Notarization

RSS for tag

Notarization is the process of scanning Developer ID-signed software for malicious components before distribution outside of the Mac App Store.

Notarization Documentation

Post

Replies

Boosts

Views

Activity

Struggling to Notarize a JUCE Plugin Installer
Hi there, I've been working on a JUCE audio plugin project and have created an installer for the demo to release to the public outside of the App Store. I have built the various forms of the plugin in Xcode (standalone, AU, vst3) and have the automatic signing set up with a Developer ID Application certificate. I have been using WhiteBox Packages to create the installer to install the AU component and the vst3 on a user's computer. I can successfully sign the installer with a Developer ID Installer certificate but when I submit it for notarization, the status returns as "invalid". When looking at the Notarytool log, it says that the binary is not signed with a valid Developer ID certificate for all versions of the plugin (for AU & vst3, and both architectures, arm64 & x86_64, as well). I can use codesign and pkgutil to confirm that the files and installer are both signed including the contents within both the AU and vst3 bundles, but the notarization still fails. I have tried to notarize just a zipped version of the plugin but that fails too. In the Customizing The Notarization Workflow documentation, it is mentioned that custom third-party installers need two rounds of notarization. I'm assuming Packages is a custom third-party installer but I don't see how two rounds of notarization is possible when I can't even notarize a zipped version of the plugin. I am still new to Xcode and Apple Developer so there is a possibility that it's something I missed or didn't do. I've read through quite a few other posts on both this forum and the JUCE forum about similar problems but I haven't found a solution that has worked so if anyone has any ideas on how to potentially get my installer notarized, I'd greatly appreciate the advice. Thanks.
2
0
327
Aug ’24
Unable to Notarize
I have been trying to notarize an app since yesterday tried about 20 times at various times of the day. Most times it stops during the upload and produces an error message "Couldn't communicate with a helper application" which occurs at various places while downloading. Three times the upload appeared to complete but then produced an error "This operation could not be completed (SotoS3.S3ErrorType.Multipart.error.1 I then looked in the status log which had several entries: Prepared archive for uploading (green check to left) Upload failed (red x to left) Notary error (red x to left) The operation couldn't be completed (SotoS3.S3ErrorType...) In Progress (grey timer icon to left)
4
0
453
Aug ’24
Developer ID target can't be signed or notarized automatically
macOS application Mulligan's Eagle (403115926) macOS deployment - macOS 10.14 (Mojave) through Sonoma 14.5 macOS targets - Mac App Store, ad hoc direct drag-to-install image Xcode version 15.4, various development Macs (Intel, M1, M2) Eagle delivered since pre-Mac App Store days - derived from System 7 MacApp development. App most recently delivered with min system Mac OS 10.12 through current Sonoma 14.5, dual target for Mac App Store automatically signed with Apple Development credentials and for outside release automatically signed with Developer ID credentials. Recent revisions to the software to bump min system to 10.14 (Mojave) with typical continuing development for tech, reqm'ts, etc. Updates (a couple since previous release) to Xcode - now using version 15.4, which recommended some config changes that made sense, except min system. Popular application with lots of older (uh... elder) users running Macs servicing golfers. The application is ready to distribute with automatic signing, but wasn't able to do so with Developer ID credentials, but Xcode note (and reading of tips in this forum and my poor understanding) managed to submit for notarization - failed. Tried to manually sign... and reviewed signing info in Xcode... So I reviewed Certificate(s) etc. that