Notarization Rejection - The binary is not signed with a valid Developer ID certificate

Notarization Rejects Valid Developer ID Certificates - Apple Infrastructure Issue?

Environment

  • macOS: 15.6.1
  • Xcode: 26.0.1
  • Architecture: arm64 (Apple Silicon)
  • Team ID: W----------
  • Certificate Status: Valid until 2030 (verified on developer.apple.com)

Problem

Apple's notarization service consistently rejected properly signed packages with error:

"The binary is not signed with a valid Developer ID certificate."

Despite:

  • ✅ Valid certificates on developer.apple.com
  • ✅ Local signing succeeds (codesign --verify passes)
  • ✅ Proper certificate/key pairing verified
  • ✅ Package structure correct

Failed Submission IDs

September 2025:

adeeed3d-4732-49c6-a33c-724da43f9a4a
5a910f51-dc6d-4a5e-a1c7-b07f32376079
3930147e-daf6-4849-8b0a-26774fd92c3c
b7fc8e4e-e03c-44e1-a68e-98b0db38aa39
d7dee4a1-68e8-44b5-85e9-05654425e044
da6fa563-ba21-4f9e-b677-80769bd23340

What I've Tried

  1. Re-downloaded fresh certificates from Apple Developer Portal
  2. Verified certificate chain locally
  3. Tested with multiple different builds
  4. Confirmed Team ID matches across all configurations
  5. Verified no unsigned nested components
  6. Waited 3 months for potential propagation delays
  7. Verified all agreements are current and accepted
  8. Re-tested with minimal test package - same error persists

Local Verification

# Certificates present and valid
security find-identity -v -p codesigning | grep "Developer ID"
1) XXXXXXXXXX "Developer ID Application: <<REDACTED>> (W----------)"
2) XXXXXXXXXX "Developer ID Installer: <<REDACTED>> (W----------)"

# Signing succeeds
codesign --verify --deep --strict --verbose=2 [app] → Success

Question

This appears similar to thread #784184. After 3 months and ensuring all agreements are signed, the issue persists with identical error.

The certificates work for local signing but Apple's notarization service rejects them. Could this be:

  • Backend infrastructure issue with Team ID W----------?
  • Certificate not properly registered in Apple's notarization database?
  • Known issue requiring Apple Support intervention?

Has anyone else experienced valid Developer ID certificates being rejected specifically by the notarization service while working locally?

There are two ways you could interpret that error:

  • Focus on the “valid Developer ID certificate” part.
  • Focus on the “The binary is not signed” part.

My experience is that the latter interpretation is more helpful. That is, there’s nothing wrong with your Developer ID certificate but rather there’s something wrong with your packaging that’s preventing the notary service from verifying its code signature.

Having said that, this is strange:

Re-tested with minimal test package - same error persists

How are you creating this minimal test? With Xcode?

Here’s the diagnostic test I recommend:

  1. Create a new test project in Xcode, using the macOS > App template.
  2. Choose Product > Archive.
  3. In the Xcode organiser, click Distribute App and follow the Custom > Direct Distribution > Export path.
  4. That produces a folder containing your app binary. Use ditto to create a zip archive from that, as explained in Packaging Mac software for distribution.
  5. Notarise that with notarytool.

Does that have the same error?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thank you for your guidance on focusing on the packaging rather than the certificate!

Following your recommendation, I ran systematic tests and identified the exact root cause.

Summary

The Developer ID Application certificate works perfectly. The Developer ID Installer certificate has a broken chain.

Test Results

I created an automated diagnostic that tested 5 different combinations:

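| Test | Executable            | Packaging           | Result     |
|------|-----------------------|---------------------|------------|
| 1    | Compiled Swift binary | ditto (.zip)        | Accepted   |
| 2    | Compiled C binary     | pkgbuild (.pkg)     | ❌ Invalid |
| 3    | Shell script          | ditto (.zip)        | Accepted   |
| 4    | Shell script          | pkgbuild (.pkg)     | ❌ Invalid |
| 5    | Compiled C binary     | productbuild (.pkg) | ❌ Invalid |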

Pattern: Every .zip passes. Every .pkg fails.

The Issue

When signing with the Installer certificate, this warning appears:

Warning: unable to build chain to self-signed root for signer "Developer ID Installer: Matthew Seymour Greer (W2AT7M9482)"

This warning does NOT appear when signing .app bundles with the Application certificate.

The Installer certificate can sign locally, but Apple's notarization service cannot verify the chain.

Successful Submission IDs (Proof)

These .zip submissions were Accepted:

  • 7ca64ebb-963f-494e-8d62-6e6875503d82 (Swift binary)
  • 9eebce4a-a9e3-4732-9117-7aa4c16b65a5 (Shell script)
  • 9d893597-23ff-45fc-af6a-c7b34b3588e1 (DMG)
  • 982856dc-448f-442d-9e0a-d604b5d9d651 (DMG with polish)

Workaround

I'm now distributing as .dmg instead of .pkg, which uses the working Application certificate. This unblocks my releases.

Question

Is there anything that can be done to fix the Developer ID Installer certificate chain? Should I:

  1. Revoke and regenerate the Installer certificate?
  2. Download and install intermediate certificates?
  3. Something else?

The Installer certificate shows as valid on developer.apple.com (expires 2030), but the notarization service rejects packages signed with it.

Thank you for your help!

AbsurdFish

Revoke and regenerate the Installer certificate?

Do not do that.

Developer ID signing identities are precious. See The Care and Feeding of Developer ID for a lot more background on that issue.

Download and install intermediate certificates?

Yes. The majority of unable to build chain to self-signed root problems are caused by a missing intermediate. I talk about this in detail in Fixing an untrusted code signing certificate. Its focus is on code-signing certificates, but the same logic applies to installer-signing certificates as well.

Note It’s perfectly feasible for your Developer ID Application and Developer ID Installer certificates to be issued via different intermediates, and that would explain the behaviour you’re seeing here.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
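
The missing-intermediate failure described in the reply above, reproduced with openssl on a throwaway PKI. This is an added example, not part of the original thread and not Apple's hierarchy: the names root, int_a, int_b, app_leaf and installer_leaf are constructed, and store.pem is an assumed stand-in for the intermediates installed in the local keychain.

```shell
#!/bin/sh
# Constructed throwaway PKI: every name here is illustrative, not Apple's.
set -eu
cd "$(mktemp -d)"
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[ca]
basicConstraints = critical,CA:TRUE
[leaf]
basicConstraints = CA:FALSE
EOF

# issue NAME EXT [ISSUER]: self-signed certificate when ISSUER is omitted.
issue() {
  if [ -z "${3:-}" ]; then
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.pem" \
      -subj "/CN=$1" -days 2 -config pki.cnf -extensions "$2" 2>/dev/null
  else
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
      -subj "/CN=$1" -config pki.cnf 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" \
      -CAcreateserial -out "$1.pem" -days 2 \
      -extfile pki.cnf -extensions "$2" 2>/dev/null
  fi
}

# chain_status LEAF STORE: prints "ok" when LEAF chains to root.pem using only
# the intermediates in STORE (stand-in for the local keychain), else "broken".
chain_status() {
  if openssl verify -CAfile root.pem -untrusted "$2" "$1.pem" >/dev/null 2>&1
  then echo ok; else echo broken; fi
}

issue root ca
issue int_a ca root            # intermediate that issued the application leaf
issue int_b ca root            # different intermediate for the installer leaf
issue app_leaf leaf int_a
issue installer_leaf leaf int_b

cp int_a.pem store.pem         # only one of the two intermediates is installed
app_before=$(chain_status app_leaf store.pem)
pkg_before=$(chain_status installer_leaf store.pem)
cat int_b.pem >> store.pem     # install the missing intermediate
pkg_after=$(chain_status installer_leaf store.pem)
echo "app=$app_before installer=$pkg_before installer_after_fix=$pkg_after"
```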
