I seems like a pretty common issue but i'll make a post about it specifically for what i'm seeing. Its my first time notarizing an app so maybe its something in my config, but i'm not seeing any errors. For simplicity I cloned, built and signed the sample Electron Forge app following the steps on https://www.electronforge.io/ "Getting Started". The build zip is 90MB so its not that large. My production application will be DMG, but even that is stuck (Maybe because the zips before it are currently stuck) Trying to manually notarize via notarytool just hangs. I used xcrun notarytool submit <Package> --keychain-profile "NotaryProfile" --wait Running xcrun notarytool history --keychain-profile "NotaryProfile" outputs the following. createdDate: 2023-09-06T14:49:59.810Z id: 838c0903-d136-4241-be98-174152a7e3cf name: my-new-app.zip status: In Progress -------------------------------------------------- createdDate: 2023-09-06T14:31:08.880Z id: 1ce6ef46-8b09-4b20-9f61-81292b2dcbb9 name: my-new-app.zip status: In Progress -------------------------------------------------- createdDate: 2023-09-06T14:10:23.726Z id: 71bc9206-036e-46c7-aadf-6bfaa4097743 name: my-new-app.zip status: In Progress -------------------------------------------------- createdDate: 2023-09-06T13:54:35.527Z id: 7c7fd365-1f08-48c6-a314-3a1809019f9c name: my-new-app.zip status: In Progress Its been about 7 hours since my first attempt. I tried to pull logs by calling xcrun notarytool log --keychain-profile "NotaryProfile" aa6e9df3-ef62-4058-8bcc-683f015b412a but it seems like non exist yet. Submission log is not yet available or submissionId does not exist id: aa6e9df3-ef62-4058-8bcc-683f015b412a Not sure whats going on, but its pretty far off from the time estimate of 5 - 45 minutes. Any help is appreciated. NotaryTool version is 1.0.0 (28)

MyPythonExe is a compiled file coming from a python script compiled with using pyinstaller. After compiled, it was signed using codesign: codesign -s "Developer ID TTT", -o runtime -f --timestamp MyPythonExe Once signed, the exe was placed in a Zip container (exeZip), and then successfully notarized using the following: xcrun notarytool submit exeZip --keychain-profile "MyNotarProf" --wait It was accepted. Now, when try to run it, the following error was thrown (oddly, the compiled unsigned Exe runs in the same computer without any issues): /Users/admin/Downloads/MyPythonExe ; exit; admin@admins-MacBook-Air ~ % /Users/admin/Downloads/MyPythonExe ; exit; [1767] Error loading Python lib '/var/folders/80/35xy0t2n3t96b5nl5ldl24_r0000gn/T/_MEIEhOx1q/Python': dlopen: dlopen(/var/folders/80/35xy0t2n3t96b5nl5ldl24_r0000gn/T/_MEIEhOx1q/Python, 0x000A): tried: '/var/folders/80/35xy0t2n3t96b5nl5ldl24_r0000gn/T/_MEIEhOx1q/Python' (code signature in <88BFFD37-99D8-36AB-9B95-9F54B30BD667> '/private/var/folders/80/35xy0t2n3t96b5nl5ldl24_r0000gn/T/_MEIEhOx1q/Python' not valid for use in process: mapped file has no Team ID and is not a platform binary (signed with custom identity or adhoc?)), '/System/Volumes/Preboot/Cryptexes/OS/var/folders/80/35xy0t2n3t96b5nl5ldl24_r0000gn/T/_MEIEhOx1q/Python' (no such file), .... (+ a couple of similar errors) No, the said exe file (MyPythonExe) was signed and successfully notarized. Oddly, the very same file, but unsigned runs perfectly well (after being authorized so it can surpass Gatekeeper, of course). What could be going on here? Any hint on how to overcome this issue?

Hi there, I could use some help with notarizing. I'm developing a Python module in the Rust programming language. The extension of the resulting library file is .so, which is necessary for Python to see it, instead of the regular .dylib. I compile this library for both apple silicon and intel. When a user first imports the library which in turn imports the library, and the user is confronted with Gatekeeper. So I guess I need to notarize the module file. And that's where I'm stuck. I created an Apple developer account, created a "Developer ID Application" certificate and used codesign to sign the .so file with it. That worked. I then used ditto to create a zip file with just the .so file: "ditto -c -k --keepParent my_module.so my_module.zip" The 600 kb file quickly uploads to Apple and I get an ID for checking the logs later on. Then I wait for the progress........ And nothing happens for hours on end. When I check the logs for the provided ID I get this message: "Submission log is not yet available or submissionId does not exist" I also checked if perhaps the notarization did work regardless of the above, with "spctl -a -t exec -vvv ./my_module.so". Says it's rejected, source=Unnotarized Developer ID. There is not much that I can work with, because I don't get an error message. Any ideas? Have fun, Wybren

I'm integrating Notary API, in our CI/CD pipelines. It all works well for notarization, but there is no mention of how to obtain the signing ticket nor how to staple it to the dmg. Do I need to use for that the: xcrun stapler staple I was hoping that with use of the Notary API, I can avoid requiring xtools and developer id on the machine.