should have been used when previously signing Dev ID for notarization and release. I have (I think) six Developer ID Application certs and six Developer ID Installer certs and I can't find any combination of those certificates - some with duplicate dates or expirations - that allows me to use one to automatically sign code to notarization or delivery. What do I do? I've lived a peaceful solo developer life for 25 years delivering and signing code for the Mac and as long as iOS has existed. I'm terrified about this issue however... My early Mac OS using customers (since Lion - pre sandbox) still have serial numbers for this software and have bought a Mac every 6 - 10 years so they could get my latest release. We've never required that they re-purchase from the App Store... they have a perpetual license. Sandboxing was a shock they never felt - we kept delivering updates to them and if they decided sandboxing mattered, they purchased from Apple and we included the container-migration entitlement in the App Store version to move their data to the new sandbox. Pretty slick. Until we built an install disk to test it on an unsandboxed version of Eagle in our office. It "lost" its data - vanished by remaining in the old Application Support directory while the new hardened runtime version looked for it in the sandbox - finding nothing. Just imagine encountering that if you're 80 years old running a golf league. How can I "reset" the futzed-up certificate Developer ID mess? I have multiple machines, all with varying subsets of what seem to be good certificates. And Xcode builds new provisioning profiles just for the heck of it, it seems. I'm afraid to revoke or throw out any certificates because I can't tell which ones are good, bad or duplicates - they're all valid. And I can't create any more Developer ID certs because there's a max to control certificate-miscreants like me (yes, I've read Quinn's protection of your Dev ID note - I screwed it up with only 1 employee). I depend on automatic signing because I'm still, after 58 years of coding, just a novice. Is it true that I should still specify in my build settings that I'm using Developer ID credentials for my ad hoc development and distribution schemes? And that the proper settings for those should NOT enable hardened runtime or app sandboxing? Sorry for my intensity here.... It's been 2 weeks since App Review bonked an initial submission with just an "it's broken" reject message, and DTS decided this is not such an emergency that the Developer Forum shouldn't be able to handle it. I'm truly hoping it's so.
4
0
558
Jul ’24
xcrun stapler error/message confusing
Hi, We are running xcrun staple on our pkg file. It gives the following message We do not know how to deal with trailer version 9262. Exepected 1 Terminator Trailer size must be 0, not 1737 {magic: t8lr, version: 1, type: 2, length: 1737} Found expected ticket at 8164385 with length of 1737 Sig Type is RSA. Length is 3 Sig Type is CMS. Length is 3 Package mypkg.pkg uses a checksum of size 20 *The staple and validate action worked!* However, the command returns with -1 error code. So, the questions I have are: What does this return response mean? Do we consider this as a success of failure scenario (specially because the message "...action worked"
3
0
407
Jul ’24
Notarization staus code 7000
I am getting rejected while notarizing. { "logFormatVersion": 1, "jobId": "123456-123456-123456-123456", "status": "Rejected", "statusSummary": "Team is not yet configured for notarization. Please contact Developer Programs Support at developer.apple.com under the topic Development and Technical / Other Development or Technical Questions.", "statusCode": 7000, "archiveFilename": "AppName.dmg", "uploadDate": "2024-07-26T18:51:25.866Z", "sha256": "a37cd79", "ticketContents": null, "issues": null } Do let me know how I can configure my team for notarization. File size is 103 MB. Made in Electron + Vue.
3
0
539
Jul ’24
App stuck on notarizing for 2+ hours
