Notarization

Notarization is the process of scanning Developer ID-signed software for malicious components before distribution outside of the Mac App Store.

Post

Replies

Boosts

Views

Activity

Mac App Launch error after Mac codesign with --options runtime
Hi team, we used py2app to build the Mac app, and the app works well before the codesign. But when I codesign it with --options runtime, the app can't start up, with the below error:

    /petoi-mac-app/Petoi\ Desktop\ App.app/Contents/MacOS/Petoi\ Desktop\ App ; exit;
    Traceback (most recent call last):
      File "/Petoi Desktop App.app/Contents/Resources/__boot__.py", line 147, in <module>
        _setup_ctypes()
      File "/petoi-mac-app/Petoi Desktop App.app/Contents/Resources/__boot__.py", line 140, in _setup_ctypes
        from ctypes.macholib import dyld
      File "<frozen importlib._bootstrap>", line 983, in _find_and_load
      File "<frozen importlib._bootstrap>", line 967, in _find_and_load_unlocked
      File "<frozen importlib._bootstrap>", line 668, in _load_unlocked
      File "<frozen importlib._bootstrap>", line 638, in _load_backward_compatible
      File "ctypes/__init__.pyc", line 551, in <module>
      File "ctypes/__init__.pyc", line 273, in _reset_cache
    MemoryError
    2024-02-21 19:57:09.168 Petoi Desktop App[93968:1375266] Launch error
    2024-02-21 19:57:09.168 Petoi Desktop App[93968:1375266] Launch error
    See the py2app website for debugging launch issues

But if I remove --options runtime, I get the notarizing error below.

    {
      "severity": "error",
      "code": null,
      "path": "PetoiDesktopInstaller.pkg/PetoiDesktopInstaller.pkg Contents/Payload/Applications/Petoi Desktop App.app/Contents/MacOS/Petoi Desktop App",
      "message": "The executable does not have the hardened runtime enabled.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087724",
      "architecture": "x86_64"
    }

I am looking forward to your insightful reply.
1
0
367
Feb ’24
Verifiably signed app becomes unsigned once downloaded from Steam
Hello! I'm dealing with a strange code signing issue which is preventing me from distributing a game through Steam. I'm able to sign and notarise the app in Xcode without any issues. I can verify that the app and all frameworks in /Contents/Frameworks/ are signed, and Gatekeeper allows the app to run without complaining.

    $ spctl --assess -vvv ~/Temp/CodeSigningTest/GoodApp.app
    /Users/ruairi/Temp/CodeSigningTest/GoodApp.app: accepted
    source=Notarized Developer ID
    origin=Developer ID Application: Ruairi Dorrity (3F97UA4BF8)

    $ codesign --verify -vvv ~/Temp/CodeSigningTest/GoodApp.app
    --prepared:/Users/ruairi/Temp/CodeSigningTest/GoodApp.app/Contents/Frameworks/ogg.framework/Versions/Current/.
    --validated:/Users/ruairi/Temp/CodeSigningTest/GoodApp.app/Contents/Frameworks/ogg.framework/Versions/Current/.
    --prepared:/Users/ruairi/Temp/CodeSigningTest/GoodApp.app/Contents/Frameworks/mpg123.framework/Versions/Current/.
    --validated:/Users/ruairi/Temp/CodeSigningTest/GoodApp.app/Contents/Frameworks/mpg123.framework/Versions/Current/.
    --prepared:/Users/ruairi/Temp/CodeSigningTest/GoodApp.app/Contents/Frameworks/libmodplug.framework/Versions/Current/.
    --validated:/Users/ruairi/Temp/CodeSigningTest/GoodApp.app/Contents/Frameworks/libmodplug.framework/Versions/Current/.
    --prepared:/Users/ruairi/Temp/CodeSigningTest/GoodApp.app/Contents/Frameworks/freetype.framework/Versions/Current/.
    --validated:/Users/ruairi/Temp/CodeSigningTest/GoodApp.app/Contents/Frameworks/freetype.framework/Versions/Current/.
    --prepared:/Users/ruairi/Temp/CodeSigningTest/GoodApp.app/Contents/Frameworks/Lua.framework/Versions/Current/.
    --validated:/Users/ruairi/Temp/CodeSigningTest/GoodApp.app/Contents/Frameworks/Lua.framework/Versions/Current/.
    --prepared:/Users/ruairi/Temp/CodeSigningTest/GoodApp.app/Contents/Frameworks/vorbis.framework/Versions/Current/.
    --validated:/Users/ruairi/Temp/CodeSigningTest/GoodApp.app/Contents/Frameworks/vorbis.framework/Versions/Current/.
    --prepared:/Users/ruairi/Temp/CodeSigningTest/GoodApp.app/Contents/Frameworks/OpenAL-Soft.framework/Versions/Current/.
    --validated:/Users/ruairi/Temp/CodeSigningTest/GoodApp.app/Contents/Frameworks/OpenAL-Soft.framework/Versions/Current/.
    --prepared:/Users/ruairi/Temp/CodeSigningTest/GoodApp.app/Contents/Frameworks/theora.framework/Versions/Current/.
    --validated:/Users/ruairi/Temp/CodeSigningTest/GoodApp.app/Contents/Frameworks/theora.framework/Versions/Current/.
    --prepared:/Users/ruairi/Temp/CodeSigningTest/GoodApp.app/Contents/Frameworks/love.framework/Versions/Current/.
    --validated:/Users/ruairi/Temp/CodeSigningTest/GoodApp.app/Contents/Frameworks/love.framework/Versions/Current/.
    --prepared:/Users/ruairi/Temp/CodeSigningTest/GoodApp.app/Contents/Frameworks/SDL2.framework/Versions/Current/.
    --validated:/Users/ruairi/Temp/CodeSigningTest/GoodApp.app/Contents/Frameworks/SDL2.framework/Versions/Current/.
    /Users/ruairi/Temp/CodeSigningTest/GoodApp.app: valid on disk
    /Users/ruairi/Temp/CodeSigningTest/GoodApp.app: satisfies its Designated Requirement

However, if I zip the app and upload it to Steam, the app that the Steam client downloads is blocked by Gatekeeper ("damaged and can't be opened") and re-running the above commands shows that the code signing seal has been broken somehow on the downloaded app:

    $ spctl --assess -vvv ~/Temp/CodeSigningTest/BadApp.app
    /Users/ruairi/Temp/CodeSigningTest/BadApp.app: cannot find code object on disk

    $ codesign --verify -vvv ~/Temp/CodeSigningTest/BadApp.app
    /Users/ruairi/Temp/CodeSigningTest/BadApp.app: code object is not signed at all
    In subcomponent: /Users/ruairi/Temp/CodeSigningTest/BadApp.app/Contents/Frameworks/love.framework

The second command can be re-run, showing a seemingly random framework from /Contents/Frameworks/ each time, e.g.

    $ codesign --verify -vvv ~/Temp/CodeSigningTest/BadApp.app
    /Users/ruairi/Temp/CodeSigningTest/BadApp.app: code object is not signed at all
    In subcomponent: /Users/ruairi/Temp/CodeSigningTest/BadApp.app/Contents/Frameworks/ogg.framework

Further investigation shows that these frameworks are now unsigned, when they were signed before uploading and downloading:

    $ codesign --verify -vvv ~/Temp/CodeSigningTest/BadApp.app/Contents/Frameworks/ogg.framework
    /Users/ruairi/Temp/CodeSigningTest/BadApp.app/Contents/Frameworks/ogg.framework: code object is not signed at all

    $ codesign --verify -vvv ~/Temp/CodeSigningTest/BadApp.app/Contents/Frameworks/love.framework
    /Users/ruairi/Temp/CodeSigningTest/BadApp.app/Contents/Frameworks/love.framework: code object is not signed at all

    ...

    $ codesign --verify -vvv ~/Temp/CodeSigningTest/GoodApp.app/Contents/Frameworks/ogg.framework
    /Users/ruairi/Temp/CodeSigningTest/GoodApp.app/Contents/Frameworks/ogg.framework: valid on disk
    /Users/ruairi/Temp/CodeSigningTest/GoodApp.app/Contents/Frameworks/ogg.framework: satisfies its Designated Requirement

    $ codesign --verify -vvv ~/Temp/CodeSigningTest/GoodApp.app/Contents/Frameworks/love.framework
    /Users/ruairi/Temp/CodeSigningTest/GoodApp.app/Contents/Frameworks/love.framework: valid on disk
    /Users/ruairi/Temp/CodeSigningTest/GoodApp.app/Contents/Frameworks/love.framework: satisfies its Designated Requirement

I'm stumped as to what's happening here. Is it possible that the app is being modified behind the scenes by Steam, which breaks the code signing? This seems unfathomable because it would surely break code signing on every Mac game on Steam, but I really can't understand what else would be going on. I'm sure I need to expand my knowledge on code signing; any pointers, suggestions or assistance is greatly appreciated! Thank you!
2
0
382
Feb ’24
Gatekeeper blocks my app for some minutes after download
I am working on an open source app. I have been testing the package installer, and something unexpected is happening: the .pkg won't run on my test machine and will instead show a banner saying "myApp.app can't be opened because Apple cannot check it for malicious software"; nevertheless, if I wait some minutes, the installer will run just fine! After reading through many of Eskimo's posts, I assumed it may have something to do with stapler. I was not stapling my .dmg originally, so that's something I may be missing (my app is installed by a .pkg inside a .dmg). Nevertheless, the computer where I am testing the app has internet connection, meaning stapler should not even come into play. Regardless, I decided to staple my .dmg. Running xcrun stapler staple -v myApp.dmg after notarizing produces this result:

    builder ~ % xcrun stapler staple -v /Users/builder/Data/HEAD/installation/Packages/myApp.dmg
    Processing: /Users/builder/Data/HEAD/installation/Packages/myApp.dmg
    Properties are {
        NSURLIsDirectoryKey = 0;
        NSURLIsPackageKey = 0;
        NSURLIsSymbolicLinkKey = 0;
        NSURLLocalizedTypeDescriptionKey = "Disk Image";
        NSURLTypeIdentifierKey = "com.apple.disk-image-udif";
        "_NSURLIsApplicationKey" = 0;
    }
    Creating synthetic cdHash for unsigned disk image, myApp.dmg. Humanity must endure.
    Signing information is {
        cdhashes = ( {length = 20, bytes = 0xdd018313b1c574a403f01dccc96c21705987d76c} );
        "cdhashes-full" = { 2 = {length = 32, bytes = 0xdd018313 b1c574a4 03f01dcc c96c2170 ... 918d33f3 d5a74dc3 }; };
        cms = {length = 0, bytes = 0x};
        "digest-algorithm" = 2;
        "digest-algorithms" = ( 2 );
        flags = 2;
        format = "disk image";
        identifier = ADHOC;
        "main-executable" = "file:///Users/builder/Data/HEAD/installation/Packages/myApp.dmg";
        source = "explicit detached";
        unique = {length = 20, bytes = 0xdd018313b1c574a403f01dccc96c21705987d76c};
    }
    Stored Codesign length: 12 number of blobs: 0
    Total Length: 12 Found blobs: 0
    JSON Data is {
        records = ( { recordName = "2/2/dd018313b1c574a403f01dccc96c21705987d76c"; } );
    }
    Headers: { "Content-Type" = "application/json"; }
    Domain is api.apple-cloudkit.com
    Response is <NSHTTPURLResponse: 0x600003b85ba0> { URL: https://api.apple-cloudkit.com/database/1/com.apple.gk.ticket-delivery/production/public/records/lookup } { Status Code: 200, Headers {
        Connection = ( "keep-alive" );
        "Content-Encoding" = ( gzip );
        "Content-Type" = ( "application/json; charset=UTF-8" );
        Date = ( "Mon, 26 Feb 2024 15:34:15 GMT" );
        Server = ( "AppleHttpServer/78689afb4479" );
        "Strict-Transport-Security" = ( "max-age=31536000; includeSubDomains;" );
        "Transfer-Encoding" = ( Identity );
        Via = ( "xrail:st53p00ic-qujn15041902.me.com:8301:24R11:grp60,631194250daa17e24277dea86cf30319:59e17ac665e1de7388b8f4e69e92e383:defra2" );
        "X-Apple-CloudKit-Version" = ( "1.0" );
        "X-Apple-Edge-Response-Time" = ( 99 );
        "X-Apple-Request-UUID" = ( "9fc0fe2d-49fd-4e74-b718-660c56edb3bb" );
        "X-Responding-Instance" = ( "ckdatabasews:16306401:st42p63ic-ztfb05112901:8807:2409B432:afc827b7b1ebf24829e9c4856d4b69205f23804f" );
        "access-control-expose-headers" = ( "X-Apple-Request-UUID,X-Responding-Instance,Via" );
        "x-apple-user-partition" = ( 63 );
    } }
    Size of data is 165
    JSON Response is: {
        records = ( { reason = "Record not found"; recordName = "2/2/dd018313b1c574a403f01dccc96c21705987d76c"; serverErrorCode = "NOT_FOUND"; } );
    }
    CloudKit query for myApp.dmg (2/dd018313b1c574a403f01dccc96c21705987d76c) failed due to "Record not found".
    Could not find base64 encoded ticket in response for 2/dd018313b1c574a403f01dccc96c21705987d76c
    The staple and validate action failed! Error 65

What does this show? Thank you.
2
0
528
Feb ’24
Notarization Timing Out
I'm trying to notarize an Objective-C app I've written in Xcode 15. I've mostly been following this guide: https://scriptingosx.com/2021/07/notarize-a-command-line-tool-with-notarytool/. I got the Developer ID Application and Developer ID Installer certificates from Apple developer. I made sure hardened runtime was on in Xcode and chose Developer ID Application under the signing settings before archiving and exporting. After setting up my notarytool profile, I used "xcrun notarytool submit" to submit for notarization. This first attempt went over 24 hours and still said "In Progress" so I cancelled it. For my second attempt I built an installer pkg for my app signed with my Developer ID Installer certificate. I submitted this for notarization with "xcrun notarytool submit" and after over 24 hours of "in progress" it returned "the request timed out". What am I doing wrong in the sign/notarize process?
3
0
489
Mar ’24
Do I have to have Two Factor authentication on my Apple Dev account to install my .DMG? I'm getting error #1000
I am bundling my app in a .dmg that I made. I signed it, notarized it and stapled it. When I install it on a friend's Mac, I get the error message, "This error may occur if something went wrong when authenticating using Sign in with Apple. Error Code 1000 for Sign in with Apple refers to an unknown error that occurred authenticating your Apple ID. Please make sure that you have Two-Factor authentication enabled for your Apple ID." Is this because his Apple ID has not got two factor enabled, or because my Dev account does not? I read somewhere that two factor must be enabled for latest versions of Macs, but again, is this my Apple Dev ID, or theirs?
1
0
381
Mar ’24
Notarizing loadable bundles
We have developed an application in which we have a main application and there are several loadable bundles which are loaded from within the main application. We archive the main application and generate the .app file. When we run the app, everything works fine and it loads the bundles. But when we notarise the main application, it stops loading the bundles. We think we will need to notarise the bundles as well but are not able to find a way to do it. Any help will be very much appreciated.
2
0
419
Mar ’24
Team is not yet configured for notarization. Please contact Developer Programs
Greetings to all. I have purchased my developer account and encountered an error message stating "Team is not yet configured for notarization" when attempting to sign my software. Despite my efforts to get in touch with Developer Programs over the past month through numerous phone calls and emails, the only response I receive is that they are unable to assist me at the moment. This situation has become quite distressing. We are encountering obstacles in releasing our software as Apple is impeding our progress. Users are experiencing an "unidentified developer" error message when trying to download it. I am unsure who to reach out to for assistance, especially when Apple support seems unresponsive despite being quick to accept payments.
4
0
571
Mar ’24
What files all need to be codesign'ed?
I have recently upgraded to macOS 14 and Xcode 15. I gather codesign --deep no longer works. Do I have to explicitly codesign every file in my .app? There are several hundreds of them. Also, I am able to successfully codesign my executable (MyApp.app/Contents/MacOS/MyExecutable), but when I upload for Notarization, it fails with "The signature of the binary is invalid.", identifying the executable specifically. This used to work fine. Why is it failing now?
4
0
607
Apr ’24
xcrun notarytool history returns status 500 internal error
The notarytool service seems to be down, but "Developer ID Notarization Service" is green in the system-status. If I try to submit a DMG for notarization or even just try to get the history it gives this response:

    Error: internalError(statusCode: Optional(500), strData: nil, jsonData: Optional(["errors": <__NSSingleObjectArrayI 0x60000331d020>(
    {
        code = "UNEXPECTED_ERROR";
        detail = "<null>";
        id = 7S3TTC4N54UMTGOEMVREFQPSNE;
        links = "<null>";
        status = 500;
        title = "Uncaught server exception";
    }
    )
    , "statusCode": 500]))
    Please try again at a later time.

Everything worked a couple weeks ago.
2
0
511
Apr ’24
Generic Xcode Archive issue
I'm trying to notarize an Objective-C app I've written in Xcode 15. However, when I archive the app, it is listed as a "Generic Xcode Archive" instead of an "app archive", so it can't be validated/distributed. I've tried following all the steps in this article: https://developer.apple.com/documentation/technotes/tn3110-resolving-generic-xcode-archive-issue My skip_install is set to NO. My app's dependencies don't show up under "Targets" so I couldn't check the skip_install setting for them. My linked libraries don't use a headers build phase. My install_path is set to $(LOCAL_APPS_DIR). Why am I not getting an "app archive"?
4
0
554
Apr ’24
DMG is stapled & notarized yet user cannot open in Finder
Hey all. I "Archived" my Xcode application, notarized through Xcode, exported the .app and used a program create-dmg to generate a DMG for me. I then notarized this using the xcrun notarytool submit Lyric\ Fever\ 1.7.dmg --keychain-profile "notarytoolProfile" command as well as xcrun stapler staple Lyric\ Fever\ 1.7.dmg, both of which passed. Running syspolicy_check distribution also passes. So does xcrun stapler validate. This dmg still fails when testing using spctl. spctl -a -t open -vvv --context context:primary-signature Lyric\ Fever\ 1.7.dmg generates the following error: Lyric Fever 1.7.dmg: rejected origin=Apple Development: Avi Wadhwa (#######) Furthermore, I uploaded this dmg to GitHub and redownloaded it. This newly downloaded dmg does not open in Finder, prompting the "unidentified developer, malware" message. Yet xcrun stapler validate passes, and so does syspolicy_check distribution. I know as per Eskimo's previous posts that this is not the ideal way to test notarization (and setting a macOS vm is the best method), but if I cannot download my own dmg from GitHub then something is clearly wrong.
1
0
386
Apr ’24
Mac App Notarization processing In Progress for over 16 hours?
I started the notarization process last night with the following command

    xcrun notarytool submit --wait --keychain-profile "Developer ID Application: ..." --verbose Open\ Interface.zip

When I check its status, it still shows as it's in progress over 16 hours later

    xcrun notarytool history --keychain-profile "Developer ID Application: ..."
    Successfully received submission history.
      history
        --------------------------------------------------
        createdDate: 2024-04-09T03:49:07.620Z
        id: 8fcf8111-c18c-4941-acb6-f447d86735a2
        name: Open Interface.zip
        status: In Progress
        --------------------------------------------------
        createdDate: 2024-04-09T03:23:58.816Z
        id: 93461030-f230-4225-b9f2-5d9472904858
        name: Open Interface.zip
        status: In Progress

Does anyone know what might be going wrong? My .zip file is available here: https://github.com/AmberSahdev/Open-Interface/releases/download/0.5.0/Open-Interface-v0.5.0-MacOS.zip Thanks!
3
0
476
Apr ’24
Irrelevant Notarization Error: "Team is not yet configured for notarization"
I've been getting a notarization error for about a month and it's not resolved. (Case ID: 102252824962) The error message I received is as I wrote in the title: "Team is not yet configured for notarization". When I contact the support team by phone, they say that this error message is not correct and that there is no problem with my individual account. When I contacted the support team by phone, their only answer was that "Your case has been escalated to the engineers, and they’re working on it." By the way, the support team never even responds to my email support requests. The application I wrote is very, very small and simple. I don't understand why it is taking so long to be analyzed and why the support team can't give any explanation.
2
0
444
Apr ’24
Packaging Process
I’m new to Mac packaging, and am confused by the multi-part signing and packaging process. I have built an app, using third party software, that I would like to upload to the Mac store for trial/testing purposes. I have joined the Apple Developers Programme, but am unsure whether I need to invest in third-party certification (e.g. Verisign) or can self-certify my app package. I would be obliged if someone would outline the sequence of steps that I need to follow to create a package that can be offered to users, and confirm whether my AD License is sufficient for me to follow same. Thanks in advance for any advice. Regards, L
2
0
401
Apr ’24
I'd like to know the necessary steps for using the notarytool
Hello, I apologize for my poor English. Due to the discontinuation of the altool command line tool for notarizing client applications on Mac, we are transitioning from the altool command line to the notarytool command line. However, when attempting to add a profile to Keychain, the following command returns an error if the userID or password is incorrect:

    xcrun notarytool store-credentials "AC_PASSWORD" --apple-id "mailadress" --team-id "TEAMID" --password xxxx-xxxx-xxxx-xxxx

Although the password and other credentials have been entered correctly multiple times, it is possible that a step is being missed. The current process is as follows:

- Belonging to the Apple Developer Program of the client.
- Generating an app-specific password from the apple ID account page with TEAMID.
- Adding a profile to Keychain with the above information using the notarytool command line, where the error occurs.

If anyone has experience using the notarytool or has notarized Mac applications using an alternative method, any advice on the steps would be greatly appreciated. Thank you in advance.
1
0
350
Apr ’24
Codesigning binaries in bundle
I am building plug-ins for audio software. I am using the JUCE framework and I am building with VScode / CMake / Ninja / LLVM. I want to package the output, which are two bundles "Sinensis.component" (the AU plugin) and "Sinensis.vst3" (the vst3 plugin). I am using this script:

    codesign -s "Developer ID Application: $DEVELOPER_ID" --timestamp --force -o runtime -i "$PLUGIN_NAME".component "$PLUGIN_NAME".component/Contents/MacOs/"$PLUGIN_NAME" #--options=runtime
    pkgbuild --install-location /Library/Audio/Plug-Ins/Components --sign "Developer ID Installer: $DEVELOPER_ID" --timestamp --identifier "$IDENTIFIER"au --version "$VERSION" --root "$PLUGIN_NAME".component "$PLUGIN_NAME"_au.pkg
    codesign -s "Developer ID Application: $DEVELOPER_ID" --timestamp --force -o runtime -i "$PLUGIN_NAME".vst3 "$PLUGIN_NAME".vst3/Contents/MacOs/"$PLUGIN_NAME" #--options=runtime
    pkgbuild --install-location /Library/Audio/Plug-Ins/VST3 --sign "Developer ID Installer: $DEVELOPER_ID" --timestamp --identifier "$IDENTIFIER"vst3 --version "$VERSION" --root "$PLUGIN_NAME".vst3 "$PLUGIN_NAME"_vst3.pkg
    productbuild --synthesize --package "$PLUGIN_NAME"_au.pkg --package "$PLUGIN_NAME"_vst3.pkg distribution.xml
    productbuild --distribution distribution.xml --resources Resources/ "$PLUGIN_NAME".pkg
    productsign --sign "Developer ID Installer: $DEVELOPER_ID" "$PLUGIN_NAME".pkg "$PLUGIN_NAME"_installer.pkg --timestamp
    xcrun notarytool submit --keychain-profile "thomas" "$PLUGIN_NAME"_installer.pkg --wait
    xcrun stapler staple "$PLUGIN_NAME"_installer.pkg

feeding it

    distribute.sh Sinensis "Thomas Xxxxxx (<personal identifier>)" <identifier for the package> 101

I am using --force because of a post on the juce forum that I strangely cannot link to here. tl;dr the binary is signed at the build stage and needs --force to overwrite with my signature.

But it ends up with error 65:

    Conducting pre-submission checks for Sinensis_installer.pkg and initiating connection to the Apple notary service...
    Submission ID received
      id: 38ba301b-f857-4408-b665-9e11e8647ca1
    Upload progress: 100,00 % (6,10 MB of 6,10 MB)
    Successfully uploaded file
      id: 38ba301b-f857-4408-b665-9e11e8647ca1
      path: /Users/thomas/Desktop/Sinensis_installer.pkg
    Waiting for processing to complete.
    Current status: Invalid............
    Processing complete
      id: 38ba301b-f857-4408-b665-9e11e8647ca1
      status: Invalid
    Processing: /Users/thomas/Desktop/Sinensis_installer.pkg
    CloudKit query for Sinensis_installer.pkg (1/dc8136b4b82a4e9c9f7b5e6064238488e97f04ad) failed due to "Record not found".
    Could not find base64 encoded ticket in response for 1/dc8136b4b82a4e9c9f7b5e6064238488e97f04ad
    The staple and validate action failed! Error 65.

Looking at the log via xcrun notarytool log returns

    {
      "logFormatVersion": 1,
      "jobId": "75fa5853-d19d-42a5-9069-4ed0d8f735be",
      "status": "Invalid",
      "statusSummary": "Archive contains critical validation errors",
      "statusCode": 4000,
      "archiveFilename": "Sinensis_installer.pkg",
      "uploadDate": "2024-04-19T10:11:07.372Z",
      "sha256": "da6457f73d1b93995392f844a25f4b9bc9750eac0555ae72854b14e270e32685",
      "ticketContents": null,
      "issues": [
        {
          "severity": "error",
          "code": null,
          "path": "Sinensis_installer.pkg/Sinensis_au.pkg Contents/Payload/Library/Audio/Plug-Ins/Components/Contents/MacOS/Sinensis",
          "message": "The signature of the binary is invalid.",
          "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087735",
          "architecture": "arm64"
        },
        {
          "severity": "error",
          "code": null,
          "path": "Sinensis_installer.pkg/Sinensis_vst3.pkg Contents/Payload/Library/Audio/Plug-Ins/VST3/Contents/MacOS/Sinensis",
          "message": "The signature of the binary is invalid.",
          "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087735",
          "architecture": "arm64"
        }
      ]
    }

codesign -vvv --deep --strict Sinensis.vst3 returns

    Sinensis.vst3: valid on disk
    Sinensis.vst3: satisfies its Designated Requirement

pkgutil --check-signature Sinensis_installer.pkg returns

    Package "Sinensis_installer.pkg":
       Status: signed by a developer certificate issued by Apple for distribution
       Signed with a trusted timestamp on: 2024-04-19 10:21:59 +0000
       Certificate Chain:
        1. Developer ID Installer: Thomas Guillory (53B2GD4XYM)
           Expires: 2027-02-01 22:12:15 +0000
           SHA256 Fingerprint:
               E8 D7 4A 6D CD 19 56 A2 39 C9 15 00 09 06 EA 98 01 B0 AF 85 59 AA AE 26 71 89 56 9B 54 EF 48 B3
           ------------------------------------------------------------------------
        2. Developer ID Certification Authority
           Expires: 2027-02-01 22:12:15 +0000
           SHA256 Fingerprint:
               7A FC 9D 01 A6 2F 03 A2 DE 96 37 93 6D 4A FE 68 09 0D 2D E1 8D 03 F2 9C 88 CF B0 B1 BA 63 58 7F
           ------------------------------------------------------------------------
        3. Apple Root CA
           Expires: 2035-02-09 21:40:36 +0000
           SHA256 Fingerprint:
               B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C 68 C5 BE 91 B5 A1 10 01 F0 24

I tried to unpack the .pkg using pacifist as recommended in multiple threads but the bundle wasn't recognized as such; I may not have followed the correct procedure. I've read the man pages for productbuild, codesign and productsign. I've also read the macOS code signing technical note although I didn't understand everything clearly (especially on the nested part, which seems relevant). The closest thing I could find was this forum post but the bundles seem to be correctly seen by macOS as a bundle and not as a folder. I'm really lost at this point, may Eskimo come shed some enlightenment on my poor newbie soul 🙏 Have a nice day!
1
0
447
Apr ’24
Installer Application Not Proceeding After Codesigning with Hardened Runtime Enabled
I'm encountering a peculiar issue with my macOS installer application when hardened runtime is enabled (--options runtime) during code signing, and I'm hoping to get some guidance on how to resolve it. Issue Description: My installer application is designed to prompt users for system credentials upon launch. After entering the correct credentials and clicking "OK", users should see the next screen to proceed with the installation process. However, with hardened runtime enabled, the application stops responding after the credential entry step. The next screen, where users should proceed with installation, does not appear. If I codesign without using hardened runtime, my installer works fine. However it fails during notarization. What I've Tried: I have reviewed Apple's documentation on hardened runtime and notarization to ensure I'm following best practices. I've checked the Console logs for any relevant error messages or warnings, but haven't found any conclusive information. Additional Information: The application is an installer built using bitrock installbuilder. It relies on prompting users for system credentials using standard macOS authentication mechanisms. Initially the installer is in tar.gz format which I extract to get .app file. This file is codesigned. Next I create a .DMG of the codesigned .app file and codesign the DMG before sending it for notarization. Request for Assistance: I'm seeking guidance on how to address this issue with my installer application not proceeding after credential entry when hardened runtime is enabled. Are there any specific configurations, entitlements, or best practices that I might be missing? Or are there alternative approaches I should consider to ensure compatibility while still meeting Apple's security requirements for notarization? Any insights or advice from your experiences would be greatly appreciated. Thank you in advance for your help!
2
0
444
Apr ’24
Error: HTTP status code: 401. Unable to authenticate. The application is not allowed for primary authentication. Ensure that all authentication arguments are correct.
Previously, we did Notarization with the help of altool, but it has now been decommissioned by Apple. We need to use the Notary tool for Notarization.
My application is not on the App Store. So I tried storing credentials in the keychain, but encountered an error after providing all the details, including appleid, app-specific password, and teamid. It is showing the below error. Error: HTTP status code: 401. Unable to authenticate. The application is not allowed for primary authentication. Ensure that all authentication arguments are correct.
We created the app-specific password using the same Apple ID account which also has the certificates with which we are trying to notarize our application. Initially, we were not able to access this Apple ID account because the employee that created this account has now left the organisation and we did not have enough information for access. We contacted Apple and we got an alias to the original Apple ID account, after which we were able to create the app-specific password. We are not sure if this alias account access is affecting our issue, or maybe there is some particular setting that could affect the authorisation. Below is the complete info regarding the issue.

    mohd.faizan@KELLGGNLPTP1659 ~ % xcrun notarytool store-credentials --verbose --apple-id “XXXX" --password “YYYY” --team-id “ZZZZ”
    [11:32:40.047Z] Debug [MAIN] Running notarytool version: unknown (0), date: 2024-04-23T11:32:40Z, command: /Applications/Xcode.app/Contents/Developer/usr/bin/notarytool store-credentials --verbose --apple-id XXXX --password private --team-id ZZZZ
    This process stores your credentials securely in the Keychain. You reference these credentials later using a profile name.
    Profile name: NotaryProfile
    Validating your credentials...
    [11:32:48.390Z] Info [API] Initialized Notary API with base URL: https://appstoreconnect.apple.com/notary/v2/
    [11:32:48.392Z] Info [API] Preparing GET request to URL: https://appstoreconnect.apple.com/notary/v2/test?, Parameters: [:], Custom Headers: private<Dictionary<String, String>>
    [11:32:48.393Z] Debug [AUTHENTICATION] Delaying current request to refresh app-specific password token.
    [11:32:48.393Z] Info [API] Preparing GET request to URL: https://appstoreconnect.apple.com/notary/v2/asp?, Parameters: [:], Custom Headers: private<Dictionary<String, String>>
    [11:32:48.394Z] Debug [AUTHENTICATION] Authenticating request to '/notary/v2/asp' with Basic Auth. Username: XXXX, Password: private, Team ID: ZZZZ
    [11:32:48.396Z] Debug [TASKMANAGER] Starting Task Manager loop to wait for asynchronous HTTP calls.
    [11:32:50.102Z] Debug [API] Received response status code: 401, message: unauthorized, URL: https://appstoreconnect.apple.com/notary/v2/asp?, Correlation Key: 5WDGB4XPJJAUCMTFMR6TUYYRPI
    [11:32:50.103Z] Error [TASKMANAGER] Completed Task with ID 2 has encountered an error.
    [11:32:50.103Z] Debug [TASKMANAGER] Ending Task Manager loop.
    Error: HTTP status code: 401. Unable to authenticate. The application is not allowed for primary authentication. Ensure that all authentication arguments are correct.


Can anyone help me in resolving this issue? What steps do I need to take to fix this? Thanks in advance for the help.
0
0
445
Apr ’24
python app Notarization The signature of the binary is invalid.
codesign --sign "Apple Development: deok cheul kim (DK46XUS3ZB)" --deep --force --options=runtime --entitlements ./entitlements.plist --timestamp ./mediasend_PC_module_mac_V1.app

codesign -vvv --deep --strict mediasend_PC_module_mac_V1.app
mediasend_PC_module_mac_V1.app: valid on disk
mediasend_PC_module_mac_V1.app: satisfies its Designated Requirement

spctl --assess --type execute --verbose mediasend_PC_module_mac_V1.app
mediasend_PC_module_mac_V1.app: rejected

xcrun notarytool store-credentials "kdcProfile" --apple-id "kdc07..." --password "emfc-lmhz-kynx-xqyy"

ditto -c -k --sequesterRsrc --keepParent mediasend_PC_module_mac_V1.app mediasend_PC_module_mac_V1.zip

xcrun notarytool submit "mediasend_PC_module_mac_V1.zip" --keychain-profile "kdcProfile" --wait
Conducting pre-submission checks for mediasend_PC_module_mac_V1.zip and initiating connection to the Apple notary service...
Submission ID received
  id: 431e50cc-131a-48eb-be1e-6e1139dea347
Upload progress: 100.00% (15.7 MB of 15.7 MB)
Successfully uploaded file
  id: 431e50cc-131a-48eb-be1e-6e1139dea347
  path: /Users/sinaburo7/Desktop/appleCert/mediasend_PC_module_mac_V1.zip
Waiting for processing to complete.
Current status: Invalid............
Processing complete
  id: 431e50cc-131a-48eb-be1e-6e1139dea347
  status: Invalid

xcrun notarytool log 431e50cc-131a-48eb-be1e-6e1139dea347 --keychain-profile "kdcProfile"
{
  "logFormatVersion": 1,
  "jobId": "431e50cc-131a-48eb-be1e-6e1139dea347",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "mediasend_PC_module_mac_V1.zip",
  "uploadDate": "2024-04-30T04:19:29.294Z",
  "sha256": "0661974c3a2e073ab21b15bd0c65a8647bfe756fa42e07d2bb0522a20850de32",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "mediasend_PC_module_mac_V1.zip/mediasend_PC_module_mac_V1.app/Contents/MacOS/mediasend_PC_module_mac_V1",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
      "architecture": "arm64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "mediasend_PC_module_mac_V1.zip/mediasend_PC_module_mac_V1.app/Contents/Frameworks/libtcl8.6.dylib",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
      "architecture": "arm64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "mediasend_PC_module_mac_V1.zip/mediasend_PC_module_mac_V1.app/Contents/Frameworks/libssl.3.dylib",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
      "architecture": "arm64"
    },
    . . . . .

This is how it went. I don't know why the error occurs. For reference, the python app was installed using the script below.
pyinstaller --onedir --hidden-import=PIL --hidden-import=flask --hidden-import=psutil --hidden-import=requests --name mediasend_PC_module_mac_V1 --icon=logo3_iMf_icon.icns --noconsole --add-data="logo3_iMf_icon.icns:." --add-data="logo.png:." --add-data="wifi.gif:." --add-data="sleep.gif:." -d all album_mac.py
3
0
405
Apr ’24
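
Added example, not part of the original post: a Python triage of a `notarytool log` JSON like the one quoted in the post above, grouping issues by message and file so that one cause reported against many binaries reads as a single finding. The sample log is constructed (`Example.zip`, `Example.app`), and `triage` and `report` are hypothetical helper names.

```python
import json
from collections import defaultdict

# Constructed sample, shaped like the `notarytool log` JSON quoted in the post.
DEV_ID = "The binary is not signed with a valid Developer ID certificate."
RUNTIME = "The executable does not have the hardened runtime enabled."
APP = "Example.zip/Example.app/Contents/"
SAMPLE_LOG = json.dumps({
    "status": "Invalid",
    "archiveFilename": "Example.zip",
    "issues": [
        {"severity": "error", "path": APP + "MacOS/Example", "message": DEV_ID, "architecture": "arm64"},
        {"severity": "error", "path": APP + "MacOS/Example", "message": DEV_ID, "architecture": "x86_64"},
        {"severity": "error", "path": APP + "Frameworks/libssl.3.dylib", "message": DEV_ID, "architecture": "arm64"},
        {"severity": "error", "path": APP + "MacOS/Example", "message": RUNTIME, "architecture": "arm64"},
    ],
})


def triage(log_text):
    """Return (status, {message: {path: [architectures]}}) for a notary log."""
    log = json.loads(log_text)
    prefix = log.get("archiveFilename", "") + "/"
    grouped = defaultdict(lambda: defaultdict(list))
    # Treat a missing or null "issues" value as an empty list.
    for issue in log.get("issues") or []:
        path = issue.get("path", "")
        if path.startswith(prefix):  # drop the leading "<archive>/"
            path = path[len(prefix):]
        archs = grouped[issue.get("message", "")][path]
        arch = issue.get("architecture")
        if arch and arch not in archs:  # one entry per file, architectures merged
            archs.append(arch)
    return log.get("status"), {msg: dict(paths) for msg, paths in grouped.items()}


def report(log_text):
    """Render the grouped issues as text lines, one heading per distinct message."""
    status, grouped = triage(log_text)
    lines = [f"status: {status}"]
    for message, paths in grouped.items():
        lines.append(f"{message} ({len(paths)} file(s))")
        lines += [f"  {p} [{', '.join(a)}]" for p, a in sorted(paths.items())]
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```
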