Notarization

RSS for tag

Notarization is the process of scanning Developer ID-signed software for malicious components before distribution outside of the Mac App Store.

Notarization Documentation

Post

Replies

Boosts

Views

Activity

Issues with Notarization and Stapling
Hello, I am trying without luck to create a .dmg or .pkg for my electron app that can be opened by any user on a mac. Every time I fail. All is happening by the same pattern. Here is the last try with creating a .pkg instead of .dmg. The app is built and it is signed correctly (I suppose) codesign --verify --verbose=1 dist/mac-universal/VIVIDTIME.app dist/mac-universal/VIVIDTIME.app: valid on disk dist/mac-universal/VIVIDTIME.app: satisfies its Designated Requirement I created a .pkg pkgbuild --root "dist/mac-universal/VIVIDTIME.app" \ --install-location "/Applications/VIVIDTIME.app" \ --identifier "app.vividtime.mac" \ --version "1.1.0" \ --sign "Developer ID Installer: Pavel Bochkov-Rastopchin (2QKDCTR5Y3)" \ dist/VIVIDTIME.pkg pkgbuild: Inferring bundle components from contents of dist/mac-universal/VIVIDTIME.app pkgbuild: Adding component at Contents/Frameworks/Mantle.framework pkgbuild: Adding component at Contents/Frameworks/VIVIDTIME Helper.app pkgbuild: Adding component at Contents/Frameworks/VIVIDTIME Helper (GPU).app pkgbuild: Adding component at Contents/Frameworks/Electron Framework.framework pkgbuild: Adding component at Contents/Frameworks/Squirrel.framework pkgbuild: Adding component at Contents/Frameworks/VIVIDTIME Helper (Renderer).app pkgbuild: Adding component at Contents/Frameworks/VIVIDTIME Helper (Plugin).app pkgbuild: Adding component at Contents/Frameworks/ReactiveObjC.framework pkgbuild: Using timestamp authority for signature pkgbuild: Signing package with identity "Developer ID Installer: Pavel Bochkov-Rastopchin (2QKDCTR5Y3)" from keychain /Users/innrvoice/Library/Keychains/login.keychain-db pkgbuild: Adding certificate "Developer ID Certification Authority" pkgbuild: Adding certificate "Apple Root CA" pkgbuild: Wrote package to dist/VIVIDTIME.pkg
20
0
191
3d
Team is not yet configured for notarization. Please contact Developer Programs Support at developer.apple.com under the topic Development and Technical / Other Development or Technical Questions
I had submitted my app for notarization and it shows the below error - "status": "Rejected", "statusSummary": "Team is not yet configured for notarization. Please contact Developer Programs Support at developer.apple.com under the topic Development and Technical / Other Development or Technical Questions.", "statusCode": 7000, I have raised a ticket in the support but no reply yet. Kindly help ASAP
1
0
259
1w
Notarised app crashing, build app not crashing
I have an app that only crashes once it's been notarised. I read a few posts that essentially said before trying to identify issues by reviewing the crash report I should ensure signing and notarisation has happened correctly. I've worked through the document "Resolving common notarization issues" spctl -vvv --assess --type exec: gives no errors and correctly returns my developer id. codesign -dvv: returns a timestamp My app uses a hardened runtime. My app shows up in Xcode as a macOS Archive (e.g not a Generic Xcode Archive) Here is the crash report. Translated Report (Full Report Below) Process: Scene Finder [44479] Path: /Users/USER/Downloads/Scene Finder.app/Contents/MacOS/Scene Finder Identifier: Version: 0.9 (20250206.1) Code Type: ARM-64 (Native) Parent Process: launchd [1] User ID: 501 Date/Time: 2025-02-11 13:09:03.7786 +1000 OS Version: macOS 15.3 (24D60) Report Version: 12 Anonymous UUID: EE8B1269-0A8A-3AB6-516B-C752E8A18B5A Sleep/Wake UUID: 436CD7CF-7B13-4A9C-9425-7EF94CC007A9 Time Awake Since Boot: 98000 seconds Time Since Wake: 9524 seconds System Integrity Protection: enabled Crashed Thread: 0 Dispatch queue: com.apple.main-thread Exception Type: EXC_CRASH (SIGABRT) Exception Codes: 0x0000000000000000, 0x0000000000000000 Termination Reason: Namespace SIGNAL, Code 6 Abort trap: 6 Terminating Process: Scene Finder [44479]
