Greetings, everyone!
In case it proves helpful, I've crafted a Bash script to streamline the notarization process.
Here's a breakdown of its features:
Prompts you to select the app for notarization
Offers optional codesigning before notarization
Generates a ZIP file for notarization
Requests your credentials (Apple ID, Team ID, and app-specific password)
Submits the ZIP file for notarization
Cleans up by deleting the ZIP file used for notarization
Staples the app after notarization
Creates a new ZIP file for distribution
You can check it out on GitHub: Notarization Assistant
Notarization
Notarization is the process of scanning Developer ID-signed software for malicious components before distribution outside of the Mac App Store.
questions about Apple's notarization standards
I've found that notarization seems to be based on the team ID, with a shared history. Is my understanding correct?
If an app named ABC is initially notarized under team A, and then later updates are notarized under team B, will there be any issues? In my tests, notarizing the same app under teams A and B didn't cause any problems, but I'm curious about potential issues if there's a change in team IDs in the future.
Is it possible to delete the notarization history or transfer it to a different team ID?
What is the proper process for notarizing an installer package? I have tried every permutation I can find and it always returns "The signature of the binary is invalid".
It's a Qt6 app if that is relevant.
I've bundled and signed the app using:
macdeployqt myapp.app \
-always-overwrite -verbose=1 \
-hardened-runtime \
-sign-for-notarization=\"$${sign_name}\" \
It verifies OK
codesign -v --verify --deep myapp.app
myapp.app: valid on disk
myapp.app: satisfies its Designated Requirement
I have successfully notarized and stapled it:
...
The staple and validate action worked!
This is where I'm not sure of the proper process.
I've used pkgbuild to put the app into .pkg file and successfully signed that using an Installer ID.
pkgutil --check-signature myapp-signed.pkg
Package "myapp-signed.pkg":
Status: signed by a developer certificate issued by Apple for distribution
...
On attempting to notarise this package I get "The signature of the binary is invalid" for every shared library and the executable in the package.
That error message is not very useful, so how do I diagnose the issue? So far I've tried a few things I've found on the forum, but the error is always the same unhelpful one.
I know I have to be doing something wrong. I've been trying to notarize my app for a few days.
I've bundled my app and am able to sign with hardened runtime. When I submit for notary with this command
/Applications/Xcode.app/Contents/Developer/usr/bin/notarytool submit /path/to/your/file.zip --wait --key "/path/to/your/AuthKey_ABCD1234.p8" --key-id "ABCD1234" --issuer "uuid-issuer-id"
it just eventually times out with no feedback or error report.
We have developed a secure desktop app using Qt; we have been developing and delivering this app for more than 2 years. While deploying the app we perform codesigning and notarization, and we use Ventura on the build system. The issue we observed is that if we install this app on any macOS version below Sonoma it works as expected, and in Apparency we can see that the code signature is verified and the app is notarized. But if we install the same app on Sonoma and check in Apparency, it shows that the signature can't be verified.