I am having an issue trying to notarize app with a bundled binary using notarytool. Everything is signed properly, but the notarization status of every submission I've tried over the past two days have just been stuck on In Progress. I even tried submitting something else but this is also stuck on In Progress. Successfully received submission history. history -------------------------------------------------- createdDate: 2023-10-01T15:34:36.959Z id: 8461c5b0-51d0-4c00-8391-4dcb541f2ccf name: flot.zip status: In Progress -------------------------------------------------- createdDate: 2023-10-01T15:13:46.537Z id: 4fd3e79c-74e2-4824-bc5c-c63c305243c3 name: flot.zip status: Invalid -------------------------------------------------- createdDate: 2023-10-01T14:29:52.668Z id: fc8bc0ae-8e17-4286-86b5-48d71d08175c name: flot-Mac-2.0.0-Installer.dmg status: In Progress

When I try to store my credentials using the notary tool, I get the following: /Applications/Xcode.app/Contents/Developer/usr/bin/notarytool store-credentials --verbose [00:44:33.975Z] Debug [MAIN] Running notarytool version: 1.0.0 (27), date: 2023-10-03T00:44:33Z, command: /Applications/Xcode.app/Contents/Developer/usr/bin/notarytool store-credentials --verbose This process stores your credentials securely in the Keychain. You reference these credentials later using a profile name. Profile name: build We recommend using App Store Connect API keys for authentication. If you'd like to authenticate with an Apple ID and app-specific password instead, leave this unspecified. Path to App Store Connect API private key: ./private_keys/AuthKey_QHBB38VH7L.p8 App Store Connect API Key ID: storieddata App Store Connect API Issuer ID: 69a6de6f-872e-47e3-e053-5b8c7c11a4d1 Validating your credentials... [00:45:08.825Z] Info [API] Initialized Notary API with base URL: https://appstoreconnect.apple.com/notary/v2/ [00:45:08.826Z] Info [API] Preparing GET request to URL: https://appstoreconnect.apple.com/notary/v2/test?, Parameters: [:], Custom Headers: private&lt;Dictionary&lt;String, String&gt;&gt; [00:45:08.827Z] Debug [JWT] Generating new JWT for key ID: storieddata. [00:45:08.829Z] Info [JWT] Caching newly generated JWT. key ID: storieddata, JWT: private&lt;String&gt; [00:45:08.830Z] Debug [AUTHENTICATION] Authenticating request with App Store Connect API credentials. Key ID: storieddata, Issuer ID: 69a6de6f-872e-47e3-e053-5b8c7c11a4d1 [00:45:08.831Z] Debug [TASKMANAGER] Starting Task Manager loop to wait for asynchronous HTTP calls. [00:45:09.243Z] Debug [API] **Received response status code: 401, message: unauthorized, URL: https://appstoreconnect.apple.com/notary/v2/test?,** Correlation Key: ZYHO7EDNX52XJBTRMIOUWGIVZI [00:45:09.244Z] Error [API] Received non-JSON response body from Notary API, URL: https://appstoreconnect.apple.com/notary/v2/test? [00:45:09.245Z] Error [TASKMANAGER] Completed Task with ID 1 has encountered an error. [00:45:09.246Z] Debug [TASKMANAGER] Ending Task Manager loop. Credential validation failed. Please verify your inputs. I have double checked the input, and everything is correct.

I signed my application in MacOS 13.4, and the signed objects include all the binary files I compiled myself, and notarizing also works. It can also run normally on my version 13.4 Mac. However, when I copied this application to a computer with Mac OS version 11.3, it couldn't run properly. Dlopen will generate an error message, indicating that some of the dynamic libraries called by the program do not match the signature of the program itself. These dynamic libraries are from JRE, so I re-signed them and notarizing also works. In MacOS 13.4, it still runs normally, but in MacOS 11.3, it will report another error: Error occurred during initialization of VM Could not reserve enough space for code cache What is the reason for this and how should I handle it? Thank you in advance for any comments on this issue.