2
0
219
1w
Urgent: xcrun notary submit Stuck - Notarization Process Halted
Hi everyone, Native Instruments is encountering a critical issue with the notarization process. The xcrun notary submit command appears to be stuck and is not completing, preventing us from notarizing our apps. Specifically, the command hangs indefinitely. This issue started today. We've already tried the following troubleshooting steps: Cancelling and re-running the command Checking my internet connection Checking the Apple System Status page Cleaning the build folder using a different machine This is a major blocker for our company, as it's preventing from from us from testing and releasing some of our products. It seems to be a similar issue as reported in https://developer.apple.com/forums/thread/772542?page=2. Has anyone else experienced xcrun notary submit getting stuck like this? Any insights or suggestions would be greatly appreciated. I'm particularly interested in knowing if there are any known issues with the notarization service currently. Details about my setup: Xcode Version: 16.1 macOS Version: 14.7.1 App Type: macOS app Thanks in advance for your help!
4
1
276
2w
Mac catalyst stuck at notarize
I have created a Mac Catalyst version of the same app, and it was transferred from an old account to a new one. However, the Mac Catalyst build has been stuck in progress for several days when attempting to notarize it. After many days, I got the rejection with the following error: Team is not yet configured for notarization. Please contact Developer Programs Support at developer.apple.com under the topic Development and Technical / Other Development or Technical Questions. I have already tried to create a new developer ID certificate, but it still has the same issue. On the other hand, the iOS app is working fine and has been published in the App Store. Could you please assist us in resolving this issue as quickly as possible? Your prompt help would be greatly appreciated.
1
0
200
2w
Code-signing and Notarization Accepted, but Stapler Fails with Error 65
Hello Apple Developer Community, I’m encountering an issue where my macOS app (signed with a valid ‘Developer ID Application’ certificate and accepted by Apple’s notary service) fails when I attempt to staple the notarization ticket. The Apple notary service reports ‘Accepted’ each time, but xcrun stapler staple always returns Error 65, with the local check (spctl -a -vvv) showing ‘Unnotarized Developer ID.’ Here are some key points: Certificate: I have a valid ‘Developer ID Application’ certificate (unexpired) in my login and system keychains, with Apple’s intermediate certificates also installed and set to System Defaults or Always Trust. Notarization: Regardless of whether I submit a .zip of the .app or the final .dmg for notarization, notarytool reports ‘Accepted.’ Stapling: xcrun stapler staple (or notarytool staple) on the exact file I uploaded fails with Error 65, claiming it can’t validate the downloaded ticket. Environment Checks: Checked for duplicate or outdated certificates—only one Developer ID remains. Repeated on multiple code-signed builds (both .app and .dmg) with the same result. Manually tested code-signing the .app with entitlements (for the hardened runtime) and then signing the .dmg without entitlements. Logs: The relevant excerpt from stapler indicates “Could not validate ticket for [app]. The staple and validate action failed! Error 65,” even though Apple’s notary service claims success. Could you please advise any additional troubleshooting steps or possible causes for local validation failure after a successful notarization? I’ve already ensured the environment is up to date with valid intermediates, only one Developer ID certificate. Any insight on diagnosing ticket mismatch or known tool bugs with Error 65 would be appreciated. Thank you!
1
0
261
3w
Notarization is very confusing
