I've been waiting over an hour at this point—is something down or is the pipeline just really, really backed up?
Notarization
RSS for tagNotarization is the process of scanning Developer ID-signed software for malicious components before distribution outside of the Mac App Store.
Post
Replies
Boosts
Views
Activity
Hi there,
I'm in a process to move from altool to notarytool, following information found at TN3147.
First, TN3147 says the team-id is optional if my account has only one team membership, which is the case, but the notarytool says it's mandatory and I do have to use it (not an issue).
Now, the issue I face:
$ security unlock-keychain -p prorogue-stake-unused /Users/comp/Library/Keychains/my.keychain
$ xcrun altool --username $APPLEID --password "@keychain:MYPASSWORD" --notarization-history 0
.. it displays the notarization history as expected ..
but:
$ xcrun notarytool history --apple-id $APPLEID --team-id $TEAMID --password "@keychain:MYPASSWORD"
Error: HTTP status code: 401. Invalid credentials. Username or password is incorrect. Use the app-specific password generated at appleid.apple.com. Ensure that all authentication arguments are correct.
The password is supposed work with both tools, according to TN3147. What am I missing?
Besr regards,
Hi there,
I want to build an application that can be run on different macos machines. That app uses libpython3.11.dylib.
It could not be just linked with libpython because in out binary path to library may be different:
/System/Library/Frameworks/Python.framework/...
/usr/local/Cellar/python/3.X.Y/Frameworks/Python.framework/Versions/...
/Library/Frameworks/Python.framework/Versions/...
$(pyenv root)/versions/{VERSION}
....
I need to ensure that the application uses the Python library corresponding to the Python version that the user is using.
Attempted to make a workaround by creating a symlink to the current library and setting the library path to @executable_path/../lib/libpython3.11.dylib, but it did not work. Here's the error I encountered:
% /Users/user/Downloads/xtensa-esp-elf-gdb/bin/xtensa-esp-elf-gdb-3.11
dyld[92502]: Library not loaded: @executable_path/../lib/libpython3.11.dylib
Referenced from: <F6F408DC-F698-3545-9C75-82486ADA77BE> /Users/user/Downloads/xtensa-esp-elf-gdb/bin/xtensa-esp-elf-gdb-3.11
Reason: tried: '/Users/user/Downloads/xtensa-esp-elf-gdb/lib/libpython3.11.dylib' (code signature in <666A28FE-7CD3-384C-A727-7DE3D98625A2> '/Library/Frameworks/Python.framework/Versions/3.11/Python' not valid for use in process: mapping process and mapped file (non-platform) have different Team IDs), '/System/Volumes/Preboot/Cryptexes/OS@executable_path/../lib/libpython3.11.dylib' (no such file), '/Users/user/Downloads/xtensa-esp-elf-gdb/lib/libpython3.11.dylib' (code signature in <666A28FE-7CD3-384C-A727-7DE3D98625A2> '/Library/Frameworks/Python.framework/Versions/3.11/Python' not valid for use in process: mapping process and mapped file (non-platform) have different Team IDs), '/usr/lib/libpython3.11.dylib' (no such file, not in dyld cache)
zsh: abort
I cannot distribute libpython within the application because it requires Python modules. Moreover, the application should use Python modules that are installed on the user's system.
What can I do to make this work properly? E.g. user have pythons installed:
/usr/local/Cellar/python/3.11.3/Frameworks/Python.framework/Versions/3.11...
/Library/Frameworks/Python.framework/Versions/3.11/...
Obviously, the user has only one active Python from this list. How can my application use the correct libpython?
When I run notarytool submit in my github workflow, I get what appears to be some kind of segmentation fault.