I am using Github Actions for signing and notarizing, but it's been stuck on notarizing for hours. I cancelled and retried but same thing happens. I am using Tauri which is running the notarize scripts. Here is my main.yml: name: macOS Build Script on: push: branches: - 'main' permissions: contents: write issues: write pull-requests: write jobs: build: runs-on: macos-latest steps: - name: Checkout repository uses: actions/checkout@v2 - name: Install Rust uses: actions-rs/toolchain@v1 with: toolchain: stable profile: minimal override: true - name: Install Node.js uses: actions/setup-node@v2 with: node-version: '20' - name: Install Node.js Dependencies run: npm install - name: Build the App run: npm run tauri build - name: List build artifacts run: | echo "Build artifacts:" ls -R src-tauri/target/release/bundle/ - name: Create Release uses: tauri-apps/tauri-action@v0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }} APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }} APPLE_ID: ${{ secrets.APPLE_ID }} APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }} APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} with: tagName: app-v__VERSION__ releaseName: 'App v__VERSION__' releaseBody: 'macOS build. See the assets to download this version and install.' releaseDraft: true prerelease: false - name: Create Release Manually if: failure() uses: actions/create-release@v1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: tag_name: app-v0.0.0 release_name: App v0.0.0 (macOS) draft: true prerelease: false id: create_release - name: Upload Release Asset if: failure() uses: actions/upload-release-asset@v1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: upload_url: ${{ steps.create_release.outputs.upload_url }} asset_path: ./src-tauri/target/release/bundle/dmg/mac-app_0.0.0_x64.dmg asset_name: mac-app_0.0.0_x64.dmg asset_content_type: application/x-apple-diskimage
1
0
416
Jul ’24
Ported app to M2 and need advice to notarize
Hi, I am totally unaware of the new notarize mechanism and generally starting to sign my application after having ported it to M2. I want to distribute the app without App Store - yet. My application is an open source tool or better a more complex tool for the software development that contains dylibs and frameworks all within an app bundle. I am using wxWidgets and stumbled upon the build process using install_name_tool temporary for each bundle and probably all libraries that I place into the application bundle to have an @executable_path and not an absolute path. That works so far, but the notarize tool or better checking it with spctl rejects it. A further test with spctl --assess or the like, I have the command lost, shows that are resources missing and I have a hint to use @rpath entries to be added. I am using makefiles and a custom make system where I build up the make commands for each target. I won't modify the rules for each target type, if I could do this in a post build step for all the contents of the app bundle. I have therefore a shell script that handles that additional task yet until code signing and it looks like as follows: #!/bin/sh # Copies together files for the Mac OS X application bundle and created a disk image export prefix=$1 export VERSION=1.3.4 cp ../../../Database/*.sql wxWrapper.app/Contents/Resources cp splash.png wxWrapper.app/Contents/Resources mkdir wxWrapper.app/Contents/Resources/XSLT cp -R ../../../AppDevelopmentDemo/DynamicApp/XSLT_Templates/include wxWrapper.app/Contents/Resources/XSLT/include cp -R ../../../AppDevelopmentDemo/DynamicApp/XSLT_Templates/DMFToXMI wxWrapper.app/Contents/Resources/XSLT/DMFToXMI cp -R ../../../AppDevelopmentDemo/DynamicApp/XSLT_Templates/XMIToDMF wxWrapper.app/Contents/Resources/XSLT/XMIToDMF cp -R ../../../AppDevelopmentDemo/DynamicApp/XSLT_Templates/lbDMFDataViewModel wxWrapper.app/Contents/Resources/XSLT/lbDMFDataViewModel cp -R ../../../AppDevelopmentDemo/DynamicApp/XSLT_Templates/lbDMFFixedFormular wxWrapper.app/Contents/Resources/XSLT/lbDMFFixedFormular cp -R ../../../AppDevelopmentDemo/DynamicApp/XSLT_Templates/TurboVision wxWrapper.app/Contents/Resources/XSLT/TurboVision cp -R ../../../AppDevelopmentDemo/DynamicApp/XSLT_Templates/wxActiveRecords wxWrapper.app/Contents/Resources/XSLT/wxActiveRecords