Unable to Staple Notarization Ticket – SSL Certificate Mismatch for oscdn.apple.com

Hello Apple Support,

While attempting to staple a notarization ticket for our signed installer package, the stapler command fails with Error 65. Upon investigation, we found that connections to oscdn.apple.com present an SSL certificate issued to a248.e.akamai.net, which does not include oscdn.apple.com in its Subject Alternative Name (SAN).

This mismatch prevents our macOS environment from validating tickets and completing the stapling process.

Steps tried:

  • Verified notarization status (Accepted).
  • DNS flushed, tried different DNS (8.8.8.8, 1.1.1.1).
  • curl to oscdn.apple.com consistently fails with SSL error 60.

Please advise on resolving this certificate mismatch.

Also, when I try to run the stapler command with my pkg:

xcrun stapler staple /Users/mactest/Desktop/IPMPlus_Macos_Installer.signed.pkg

I get output like this:

Processing: /Users/mactest/Desktop/IPMPlus_Macos_Installer.signed.pkg
Could not validate ticket for /Users/mac-test/Desktop/IPMPlus_Macos_Installer.signed.pkg
The staple and validate action failed! Error 65.

Please help.

Thank you.

Answered by DTS Engineer in 851110022

I suspect that there’s something wonky in your network environment. If stapler were failing consistently in this way, DevForums would be flooded with complaints.

Consider the stapler log that I’ve attached below. As you can see, it doesn’t access oscdn.apple.com but rather api.apple-cloudkit.com. And pointing curl at that works as expected:

% curl -D /dev/stderr https://api.apple-cloudkit.com
HTTP/1.1 400 Bad Request
…

What do you see if you enable verbose mode in stapler?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hello,

I'm having the exact same issue where it seems that there is no SSL cert in the edge I'm hitting on Apple's server.

curl https://oscdn.apple.com
curl: (60) SSL: no alternative certificate subject name matches target host name 'oscdn.apple.com'

Notarization object looks good:

{
  "logFormatVersion": 1,
  "jobId": "2cc763d4-197d-4f48-afcc-86b8bcca9e95",
  "status": "Accepted",
  "statusSummary": "Ready for distribution",
  "statusCode": 0,
  "archiveFilename": "Zero-1.0.0-arm64.dmg",
  "uploadDate": "2025-07-28T18:02:22.960Z",
  "sha256": "f2c33e129f3120d4ea40eb03d1e2297973bbd15a8bc616b2f345437c50829021",
  "ticketContents": [
    {
      "path": "Zero-1.0.0-arm64.dmg/Zero.app/Contents/Frameworks/Zero Helper.app",
      "digestAlgorithm": "SHA-256",
      "cdhash": "8595f103cb8ab30d5e4e64e5d0644a693ed690fa",
      "arch": "arm64"
    },
    ...
    "issues": null
}

Stapling returns this: The staple and validate action failed! Error 65

It’s interesting that you’re also seeing problems, but I was hoping to get this:

What do you see if you enable verbose mode in stapler?

The text attachment in that post shows what I see when I do that. You’ll note that there’s no mention of oscdn.apple.com. I’m curious to see how that comes up when stapling fails for you.

Oh, I should also mention that there are two common causes of stapler failing with error 65. I explain them both in Resolving Error 65 When Stapling. I recommend that you rule those out before digging any deeper into this.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
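
As an added example (not from any post in this thread, and not Apple's code): a small Python check that reports which names a presented certificate covers, which is the comparison behind curl's error 60 above. The sample certificate is constructed from the first post's description (issued to a248.e.akamai.net); its issuer and the `*.example.net` entry are made up, and all function names are hypothetical.

```python
import socket
import ssl
import sys

# Constructed sample in ssl.getpeercert() form. Only the a248.e.akamai.net
# name comes from the thread; the issuer and wildcard entry are made up.
SAMPLE_CERT = {
    "subject": ((("commonName", "a248.e.akamai.net"),),),
    "issuer": ((("organizationName", "Example CA (constructed)"),),),
    "subjectAltName": (("DNS", "a248.e.akamai.net"), ("DNS", "*.example.net")),
}

def san_dns_names(cert):
    """DNS entries from the subjectAltName of a getpeercert() dict."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def name_matches(pattern, host):
    """Simplified RFC 6125 match: '*' only as the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # a wildcard never spans more than one label
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]   # reject patterns like '*.net'
    return p == h

def diagnose(cert, host):
    """Summarise whether the presented certificate covers host."""
    names = san_dns_names(cert)
    issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
    return {
        "host": host,
        "san": names,
        "issuer": issuer.get("organizationName") or issuer.get("commonName"),
        "covers_host": any(name_matches(n, host) for n in names),
    }

def fetch_cert(host, port=443, timeout=10):
    """Fetch the leaf certificate; the chain is still verified, only the
    hostname check is off so a mismatched certificate can be inspected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    for host in sys.argv[1:]:            # live check of hosts given as arguments
        print(diagnose(fetch_cert(host), host))
    if len(sys.argv) == 1:               # no arguments: use the constructed sample
        print(diagnose(SAMPLE_CERT, "oscdn.apple.com"))
```

Run with hostnames as arguments to inspect what your own network path presents for each one. Chain verification stays on, so a certificate from a CA the machine does not trust raises `ssl.SSLCertVerificationError` instead of being reported.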