Here's a direct link to the exception output:
https://github.com/recyclarr/recyclarr/actions/runs/6594346352/job/17918152266#step:6:43
My project is open source, so you can also view the shell script I use in the workflow itself:
https://github.com/recyclarr/recyclarr/blob/update-notary-tool/ci/notarize.sh
The script above contains this:
#!/usr/bin/env bash
set -xe
user="$1"
pass="$2"
teamId="$3"
archivePath="$4"
function submit() {
xcrun notarytool submit --wait \
--apple-id "$user" \
--password "$pass" \
--team-id "$teamId" \
recyclarr.zip | \
awk '/id: / { print $2;exit; }'
}
function log() {
xcrun notarytool log \
--apple-id "$user" \
--password "$pass" \
--team-id "$teamId" \
"$1"
}
tar -cvf recyclarr.tar "$archivePath"
zip recyclarr.zip recyclarr.tar
submissionId="$(submit)"
rm recyclarr.zip recyclarr.tar
if [[ -z "$submissionId" ]]; then
exit 1
fi
echo "Submission ID: $submissionId"
until log "$submissionId"
do
sleep 2
done
The error (from the workflow run) is:
2023-10-21 01:24:18.817 notarytool[4894:25434] *** Terminating app due to uncaught exception 'NSFileHandleOperationException', reason: '*** -[_NSStdIOFileHandle writeData:]: Broken pipe'
*** First throw call stack:
(
0 CoreFoundation 0x00007ff8106c4773 __exceptionPreprocess + 242
1 libobjc.A.dylib 0x00007ff810424bc3 objc_exception_throw + 48
2 Foundation 0x00007ff8115b5962 -[NSConcreteFileHandle readDataUpToLength:error:] + 0
3 Foundation 0x00007ff811497590 -[NSConcreteFileHandle writeData:] + 263
4 notarytool 0x000000010bcff026 notarytool + 462886
5 notarytool 0x000000010bcb780d notarytool + 169997
6 notarytool 0x000000010bcd37c6 notarytool + 284614
7 notarytool 0x000000010bcea719 notarytool + 378649
8 notarytool 0x000000010bcd3d19 notarytool + 285977
9 notarytool 0x000000010bcd2a4e notarytool + 281166
10 notarytool 0x000000010bcd5009 notarytool + 290825
11 notarytool 0x000000010bc8fe66 notarytool + 7782
12 dyld 0x000000011781b52e start + 462
)
libc++abi: terminating with uncaught exception of type NSException
I do not get this error when I run this script directly on my 2023 MBP. It only appears to happen in my github workflow.
Is this a bug in notarytool? Notarization appears to still complete, and I also get a submission ID I can use for the notarytool log command I run after.
Ok so I've just swapped over from altool to notarytool and submitted my first app, notarytool tells me Successfully uploaded, and having waited 30mins (which would be some sort of record wait for altool) info tells me status:Accepted
I notice elsewhere that there are comments that the first submission can take some time - even days - but as I've done A LOT of notarizing over the last couple of years I wouldnt classify myself as submitting my first request... or is that more properly "my first request with notarytool"?
If so - happy to sit and wait for a couple of days this first time thru....
Hello.
I am doing a migration from altool to notarytool.
I am doing the above on an enterprise network which is not able to communicate with the outside world except for some URLs, ports.
Previously, when I was using altool to execute notarize, I requested the administrator to open url, port by referring to the document below, and so far, it is proceeding without any problem.
[https://support.apple.com/en-us/HT210060]
The problem is that when I use notarytool to notarize, it tries to access a new domain called appstoreconnect.apple.com, which is not in the documentation above.
Did I need to ask my network administrator to allow only the above URL or the other? Or is there another way to do notarize without accessing that URL?
If there is any additional documentation on opening hosts and ports that I am not aware of, I would appreciate it if you could point me to it.
I'm using the "notarytool store-credentials" command to store my access credentials for notarizing our apps from a build server through Jenkins.
The machine is a Mac Mini M1 running Ventura.
This works per se but for a reason I don't understand, I need to do this repeatedly.
When I store the credentials, it will work for the next hours but at some point the machine will "forget" the access credentials resulting in this error output:
Conducting pre-submission checks for <app name> and initiating connection to the Apple notary service...
Error: No Keychain password item found for profile: notarization
Run 'notarytool store-credentials' to create another credential profile.
I then have to run the store-credentials command again so I can use it again for the next few hours. This is obviously quite annoying especially since it's absolutely not obvious why it behaves that way.
The machine is on 24/7 and I don't see why the keychain item gets removed.
I'd appreciate any insight and would like to know what I have to do to store the credentials permanently.
I'm attempting to notarize and distribute a game built with Love2D. Love2D is an engine which runs games written in Lua and bundled into .love files, which are identical to .zip files. Packaging a game for Mac distribution involves cloning the Love2D Xcode project, providing your built game.love file (the zipped game content), and then signing and notarizing as with any other Mac app (see more on the Love2D wiki: https://love2d.org/wiki/Game_Distribution#Creating_a_macOS_Application).