cp -R ../../../AppDevelopmentDemo/DynamicApp/XSLT_Templates/wxLua wxWrapper.app/Contents/Resources/XSLT/wxLua cp ../../../AppDevelopmentDemo/DynamicApp/XSLT_Templates/include/XMISettingsTemplate.xsl wxWrapper.app/Contents/Resources/XSLT/XMIToDMF/XMISettings.xsl cp -R ../../../AppDevelopmentDemo/DynamicApp/UMLSamples wxWrapper.app/Contents/Resources mkdir wxWrapper.app/Contents/Resources/toolbarimages # UGLY! Using environment that also is properly defined while jenkins build is better cp -R $prefix/lib wxWrapper.app/Contents cp -R $prefix/plugins wxWrapper.app/Contents/Resources # How to access them? cp toolbarimages/*.xpm wxWrapper.app/Contents/Resources/toolbarimages cp toolbarimages/*.png wxWrapper.app/Contents/Resources/toolbarimages #cp -R `wx-config --prefix`/lib/lib`wx-config --basename`-`wx-config --release`.0.6.0.dylib wxWrapper.app/Contents/lib #cp -R `wx-config --prefix`/lib/lib`wx-config --basename`-`wx-config --release`.0.dylib wxWrapper.app/Contents/lib cp -R `wx-config --prefix`/lib/lib`wx-config --basename`-`wx-config --release`.*.dylib wxWrapper.app/Contents/lib cp -R `wx-config --prefix`/lib/lib`wx-config --basename`-`wx-config --release`.dylib wxWrapper.app/Contents/lib cp Info.plist wxWrapper.app/Contents codesign -f -v -s "Lothar Behrens" wxWrapper.app/Contents/Frameworks/lbHook.framework/Versions/A/lbHook codesign -f -v -s "Lothar Behrens" wxWrapper.app/Contents/Frameworks/wxJson.framework/Versions/A/wxJson codesign -f -v -s "Lothar Behrens" wxWrapper.app/Contents/Frameworks/wxWrapperDLL.framework/Versions/A/wxWrapperDLL codesign -f -v -s "Lothar Behrens" wxWrapper.app/Contents/lib/* codesign -f -v -s "Lothar Behrens" wxWrapper.app/Contents/Resources/plugins/* xattr -cr wxWrapper.app codesign -f -v -s "Lothar Behrens" wxWrapper.app/Contents/MacOS/wxWrapper #codesign -dvv wxWrapper.app codesign -f -v -s "Lothar Behrens" wxWrapper.app #spctl -a -t exec -vvvv wxWrapper.app #codesign -dvv wxWrapper.app #codesign -vv --deep-verify wxWrapper.app # Creating a new diskimage hdiutil create -ov -size 200m -volname lbDMF-$VERSION lbDMF-$VERSION-`uname -p`.dmg -fs HFS+ sleep 5 hdiutil attach lbDMF-$VERSION-`uname -p`.dmg # Copy stuff #mkdir /Volumes/lbDMF-$VERSION/`uname -p` #cp -R wxWrapper.app /Volumes/lbDMF-$VERSION/`uname -p` cp -R wxWrapper.app /Volumes/lbDMF-$VERSION mkdir /Volumes/lbDMF-$VERSION/toolbarimages cp toolbarimages/*.xpm /Volumes/lbDMF-$VERSION/toolbarimages cp toolbarimages/*.png /Volumes/lbDMF-$VERSION/toolbarimages cp ../../../COPYING /Volumes/lbDMF-$VERSION cp ../../../license-bindist.txt /Volumes/lbDMF-$VERSION cp ../../../AppDevelopmentDemo/DynamicApp/Doc/ApplicationprototypingDokumentation.pdf /Volumes/lbDMF-$VERSION/ # Copying templates to an accessable place cp -R wxWrapper.app/Contents/Resources/XSLT /Volumes/lbDMF-$VERSION/ cp -R wxWrapper.app/Contents/Resources/UMLSamples /Volumes/lbDMF-$VERSION/ mkdir /Volumes/lbDMF-$VERSION/.lbDMF cp -R wxWrapper.app/Contents/Resources/*.sql /Volumes/lbDMF-$VERSION/.lbDMF cat <<EOF >> /Volumes/lbDMF-$VERSION/Readme.txt Dear Mac user! ... Thanks Lothar Behrens EOF rm -rf `find /Volumes/lbDMF-$VERSION -name CVS -print` hdiutil detach /Volumes/lbDMF-$VERSION rm lbDMF-$VERSION lbDMF-$VERSION-`uname -p`.dmg.zip zip lbDMF.dmg.zip lbDMF-$VERSION lbDMF-$VERSION-`uname -p`.dmg mv lbDMF.dmg.zip lbDMF-$VERSION-`uname -p`.dmg.zip code-block Testing the app bundle shows this: spctl --assess -vvvvv --type execute wxWrapper.app wxWrapper.app: rejected origin=Apple Development: Lothar Behrens (********) I need some help where to insert a proper notary tool command and a proper check before uploading that I can see, if I could do so. Despite that I haven't had an active developer ID, I have that now and need to setup the Developer ID Distribution certificate into the keychain. So I plan to add the @rpath values per framework/dylib/so as additional commands into the shell script above. But how can I best verify for successful usage of notary tool? Any help? Thanks, Lothar
7
0
406
Jul ’24
Notarization: The operation couldn't be completed. (SotoS3.S3ErrorType.multipart error 1.)
