PKG Installer Fails Notarytool Submission Process

I am trying to get a PKG installer through the Apple codesign and notarytool process. When I submit the PKG installer I get a status message of "Invalid" and when I review the log file it has 2 errors. For "status summary" it says: "Archive contains critical validation errors", and for "message" it says: "The binary is not signed".

The installer contains a flat file that is installed in the "Users/Shared" folder via the PKG installer.

Here are the steps I've taken to get the installer through the codesign and notarytool process.

  1. codesign the file that's placed in the "Users/Shared" folder:

codesign --options=runtime --sign 'Developer ID Application: XYZ' -v /Users/.../Documents/folder/"flat file"

     • which I get a message saying "signed generic".
  2. Create the PKG installer with the signed "flat file".
  3. Sign the PKG installer containing the signed "flat file":

codesign --options=runtime --sign 'Developer ID Application: XYZ' -v /Users/.../Documents/folder/"flat file"

     • which I get a message saying "signed generic".
  4. Submit the PKG file with notarytool:

xcrun notarytool submit /Users/.../Documents/folder/"flat file" --verbose --apple-id username --password password --team-id ID# --progress

  5. It completes and provides the submission ID.
  6. I check the status and get the error message that it's invalid.
  7. When I check the full details via the log I get the error messages mentioned above.

What am I missing or failing to do?

Answered by DTS Engineer in 826503022
Written by adminTC in 775159021
The installer contains a flat file

Is that a Mach-O executable? Or something else? Because, in general, the notary service only requires that you sign the code within your installer package. If it contains data, you have to sign the package but you don’t have to sign the data that the package installs.

Still, the most likely cause of your problem is a misunderstanding about how to sign installers. Installers are not code, and thus:

  • You don’t sign them with codesign, but rather with installer-specific tools.

  • You don’t use your Developer ID Application code-signing identity, but rather your Developer ID Installer signing identity.

Packaging Mac software for distribution has all the details.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
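
The split the answer describes, as an added example that is not part of the original thread: only Mach-O files in the payload get `codesign` with the Developer ID Application identity, and the package itself is signed with `productsign` and the Developer ID Installer identity. The identity name `Developer ID Installer: XYZ`, the `PROFILE` keychain profile, `unsigned.pkg`, and a payload root that mirrors the install layout (for example `root/Users/Shared/...`) are assumptions.

```shell
#!/bin/sh
# Added example: print the signing plan for a payload directory.
# Identity names, PROFILE and file names are placeholders (assumptions).
APP_ID='Developer ID Application: XYZ'
INST_ID='Developer ID Installer: XYZ'   # a separate certificate from APP_ID

# Return 0 if the file starts with a Mach-O or universal-binary magic number.
# (cafebabe is also the Java class magic; treat a hit as "inspect this file".)
is_macho() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        feedface|feedfacf|cefaedfe|cffaedfe|cafebabe) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the commands in order: sign code, build, sign package, verify,
# notarize, staple. Data files in the payload get no codesign line.
# usage: signing_plan PAYLOAD_ROOT PKG_IDENTIFIER OUTPUT_PKG
signing_plan() {
    root=$1 ident=$2 out=$3
    find "$root" -type f | while IFS= read -r f; do
        if is_macho "$f"; then
            printf "codesign --options=runtime --timestamp --sign '%s' '%s'\n" "$APP_ID" "$f"
        fi
    done
    printf "pkgbuild --root '%s' --identifier '%s' --install-location / unsigned.pkg\n" "$root" "$ident"
    printf "productsign --sign '%s' unsigned.pkg '%s'\n" "$INST_ID" "$out"
    printf "pkgutil --check-signature '%s'\n" "$out"
    printf "xcrun notarytool submit '%s' --keychain-profile PROFILE --wait\n" "$out"
    printf "xcrun stapler staple '%s'\n" "$out"
}
```

Calling `signing_plan ./root com.example.pkg Signed.pkg` prints the commands for review; the file submitted to notarytool is the signed package, not the payload file.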