I'm encountering an issue because my game contains compiled C binaries which the game loads at runtime. These binaries are compiled for MacOS x86 and arm64, and work perfectly in development. I am able to successfully build and sign the game with my Developer ID Application certificate and provisioning profile, but notarization of the game fails because the compiled C binaries are not signed; below is an excerpt from the audit log:
{
"severity": "error",
"code": null,
"path": "Bang_Average_Football.zip/love.app/Contents/Resources/game.love/deps/gifcatlib_arm64.so",
"message": "The binary is not signed with a valid Developer ID certificate.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
"architecture": "arm64"
},
I can sign these binaries using codesign and the same certificate as the Mac app like so (with the correct name):
codesign --sign "Developer ID Application: Firstname Lastname" --verbose=4 gifcatlib_arm64.so
After signing the binaries, the app successfully builds, and is notarized successfully without reporting any code signing issues. Hooray! The issue is that the app doesn't actually run and crashes as soon as it attempts to use any of the now-signed binaries complaining that they haven't been signed correctly. Here's a link to the full crash log; the specific error is below:
Exception Type: EXC_BAD_ACCESS (SIGKILL (Code Signature Invalid))
Exception Codes: UNKNOWN_0x32 at 0x000000010a9c8000
Exception Codes: 0x0000000000000032, 0x000000010a9c8000
Exception Note: EXC_CORPSE_NOTIFY
Termination Reason: Namespace CODESIGNING, Code 2
The same error occurs even with Hardened Runtime disabled and 'Disable Library Validation' enabled.
Is there a likely cause of this crash? Why does notarization succeed but the app essentially instacrashes? Have I signed the binaries incorrectly? Is what I'm attempting not actually possible? (can signed and unsigned binaries not really be hotswapped like this?)
Please let me know if there's any more information I should provide.
Thanks,
Ruairi
I signed my application in MacOS 13.4, and the signed objects include all the binary files I compiled myself, and notarizing also works. It can also run normally on my version 13.4 Mac. However, when I copied this application to a computer with Mac OS version 11.3, it couldn't run properly.
Dlopen will generate an error message, indicating that some of the dynamic libraries called by the program do not match the signature of the program itself. These dynamic libraries are from JRE, so I re-signed them and notarizing also works.
In MacOS 13.4, it still runs normally, but in MacOS 11.3, it will report another error:
Error occurred during initialization of VM
Could not reserve enough space for code cache
What is the reason for this and how should I handle it? Thank you in advance for any comments on this issue.
When I try to store my credentials using the notary tool, I get the following:
/Applications/Xcode.app/Contents/Developer/usr/bin/notarytool store-credentials --verbose
[00:44:33.975Z] Debug [MAIN] Running notarytool version: 1.0.0 (27), date: 2023-10-03T00:44:33Z, command: /Applications/Xcode.app/Contents/Developer/usr/bin/notarytool store-credentials --verbose
This process stores your credentials securely in the Keychain. You reference these credentials later using a profile name.
Profile name:
build
We recommend using App Store Connect API keys for authentication. If you'd like to authenticate with an Apple ID and app-specific password instead, leave this unspecified.
Path to App Store Connect API private key:
./private_keys/AuthKey_QHBB38VH7L.p8
App Store Connect API Key ID:
storieddata
App Store Connect API Issuer ID:
69a6de6f-872e-47e3-e053-5b8c7c11a4d1
Validating your credentials...
[00:45:08.825Z] Info [API] Initialized Notary API with base URL: https://appstoreconnect.apple.com/notary/v2/
[00:45:08.826Z] Info [API] Preparing GET request to URL: https://appstoreconnect.apple.com/notary/v2/test?, Parameters: [:], Custom Headers: private<Dictionary<String, String>>
[00:45:08.827Z] Debug [JWT] Generating new JWT for key ID: storieddata.
[00:45:08.829Z] Info [JWT] Caching newly generated JWT. key ID: storieddata, JWT: private<String>
[00:45:08.830Z] Debug [AUTHENTICATION] Authenticating request with App Store Connect API credentials. Key ID: storieddata, Issuer ID: 69a6de6f-872e-47e3-e053-5b8c7c11a4d1
[00:45:08.831Z] Debug [TASKMANAGER] Starting Task Manager loop to wait for asynchronous HTTP calls.
[00:45:09.243Z] Debug [API] **Received response status code: 401, message: unauthorized, URL: https://appstoreconnect.apple.com/notary/v2/test?,** Correlation Key: ZYHO7EDNX52XJBTRMIOUWGIVZI
[00:45:09.244Z] Error [API] Received non-JSON response body from Notary API, URL: https://appstoreconnect.apple.com/notary/v2/test?
[00:45:09.245Z] Error [TASKMANAGER] Completed Task with ID 1 has encountered an error.
[00:45:09.246Z] Debug [TASKMANAGER] Ending Task Manager loop.
