Failed to notarize a "distribution" pkg

I believe that this is related to the post https://developer.apple.com/forums/thread/790880.

I essentially have the same problem that they did. I submit my Distribution PKG for notarization but the notarization fails, and when I attempt to install the PKG using the UI I get an "External component packages (3) trustLevel=0 (trust evaluation failed; treating as invalid due to higher trust level for parent product archive)"

However if I install using "sudo installer -verboseR -pkg ConcealDistribution.pkg -target /" everything works as expected.

The difference between me and the other post is that when I expand my PKG using pkgutil --expand I do not have a Resources folder within my top level distribution. Instead my structure looks like

ConcealDistribution
	├── Distribution
	├── ConcealConnect.pkg
	├── ConcealBrowse.pkg
	└── ConcealUpdate.pkg

The specific notary service errors I receive are as follows

{
  "logFormatVersion": 1,
  "jobId": "7e30e3fd-1739-497c-a02e-64fbe357221d",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "ConcealDistribution.pkg",
  "uploadDate": "2025-10-08T19:41:33.491Z",
  "sha256": "40aacfacf25c6da0be8fe31ae9c145a25ddf9ed1f38be714687c74d95b26619d",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "ConcealDistribution.pkg",
      "message": "Package ConcealDistribution.pkg has no signed executables or bundles. No tickets can be generated.",
      "docUrl": null,
      "architecture": null
    },
    {
      "severity": "warning",
      "code": null,
      "path": "ConcealDistribution.pkg",
      "message": "The contents of the package at ConcealDistribution.pkg could not be extracted.",
      "docUrl": null,
      "architecture": null
    }
  ]
}

For what it's worth, all the inner PKGs have their executables signed, the PKGs are signed themselves, and they are all notarized and stapled without issue. Then I am attempting to sign and notarize the outer PKG and that is where the problems pop up.

Additionally I'm not sure when this stopped working as I expected but just a few months ago I was able to do this exact same process and install with the UI and have it work.

Update: Seems like this was related to the Notary service being unavailable. It has since resolved itself and my Distribution PKG is being notarized like normal.

It would be useful if in the future we could get more actionable error messages to know what is happening.
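An added example, not part of the original post: a small triage helper for a notary log in the JSON format shown above, which separates issues that name a nested component from issues that only name the uploaded archive. The function name `triage`, the result keys, and the "retry candidate" heuristic are assumptions made for this illustration, based only on the outcome described in this thread.

```python
import json

# Constructed sample: a trimmed copy of the log shown in the post above.
SAMPLE_LOG = """{
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "archiveFilename": "ConcealDistribution.pkg",
  "issues": [
    {"severity": "error", "path": "ConcealDistribution.pkg",
     "message": "Package ConcealDistribution.pkg has no signed executables or bundles. No tickets can be generated."},
    {"severity": "warning", "path": "ConcealDistribution.pkg",
     "message": "The contents of the package at ConcealDistribution.pkg could not be extracted."}
  ]
}"""


def triage(log_text):
    """Summarise a notary log so a build job can decide how to react."""
    log = json.loads(log_text)
    archive = log.get("archiveFilename")
    issues = log.get("issues") or []  # tolerate a null or missing list
    errors = [i for i in issues if i.get("severity") == "error"]
    warnings = [i for i in issues if i.get("severity") == "warning"]
    # Issues whose path is the uploaded archive itself name no nested
    # component, so they do not say which inner pkg or binary to re-sign.
    archive_level_only = bool(issues) and all(
        i.get("path") == archive for i in issues)
    unextracted = any(
        "could not be extracted" in (i.get("message") or "") for i in issues)
    accepted = log.get("status") == "Accepted"
    return {
        "accepted": accepted,
        "errors": len(errors),
        "warnings": len(warnings),
        "archive_level_only": archive_level_only,
        # Assumption from this thread: when the service could not unpack the
        # archive and blames nothing inside it, check the pkg signature
        # locally and resubmit before re-signing any component.
        "retry_candidate": (not accepted) and archive_level_only and unextracted,
        "messages": [i.get("message") for i in errors + warnings],
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```
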
