I have changed our notarization script to use notarytool.
See here:
https://github.com/mixxxdj/mixxx/blob/32d918a8e64fffea7039356de0fa94799e3fcc7e/packaging/macos/sign_notarize_staple.sh#L30
The workflow run timed out after 5 minutes here:
https://github.com/mixxxdj/mixxx/actions/runs/6834172969/job/18586695826
The notarization request is still in progress:
https://appstoreconnect.apple.com/notary/v2/submissions/ef8cf93e-c084-43eb-be1d-7ec2f20f9377
I have tried again, with another request that sucks in a the "status": "In Progress"
I am using Xcode 13.2.1 and macOS 10.12 as deployment target on macOS 11.7.10
What could have gone wrong?
Notarization
RSS for tagNotarization is the process of scanning Developer ID-signed software for malicious components before distribution outside of the Mac App Store.
Post
Replies
Boosts
Views
Activity
I've been waiting over an hour at this point—is something down or is the pipeline just really, really backed up?
I have been using XCODE to distribute macOS apps to a few "testers" by Archiving and then using the button Distribute App -> Developper ID -> using automatic signing and uploading to notary service.
I am aware that Altool is deprecated and stopped working - and of TN3147 - which explains how to migrate using command line/scripts.
However, since I upgraded to XCODE 14.3, I would have thought that the Distribute App button for the archived project no longer uses altool
AmI correct?
where in XCODE can I check if the Distribute App button uses Notary Tool?
or is the only way to transition is to implement the scripts discussed in TN3147 and never use the Distribute App button?
after today using Distribute App button - I have been suck in "In-Progress" for more than 1 hour - when I just made a rather small update to the code of this previously notarized app - which usually gets notarize very quickly.
I will get into svripts etc. per TN3147 if I have too - but I was just wondering why XCODE 14.3 Distribute App would not be already "wired" to use the notarytoll (as it used to be for altool in previous version?
Thanks
When I run notarytool submit in my github workflow, I get what appears to be some kind of segmentation fault.
Here's a direct link to the exception output:
https://github.com/recyclarr/recyclarr/actions/runs/6594346352/job/17918152266#step:6:43
My project is open source, so you can also view the shell script I use in the workflow itself:
https://github.com/recyclarr/recyclarr/blob/update-notary-tool/ci/notarize.sh
The script above contains this:
#!/usr/bin/env bash
set -xe
user="$1"
pass="$2"
teamId="$3"
archivePath="$4"
function submit() {
xcrun notarytool submit --wait \
--apple-id "$user" \
--password "$pass" \
--team-id "$teamId" \
recyclarr.zip | \
awk '/id: / { print $2;exit; }'
}
function log() {
xcrun notarytool log \
--apple-id "$user" \
--password "$pass" \
--team-id "$teamId" \
"$1"
}
tar -cvf recyclarr.tar "$archivePath"
zip recyclarr.zip recyclarr.tar
submissionId="$(submit)"
rm recyclarr.zip recyclarr.tar
if [[ -z "$submissionId" ]]; then
exit 1
fi
echo "Submission ID: $submissionId"
until log "$submissionId"
do
sleep 2
done
The error (from the workflow run) is:
2023-10-21 01:24:18.817 notarytool[4894:25434] *** Terminating app due to uncaught exception 'NSFileHandleOperationException', reason: '*** -[_NSStdIOFileHandle writeData:]: Broken pipe'
*** First throw call stack:
(
0 CoreFoundation 0x00007ff8106c4773 __exceptionPreprocess + 242
1 libobjc.A.dylib 0x00007ff810424bc3 objc_exception_throw + 48
2 Foundation 0x00007ff8115b5962 -[NSConcreteFileHandle readDataUpToLength:error:] + 0
3 Foundation 0x00007ff811497590 -[NSConcreteFileHandle writeData:] + 263
4 notarytool 0x000000010bcff026 notarytool + 462886
5 notarytool 0x000000010bcb780d notarytool + 169997
6 notarytool 0x000000010bcd37c6 notarytool + 284614
7 notarytool 0x000000010bcea719 notarytool + 378649
8 notarytool 0x000000010bcd3d19 notarytool + 285977
9 notarytool 0x000000010bcd2a4e notarytool + 281166
10 notarytool 0x000000010bcd5009 notarytool + 290825
11 notarytool 0x000000010bc8fe66 notarytool + 7782
12 dyld 0x000000011781b52e start + 462
)
libc++abi: terminating with uncaught exception of type NSException
I do not get this error when I run this script directly on my 2023 MBP. It only appears to happen in my github workflow.