Credential validation failed. Please verify your inputs.
I have double checked the input, and everything is correct.
I am having an issue trying to notarize app with a bundled binary using notarytool. Everything is signed properly, but the notarization status of every submission I've tried over the past two days have just been stuck on In Progress. I even tried submitting something else but this is also stuck on In Progress.
Successfully received submission history.
history
--------------------------------------------------
createdDate: 2023-10-01T15:34:36.959Z
id: 8461c5b0-51d0-4c00-8391-4dcb541f2ccf
name: flot.zip
status: In Progress
--------------------------------------------------
createdDate: 2023-10-01T15:13:46.537Z
id: 4fd3e79c-74e2-4824-bc5c-c63c305243c3
name: flot.zip
status: Invalid
--------------------------------------------------
createdDate: 2023-10-01T14:29:52.668Z
id: fc8bc0ae-8e17-4286-86b5-48d71d08175c
name: flot-Mac-2.0.0-Installer.dmg
status: In Progress
I'm integrating Notary API, in our CI/CD pipelines.
It all works well for notarization, but there is no mention of how to obtain the signing ticket nor how to staple it to the dmg.
Do I need to use for that the:
xcrun stapler staple
I was hoping that with use of the Notary API, I can avoid requiring xtools and developer id on the machine.
Hi there,
I could use some help with notarizing. I'm developing a Python module in the Rust programming language. The extension of the resulting library file is .so, which is necessary for Python to see it, instead of the regular .dylib. I compile this library for both apple silicon and intel.
When a user first imports the library which in turn imports the library, and the user is confronted with Gatekeeper.
So I guess I need to notarize the module file. And that's where I'm stuck. I created an Apple developer account, created a "Developer ID Application" certificate and used codesign to sign the .so file with it. That worked.
I then used ditto to create a zip file with just the .so file: "ditto -c -k --keepParent my_module.so my_module.zip"
The 600 kb file quickly uploads to Apple and I get an ID for checking the logs later on. Then I wait for the progress........ And nothing happens for hours on end. When I check the logs for the provided ID I get this message: "Submission log is not yet available or submissionId does not exist"
I also checked if perhaps the notarization did work regardless of the above, with "spctl -a -t exec -vvv ./my_module.so". Says it's rejected, source=Unnotarized Developer ID.
There is not much that I can work with, because I don't get an error message. Any ideas?
Have fun,
Wybren
I've tried to notarize my app recently and got the error:{
"logFormatVersion": 1,
"jobId": "...",
"status": "Rejected",
"statusSummary": "Team is not yet configured for notarization",
"statusCode": 7000,
"archiveFilename": "myapp.dmg",
"uploadDate": "2019-06-20T06:24:53Z",
"sha256": "...",
"ticketContents": null,
"issues": null
}I've never heard about "team configuration for notarization" previously. What are the steps to resolve that issue?Thanks in advance.
Hi!
Trying to use notarytool for an app notarization via script on CD pipeline. Build machine has an Xcode 12.5 installed and currently it can't be upgraded. So, our team decided to use utility as standalone binary, placed in the /Applications directory.
The command used for notarization: '/Applications/notarytool submit '<path>' --keychain-profile '<profile-name>' --output-format 'json' --wait'.
Before running the command above, we saved keychain profile with notarytool store-credentials command. However, future runs of notarization script fail with a message: 'Error: No Keychain password item found for profile: '. But we definitely see it among Keychain entries and 'security find-generic-password -l ' command approves that profile has been saved.
Did anyone encounter a similar issue? Can someone suggest what how to cope with this behavior?
Thank you in advance for any ideas
MyPythonExe is a compiled file coming from a python script compiled with using pyinstaller. After compiled, it was signed using codesign:
codesign -s "Developer ID TTT", -o runtime -f --timestamp MyPythonExe
Once signed, the exe was placed in a Zip container (exeZip), and then successfully notarized using the following:
xcrun notarytool submit exeZip --keychain-profile "MyNotarProf" --wait
It was accepted.