I have built a flutter desktop app and I notarized it. I have to distribute it directly as I cannot turn on App Sandboxing due to the functions included in the application. I created a build of the app from Xcode and then uploaded it for notarization and it was successfully notarized. If I compress that app into a .zip and share it over the internet, it successfully opens on any computer. But when I create a dmg using appdmg from npm and I try to distribute it, it does not open and shows me the option to either move to bin or cancel. When I notarize the dmg using the command: xcrun notarytool submit "YourApp.dmg" --apple-id "email" --password "app-specific-password" --team-id "YOUR_TEAM_ID" --wait It notarizes successfully. I have also done: xcrun stapler staple "YourApp.dmg" And validated it but it does not seem to work when I distribute it over the internet by uploading on my website. It is a bit strange that when I distribute the notarized app, it does not show any error when distributed over the internet by uploading on my website and then downloading but for a notarized dmg, which is properly signed, it gives that error that wether move to bin or do nothing. Would love someone's help on this!
2
0
263
3w
Unnotarized Developer ID
I'm new to notarizing applications. I'm building an Electron application using electron-packager. The signing looks solid: codesign -vvv --deep --strict path/to/app.app # satisfies its Designated Requirement But checking notarization, looks like it didn't work. spctl --assess -vv path/to/app.app # source=Unnotarized Developer ID # origin=Developer ID Application: Tyson XXXX (XXXXX) I'm wondering how to fix the "Unnotarized Developer ID". Thanks!
1
0
218
3w
Notarization stuck
Hello, I've been trying to notarize a Unity 2023.2 app since yesterday, but our submissions stay stuck in In Progress. The first one has been running for 18 hours now with no signs of stopping, and two more attempts have been made since with no results. Here are the submission IDs in case someone on the team wants to take a look: 00ef6def-601b-46f3-a94f-699d8956a28f d03f5748-2261-430c-934e-14fa9679afd9 a42d3b5c-3cdb-4bf2-9c86-c92320358ff3 Thank you!
1
0
224
4w
Code Signing, Certificates and Profiles for Notarisation
I keep having issues with my account. I have certificates that will not revoke. I create new certificates, then I create new profiles for development, distribution and for developer ID application distribution outside of the app store as well. With my app in Xcode, I can only get the Developer profile to work to allow builds. My distribution profile builds and then fails, with an error 5. The Developer ID Application profile will not even accept the profile in XCode, sighting that there is no code signing, yet I have checked things over and over again. Ontop of this, I had developers in the past in my team and they added a whole lot of certificates for Developer ID that I just cannot use now. I also cannot revoke them. I have no active apps on the app store now, so I was wondering if Apple or someone can assist me in removing ALL the certificates, all the profiles and get a clean slate, so that I can setup everything from scratch again, because I have lost countless of hours getting nowhere and I cannot get Apple support to assist? Anyone been through this before?
1
0
297
Jan ’25
Issues with certificates, profiles etc. especially for distribution and developer ID distribution
I keep having issues with my account. I have certificates that will not revoke. I create new certificates, then I create new profiles for development, distribution and for developer ID application distribution outside of the app store as well. With my app in Xcode, I can only get the Developer profile to work to allow builds. My distribution profile builds and then fails, with an error 5. The Developer ID Application profile will not even accept the profile in XCode, sighting that there is no code signing, yet I have checked things over and over again. Ontop of this, I had developers in the past in my team and they added a whole lot of certificates for Developer ID that I just cannot use now. I also cannot revoke them. I have no active apps on the app store now, so I was wondering if Apple or someone can assist me in removing ALL the certificates, all the profiles and get a clean slate, so that I can setup everything from scratch again, because I have lost countless of hours getting nowhere and I cannot get Apple support to assist? Anyone been through this before?
