The signature of the binary is invalid

What is the proper process for notarizing an installer package? I have tried every permutation I can find and it always returns "The signature of the binary is invalid".

It's a Qt6 app if that is relevant.

I've bundled and signed the app using:

    macdeployqt myapp.app \
            -always-overwrite -verbose=1 \
            -hardened-runtime \
            -sign-for-notarization=\"$${sign_name}\" \

It verifies OK

    codesign -v --verify --deep myapp.app
    myapp.app: valid on disk
    myapp.app: satisfies its Designated Requirement

I have successfully notarized and stapled it:

    ...
    The staple and validate action worked!

This is where I'm not sure of the proper process.

I've used pkgbuild to put the app into .pkg file and successfully signed that using an Installer ID.

    pkgutil --check-signature myapp-signed.pkg
    Package "myapp-signed.pkg":
       Status: signed by a developer certificate issued by Apple for distribution
    ...

On attempting to notarise this package I get "The signature of the binary is invalid" for every shared library and the executable in the package.

That error message is not very useful so how do I diagnose the issue? So far I've tried a few things I've found on the forum but the error is always the same unhelpful one.

Could this be failing because the timestamps are inconsistent?

pkgutil is reporting the timestamp in UTC, but codesign appears to have used local time, which in my case (UTC+13) is ahead of the package signing time, UTC, and the local time at the notarization server.

    pkgutil --check-signature myapp.pkg
    Package "myapp.pkg":
       Status: signed by a developer certificate issued by Apple for distribution
       Signed with a trusted timestamp on: 2023-12-19 22:02:34 +0000
       ...
    codesign  --display -v --deep --strict  myapp.app
    Executable=/path/to/myapp.app/Contents/MacOS/myapp
    Identifier=myapp
    Format=app bundle with Mach-O universal (x86_64 arm64)
    CodeDirectory v=20500 size=76755 flags=0x10000(runtime) hashes=2392+3 location=embedded
    Signature size=8991
    Timestamp=20/12/2023 at 11:02:19 AM
    ...

Try this:

  1. Unpack the installer archive you submitted for notarisation. I use Pacifist for this sort of thing, but Unpacking Apple Archives has instructions for how to do this manually.

  2. Run this command:

    % codesign -v -vvv --strict --deep myapp.app
    

    against the unpacked app.

What does it report?


Could this be failing because the timestamps are inconsistent?

No. That’s just a difference in the presentation.

UTC+13

Ah, New Zealand in summer, a fabulous edge case for those with a naïve understanding of time zones (-:

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
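
The two steps from the reply above combined into one script, added here as an illustration and not part of the original thread. It unpacks with `pkgutil --expand-full` rather than Pacifist and runs the reply's `codesign` command on every `.app` in the payload; the function name `verify_pkg_payload` is hypothetical, and macOS with `pkgutil` and `codesign` on the PATH is assumed.

```shell
#!/bin/sh
# Added example: expand an installer package and verify each app bundle in it.
# Assumes macOS; verify_pkg_payload is a name chosen for this illustration.

verify_pkg_payload() {
    pkg=$1
    workdir=$(mktemp -d) || return 2
    expanded="$workdir/expanded"   # pkgutil creates this directory itself
    checked=0
    failures=0

    # Step 1: unpack the exact archive that was submitted for notarisation.
    if ! pkgutil --expand-full "$pkg" "$expanded"; then
        echo "could not expand $pkg" >&2
        rm -rf "$workdir"
        return 2
    fi

    # Step 2: verify every .app in the payload with the command from the reply.
    # -prune keeps find out of the bundle; --deep covers the nested code.
    list="$workdir/apps.txt"
    find "$expanded" -type d -name '*.app' -prune -print > "$list"
    while IFS= read -r app; do
        checked=$((checked + 1))
        if codesign -v -vvv --strict --deep "$app"; then
            echo "OK    ${app#"$expanded"/}"
        else
            echo "FAIL  ${app#"$expanded"/}"
            failures=$((failures + 1))
        fi
    done < "$list"

    rm -rf "$workdir"
    if [ "$checked" -eq 0 ]; then
        echo "no .app bundle found in $pkg" >&2
        return 2
    fi
    [ "$failures" -eq 0 ]
}

# Run only when a package path is given, e.g. ./verify-pkg.sh myapp-signed.pkg
if [ "$#" -gt 0 ]; then
    verify_pkg_payload "$1"
fi
```

A `FAIL` line for an app that verified before packaging means the copy inside the package differs from the one that was signed; the `codesign` diagnostics printed above that line name the offending file.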