I'm using the "notarytool store-credentials" command to store my access credentials for notarizing our apps from a build server through Jenkins. The machine is a Mac Mini M1 running Ventura. This works per se but for a reason I don't understand, I need to do this repeatedly. When I store the credentials, it will work for the next hours but at some point the machine will "forget" the access credentials resulting in this error output: Conducting pre-submission checks for <app name> and initiating connection to the Apple notary service... Error: No Keychain password item found for profile: notarization Run 'notarytool store-credentials' to create another credential profile. I then have to run the store-credentials command again so I can use it again for the next few hours. This is obviously quite annoying especially since it's absolutely not obvious why it behaves that way. The machine is on 24/7 and I don't see why the keychain item gets removed. I'd appreciate any insight and would like to know what I have to do to store the credentials permanently.

Hi there, I want to build an application that can be run on different macos machines. That app uses libpython3.11.dylib. It could not be just linked with libpython because in out binary path to library may be different: /System/Library/Frameworks/Python.framework/... /usr/local/Cellar/python/3.X.Y/Frameworks/Python.framework/Versions/... /Library/Frameworks/Python.framework/Versions/... $(pyenv root)/versions/{VERSION} .... I need to ensure that the application uses the Python library corresponding to the Python version that the user is using. Attempted to make a workaround by creating a symlink to the current library and setting the library path to @executable_path/../lib/libpython3.11.dylib, but it did not work. Here's the error I encountered: % /Users/user/Downloads/xtensa-esp-elf-gdb/bin/xtensa-esp-elf-gdb-3.11 dyld[92502]: Library not loaded: @executable_path/../lib/libpython3.11.dylib Referenced from: <F6F408DC-F698-3545-9C75-82486ADA77BE> /Users/user/Downloads/xtensa-esp-elf-gdb/bin/xtensa-esp-elf-gdb-3.11 Reason: tried: '/Users/user/Downloads/xtensa-esp-elf-gdb/lib/libpython3.11.dylib' (code signature in <666A28FE-7CD3-384C-A727-7DE3D98625A2> '/Library/Frameworks/Python.framework/Versions/3.11/Python' not valid for use in process: mapping process and mapped file (non-platform) have different Team IDs), '/System/Volumes/Preboot/Cryptexes/OS@executable_path/../lib/libpython3.11.dylib' (no such file), '/Users/user/Downloads/xtensa-esp-elf-gdb/lib/libpython3.11.dylib' (code signature in <666A28FE-7CD3-384C-A727-7DE3D98625A2> '/Library/Frameworks/Python.framework/Versions/3.11/Python' not valid for use in process: mapping process and mapped file (non-platform) have different Team IDs), '/usr/lib/libpython3.11.dylib' (no such file, not in dyld cache) zsh: abort I cannot distribute libpython within the application because it requires Python modules. Moreover, the application should use Python modules that are installed on the user's system. What can I do to make this work properly? E.g. user have pythons installed: /usr/local/Cellar/python/3.11.3/Frameworks/Python.framework/Versions/3.11... /Library/Frameworks/Python.framework/Versions/3.11/... Obviously, the user has only one active Python from this list. How can my application use the correct libpython?

I'm attempting to notarize and distribute a game built with Love2D. Love2D is an engine which runs games written in Lua and bundled into .love files, which are identical to .zip files. Packaging a game for Mac distribution involves cloning the Love2D Xcode project, providing your built game.love file (the zipped game content), and then signing and notarizing as with any other Mac app (see more on the Love2D wiki: https://love2d.org/wiki/Game_Distribution#Creating_a_macOS_Application). I'm encountering an issue because my game contains compiled C binaries which the game loads at runtime. These binaries are compiled for MacOS x86 and arm64, and work perfectly in development. I am able to successfully build and sign the game with my Developer ID Application certificate and provisioning profile, but notarization of the game fails because the compiled C binaries are not signed; below is an excerpt from the audit log: { "severity": "error", "code": null, "path": "Bang_Average_Football.zip/love.app/Contents/Resources/game.love/deps/gifcatlib_arm64.so", "message": "The binary is not signed with a valid Developer ID certificate.", "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721", "architecture": "arm64" }, I can sign these binaries using codesign and the same certificate as the Mac app like so (with the correct name): codesign --sign "Developer ID Application: Firstname Lastname" --verbose=4 gifcatlib_arm64.so After signing the binaries, the app successfully builds, and is notarized successfully without reporting any code signing issues. Hooray! The issue is that the app doesn't actually run and crashes as soon as it attempts to use any of the now-signed binaries complaining that they haven't been signed correctly. Here's a link to the full crash log; the specific error is below: Exception Type: EXC_BAD_ACCESS (SIGKILL (Code Signature Invalid)) Exception Codes: UNKNOWN_0x32 at 0x000000010a9c8000 Exception Codes: 0x0000000000000032, 0x000000010a9c8000 Exception Note: EXC_CORPSE_NOTIFY Termination Reason: Namespace CODESIGNING, Code 2 The same error occurs even with Hardened Runtime disabled and 'Disable Library Validation' enabled. Is there a likely cause of this crash? Why does notarization succeed but the app essentially instacrashes? Have I signed the binaries incorrectly? Is what I'm attempting not actually possible? (can signed and unsigned binaries not really be hotswapped like this?) Please let me know if there's any more information I should provide. Thanks, Ruairi