Is this a bug in notarytool? Notarization appears to still complete, and I also get a submission ID I can use for the notarytool log command I run after.
Ok so I've just swapped over from altool to notarytool and submitted my first app, notarytool tells me Successfully uploaded, and having waited 30mins (which would be some sort of record wait for altool) info tells me status:Accepted
I notice elsewhere that there are comments that the first submission can take some time - even days - but as I've done A LOT of notarizing over the last couple of years I wouldnt classify myself as submitting my first request... or is that more properly "my first request with notarytool"?
If so - happy to sit and wait for a couple of days this first time thru....
Hi there,
I'm in a process to move from altool to notarytool, following information found at TN3147.
First, TN3147 says the team-id is optional if my account has only one team membership, which is the case, but the notarytool says it's mandatory and I do have to use it (not an issue).
Now, the issue I face:
$ security unlock-keychain -p prorogue-stake-unused /Users/comp/Library/Keychains/my.keychain
$ xcrun altool --username $APPLEID --password "@keychain:MYPASSWORD" --notarization-history 0
.. it displays the notarization history as expected ..
but:
$ xcrun notarytool history --apple-id $APPLEID --team-id $TEAMID --password "@keychain:MYPASSWORD"
Error: HTTP status code: 401. Invalid credentials. Username or password is incorrect. Use the app-specific password generated at appleid.apple.com. Ensure that all authentication arguments are correct.
The password is supposed work with both tools, according to TN3147. What am I missing?
Besr regards,
Hello.
I am doing a migration from altool to notarytool.
I am doing the above on an enterprise network which is not able to communicate with the outside world except for some URLs, ports.
Previously, when I was using altool to execute notarize, I requested the administrator to open url, port by referring to the document below, and so far, it is proceeding without any problem.
[https://support.apple.com/en-us/HT210060]
The problem is that when I use notarytool to notarize, it tries to access a new domain called appstoreconnect.apple.com, which is not in the documentation above.
Did I need to ask my network administrator to allow only the above URL or the other? Or is there another way to do notarize without accessing that URL?
If there is any additional documentation on opening hosts and ports that I am not aware of, I would appreciate it if you could point me to it.
I'm attempting to notarize and distribute a game built with Love2D. Love2D is an engine which runs games written in Lua and bundled into .love files, which are identical to .zip files. Packaging a game for Mac distribution involves cloning the Love2D Xcode project, providing your built game.love file (the zipped game content), and then signing and notarizing as with any other Mac app (see more on the Love2D wiki: https://love2d.org/wiki/Game_Distribution#Creating_a_macOS_Application).
I'm encountering an issue because my game contains compiled C binaries which the game loads at runtime. These binaries are compiled for MacOS x86 and arm64, and work perfectly in development. I am able to successfully build and sign the game with my Developer ID Application certificate and provisioning profile, but notarization of the game fails because the compiled C binaries are not signed; below is an excerpt from the audit log:
{
"severity": "error",
"code": null,
"path": "Bang_Average_Football.zip/love.app/Contents/Resources/game.love/deps/gifcatlib_arm64.so",
"message": "The binary is not signed with a valid Developer ID certificate.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
"architecture": "arm64"
},
I can sign these binaries using codesign and the same certificate as the Mac app like so (with the correct name):
codesign --sign "Developer ID Application: Firstname Lastname" --verbose=4 gifcatlib_arm64.so
After signing the binaries, the app successfully builds, and is notarized successfully without reporting any code signing issues. Hooray! The issue is that the app doesn't actually run and crashes as soon as it attempts to use any of the now-signed binaries complaining that they haven't been signed correctly. Here's a link to the full crash log; the specific error is below:
Exception Type: EXC_BAD_ACCESS (SIGKILL (Code Signature Invalid))
Exception Codes: UNKNOWN_0x32 at 0x000000010a9c8000
Exception Codes: 0x0000000000000032, 0x000000010a9c8000
Exception Note: EXC_CORPSE_NOTIFY
Termination Reason: Namespace CODESIGNING, Code 2
The same error occurs even with Hardened Runtime disabled and 'Disable Library Validation' enabled.