It throws an error:
[2023-12-07 07:55:36 UZT] DBG-X: parameter MetadataChecksum = 62c853b5b00cf96f96576b4d48ce6d0a
[2023-12-07 07:55:36 UZT] DBG-X: parameter MetadataCompressed = (suppressed)
[2023-12-07 07:55:36 UZT] DBG-X: parameter MetadataInfo = {app_platform=osx, primary_bundle_identifier=ocean.drive.app, device_id=, bundle_identifier=, packageVersion=software5.9, apple_id=, asset_types=[developer-id-package], bundle_version=, bundle_short_version_string=}
[2023-12-07 07:55:36 UZT] DBG-X: parameter OSIdentifier = Mac OS X 12.2.1 (x86_64); jvm=14.0.2+12-iTunesOpenJDK-8; jre=14.0.2+12-iTunesOpenJDK-8
[2023-12-07 07:55:36 UZT] DBG-X: parameter PackageName = 0b641208d73f17697b28370fa99ad8a7.itmsp
[2023-12-07 07:55:36 UZT] DBG-X: parameter PackageSize = 228662271
[2023-12-07 07:55:36 UZT] DBG-X: parameter StatisticsClientStartDateTimeZoneISO = 2023-12-07T07:55:36+05:00
[2023-12-07 07:55:36 UZT] DBG-X: parameter TransporterArguments = -m upload -u @@@@ -vp json -DTxHeaders=eyJqZW5nYSI6dHJ1ZX0= -sessionid @env:8A006125-AC15-400B-9FC2-C4D609DB7FA1 -sharedsecret hidden value -itc_provider PROVIDER -f /var/folders/g9/kz8cw8b57rg14vlnwhc77j840000gn/T/F75419E9-DDDB-4F74-BC71-B970FD924FB4/0b641208d73f17697b28370fa99ad8a7.itmsp -indicator true -v eXtreme -Dtransporter.client=altool -Dtransporter.client.version=5.329 (1309)
[2023-12-07 07:55:36 UZT] DBG-X: parameter Version = 3.3.0
[2023-12-07 07:55:36 UZT] DBG-X: parameter iTMSTransporterMode = upload
[2023-12-07 07:55:36 UZT] INFO: id = 20231207075536-140
[2023-12-07 07:55:36 UZT] INFO: iTMSTransporter Correlation Key: f33460ff-fc03-4158-bed2-b2e99ffd521c-0001
[2023-12-07 07:55:36 UZT] DEBUG: SMART-CLIENT: Host HTTP header: contentdelivery01.itunes.apple.com
[2023-12-07 07:55:36 UZT] DBG-X: Apple's web service operation return value:
[2023-12-07 07:55:36 UZT] DBG-X: parameter Errors = [Unable to process validateMetadata request at this time due to a general error (1019)]
[2023-12-07 07:55:36 UZT] DBG-X: parameter RestartClient = false
[2023-12-07 07:55:36 UZT] DBG-X: parameter ErrorCode = 1019
[2023-12-07 07:55:36 UZT] DBG-X: parameter ErrorMessage = Unable to process validateMetadata request at this time due to a general error (1019)
[2023-12-07 07:55:36 UZT] DBG-X: parameter ShouldUseRESTAPIs = false
[2023-12-07 07:55:36 UZT] DBG-X: parameter Success = false
[2023-12-07 07:55:36 UZT] ERROR: Unable to process validateMetadata request at this time due to a general error (1019)
[2023-12-07 07:55:36 UZT] DBG-X: The error code is: 1019
[2023-12-07 07:55:36 UZT] INFO: JSON:{"msg":{"phase":"Upload","count":2,"description":"Operation failed","index":2},"messageType":"VerifyProgress"}
[2023-12-07 07:55:36 UZT] DBG-X: Returning 1
2023-12-07 07:55:36.750 Out:
Package Summary:
1 package(s) were not uploaded because they had problems:
/var/folders/g9/kz8cw8b57rg14vlnwhc77j840000gn/T/F75419E9-DDDB-4F74-BC71-B970FD924FB4/0b641208d73f17697b28370fa99ad8a7.itmsp - Error Messages:
Unable to process validateMetadata request at this time due to a general error (1019)
2023-12-07 07:55:36.797 *** Error: Notarization failed for '/var/folders/g9/kz8cw8b57rg14vlnwhc77j840000gn/T/electron-notarize-LC5Kmm/OceanDrive.zip'.
2023-12-07 07:55:36.797 *** Error: Unable to process validateMetadata request at this time due to a general error (1019) (1019)
2023-12-07 07:55:36.797 *** Warning: altool has been deprecated for notarization and starting in late 2023 will no longer be supported by the Apple notary service. You should start using notarytool to notarize your software. (-1030)
Hi Guys, I am facing a problem I find difficult to debug.