Hello. I am doing a migration from altool to notarytool. I am doing the above on an enterprise network which is not able to communicate with the outside world except for some URLs, ports. Previously, when I was using altool to execute notarize, I requested the administrator to open url, port by referring to the document below, and so far, it is proceeding without any problem. [https://support.apple.com/en-us/HT210060] The problem is that when I use notarytool to notarize, it tries to access a new domain called appstoreconnect.apple.com, which is not in the documentation above. Did I need to ask my network administrator to allow only the above URL or the other? Or is there another way to do notarize without accessing that URL? If there is any additional documentation on opening hosts and ports that I am not aware of, I would appreciate it if you could point me to it.

Hi there, I'm in a process to move from altool to notarytool, following information found at TN3147. First, TN3147 says the team-id is optional if my account has only one team membership, which is the case, but the notarytool says it's mandatory and I do have to use it (not an issue). Now, the issue I face: $ security unlock-keychain -p prorogue-stake-unused /Users/comp/Library/Keychains/my.keychain $ xcrun altool --username $APPLEID --password "@keychain:MYPASSWORD" --notarization-history 0 .. it displays the notarization history as expected .. but: $ xcrun notarytool history --apple-id $APPLEID --team-id $TEAMID --password "@keychain:MYPASSWORD" Error: HTTP status code: 401. Invalid credentials. Username or password is incorrect. Use the app-specific password generated at appleid.apple.com. Ensure that all authentication arguments are correct. The password is supposed work with both tools, according to TN3147. What am I missing? Besr regards,

Ok so I've just swapped over from altool to notarytool and submitted my first app, notarytool tells me Successfully uploaded, and having waited 30mins (which would be some sort of record wait for altool) info tells me status:Accepted I notice elsewhere that there are comments that the first submission can take some time - even days - but as I've done A LOT of notarizing over the last couple of years I wouldnt classify myself as submitting my first request... or is that more properly "my first request with notarytool"? If so - happy to sit and wait for a couple of days this first time thru....

When I run notarytool submit in my github workflow, I get what appears to be some kind of segmentation fault. Here's a direct link to the exception output: https://github.com/recyclarr/recyclarr/actions/runs/6594346352/job/17918152266#step:6:43 My project is open source, so you can also view the shell script I use in the workflow itself: https://github.com/recyclarr/recyclarr/blob/update-notary-tool/ci/notarize.sh The script above contains this: #!/usr/bin/env bash set -xe user="$1" pass="$2" teamId="$3" archivePath="$4" function submit() { xcrun notarytool submit --wait \ --apple-id "$user" \ --password "$pass" \ --team-id "$teamId" \ recyclarr.zip | \ awk '/id: / { print $2;exit; }' } function log() { xcrun notarytool log \ --apple-id "$user" \ --password "$pass" \ --team-id "$teamId" \ "$1" } tar -cvf recyclarr.tar "$archivePath" zip recyclarr.zip recyclarr.tar submissionId="$(submit)" rm recyclarr.zip recyclarr.tar if [[ -z "$submissionId" ]]; then exit 1 fi echo "Submission ID: $submissionId" until log "$submissionId" do sleep 2 done The error (from the workflow run) is: 2023-10-21 01:24:18.817 notarytool[4894:25434] *** Terminating app due to uncaught exception 'NSFileHandleOperationException', reason: '*** -[_NSStdIOFileHandle writeData:]: Broken pipe' *** First throw call stack: ( 0 CoreFoundation 0x00007ff8106c4773 __exceptionPreprocess + 242 1 libobjc.A.dylib 0x00007ff810424bc3 objc_exception_throw + 48 2 Foundation 0x00007ff8115b5962 -[NSConcreteFileHandle readDataUpToLength:error:] + 0 3 Foundation 0x00007ff811497590 -[NSConcreteFileHandle writeData:] + 263 4 notarytool 0x000000010bcff026 notarytool + 462886 5 notarytool 0x000000010bcb780d notarytool + 169997 6 notarytool 0x000000010bcd37c6 notarytool + 284614 7 notarytool 0x000000010bcea719 notarytool + 378649 8 notarytool 0x000000010bcd3d19 notarytool + 285977 9 notarytool 0x000000010bcd2a4e notarytool + 281166 10 notarytool 0x000000010bcd5009 notarytool + 290825 11 notarytool 0x000000010bc8fe66 notarytool + 7782 12 dyld 0x000000011781b52e start + 462 ) libc++abi: terminating with uncaught exception of type NSException I do not get this error when I run this script directly on my 2023 MBP. It only appears to happen in my github workflow. Is this a bug in notarytool? Notarization appears to still complete, and I also get a submission ID I can use for the notarytool log command I run after.