Is there a likely cause of this crash? Why does notarization succeed but the app essentially instacrashes? Have I signed the binaries incorrectly? Is what I'm attempting not actually possible? (can signed and unsigned binaries not really be hotswapped like this?)
Please let me know if there's any more information I should provide.
Thanks,
Ruairi
Hi there,
I want to build an application that can be run on different macos machines. That app uses libpython3.11.dylib.
It could not be just linked with libpython because in out binary path to library may be different:
/System/Library/Frameworks/Python.framework/...
/usr/local/Cellar/python/3.X.Y/Frameworks/Python.framework/Versions/...
/Library/Frameworks/Python.framework/Versions/...
$(pyenv root)/versions/{VERSION}
....
I need to ensure that the application uses the Python library corresponding to the Python version that the user is using.
Attempted to make a workaround by creating a symlink to the current library and setting the library path to @executable_path/../lib/libpython3.11.dylib, but it did not work. Here's the error I encountered:
% /Users/user/Downloads/xtensa-esp-elf-gdb/bin/xtensa-esp-elf-gdb-3.11
dyld[92502]: Library not loaded: @executable_path/../lib/libpython3.11.dylib
Referenced from: <F6F408DC-F698-3545-9C75-82486ADA77BE> /Users/user/Downloads/xtensa-esp-elf-gdb/bin/xtensa-esp-elf-gdb-3.11
Reason: tried: '/Users/user/Downloads/xtensa-esp-elf-gdb/lib/libpython3.11.dylib' (code signature in <666A28FE-7CD3-384C-A727-7DE3D98625A2> '/Library/Frameworks/Python.framework/Versions/3.11/Python' not valid for use in process: mapping process and mapped file (non-platform) have different Team IDs), '/System/Volumes/Preboot/Cryptexes/OS@executable_path/../lib/libpython3.11.dylib' (no such file), '/Users/user/Downloads/xtensa-esp-elf-gdb/lib/libpython3.11.dylib' (code signature in <666A28FE-7CD3-384C-A727-7DE3D98625A2> '/Library/Frameworks/Python.framework/Versions/3.11/Python' not valid for use in process: mapping process and mapped file (non-platform) have different Team IDs), '/usr/lib/libpython3.11.dylib' (no such file, not in dyld cache)
zsh: abort
I cannot distribute libpython within the application because it requires Python modules. Moreover, the application should use Python modules that are installed on the user's system.
What can I do to make this work properly? E.g. user have pythons installed:
/usr/local/Cellar/python/3.11.3/Frameworks/Python.framework/Versions/3.11...
/Library/Frameworks/Python.framework/Versions/3.11/...
Obviously, the user has only one active Python from this list. How can my application use the correct libpython?
I'm using the "notarytool store-credentials" command to store my access credentials for notarizing our apps from a build server through Jenkins.
The machine is a Mac Mini M1 running Ventura.
This works per se but for a reason I don't understand, I need to do this repeatedly.
When I store the credentials, it will work for the next hours but at some point the machine will "forget" the access credentials resulting in this error output:
Conducting pre-submission checks for <app name> and initiating connection to the Apple notary service...
Error: No Keychain password item found for profile: notarization
Run 'notarytool store-credentials' to create another credential profile.
I then have to run the store-credentials command again so I can use it again for the next few hours. This is obviously quite annoying especially since it's absolutely not obvious why it behaves that way.
The machine is on 24/7 and I don't see why the keychain item gets removed.
I'd appreciate any insight and would like to know what I have to do to store the credentials permanently.
I signed my application in MacOS 13.4, and the signed objects include all the binary files I compiled myself, and notarizing also works. It can also run normally on my version 13.4 Mac. However, when I copied this application to a computer with Mac OS version 11.3, it couldn't run properly.
