Hi!
Trying to use notarytool for an app notarization via a script on a CD pipeline. The build machine has Xcode 12.5 installed and currently it can't be upgraded. So, our team decided to use the utility as a standalone binary, placed in the /Applications directory.
The command used for notarization: '/Applications/notarytool submit '<path>' --keychain-profile '<profile-name>' --output-format 'json' --wait'.
Before running the command above, we saved keychain profile with notarytool store-credentials command. However, future runs of notarization script fail with a message: 'Error: No Keychain password item found for profile: '. But we definitely see it among Keychain entries and 'security find-generic-password -l ' command approves that profile has been saved.
Did anyone encounter a similar issue? Can someone suggest how to cope with this behavior?
Thank you in advance for any ideas
Notarization
Notarization is the process of scanning Developer ID-signed software for malicious components before distribution outside of the Mac App Store.
MyPythonExe is a compiled file coming from a python script compiled using pyinstaller. After being compiled, it was signed using codesign:
codesign -s "Developer ID TTT", -o runtime -f --timestamp MyPythonExe
Once signed, the exe was placed in a Zip container (exeZip), and then successfully notarized using the following:
xcrun notarytool submit exeZip --keychain-profile "MyNotarProf" --wait
It was accepted.
Now, when I try to run it, the following error is thrown (oddly, the compiled unsigned Exe runs on the same computer without any issues):
/Users/admin/Downloads/MyPythonExe ; exit;
admin@admins-MacBook-Air ~ % /Users/admin/Downloads/MyPythonExe ; exit;
[1767] Error loading Python lib '/var/folders/80/35xy0t2n3t96b5nl5ldl24_r0000gn/T/_MEIEhOx1q/Python': dlopen: dlopen(/var/folders/80/35xy0t2n3t96b5nl5ldl24_r0000gn/T/_MEIEhOx1q/Python, 0x000A): tried: '/var/folders/80/35xy0t2n3t96b5nl5ldl24_r0000gn/T/_MEIEhOx1q/Python' (code signature in <88BFFD37-99D8-36AB-9B95-9F54B30BD667> '/private/var/folders/80/35xy0t2n3t96b5nl5ldl24_r0000gn/T/_MEIEhOx1q/Python' not valid for use in process: mapped file has no Team ID and is not a platform binary (signed with custom identity or adhoc?)), '/System/Volumes/Preboot/Cryptexes/OS/var/folders/80/35xy0t2n3t96b5nl5ldl24_r0000gn/T/_MEIEhOx1q/Python' (no such file), .... (+ a couple of similar errors)
No, the said exe file (MyPythonExe) was signed and successfully notarized. Oddly, the very same file, but unsigned runs perfectly well (after being authorized so it can surpass Gatekeeper, of course). What could be going on here? Any hint on how to overcome this issue?
I'm trying to staple a validation ticket to an exe file that is already notarized. The process ended with the following error:
Downloaded ticket has been stored at file:///var/folders/bj/ry08v0694972s03cswkq5md80000gq/T/7f1a34f0-8628-4157-92b0-b59cebe70951.ticket.
Could not remove existing ticket from file:///Users/efi-admin/Downloads/ActualSignedFile/Contents/CodeResources because an error occurred. Error Domain=NSCocoaErrorDomain Code=512 "“CodeResources” couldn’t be removed." UserInfo={NSUserStringVariant=(
Remove
), NSFilePath=/Users/efi-admin/Downloads/ActualSignedFile/Contents/CodeResources, NSUnderlyingError=0x600000151e90 {Error Domain=NSPOSIXErrorDomain Code=20 "Not a directory"}}
The staple and validate action failed! Error 73.
The above was captured using the verbose option of the cmd...
Among the response, I can see the ticket:
fields = {
signedTicket = {
type = BYTES;
value = "czhjaAEAAADxBQAALQAAADCCBe0wggL/MIICpKADAgECAghWLFU2G59vVTAKBggqhkjOPQQDAjByMSYwJAYDVQQDDB1BcHBsZSBTeXN0ZW0gSW50ZWdyYXRpb24gQ0EgNDEmMCQGA1UE.... (partial)
I need help to properly understand what this cmd is doing, as the issue might be a permissions one.
The path mentioned above under /ActualSignedFile:
/ActualSignedFile/Contents/CodeResources
does not exist. Is it that the cmd wants to create it?
Is there any way to manually attach the ticket to the file, given the fact that it is printed in verbose mode?
Thanks!
Any help will be highly appreciated!
I am trying to notarise a .dmg of my desktop application, but the process seems to just hang on 'In Progress'. It's not actually hanging, as I accumulate extra '.', but clearly it isn't working.
This exact same codebase notarised fine recently. The only change has been a downgrade in OS from Monterey to Big Sur.
I appreciate this is unusual, but I am required to support my client, who is running a 2013 MacBook Pro with Big Sur.
I appreciate that some of these tools are newer than Big Sur, but surely it should work?
I'm trying to notarize a simple Electron app (packaged with electron-forge, zip size: 150MB) using new notarytool.
When submitting the bundle it hangs on IN PROGRESS for more than 20 hours with no result yet.
I verified the app is signed.
Does anybody have an idea what's wrong?
notarytool version: 1.0.0 (28)
Hello,
I have a valid developer ID downloaded from Apple. I signed the code (compiled exe file for intel Macs) and put it into a ZIP, which I also signed.
While signing I use timestamp and hardener option:
codesign -s "$LbaDevID" -o runtime -f --timestamp $conFile3
codesign -s "$LbaDevID" -o runtime -f --timestamp $conZip3
where the variable $LbaDevID represents my Dev code id (VALID, downloaded from Apple after requesting the cert), $conFile3 is the path to the exe file, and $conZip3 is the path to the ZIP (just $conFile3 zipped).
I attempt to notarize using the following command:
xcrun notarytool submit $compZip3 --keychain-profile "TestAppNotarz" --wait
the reply Log downloaded says:
Invalid dev ID (which is valid)
no timestamp... I corrected this error after the 1st attempt but the reply says exactly the same, even when I can see "TIMESTAMP" in the signature.
The third and last error refers to the runtime, which is present but not being seen.
Any help on how to troubleshoot this issue will be highly appreciated!
Please point me to the relevant documentation to solve this issue...
Just got my brand new M1 Max laptop and am excited to get with the times and use notary tool instead of altool as recommended by the mothership but when I try to notarize the same file that altool notarizes successfully it fails.
Here is my successful altool command:
xcrun altool --notarize-app --primary-bundle-id "My Kool Tool" --username "***@***.com" -p "@keychain:ac_notary" --asc-provider XXXXXXXXXXXX --file *.zip && rm *.zip
and this is the notary tool command that fails on the same file:
xcrun notarytool submit *.zip --keychain-profile "XXXXXX Apple Developer" --wait && rm *.zip
Here is the output:
Conducting pre-submission checks for archive.zip and initiating connection to the Apple notary service...
Submission ID received
id: e20c0438-5576-4361-a11a-2efeb8exxxxx
Successfully uploaded file
id: e20c0438-5576-4361-a11a-2efeb8exxxxx
path: /Users/***/Documents/archive.zip
Waiting for processing to complete.
Current status: Invalid..........
Processing complete
id: e20c0438-5576-4361-a11a-2efeb8exxxxx
status: Invalid
and the log:
xcrun notarytool log e20c0438-5576-4361-a11a-2efeb8exxxxx --keychain-profile "XXXXXX Apple Developer"
{
  "logFormatVersion": 1,
  "jobId": "e20c0438-5576-4361-a11a-2efeb8exxxxx",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "archive.zip",
  "uploadDate": "2021-12-07T18:57:23.193Z",
  "sha256": "505d76b420d46bfd01d56c724de1c8d20121d75b0ca6cee96a51549708ec46ee",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "archive.zip",
      "message": "Package archive.zip has no signed executables or bundles. No tickets can be generated.",
      "docUrl": null,
      "architecture": null
    }
  ]
}
again, the same file notarizes with altool so it is properly signed
It is worth noting that if I don't include the --asc-provider in the altool command it fails so maybe I just need to do the same with the notary tool but can't find any documentation on how to do that.
Help Obi Wan
{
  "logFormatVersion": 1,
  "status": "Rejected",
  "statusSummary": "Team is not yet configured for notarization. Please contact Developer Programs Support at developer.apple.com under the topic Development and Technical / Other Development or Technical Questions.",
  "statusCode": 7000,
  "ticketContents": null,
  "issues": null
}
I've tried notarizing my electron app but I get this error all the time.
I've contacted Apple Developer Technical Team but I've been redirected to Developer Programs Support.
I've asked them to approve the Team for notarization and they've redirected me back to Technical Team and said that the Team is not approved for notarization, which I know already from the logs error.
I've watched every topic related to this Team is not yet configured for notarization issue, like: https://developer.apple.com/forums/thread/118465
But it didn't help much, because I suppose it's something that the Developer Programs Support needs to approve.
My Team seems configured in App Connect, everything seems to be in place, I've accepted all the agreements, don't know what else to accept or do for Team to be approved, I didn't receive next steps from the Apple Developer Program Support Team.
It's been 2 months since I'm trying to notarize and the deadline is coming, so please if anybody can help out to fix this.
Thank you
Hi people, I hope you could help me as I am stuck in a dead end.
I am a developer for a company and we are changing from altool to notarytool.
Prior to that the code of the app has not been signed.
So now what I do is:
codesign --deep --force --verbose --timestamp --options runtime --sign "Developer ID Application: Phrase a.s. (${PHRASE_ID})" ${codesigne_app}
The result of this operation is verified with
codesign --deep --strict --vvv ${codesigne_app}
which ends in a lot of --prepared and --validated lines with
TranslationEditor.app: valid on disk
TranslationEditor.app: satisfies its Designated Requirement
Yet when I try to upload for notarization
res=$(xcrun notarytool submit te-build/dist/app/TranslationEditor.app.zip --apple-id stepan.svoboda@memsource.com --password $APP_PASSWORD --team-id ${PHRASE_ID} --wait 2>&1)
I get
{
  "logFormatVersion": 1,
  "jobId": "2b959997-4ac5-4bc5-a220-8f46d6b91a9b",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "TranslationEditor.app.zip",
  "uploadDate": "2023-08-29T05:53:39.152Z",
  "sha256": "938633e08d17f1d658ada3987017a8e9bf5afee96e5f976b31809df5daf5677c",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "TranslationEditor.app.zip/TranslationEditor.app/Contents/MacOS/TranslationEditor",
      "message": "The signature of the binary is invalid.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087735",
      "architecture": "x86_64"
    }
  ]
}
I visited the link, tried to google and ask ChatGPT about it. Tried to verify the codesign ...
Do you know how I can learn why the signature of the binary is invalid? Maybe to get some more detailed log? Something that hints at what was deemed invalid?
How can I debug that? How can I learn what is wrong? I am short on ideas.
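A way to triage the JSON that notarytool log returns in a build pipeline, as an added example that is not part of any post on this page. The sample logs are constructed to match the shape of the logs quoted in the posts (including the "issues": null case of the Rejected log), and the function name triage is hypothetical.

```python
import json

# Constructed sample logs, shaped like the notary log replies quoted in the posts.
INVALID_LOG = """{
  "logFormatVersion": 1,
  "jobId": "00000000-0000-0000-0000-000000000000",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "Example.app.zip",
  "ticketContents": null,
  "issues": [
    {"severity": "error", "code": null,
     "path": "Example.app.zip/Example.app/Contents/MacOS/Example",
     "message": "The signature of the binary is invalid.",
     "docUrl": null, "architecture": "x86_64"},
    {"severity": "warning", "code": null,
     "path": "Example.app.zip/Example.app/Contents/Frameworks/libexample.dylib",
     "message": "Constructed warning text.",
     "docUrl": null, "architecture": "arm64"}
  ]
}"""
REJECTED_LOG = """{"logFormatVersion": 1, "status": "Rejected",
  "statusSummary": "Team is not yet configured for notarization.",
  "statusCode": 7000, "ticketContents": null, "issues": null}"""


def triage(log_text):
    """Return (ok, errors_by_path, summary) for one notary log document."""
    log = json.loads(log_text)
    status = log.get("status", "<missing>")
    summary = f"{status} ({log.get('statusCode')}): {log.get('statusSummary')}"
    errors_by_path = {}
    # "issues" is null, not an empty list, when the whole submission is rejected.
    for issue in log.get("issues") or []:
        if issue.get("severity") != "error":
            continue
        arch = issue.get("architecture") or "n/a"
        errors_by_path.setdefault(issue.get("path"), []).append(
            f"[{arch}] {issue.get('message')}")
    # Gate on the status as well: a Rejected log carries no issues at all.
    ok = status == "Accepted" and not errors_by_path
    return ok, errors_by_path, summary


if __name__ == "__main__":
    for sample in (INVALID_LOG, REJECTED_LOG):
        ok, errors, summary = triage(sample)
        print("PASS" if ok else "FAIL", summary)
        for path, messages in errors.items():
            print("  " + path)
            for message in messages:
                print("    " + message)
```

Grouping errors by path shows which nested binary in the archive needs re-signing, which the one-line status summary does not.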
I'm using quill 0.2.0 to sign and notarize an arm64 binary and I've been getting an HTTP 400 error from the notarization server. Signing and notarization have worked without hiccups throughout this year, but last night after getting the error it ended up working without any changes to the certs or call to quill.
This morning started getting the error again and only 1 of the 2 binaries were able to be signed with retries. Still getting this error on 1:
<HTML><HEAD>\n<TITLE>Bad Request</TITLE>\n</HEAD><BODY>\n<H1>Bad Request</H1>\nYour browser sent a request that this server could not understand.<P>\nReference #7.4c822c17.1692969095.ec8f4c4b\n</BODY>\n</HTML>\n
Is there a change being rolled out for the apple notarization service that requires a change on the client end? Or should this really be an http 500 error?
I publish a universal application built with Qt. When I run notarytool the application runs on Apple Silicon, but not on Intel Macs. It complains about a Qt framework not found.
When I run "xcrun altool" on my older Mac the application runs on both platforms without problems.
This is the command I use, but must migrate, to notarize a macOS app:
xcrun altool --notarize-app -f "$outputDmg" --primary-bundle-id "$notarizeBundleId" -u "$notarizeUser" -p "@keychain:AC_PASSWORD"
The migration docs I read implied that the following should work:
xcrun notarytool submit --apple-id "$notarizeUser" "--team-id" $notarizeTeam --password "@keychain:AC_PASSWORD" "$outputDmg"
But it doesn't. I can get it to work only if I put the password from the keychain on the command line. I cannot accept this.
What can I do to make this work?
Since upgrading to Xcode 12.5, attempting to submit an app for notarization with /usr/bin/xcrun altool --notarize-app has started failing ~10% of the time with the error Upload succeeded but did not receive a RequestUUID.. Has anyone else encountered this issue?
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>os-version</key>
    <string>11.2.0</string>
    <key>product-errors</key>
    <array>
        <dict>
            <key>code</key>
            <integer>-1018</integer>
            <key>message</key>
            <string>Upload succeeded but did not receive a RequestUUID.</string>
            <key>userInfo</key>
            <dict>
                <key>NSLocalizedDescription</key>
                <string>Upload succeeded but did not receive a RequestUUID.</string>
                <key>NSLocalizedFailureReason</key>
                <string>Unable to upload your app for notarization.</string>
            </dict>
        </dict>
    </array>
    <key>tool-path</key>
    <string>/Applications/Xcode.app/Contents/SharedFrameworks/ContentDeliveryServices.framework/Versions/A/Frameworks/AppStoreService.framework</string>
    <key>tool-version</key>
    <string>4.050.1210</string>
</dict>
</plist>
Notarization step fails: New AppID and password created:
xcrun notarytool submit ".dmg" --apple-id "" --team-id "" --password "" --verbose --wait
Error: HTTP status code: 401. Your Apple ID has been locked. Visit iForgot to reset your account (https://iforgot.apple.com), then generate a new app-specific password. Ensure that all authentication arguments are correct.
I have reset the app password many times, no result.
Codesigning completes normally:
Mac OS 11.5.2
Xcode 13.2.1
We're in the process of updating an app that we released approximately a year ago -- which had no issues with codesigning and notarization in our last release.
The current version fails at the initial submission process; stating that the file "must be a zip archive (.zip), flat installer package (.pkg), or UDIF disk image (.dmg)"
The process itself we're taking is rather straightforward, and follows much of what I've seen repeated on the forums here.
A few additional details:
The app itself (a Unity project with a lot of content that needs to be shipped with the app) is quite large, weighing in at around 20GB.
Despite this large size, we were able to go through this process in the past with no issues.
I was originally running Xcode 13 on Big Sur, but upgraded to Xcode 14 on Ventura to no avail.
Our notarization script runs the following:
ditto -c -k --keepParent OurAppName.app NotarizationFileName.zip
xcrun notarytool submit NotarizationFileName.zip --keychain-profile OUR_CREDENTIAL_PROFILE --wait
When we add --verbose to the xcrun command; this is our output:
$ Build > xcrun notarytool submit NotarizationFileName.zip --keychain-profile OUR_CREDENTIAL_PROFILE --wait --verbose
[23:01:54.643Z] Debug [MAIN] Running notarytool version: 1.0.0 (27), date: 2023-03-25T23:01:54Z, command: /Applications/Xcode.app/Contents/Developer/usr/bin/notarytool submit NotarizationFileName.zip --keychain-profile OUR_CREDENTIAL_PROFILE --wait --verbose
Conducting pre-submission checks for NotarizationFileName.zip and initiating connection to the Apple notary service...
[23:01:54.717Z] Info [PREFLIGHT] NotarizationFileName.zip is not a zip archive. warning [/Users/michael/.jenkins/workspace/bastion-add-build-tools/Build/NotarizationFileName.zip]: 17179869184 extra bytes at beginning or within zipfile
(attempting to process anyway)
. Err: 1
[23:01:54.729Z] Debug [PREFLIGHT] NotarizationFileName.zip did not pass the disk image potentiality test. Moving on to other tests.
[23:01:54.730Z] Debug [PREFLIGHT] NotarizationFileName.zip is not a flat installer package.
[23:01:54.731Z] Debug [PREFLIGHT] Finished completing determination of file type for NotarizationFileName.zip. Operation took 80ms.
Error: NotarizationFileName.zip must be a zip archive (.zip), flat installer package (.pkg), or UDIF disk image (.dmg)
Usage: notarytool <subcommand>
See 'notarytool --help' for more information.
I am making the switch from altool to notarytool and I've run into a brick wall trying to submit our app zip. It is created using ditto -c -k --keepParent "path-to-app" "path-to-zip"
On submission I get:
Error: <app-name>.zip must be a zip archive (.zip), flat installer package (.pkg), or UDIF disk image (.dmg)
Absolutely baffled by this.
When altool notarizes my apps, I get an email confirmation to my Apple ID email address. This does not happen with notarytool. Is this expected behavior?