I have been using XCODE to distribute macOS apps to a few "testers" by Archiving and then using the button Distribute App -> Developper ID -> using automatic signing and uploading to notary service. I am aware that Altool is deprecated and stopped working - and of TN3147 - which explains how to migrate using command line/scripts. However, since I upgraded to XCODE 14.3, I would have thought that the Distribute App button for the archived project no longer uses altool AmI correct? where in XCODE can I check if the Distribute App button uses Notary Tool? or is the only way to transition is to implement the scripts discussed in TN3147 and never use the Distribute App button? after today using Distribute App button - I have been suck in "In-Progress" for more than 1 hour - when I just made a rather small update to the code of this previously notarized app - which usually gets notarize very quickly. I will get into svripts etc. per TN3147 if I have too - but I was just wondering why XCODE 14.3 Distribute App would not be already "wired" to use the notarytoll (as it used to be for altool in previous version? Thanks

I've been waiting over an hour at this point—is something down or is the pipeline just really, really backed up?

I have changed our notarization script to use notarytool. See here: https://github.com/mixxxdj/mixxx/blob/32d918a8e64fffea7039356de0fa94799e3fcc7e/packaging/macos/sign_notarize_staple.sh#L30 The workflow run timed out after 5 minutes here: https://github.com/mixxxdj/mixxx/actions/runs/6834172969/job/18586695826 The notarization request is still in progress: https://appstoreconnect.apple.com/notary/v2/submissions/ef8cf93e-c084-43eb-be1d-7ec2f20f9377 I have tried again, with another request that sucks in a the "status": "In Progress" I am using Xcode 13.2.1 and macOS 10.12 as deployment target on macOS 11.7.10 What could have gone wrong?

I used ChatGPT to help me build a screensaver of 40 images to be shown randomly in Xcode. It works great but I get the error below when trying to deploy it on other Macs. I signed up for a developer account and a Gethub account and thought Xcode was walking me through how to notarize the software but am now stuck. I'm not a true programmer. Can someone assist me in getting this notarized as this is the last thing holding me up from launching my business - granulartraining.com Error - “CyberSecurity Reminders.saver” can’t be opened because Apple cannot check it for malicious software. Thanks. Tom

I am having troubles notarizing an installer package. I created an installer package using the pkgbuild and productbuild, and then I tried to notarize it with notarytool, but I got an error message. The error message led me to Use a valid Developer ID certificate, which includes the statement Sign installer packages with a Developer ID Installer certificate The app is signed with the team Developer ID and is notarized (via Xcode). I signed both packages (during pkgbuild and productbuild) with a certificate created when I clicked Mac Installer Distribution in the developer portal, and it created a certificate named "3rd Party Mac Developer Installer: my company" Is this the wrong certificate? If it is the wrong certificate, which one should I create in the developer portal? (I didn't see anything specified as "Developer ID Installer") If it is the right certificate, any idea what I might have done wrong? Note: The reason I am trying to notarize the installer package is because when I tried testing the installer in my test VM, I received the following message (I thought signing the pkg would have prevented this):

Notarizing was working fine on my account, but suddenly stopped working with this error message. I've contacted Apple Developer Program support and they told me it's an internal issue on their side, that their engineers are working on it and that they'll answer me when the engineers have an answer. The thing is, this thing has been going for 3 months. Every time I email the support I get a bot message saying "our engineers are looking into it". And my account still is unable to notarize my app. What's going on? I've message several other Apple Developers and none of them had to deal with this. Why is this happening to my account? This is blocking the launch of my project(https://focuslit.app), which I worked months and have costumers asking about the new features, but I can't release a new version without notarizing. What can I do? I'm seriously thinking about refunding everyone and dropping the project, I never felt this mistreated by a company(which I have all products and used to love) before.