Hello, For my macOS app, on Xcode version 15.4 (15F31d) on macOS 14.5 (23F79) I follow Organizer > Distribute App > Direct Distribution, and I get a Notary Error "The operation couldn't be completed. (SotoS3.S3ErrorType.multipart error 1.)" It's been happening since 3 days. In the IDEDistribution.verbose.log file I see: https://gist.github.com/atacan/5dec7a5e26dde0ec06a5bc4eb3607461
11
0
899
Jul ’24
Notarytool crashes in Python running in an Apache Webserver
notarytool-2024-07-23-143951.ips I notarytool-2024-07-23-105410.ips have two Mac machines and running the same Python script as a CGI script in an Apache webserver (httpd) installed via Homebrew. The Python script calls the subprocess.run() method to call the notarytool via xcrun. On one server the script runs as expected in the webserver environment and on the other machines it gets an exit code (-)4; SIGILL. On the machines where it fails, the notarytool command works from console, as expected. Additionally, it works if I run the script directly with Python in the console. I launch the same command in a Perl script in the webserver and the same exit code / issue occured. I have the same installed version and setup on both servers for Homebrew Apache Webserver (httpd) Python version (3.9.6) xcrun --version: xcrun version 61. xcrun notarytool --version: 1.0.0 (27) the Mac machines are identical, both are bought and set up at the same time The see similar topics at: https://forums.developer.apple.com/forums/thread/724995 Notarytool was used on a machine as an agent via Jenkins job https://github.com/moses-palmer/pynput/issues/366#issuecomment-1364470827 used Python, gets the same exit code, used in multi-thread environment (maybe like a webserver)
2
0
390
Jul ’24
Notarization error when client upload application to notarization service
After my application was singed on the mac runner, I got an error when my application was uploaded from my Mac runner to the Notarization service. Here is my error: Notarization ended with response: {"uuid":"my_uid","notarizationStatus":{"status":"ERROR","message":"Error happened while uploading file to Apple notarization service","moreInfo":"net.jodah.failsafe.FailsafeException: java.util.concurrent.ExecutionException: Error while parsing the output after the upload of the file to be notarized"}} Does anyone know how to fix it? Thank you very much!
1
0
383
Jul ’24
Notarisation taking around 24hours then accepted
Im using a git actions CI/CD pipeline for my automated deployment and I'd like to include notarisation in this process. Right now when I'm submitting for notarisation manually/locally it's taking around 24 hours and then is eventually successfully accepted. \ Using a git actions server to do this has a cost per minute (and an even higher cost at 10x per minute for a Mac-OS machine), so notarising with a 24hr turn around time is not feasible. Ive submitted my application many times and it's been the same experience each time taking around 24 hours and then being accepted. How can I shorten the time frame on this or even find out what I might be doing wrong to cause such a long time for a response? here my log: { "logFormatVersion": 1, "jobId": "3ccf4652-60dc-4fd1-b281-23d49b2b7bb1", "status": "Accepted", "statusSummary": "Ready for distribution", "statusCode": 0, "archiveFilename": "AudioMap.dmg", "uploadDate": "2024-07-14T16:51:02.848Z", "sha256": "614c5992133d61094b39b6a5d00a225d2fc7efe78ab0e59cd47c78275602cb59", "ticketContents": [ { "path": "AudioMap.dmg", "digestAlgorithm": "SHA-256", "cdhash": "9d4f500a2fd49769b99f921d3fbe8ef753604abe" }, { "path": "AudioMap.dmg/AudioMap.app", "digestAlgorithm": "SHA-256", "cdhash": "b1fa9c86be805ef28c645f3b03631e2e5873ce77", "arch": "arm64" }, { "path": "AudioMap.dmg/AudioMap.app/Contents/Frameworks/libsodium.26.dylib", "digestAlgorithm": "SHA-256", "cdhash": "6228e3fdcd29c080ae45d1bc5a6af10960db8938", "arch": "arm64" }, { "path": "AudioMap.dmg/AudioMap.app/Contents/MacOS/AudioMap", "digestAlgorithm": "SHA-256", "cdhash": "b1fa9c86be805ef28c645f3b03631e2e5873ce77", "arch": "arm64" }, { "path": "AudioMap.dmg/AudioMap.app/Contents/Frameworks/libsodium.26.dylib", "digestAlgorithm": "SHA-256", "cdhash": "6228e3fdcd29c080ae45d1bc5a6af10960db8938", "arch": "arm64" } ], "issues": null }