Dlopen will generate an error message, indicating that some of the dynamic libraries called by the program do not match the signature of the program itself. These dynamic libraries are from JRE, so I re-signed them and notarizing also works.
In MacOS 13.4, it still runs normally, but in MacOS 11.3, it will report another error:
Error occurred during initialization of VM
Could not reserve enough space for code cache
What is the reason for this and how should I handle it? Thank you in advance for any comments on this issue.
When I try to store my credentials using the notary tool, I get the following:
/Applications/Xcode.app/Contents/Developer/usr/bin/notarytool store-credentials --verbose
[00:44:33.975Z] Debug [MAIN] Running notarytool version: 1.0.0 (27), date: 2023-10-03T00:44:33Z, command: /Applications/Xcode.app/Contents/Developer/usr/bin/notarytool store-credentials --verbose
This process stores your credentials securely in the Keychain. You reference these credentials later using a profile name.
Profile name:
build
We recommend using App Store Connect API keys for authentication. If you'd like to authenticate with an Apple ID and app-specific password instead, leave this unspecified.
Path to App Store Connect API private key:
./private_keys/AuthKey_QHBB38VH7L.p8
App Store Connect API Key ID:
storieddata
App Store Connect API Issuer ID:
69a6de6f-872e-47e3-e053-5b8c7c11a4d1
Validating your credentials...
[00:45:08.825Z] Info [API] Initialized Notary API with base URL: https://appstoreconnect.apple.com/notary/v2/
[00:45:08.826Z] Info [API] Preparing GET request to URL: https://appstoreconnect.apple.com/notary/v2/test?, Parameters: [:], Custom Headers: private<Dictionary<String, String>>
[00:45:08.827Z] Debug [JWT] Generating new JWT for key ID: storieddata.
[00:45:08.829Z] Info [JWT] Caching newly generated JWT. key ID: storieddata, JWT: private<String>
[00:45:08.830Z] Debug [AUTHENTICATION] Authenticating request with App Store Connect API credentials. Key ID: storieddata, Issuer ID: 69a6de6f-872e-47e3-e053-5b8c7c11a4d1
[00:45:08.831Z] Debug [TASKMANAGER] Starting Task Manager loop to wait for asynchronous HTTP calls.
[00:45:09.243Z] Debug [API] **Received response status code: 401, message: unauthorized, URL: https://appstoreconnect.apple.com/notary/v2/test?,** Correlation Key: ZYHO7EDNX52XJBTRMIOUWGIVZI
[00:45:09.244Z] Error [API] Received non-JSON response body from Notary API, URL: https://appstoreconnect.apple.com/notary/v2/test?
[00:45:09.245Z] Error [TASKMANAGER] Completed Task with ID 1 has encountered an error.
[00:45:09.246Z] Debug [TASKMANAGER] Ending Task Manager loop.
Credential validation failed. Please verify your inputs.
I have double checked the input, and everything is correct.
I am having an issue trying to notarize app with a bundled binary using notarytool. Everything is signed properly, but the notarization status of every submission I've tried over the past two days have just been stuck on In Progress. I even tried submitting something else but this is also stuck on In Progress.
Successfully received submission history.
history
--------------------------------------------------
createdDate: 2023-10-01T15:34:36.959Z
id: 8461c5b0-51d0-4c00-8391-4dcb541f2ccf
name: flot.zip
status: In Progress
--------------------------------------------------
createdDate: 2023-10-01T15:13:46.537Z
id: 4fd3e79c-74e2-4824-bc5c-c63c305243c3
name: flot.zip
status: Invalid
--------------------------------------------------
createdDate: 2023-10-01T14:29:52.668Z
id: fc8bc0ae-8e17-4286-86b5-48d71d08175c
name: flot-Mac-2.0.0-Installer.dmg
status: In Progress
I'm integrating Notary API, in our CI/CD pipelines.
It all works well for notarization, but there is no mention of how to obtain the signing ticket nor how to staple it to the dmg.
