The signature of the binary is invalid during notary, but is valid in codesign

I am trying to notarize my package; everything works except for the signature of one binary. But the output of codesign seems fine.

Notary log:

{
  "logFormatVersion": 1,
  "jobId": "350315e0-38ae-4224-a13b-1c4dc20c1cb7",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "VocalNet_Installer.pkg",
  "uploadDate": "2024-11-26T18:07:57.042Z",
  "sha256": "fc59a3c2c3669f641a18d6e6df9b91e9369f8cf9cd827d5a75762beb99dfbcfe",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "VocalNet_Installer.pkg/SLink.pkg Contents/Payload/Applications/SLink.app/Contents/MacOS/SLink",
      "message": "The signature of the binary is invalid.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087735",
      "architecture": "arm64"
    }
  ]
}

Codesign output:

Executable=/Users/200gaga/Main/VocalNet/SLink.app/Contents/MacOS/SLink
Identifier=SLink
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20500 size=319089 flags=0x10000(runtime) hashes=9965+3 location=embedded
VersionPlatform=1
VersionMin=720896
VersionSDK=720896
Hash type=sha256 size=32
CandidateCDHash sha256=26dc42451d203f54e29de37a5f74b8d9f9ab30c2
CandidateCDHashFull sha256=26dc42451d203f54e29de37a5f74b8d9f9ab30c26bb1dcde85d3db13fcb9ab4f
Hash choices=sha256
CMSDigest=26dc42451d203f54e29de37a5f74b8d9f9ab30c26bb1dcde85d3db13fcb9ab4f
CMSDigestType=2
Executable Segment base=0
Executable Segment limit=81920
Executable Segment flags=0x1
Page size=4096
CDHash=26dc42451d203f54e29de37a5f74b8d9f9ab30c2
Signature size=9058
Authority=Developer ID Application: SESSION LOOPS, INC. (29DGL5KQ37)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Nov 26, 2024 at 13:04:23
Info.plist entries=9
TeamIdentifier=29DGL5KQ37
Runtime Version=11.0.0
Sealed Resources version=2 rules=13 files=5060
Internal requirements count=1 size=168

This app is built using PyInstaller.

To debug this I recommend that you:

  1. Unpack the installer package. You can do this using the command-line tools described in Unpacking Apple Archives, or using a third-party app like Pacifist.

  2. Verify the code signature of the resulting app:

% codesign --verify --strict --deep -vvv /path/to/your.app

What does it show?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi, thanks for replying. The output is quite large, as this app is built using PyInstaller and there are many .so files embedded. So today, instead of manually code signing it after the build, I tried to add codesign_identity in the PyInstaller spec file (https://pyinstaller.org/en/stable/feature-notes.html#macos-binary-code-signing), but it crashes.

The report is so large that I could only attach a link to it: https://docs.google.com/document/d/e/2PACX-1vR_lGrD2L9ET-S8fbUKYBmoe2C0t28b0hF31Yttf0a-MH4dOX0fKtlyFZyILnBy5zPm6uDxHZXXOLo3/pub
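When the verification output for an app with thousands of embedded libraries is too large to read, one way to narrow it down is to check each Mach-O file individually and print only the failures. This is an added example, not code from the thread or from Apple; the function names are hypothetical, and it assumes the installer has already been unpacked and that it runs on macOS where `codesign` is available. Each file is checked on its own, so `--deep` is not passed.

```python
import os
import subprocess
import sys

# First four bytes of thin (32/64-bit, either byte order) and universal Mach-O
# files. "cafebabe" is also the Java class-file magic, so a .class file may be
# reported; it will simply show up as an unsigned item.
MACHO_MAGICS = {bytes.fromhex(h) for h in (
    "feedface", "cefaedfe", "feedfacf", "cffaedfe", "cafebabe", "cafebabf")}


def macho_files(root):
    """Yield every regular, non-symlink file under root that starts with a Mach-O magic."""
    for dirpath, dirs, names in os.walk(root):
        dirs.sort()  # deterministic traversal order
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            with open(path, "rb") as fh:
                if fh.read(4) in MACHO_MAGICS:
                    yield path


def codesign_verify(path):
    """macOS only: strictly verify one file; return (ok, codesign's stderr text)."""
    proc = subprocess.run(["codesign", "--verify", "--strict", "-vvv", path],
                          capture_output=True, text=True)
    return proc.returncode == 0, proc.stderr.strip()


def failing_signatures(root, verify=None):
    """Verify each Mach-O file under root and return only (path, detail) for failures."""
    verify = verify or codesign_verify
    failures = []
    for path in macho_files(root):
        ok, detail = verify(path)
        if not ok:
            failures.append((path, detail))
    return failures


if __name__ == "__main__":
    # Usage: python3 find_bad_signatures.py /path/to/unpacked/Your.app
    for bad_path, why in failing_signatures(sys.argv[1]):
        print(bad_path, why, sep="\n    ")
```

The `verify` parameter exists so the walk and filtering can be exercised without `codesign`, for example on a build machine that is not a Mac.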