1
0
264
Jan ’25
The staple and validate action failed! Error 65.
I've tried to sign/notarize/staple my Electron app via electron-builder, using electron-notarize. I tried it as well in cmd line - both times, same result. Code signing runs without a problem. Notarize (I did wait two days first time, now it's couple of minutes) Stapling - failure `Downloaded ticket has been stored at file:///var/folders/.... Could not validate ticket for.... The staple and validate action failed! Error 65. ` I've checked, and the tickets are downloaded to said folder. My process: `codesign --deep --force --options runtime \ --entitlements build/entitlements.mac.plist \ --sign "Developer ID Application: Pete..." \ dist/mac-arm64/Modelist.app` ditto -c -k --sequesterRsrc --keepParent dist/mac-arm64/Modelist.app dist/mac-arm64/Modelist.zip xcrun notarytool submit dist/mac-arm64/Modelist.zip \ --apple-id "email" \ --password "app_specific_pass" \ --team-id "team_id" \ --wait Conducting pre-submission checks for Modelist.zip and initiating connection to the Apple notary service... Submission ID received id: 8fa0b3d3-291... Upload progress: 100,00% (98,1 MB of 98,1 MB) Successfully uploaded file id: 8fa0b3d3-291... path: /Users/pete/projects/modelist2/dist/mac-arm64/Modelist.zip Waiting for processing to complete. Current status: Accepted............. Processing complete id: 8fa0b3d3-291... status: Accepted xcrun stapler staple dist/mac-arm64/Modelist.app Processing: /Users/pete/projects/modelist2/dist/mac-arm64/Modelist.app Could not validate ticket for /Users/pete/projects/modelist2/dist/mac-arm64/Modelist.app The staple and validate action failed! Error 65. The certs were installed via XCode. Variables are all exported in env. I followed the instructions for electron-builder from here: https://kilianvalkhof.com/2019/electron/notarizing-your-electron-application/ I'm sure I made a stupid little mistake, but after hours of arguing with ChatGPT we are going in circles and after clicking on almost every link in Google, I'm kindda lost.
4
0
476
Jan ’25
notarytool takes a long time (2h+) breaking our CI/CD pipeline
Hi, Since about 2 weeks notarytool is not very reliable on our CI/CD server. The tool either exists without printing any reason (killed by a signal; not caused by timeout - we have 6h timeouts and the tool gets killed after about 30 mins) or the process takes a very long time e.g. 2h to complete. We use the same pipeline since at least 2 years and we did not have this problem before. Some problematic calls: createdDate: 2025-01-15T14:50:22.545Z id: ca0faad3-789a-4842-a8c9-14aa7c2297a9 name: xxxxxx status: In Progress -------------------------------------------------- createdDate: 2025-01-15T14:33:06.813Z id: 22df0da8-70de-4dd9-935d-a26055242014 name: xxxxxx status: In Progress -------------------------------------------------- createdDate: 2025-01-15T14:18:36.436Z id: 5729b836-69f0-4526-b1d2-7743bd4d57a6 name: xxxxxx status: In Progress -------------------------------------------------- createdDate: 2025-01-15T14:18:31.716Z id: 58f3c7a1-96bd-4f5d-8a3c-6860f925659e name: xxxxxx status: In Progress Can anyone check why the tool is taking now way more time than before to process a submission? The app that we are notarizing did not change that much.
4
0
297
Jan ’25
Notarization stuck on "In Progress"
Hi there, this is the first time I submitted a Mac app for notarization but looks like all my submissions are stuck in in progress for like one day at the moment. Can anyone help take a look? This is my submission history: Successfully received submission history. history -------------------------------------------------- createdDate: 2025-01-16T00:23:18.445Z id: 0581680c-9cfe-4e5b-9cc9-3ba101c9fd52 name: MiniCalendar.zip status: In Progress -------------------------------------------------- createdDate: 2025-01-15T05:12:13.480Z id: 55a03297-491b-4d30-8126-45d488a6beb9 name: MiniCalendar.zip status: In Progress -------------------------------------------------- createdDate: 2025-01-15T04:27:40.510Z id: 092f558f-01d0-48e5-9761-58dda54de23c name: MiniCalendar.zip status: In Progress -------------------------------------------------- createdDate: 2025-01-15T01:12:55.923Z id: 3aa74a6f-bcb8-4911-9d18-fcbb3e9a6c11 name: MiniCalendar.zip status: In Progress
