSX_PUBLISH_USER" -p "$OSX_PUBLISH_PASSWD" | sed -n "6p")
    echo "$RESULT"
    if echo "$RESULT" | grep -q "success"; then
      xcrun stapler staple -v "$target"
      echo "notarize ${label} success"
      times=-1
    elif echo "$RESULT" | grep -q "Package Invalid"; then
      echo "notarize ${label} fail:Package Invalid"
      xcrun altool --notarization-info "$UUID" -u "$OSX_PUBLISH_USER" -p "$OSX_PUBLISH_PASSWD"
      exit 2
    elif [ "$i" -gt 5 ]; then
      echo "notarize ${label} fail:timeout"
      xcrun altool --notarization-history 0 -u "$OSX_PUBLISH_USER" -p "$OSX_PUBLISH_PASSWD"
      exit 1
    fi
  done
}

# Sign the app bundle with the hardened runtime and entitlements.
# --deep is what this script originally ran; the replies below recommend against it.
RESULT=$(codesign --deep --force --sign "${APPLICATION_CER_NAME}" --options runtime --entitlements "${PLIST_PATH}" "${APP_PATH}" 2>&1)
echo "$RESULT"

if echo "$RESULT" | grep -q "The timestamp service is not available"; then
  echo "codesign fail:The timestamp service is not available"
  exit 3
fi
echo "codesign-finish"

echo "createArchive-start"
ditto -c -k -rsrc --sequesterRsrc --keepParent "$APP_PATH" "${APP_PATH}.zip"
echo "createArchive-finish"
echo "notarize-start"
submit_for_notarization "${APP_PATH}.zip"
wait_and_staple "$APP_PATH" "app"

if echo "$RESULT" | grep -q "success"; then
  echo "createDMG-start"
  #node createMacDMG.js
  hdiutil create -srcFolder "$APP_PATH" -o "${APP_PATH}.dmg"
  codesign --deep --force --verify --verbose --sign "${APPLICATION_CER_NAME}" -i "${PRIMARY_BUNDLE_ID}" --timestamp "${APP_PATH}.dmg"

  #codesign -s III --timestamp -i BBB ${APP_PATH}.dmg
  echo "createDMG-finish"
  echo "notarize-start"
  submit_for_notarization "${APP_PATH}.dmg"
  wait_and_staple "${APP_PATH}.dmg" "dmg"
fi

echo "check-notarize-result"
xcrun altool --notarization-info "$UUID" -u "$OSX_PUBLISH_USER" -p "$OSX_PUBLISH_PASSWD"

echo "check-app"
spctl -a -t exec -vv "$APP_PATH"
echo "check-dmg"
spctl -a -t exec -vv "${APP_PATH}.dmg"

exit 0

A few things I see here off the top of my head:

  1. Do not use the --deep argument when code signing, this can create all sorts of issues, especially for Notarization.

  2. Why are you Notarizing the app and then the DMG? You will only need to Notarize the outer container, which would be the DMG it looks like.

Also, are you receiving a Notary log on a success or failure of the DMG's notarization process?

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

  1. After I removed the --deep argument, I fixed this problem, thank you very much.
  2. I am working on trying to fix this problem: a customer downloads this xxxx.dmg and double-clicks to open it, the OSX system (10.14.5) does not mount the dmg and pops up an alert window:
can't open "xxxx.dmg", because Apple can not check if it contains baleful software

(sorry, I only have a window capture image. I translated the text from Chinese to English myself, and I don't know the original text)


I don't know what caused this problem; now I am trying to notarize and staple the dmg to avoid this situation. Maybe it will not work, I don't know.

thank you very much

a customer download this xxxx.dmg, and double clicked to open it, [macOS] system (10.14.5) not mount dmg and popup a alert window

macOS 10.14 requires that the disk image be signed and notarised. That requirement was relaxed on later systems, which is why you’re only seeing the problem on 10.14.

As Matt said, our advice is that you sign everything, from the inside out, and then notarise the outermost container. This will actually simplify your script because you don’t need the zip step or the double notarisation.

For more detailed advice, see Signing a Mac Product For Distribution.

Looking at your original post:

  • You are using spctl incorrectly. I generally recommend against using spctl for testing your notarisation but, if you do, you need to use it the right way. Testing a Notarised Product has both my recommended instructions and the correct spctl command.

  • You should switch to notarytool. It’s better, stronger, and faster (-: For more details, see WWDC 2021 Session 10261 Faster and simpler notarization for Mac apps.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thank you very much, all problems have been resolved.

  1. I should not sign the dmg file, signing the app is enough
  2. Switched to notarytool, it is much faster and easier than the old way

demo.sh:

#!/bin/bash
# Placeholders: fill these in before running.
APP_PATH="YOUR APP PATH"
PLIST_PATH="YOUR entitlements.plist PATH"
APPLICATION_CER_NAME="Developer ID Application: XXX XXX (TEAMID)"

#store credentials once, then refer to them by profile name
#xcrun notarytool store-credentials "AC_PASSWORD" --apple-id "AC_USERNAME"  --team-id <WWDRTeamID> --password <secret_2FA_password>

# sign the app (no --deep) with the hardened runtime and entitlements
RESULT=$(codesign --verify --verbose --force --sign "${APPLICATION_CER_NAME}" --options runtime --entitlements "${PLIST_PATH}" "${APP_PATH}" 2>&1)
echo "$RESULT"

hdiutil create -srcFolder "$APP_PATH" -o "${APP_PATH}.dmg"
# notice: do not sign dmg

# submit the dmg and block until the notary service reports a result
xcrun notarytool submit "${APP_PATH}.dmg" --keychain-profile "AC_PASSWORD" --wait

xcrun stapler staple -v "${APP_PATH}.dmg"

echo "check-app"
spctl -a -t exec -vv "${APP_PATH}"
echo "check-dmg"
spctl -a -t open -vvv --context context:primary-signature "${APP_PATH}.dmg"

Accepted Answer

I should not sign .dmg file, sign app is enough

This is not best practice. We recommend that you sign all components from the inside out and then notarise and staple the outermost component. If you ship a disk image to end users, it’s best to sign, notarise, and staple that disk image.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
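The pipeline Matt and Quinn describe (sign inside out without --deep, notarise and staple only the outer disk image, then assess each artifact with the spctl type that matches it), as an added example that is not code from the thread or from Apple. APP_PATH, CERT_NAME, ENTITLEMENTS and KEYCHAIN_PROFILE are assumed placeholder variables; the .pkg case and the notarized/signed-only distinction in the verdict helper go beyond what the thread states.

```shell
#!/bin/bash
# Added example (not from the thread or from Apple). Assumed placeholders:
# APP_PATH, CERT_NAME, ENTITLEMENTS, KEYCHAIN_PROFILE.
set -eu

# spctl must assess each artifact by its own type; -t exec on a disk image
# is the misuse the thread calls out. The .pkg case is beyond the thread.
spctl_args_for() {
  case "$1" in
    *.app) echo "-a -vv -t exec" ;;
    *.dmg) echo "-a -vv -t open --context context:primary-signature" ;;
    *.pkg) echo "-a -vv -t install" ;;
    *)     return 1 ;;
  esac
}

# Reduce spctl's verbose output to one verdict. "accepted" alone is not
# enough: only source=Notarized Developer ID shows a ticket was found.
spctl_verdict() {
  out="$1"
  if ! printf '%s\n' "$out" | grep -q ': accepted$'; then
    echo rejected
  elif printf '%s\n' "$out" | grep -q '^source=Notarized Developer ID'; then
    echo notarized
  else
    echo signed-only
  fi
}

# Constructed sample outputs in spctl's format (the first mirrors the thread).
SAMPLE_REJECTED=$(printf 'IM.app.dmg: rejected\nsource=Notarized Developer ID\norigin=Developer ID Application: X (T)')
SAMPLE_NOTARIZED=$(printf 'IM.app.dmg: accepted\nsource=Notarized Developer ID\norigin=Developer ID Application: X (T)')
SAMPLE_SIGNED_ONLY=$(printf 'IM.app: accepted\nsource=Developer ID\norigin=Developer ID Application: X (T)')

# Sign inside out (app, then dmg), notarise only the outer dmg, staple it.
sign_and_notarize() {
  app="$1"; dmg="$1.dmg"
  codesign --force --timestamp --options runtime \
    --entitlements "$ENTITLEMENTS" --sign "$CERT_NAME" "$app"   # no --deep
  codesign --verify --strict --verbose=2 "$app"
  hdiutil create -srcfolder "$app" -ov "$dmg"
  codesign --force --timestamp --sign "$CERT_NAME" "$dmg"
  xcrun notarytool submit "$dmg" --keychain-profile "$KEYCHAIN_PROFILE" --wait
  xcrun stapler staple "$dmg"
  xcrun stapler validate "$dmg"
  spctl $(spctl_args_for "$dmg") "$dmg"
}

if [ "${1:-}" = "run" ]; then sign_and_notarize "$APP_PATH"; fi
```

Run it as `./notarize.sh run` on a Mac with the placeholders set; the two helper functions also work without Apple's tools, so they can be unit-tested anywhere.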