Do I need to use for that the:
xcrun stapler staple
I was hoping that with use of the Notary API, I can avoid requiring xtools and developer id on the machine.
Hi there,
I could use some help with notarizing. I'm developing a Python module in the Rust programming language. The extension of the resulting library file is .so, which is necessary for Python to see it, instead of the regular .dylib. I compile this library for both apple silicon and intel.
When a user first imports the library which in turn imports the library, and the user is confronted with Gatekeeper.
So I guess I need to notarize the module file. And that's where I'm stuck. I created an Apple developer account, created a "Developer ID Application" certificate and used codesign to sign the .so file with it. That worked.
I then used ditto to create a zip file with just the .so file: "ditto -c -k --keepParent my_module.so my_module.zip"
The 600 kb file quickly uploads to Apple and I get an ID for checking the logs later on. Then I wait for the progress........ And nothing happens for hours on end. When I check the logs for the provided ID I get this message: "Submission log is not yet available or submissionId does not exist"
I also checked if perhaps the notarization did work regardless of the above, with "spctl -a -t exec -vvv ./my_module.so". Says it's rejected, source=Unnotarized Developer ID.
There is not much that I can work with, because I don't get an error message. Any ideas?
Have fun,
Wybren
MyPythonExe is a compiled file coming from a python script compiled with using pyinstaller. After compiled, it was signed using codesign:
codesign -s "Developer ID TTT", -o runtime -f --timestamp MyPythonExe
Once signed, the exe was placed in a Zip container (exeZip), and then successfully notarized using the following:
xcrun notarytool submit exeZip --keychain-profile "MyNotarProf" --wait
It was accepted.
Now, when try to run it, the following error was thrown (oddly, the compiled unsigned Exe runs in the same computer without any issues):
/Users/admin/Downloads/MyPythonExe ; exit;
admin@admins-MacBook-Air ~ % /Users/admin/Downloads/MyPythonExe ; exit;
[1767] Error loading Python lib '/var/folders/80/35xy0t2n3t96b5nl5ldl24_r0000gn/T/_MEIEhOx1q/Python': dlopen: dlopen(/var/folders/80/35xy0t2n3t96b5nl5ldl24_r0000gn/T/_MEIEhOx1q/Python, 0x000A): tried: '/var/folders/80/35xy0t2n3t96b5nl5ldl24_r0000gn/T/_MEIEhOx1q/Python' (code signature in <88BFFD37-99D8-36AB-9B95-9F54B30BD667> '/private/var/folders/80/35xy0t2n3t96b5nl5ldl24_r0000gn/T/_MEIEhOx1q/Python' not valid for use in process: mapped file has no Team ID and is not a platform binary (signed with custom identity or adhoc?)), '/System/Volumes/Preboot/Cryptexes/OS/var/folders/80/35xy0t2n3t96b5nl5ldl24_r0000gn/T/_MEIEhOx1q/Python' (no such file), .... (+ a couple of similar errors)
No, the said exe file (MyPythonExe) was signed and successfully notarized. Oddly, the very same file, but unsigned runs perfectly well (after being authorized so it can surpass Gatekeeper, of course). What could be going on here? Any hint on how to overcome this issue?
I seems like a pretty common issue but i'll make a post about it specifically for what i'm seeing. Its my first time notarizing an app so maybe its something in my config, but i'm not seeing any errors.
For simplicity I cloned, built and signed the sample Electron Forge app following the steps on https://www.electronforge.io/ "Getting Started". The build zip is 90MB so its not that large. My production application will be DMG, but even that is stuck (Maybe because the zips before it are currently stuck)
Trying to manually notarize via notarytool just hangs. I used xcrun notarytool submit <Package> --keychain-profile "NotaryProfile" --wait
Running xcrun notarytool history --keychain-profile "NotaryProfile" outputs the following.
createdDate: 2023-09-06T14:49:59.810Z
id: 838c0903-d136-4241-be98-174152a7e3cf
name: my-new-app.zip
status: In Progress
--------------------------------------------------
createdDate: 2023-09-06T14:31:08.880Z
id: 1ce6ef46-8b09-4b20-9f61-81292b2dcbb9
name: my-new-app.zip
status: In Progress
--------------------------------------------------
createdDate: 2023-09-06T14:10:23.726Z
id: 71bc9206-036e-46c7-aadf-6bfaa4097743
name: my-new-app.zip
status: In Progress
--------------------------------------------------
createdDate: 2023-09-06T13:54:35.527Z
id: 7c7fd365-1f08-48c6-a314-3a1809019f9c
name: my-new-app.zip
status: In Progress
Its been about 7 hours since my first attempt.