Now, when try to run it, the following error was thrown (oddly, the compiled unsigned Exe runs in the same computer without any issues):
/Users/admin/Downloads/MyPythonExe ; exit;
admin@admins-MacBook-Air ~ % /Users/admin/Downloads/MyPythonExe ; exit;
[1767] Error loading Python lib '/var/folders/80/35xy0t2n3t96b5nl5ldl24_r0000gn/T/_MEIEhOx1q/Python': dlopen: dlopen(/var/folders/80/35xy0t2n3t96b5nl5ldl24_r0000gn/T/_MEIEhOx1q/Python, 0x000A): tried: '/var/folders/80/35xy0t2n3t96b5nl5ldl24_r0000gn/T/_MEIEhOx1q/Python' (code signature in <88BFFD37-99D8-36AB-9B95-9F54B30BD667> '/private/var/folders/80/35xy0t2n3t96b5nl5ldl24_r0000gn/T/_MEIEhOx1q/Python' not valid for use in process: mapped file has no Team ID and is not a platform binary (signed with custom identity or adhoc?)), '/System/Volumes/Preboot/Cryptexes/OS/var/folders/80/35xy0t2n3t96b5nl5ldl24_r0000gn/T/_MEIEhOx1q/Python' (no such file), .... (+ a couple of similar errors)
No, the said exe file (MyPythonExe) was signed and successfully notarized. Oddly, the very same file, but unsigned runs perfectly well (after being authorized so it can surpass Gatekeeper, of course). What could be going on here? Any hint on how to overcome this issue?
I'm trying to staple a validation ticket to an exe file that is already notarized. The process ended with the following error:
Downloaded ticket has been stored at file:///var/folders/bj/ry08v0694972s03cswkq5md80000gq/T/7f1a34f0-8628-4157-92b0-b59cebe70951.ticket.
Could not remove existing ticket from file:///Users/efi-admin/Downloads/ActualSignedFile/Contents/CodeResources because an error occurred. Error Domain=NSCocoaErrorDomain Code=512 "“CodeResources” couldn’t be removed." UserInfo={NSUserStringVariant=(
Remove
), NSFilePath=/Users/efi-admin/Downloads/ActualSignedFile/Contents/CodeResources, NSUnderlyingError=0x600000151e90 {Error Domain=NSPOSIXErrorDomain Code=20 "Not a directory"}}
The staple and validate action failed! Error 73.
The above was captured using the verbose option of the cmd...
Among the response, I can see the ticket:
fields = {
signedTicket = {
type = BYTES;
value = "czhjaAEAAADxBQAALQAAADCCBe0wggL/MIICpKADAgECAghWLFU2G59vVTAKBggqhkjOPQQDAjByMSYwJAYDVQQDDB1BcHBsZSBTeXN0ZW0gSW50ZWdyYXRpb24gQ0EgNDEmMCQGA1UE.... (partial)
I need help to properly understand what is this cmd doing as the issue might be permissions one.
The path mentioned above under /ActualSignedFile:
/ActualSignedFile/Contents/CodeResources
Does not exist. Is that the cmd wants to create it?
Is there any way to manually attach the ticket to the file, given the fact that is printed in verbose mode?
Thanks!
Any help will he highly appreciated!
I am trying to notarise a .dmg of my desktop application, but the process seems to just hang on 'In Progress'. It's not actually hanging, as I accumulate extra '.', but clearly it isn't working.
This exact same codebase notarised fine recently. The only change has been a downgrade in OS from Monterey to Big Sur.
I appreciate this is unusual, but I am required to support my client, who is running a 2013 MacBook Pro with Big Sur.
I appreciate that some of these tools are newer than Big Sur, but surely it should work?
I'm trying to notarize a simple Electron app (packaged with electron-forge, zip size: 150MB) using new notarytool.
When submitting the bundle it hangs on IN PROGRESS for more than 20 hours with no result yet.
I verified the app is signed.
Anybody has an idea what's wrong?
notarytool version: 1.0.0 (28)
Hello,
I have a valid developer ID downloaded from Apple. I signed the code (compiled exe file for intel Macs) and put it into a ZIP, which I also signed.
While signing I use timestamp and hardener option:
codesign -s "$LbaDevID" -o runtime -f --timestamp $conFile3
codesign -s "$LbaDevID" -o runtime -f --timestamp $conZip3
where variable $LbaDevID represent my Dev code id (VALID, downloaded from Apple after request cert; and $conFile3 the path to the exe file and $conZip3 the path to the ZIP (just $conFile3 zipped)
I attempt to notarize using the following command:
xcrun notarytool submit $compZip3 --keychain-profile "TestAppNotarz" --wait
the reply Log downloaded says:
Invalid dev ID (which is valid)
no timestamp... I corrected this error after the 1st attempt but the reply says exactly the same, even when I can see "TIMESTAMP" in the signature.
The third and last error refers to the runtime, which is present but not being seen.
Any help on how to troubleshoot this issue will be highly appreciated!
Please point me to the relevant documentation to solve this issue...