I've created a package from an app using productbuild and signed it using
productsign --sign 'Developer ID Installer: MyName (XXXXXX7RBW)' /Users/Desktop/my_app.pkg /Users/Desktop/my_app_signed.pkg
I then checked the signature via
pkgutil --check-signature /Users/Desktop/my_app_signed.pkg
I uploaded the package for notarization, which subsequently failed. The error log indicated two binaries were not signed with a valid developer ID certificate. The names were QtWebSockets and QtQmlModels.
While I've encountered similar obstacles in the past, they usually arose when folder names contained periods. I simply deleted the folders from the package, which seemed to have no effect on its functionality.
This error is altogether new for me though.
fishbacp
I was able to get things to work, but only by signing the app first with --deep, which I understand to be ill-advised. Then I built my installer, which was notarized successfully. (I tried to staple, which yielded an error message as described at https://developer.apple.com/forums/thread/120351. The proposed work-around didn't work for me.) I have yet to see if this prevents things from opening on a new machine.
I'd be very appreciative if anyone can guide me through the process of successfully notarizing a package like mine without using --deep.
In particular, am I correct that if the two problematic executables above were code-signed individually before the package as a whole was product signed, then things should work out? What exactly is the syntax for signing the executables, and should I use my developer ID application for signing them? Thanks.
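
Added example, not part of the original post and not Apple's own script: one way to sign nested code such as the QtWebSockets and QtQmlModels frameworks inside-out with a Developer ID Application identity, without --deep, before the package is built with productbuild and signed with productsign. The function names, the DRY_RUN switch, and the identity and path placeholders are assumptions made for illustration.

```bash
#!/bin/bash
# Added example: sign an app bundle inside-out instead of using --deep.
# Assumptions: nested code lives under Contents/ as frameworks, dylibs or
# plug-in bundles; the identity and paths are placeholders. Extra helper
# executables outside those patterns need their own sign_one call.

# List nested signable items, deepest first: find -depth prints a
# directory's contents before the directory itself.
list_nested_code() {
    find "$1/Contents" -depth \( -name '*.framework' -o -name '*.dylib' \
        -o -name '*.bundle' -o -name '*.plugin' -o -name '*.xpc' \
        -o -name '*.app' \) -print
}

# Sign one item with the hardened runtime and a secure timestamp, both of
# which notarization requires. DRY_RUN=1 prints the command instead.
sign_one() {  # $1 = signing identity, $2 = path
    ${DRY_RUN:+echo} codesign --force --timestamp --options runtime \
        --sign "$1" "$2" </dev/null
}

# Sign every nested item, then the enclosing .app last, so each outer
# signature seals inner code that is already signed.
sign_inside_out() {  # $1 = signing identity, $2 = path to the .app
    list_nested_code "$2" | while IFS= read -r item; do
        sign_one "$1" "$item" || exit 1
    done || return 1
    sign_one "$1" "$2"
}

# Usage: ./sign.sh 'Developer ID Application: NAME (TEAMID)' /path/to/My.app
if [ "$#" -eq 2 ]; then
    sign_inside_out "$1" "$2" && codesign --verify --strict --verbose=2 "$2"
fi
```

Running it with DRY_RUN=1 set prints the codesign commands in signing order without touching the bundle, which makes it easy to confirm that every nested framework is covered before the real run.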