I tried to pull logs by calling xcrun notarytool log --keychain-profile "NotaryProfile" aa6e9df3-ef62-4058-8bcc-683f015b412a but it seems like non exist yet.
Submission log is not yet available or submissionId does not exist
id: aa6e9df3-ef62-4058-8bcc-683f015b412a
Not sure whats going on, but its pretty far off from the time estimate of 5 - 45 minutes.
Any help is appreciated.
NotaryTool version is 1.0.0 (28)
I'm trying to staple a validation ticket to an exe file that is already notarized. The process ended with the following error:
Downloaded ticket has been stored at file:///var/folders/bj/ry08v0694972s03cswkq5md80000gq/T/7f1a34f0-8628-4157-92b0-b59cebe70951.ticket.
Could not remove existing ticket from file:///Users/efi-admin/Downloads/ActualSignedFile/Contents/CodeResources because an error occurred. Error Domain=NSCocoaErrorDomain Code=512 "“CodeResources” couldn’t be removed." UserInfo={NSUserStringVariant=(
Remove
), NSFilePath=/Users/efi-admin/Downloads/ActualSignedFile/Contents/CodeResources, NSUnderlyingError=0x600000151e90 {Error Domain=NSPOSIXErrorDomain Code=20 "Not a directory"}}
The staple and validate action failed! Error 73.
The above was captured using the verbose option of the cmd...
Among the response, I can see the ticket:
fields = {
signedTicket = {
type = BYTES;
value = "czhjaAEAAADxBQAALQAAADCCBe0wggL/MIICpKADAgECAghWLFU2G59vVTAKBggqhkjOPQQDAjByMSYwJAYDVQQDDB1BcHBsZSBTeXN0ZW0gSW50ZWdyYXRpb24gQ0EgNDEmMCQGA1UE.... (partial)
I need help to properly understand what is this cmd doing as the issue might be permissions one.
The path mentioned above under /ActualSignedFile:
/ActualSignedFile/Contents/CodeResources
Does not exist. Is that the cmd wants to create it?
Is there any way to manually attach the ticket to the file, given the fact that is printed in verbose mode?
Thanks!
Any help will he highly appreciated!
I am trying to notarise a .dmg of my desktop application, but the process seems to just hang on 'In Progress'. It's not actually hanging, as I accumulate extra '.', but clearly it isn't working.
This exact same codebase notarised fine recently. The only change has been a downgrade in OS from Monterey to Big Sur.
I appreciate this is unusual, but I am required to support my client, who is running a 2013 MacBook Pro with Big Sur.
I appreciate that some of these tools are newer than Big Sur, but surely it should work?
Hello,
I have a valid developer ID downloaded from Apple. I signed the code (compiled exe file for intel Macs) and put it into a ZIP, which I also signed.
While signing I use timestamp and hardener option:
codesign -s "$LbaDevID" -o runtime -f --timestamp $conFile3
codesign -s "$LbaDevID" -o runtime -f --timestamp $conZip3
where variable $LbaDevID represent my Dev code id (VALID, downloaded from Apple after request cert; and $conFile3 the path to the exe file and $conZip3 the path to the ZIP (just $conFile3 zipped)
I attempt to notarize using the following command:
xcrun notarytool submit $compZip3 --keychain-profile "TestAppNotarz" --wait
the reply Log downloaded says:
Invalid dev ID (which is valid)
no timestamp... I corrected this error after the 1st attempt but the reply says exactly the same, even when I can see "TIMESTAMP" in the signature.
The third and last error refers to the runtime, which is present but not being seen.
Any help on how to troubleshoot this issue will be highly appreciated!
Please point me to the relevant documentation to solve this issue...