8
0
408
Jan ’25
Notarization service issue
This has been going on for at least a couple of hours for us: notarizing doesn't complete. Our last job ran for over 90 minutes before CircleCI timed it out. We're using xcrun notarytool submit with the --wait option; it contined to say "Current status: In Progress" for, as I said, 90 minutes or so. (Normally it takes about 70 seconds.) https://developer.apple.com/system-status/ says everything is normal. This does not seem to be the case for us. 😄
17
1
706
Jan ’25
The notarized custom PAM module cannot function properly after unlock from screensaver
We are developing a custom login service including custom PAM module. While it initially works correctly after installation on macOS, it becomes blocked by the system during privilege escalation (coreauthd) after unlocking the screensaver. The custom PAM module has been signed with a Developer ID certificate and submitted for notarization using notarytool. And passed staple check. spctl -at open --context context:primary-signature -v pam_custom.so: accepted source=Notarized Developer ID Here are the detail steps: Install the custom PAM file under /usr/local/lib/pam/. Ensure SIP (System Integrity Protection) is enabled. Log in to the Mac using the custom login service developed with the custom PAM module. Successfully log in. Open System Settings > Touch ID & Password. Click Add Fingerprint to trigger local authentication. This local authentication can be passed using Touch ID without invoking the custom PAM. Cancel adding fingerprints. Allow the Mac to idle until the screensaver is triggered. Unlock the screen using the custom PAM. Go to System Settings > Touch ID & Password and click Add Fingerprint again. This time, local authentication triggers the custom PAM, but it always fails. The system log shows that the custom PAM is not found. Related system logs at step 9: 2024-12-25 19:05:05.320264-0800 0x42f3 Error 0x0 0 0 kernel: (AppleMobileFileIntegrity) Library Validation failed: Rejecting '/usr/local/lib/pam/pam_custom.so' (Team ID: none, platform: no) for process 'authorizationhos(941)' (Team ID: N/A, platform: yes), reason: mapped file has no cdhash, completely unsigned? Code has to be at least ad-hoc signed. 2024-12-25 19:05:05.320629-0800 0x42f3 Error 0x0 0 0 kernel: (AppleMobileFileIntegrity) Library Validation failed: Rejecting '/usr/local/lib/pam/pam_custom.so' (Team ID: none, platform: no) for process 'authorizationhos(941)' (Team ID: N/A, platform: yes), reason: mapped file has no cdhash, completely unsigned? Code has to be at least ad-hoc signed. Related system logs at step 11: 2024-12-25 19:05:22.510658-0800 0x41a6 Error 0x0 0 0 kernel: (AppleMobileFileIntegrity) Library Validation failed: Rejecting '/usr/local/lib/pam/pam_custom.so' (Team ID: none, platform: no) for process 'coreauthd(653)' (Team ID: N/A, platform: yes), reason: mapped file has no cdhash, completely unsigned? Code has to be at least ad-hoc signed. 2024-12-25 19:05:22.510953-0800 0x41a6 Error 0x0 0 0 kernel: (AppleMobileFileIntegrity) Library Validation failed: Rejecting '/usr/local/lib/pam/pam_custom.so' (Team ID: none, platform: no) for process 'coreauthd(653)' (Team ID: N/A, platform: yes), reason: mapped file has no cdhash, completely unsigned? Code has to be at least ad-hoc signed. 2024-12-25 19:05:22.511624-0800 0x41a6 Default 0x16b99 653 0 coreauthd: (libpam.2.dylib) in openpam_load_module(): no pam_custom.so found Why does local authentication call the custom PAM after unlocking from the screensaver? Could this issue also be related to a code signing configuration that needs adjustment?
1
0
321
Jan ’25