4
0
653
Jul ’24
xcrun notarytool store-credentials -> HTTP status code: 401. Invalid credentials error
Hi, I am getting following error from following command, although I am 100% sure that I am entering the right credentials: Command: xcrun notarytool store-credentials "MY_PROFILE" --apple-id “***” --team-id "yyy" --password "zzz" Error: Error: HTTP status code: 401. Invalid credentials. Username or password is incorrect. Use the app-specific password generated at appleid.apple.com. Ensure that all authentication arguments are correct. ***->https://appleid.apple.com/account/manage/email and phone number -> apple id email (email address used for developer account) yyy->https://developer.apple.com/account#MembershipDetailsCard/Team ID -> 10 digit nummer zzz->https://appleid.apple.com/account/manage/App-Specific Passwords created and used I just copy pasted every single item from the defined locations above. I would appreciate for an answer. Best Regards
2
0
764
Jul ’24
Inquiry About Using notarytool on a Separate Machine for Notarizing macOS Apps
Hello, I am currently developing a macOS application using macOS 10.15.7 and Xcode 11.1. My application is distributed directly to users via a server, not through the App Store. I recently came across the following announcement: "Starting November 1, 2023, the Apple notary service no longer accepts uploads from altool or Xcode 13 or earlier. If you notarize your Mac software with the Apple notary service using the altool command-line utility or Xcode 13 or earlier, you need to transition to the notarytool command-line utility or upgrade to Xcode 14 or later." Given this change, I understand that I need to use notarytool or upgrade to Xcode 14 or later for notarization. However, upgrading my current development environment is not feasible at the moment. I would like to know if it is possible to build my application on my current environment (macOS 10.15.7 and Xcode 11.1) and then transfer the built application to a separate machine running macOS 11.0 or later with Xcode 14 or later installed, to perform the notarization using notarytool. Could you please confirm if this approach is acceptable and if there are any specific steps or considerations I should be aware of when using notarytool on a separate machine for notarizing my application? Thank you for your assistance. Best regards, WJohn
1
0
573
Jul ’24
Terminal Bus error: 10 during xcrun notarytool submit
This afternoon notarization started throwing an error in terminal. I confirmed that the NOTARIZE_APP_LOG was created, but empty. I have been notarizing our apps on this machine (intel-12.7) with Xcode 13.4.1 for over a year without issue. Any suggestions would be greatly appreciated 9192 Bus error: 10 xcrun notarytool submit --apple-id "$ASC_USERNAME" --password "$ASC_PASSWORD" --team-id "$ASC_TEAM" "$ZIP_PATH" > "$NOTARIZE_APP_LOG" 2>&1 Translated Report (Full Report Below) Process: notarytool [9192] Path: /Library/Developer/CommandLineTools/usr/bin/notarytool Identifier: notarytool Version: ??? Code Type: X86-64 (Native) Parent Process: bash [2167] Responsible: Terminal [2142] User ID: 501 Date/Time: 2024-07-02 16:29:33.5256 -0600 OS Version: macOS 12.7 (21G816) Report Version: 12 Bridge OS Version: 8.0 (21P365) Anonymous UUID: 9AFB52C6-5CA1-7AE0-C249-9D090ABDFD28 Time Awake Since Boot: 820 seconds System Integrity Protection: enabled Crashed Thread: 1 Dispatch queue: nio.nioTransportServices.connectionchannel Exception Type: EXC_BAD_ACCESS (SIGBUS) Exception Codes: KERN_PROTECTION_FAILURE at 0x0000700009d77ff0 Exception Codes: 0x0000000000000002, 0x0000700009d77ff0 Exception Note: EXC_CORPSE_NOTIFY Termination Reason: Namespace SIGNAL, Code 10 Bus error: 10 Terminating Process: exc handler [9192]
5
1
636
Jul ’24
Agreed to legal agreements but still get "required agreement is missing or has expired"
We've been notarizing apps for a while now and have been through agreement changes before. But we still keep getting the following error when trying to notarize: Conducting pre-submission checks for myapp.dmg and initiating connection to the Apple notary service... Error: HTTP status code: 403. A required agreement is missing or has expired. This request requires an in-effect agreement that has not been signed or has expired. Ensure your team has signed the necessary legal agreements and that they are not expired. We've been through every document in our account to ensure it is signed. Is there any way to determine what document is not signed or what our issue is ? ...thanks
2
0
886
Jul ’24
Notarization submissions stuck on 'In Progress'
Good day, I'm trying to get my app notarized, so I can distribute it, but my submissions get stuck on 'In Progess'. On the 20th of June I made several submissions which seems to have disappeared. When I do 'xcrun notarytool history' they are not there anymore. On the 21th Of June I made 2 new submission attempts with ids d68ca68e-ddfb-42c2-a491-0b24ac6efdc2 and 5f0118c9-0edd-4213-827b-a2ff53e40f27, which had been running for several hours last time I checked on the the 21th, but have also disappeared over the weekend from my history. I checked the app with the steps described here: https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues, but all the checks were fine. Since there is no error message or log, I have no clue why my submissions get stuck on 'In Progress' or disappear. I've just submitted a new attempt with id 23a39a69-79a8-435c-a500-17ce1422c1fc and again it's stuck. Can anybody give any assistance?
0
0
485
Jun ’24
Gatekeeper blocks command line tool after signing and notarization
I have signed and notarized a single executable file command line tool developed outside Xcode, and distributed outside of the App store by way of a download from a website as follows below, but nevertheless gatekeeper blocks running the tool with the usual message, just like without signing or notarization. If I remove the com.apple.quarantine xattr, the tool runs as it should without gatekeeper interference, as expected. I have browsed countless posts here, with similar issues, but in the end I can't find what's wrong with the process. From what I gather, as long as the target Mac is connected to the Internet, stapling should not be required (I do understand I can't staple a single file executable command line tool), although Gatekeeper would be expected to complain in the case of the first run being done without Internet connection. The certificate is a "Developer Id Application" certificate, installed and valid on the machine doing the signing. It is unclear to me what the distinction is between "Developer Id Application" and "Developer Id Installer" certificates, but it's confusing that using -t install with spctl will actually accept the app. The app is open source and available on GitHub (although the full distribution packaging is done in a separate build environment with some additional logic). The app used below as the target for signing and notarization is available to download from https://www.axantum.com/ in a .tar.gz archive. Here follows a log of commands and output: XecretsCli.plist: (This was necessary to add to the signing to avoid corruption of the executable by the code signing) codesign -s GCXRMT5SQC -f --timestamp -s 0CF6800E595AA6DE9EBB905066619A9BFDD17A77 --entitlements XecretsCli.plist -o runtime XecretsCli codesign -d -vvv --entitlements :- XecretsCli Executable=/Users/svante/Downloads/XecretsCli-Osx-2.3.567 3/XecretsCli Identifier=XecretsCli Format=Mach-O thin (x86_64) CodeDirectory v=20500 size=271478 flags=0x10000(runtime) hashes=8473+7 location=embedded Hash type=sha256 size=32 CandidateCDHash sha256=d3a8216fcb22b4a4af7bd0157ecc3d2b6be9f9b2 CandidateCDHashFull sha256=d3a8216fcb22b4a4af7bd0157ecc3d2b6be9f9b20c9e3c17e107f08c7ae75c5a Hash choices=sha256 CMSDigest=d3a8216fcb22b4a4af7bd0157ecc3d2b6be9f9b20c9e3c17e107f08c7ae75c5a CMSDigestType=2 CDHash=d3a8216fcb22b4a4af7bd0157ecc3d2b6be9f9b2 Signature size=8987 Authority=Developer ID Application: Axantum Software AB (GCXRMT5SQC) Authority=Developer ID Certification Authority Authority=Apple Root CA Timestamp=Jun 20, 2024 at 13:26:05 Info.plist=not bound TeamIdentifier=GCXRMT5SQC Runtime Version=13.1.0 Sealed Resources=none Internal requirements count=1 size=172 Warning: Specifying ':' in the path is deprecated and will not work in a future release codesign -v -vvv --strict --deep XecretsCli XecretsCli: valid on disk XecretsCli: satisfies its Designated Requirement zip XecretsCli.zip XecretsCli adding: XecretsCli (deflated 63%) xcrun notarytool submit "XecretsCli.zip" --keychain-profile "Notarize" --wait Conducting pre-submission checks for XecretsCli.zip and initiating connection to the Apple notary service... Submission ID received id: e5990902-3101-42de-a1a6-b9ea40b944b8 Upload progress: 100.00% (12.4 MB of 12.4 MB) Successfully uploaded file id: e5990902-3101-42de-a1a6-b9ea40b944b8 path: /Users/svante/Downloads/XecretsCli-Osx-2.3.567 3/XecretsCli.zip Waiting for processing to complete. Current status: Accepted........ Processing complete id: e5990902-3101-42de-a1a6-b9ea40b944b8 status: Accepted spctl -a -vvv XecretsCli XecretsCli: rejected (the code is valid but does not seem to be an app) origin=Developer ID Application: Axantum Software AB (GCXRMT5SQC) spctl -a -vvv -t install XecretsCli XecretsCli: accepted source=Notarized Developer ID origin=Developer ID Application: Axantum Software AB (GCXRMT5SQC) Trying to run the executable: "XecretsCli" can't be opened because the identity of the developer cannot be confirmed. Your security preferences allow installation of only apps from the App Store and identified developers. Chrome downloaded this file today at 10:37. OK
3
0
747
Jun ’24
codesign py2app bundle format unrecognized, invalid, or unsuitable
Error code 1 "bundle format unrecognized, invalid, or unsuitable" Yea, I'm trying to codesign a python app which has been bundled with py2app, but without success. The codesign process logs a whole bunch of files with the above error. def sign_file(file_path, certificate_common_name, hardened_runtime=False): sign_command = [ "codesign", "-s", certificate_common_name, "--force", "--timestamp", "-v", file_path ] if hardened_runtime: sign_command.append("--options=runtime") success, message = run_command(sign_command) there are literally hundreds of files that fail, and the path may look something like this; code/dist/Impulse.app/Contents/Resources/lib/python3.10/plotly/validators/splom/marker: Needless to say that notorization returns "failed" Any help would be greatly appreciated. Steven
4
0
761
Jun ’24
Notarisation failing with “The signature of the binary is invalid"
Error: { “logFormatVersion”: 1, “jobId”: “1654af2a-ff0e-46ff-8839-5c374e63228b”, “status”: “Invalid”, “statusSummary”: “Archive contains critical validation errors”, “statusCode”: 4000, “archiveFilename”: “LocalApp-macosx.zip”, “uploadDate”: “2024-06-12T05:33:53.719Z”, “sha256”: “28ffff0e2c33b2f57a9f1c25677e84232bfa04b1ef5341130afbbf18093ba0ab”, “ticketContents”: null, “issues”: [ { “severity”: “error”, “code”: null, “path”: “LocalApp-macosx.zip/LocalApp-macosx.app/Contents/Resources/Java/Disk1/InstData/Resource1.zip/$BUILD_ROOT$/Desktop/collaborator.app_zg_ia_sf.jar/Contents/MacOS/applet”, “message”: “The signature of the binary is invalid.”, “docUrl”: "“Resolving common notarization issues | Apple Developer Documentation ", “architecture”: “i386” }, { “severity”: “error”, “code”: null, “path”: “LocalApp-macosx.zip/LocalApp-macosx.app/Contents/Resources/Java/Disk1/InstData/Resource1.zip/$BUILD_ROOT$/Desktop/collaborator.app_zg_ia_sf.jar/Contents/MacOS/applet”, “message”: “The signature of the binary is invalid.”, “docUrl”: ““Resolving common notarization issues | Apple Developer Documentation”, “architecture”: “x86_64” } ] } Why is the binary regarded as invalid and what remedy is recommended?
1
0
578
Jun ’24