I had a company Apple ID, a member of the team, that I used for notarization of an app via:
res=$(xcrun notarytool submit ${file_to_notarize} --apple-id stepan.svoboda@memsource.com --password ${password} --team-id PK8H4S4HPF --wait 2>&1)
But I will be leaving the company soon, so we created a new Apple ID, desktop@phrase.com. We invited this ID to the team and assigned it the admin role.
I generated app specific password and I am using it with this new apple ID
But then running:
res=$(xcrun notarytool submit ${file_to_notarize} --apple-id desktop@phrase.com --password ${password} --team-id PK8H4S4HPF --wait 2>&1)
Fails with:
Error: HTTP status code: 401. Unable to authenticate. Invalid session. Ensure that all authentication arguments are correct.
And I have run out of ideas about what to check and what could be wrong.
Hi,
I want to use notarytool to have my installer .pkg notarized by Apple.
The app is a Swift desktop app, not supposed to be distributed through the App Store. It is already signed and notarized through Xcode. Verification is done and it has been approved, so the process should be working.
I'm facing an issue when using notarytool to store credentials. I followed the steps described here: https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow
I created my app-specific password here: https://appleid.apple.com/account/manage
When I try to store credentials I get a 401. What did I miss here?
xcrun notarytool store-credentials --verbose
[07:21:52.672Z] Debug [MAIN] Running notarytool version: 1.0.0 (32), date: 2023-12-01T07:21:52Z, command: /Applications/Xcode.app/Contents/Developer/usr/bin/notarytool store-credentials --verbose
This process stores your credentials securely in the Keychain. You reference these credentials later using a profile name.
Profile name:
notarytool-pw
We recommend using App Store Connect API keys for authentication. If you'd like to authenticate with an Apple ID and app-specific password instead, leave this unspecified.
Path to App Store Connect API private key:
Switching prompts to app-specific password credentials.
Developer Apple ID:
<my developer Apple ID>
App-specific password for <my developer Apple ID>:
<the app specific password I created earlier>
Developer Team ID:
<my developer team ID>
Validating your credentials...
[07:31:40.888Z] Info [API] Initialized Notary API with base URL: https://appstoreconnect.apple.com/notary/v2/
[07:31:40.890Z] Info [API] Preparing GET request to URL: https://appstoreconnect.apple.com/notary/v2/test?, Parameters: [:], Custom Headers: private<Dictionary<String, String>>
[07:31:40.890Z] Debug [AUTHENTICATION] Delaying current request to refresh app-specific password token.
[07:31:40.891Z] Info [API] Preparing GET request to URL: https://appstoreconnect.apple.com/notary/v2/asp?, Parameters: [:], Custom Headers: private<Dictionary<String, String>>
[07:31:40.891Z] Debug [AUTHENTICATION] Authenticating request to '/notary/v2/asp' with Basic Auth. Username: <my developer Apple ID>, Password: private<String>, Team ID: <my developer team ID>
[07:31:40.892Z] Debug [TASKMANAGER] Starting Task Manager loop to wait for asynchronous HTTP calls.
[07:31:41.921Z] Debug [API] Received response status code: 401, message: unauthorized, URL: https://appstoreconnect.apple.com/notary/v2/asp?, Correlation Key: 6WYAHNFB6NYEVPPJOT5KJMNPAE
[07:31:41.922Z] Error [TASKMANAGER] Completed Task with ID 2 has encountered an error.
[07:31:41.922Z] Debug [TASKMANAGER] Ending Task Manager loop.
Error: HTTP status code: 401. Unable to authenticate. Invalid session. Ensure that all authentication arguments are correct.
I've been trying to notarize an installer (.pkg file) on a new laptop. Previous versions have been notarized successfully on a previous Mac.
However, in spite of having the required certificates (same as the old Mac, generated for the new Mac) the submission gets stuck at "In Progress".
Doing it multiple times (even hours apart) doesn't help.
Is there a FAQ / suggested list of steps to help resolve this issue?
Here's what I see:
xcrun notarytool history --keychain-profile "(my profile name)"
results in (problem started with v4, the first version I've tried on this new Mac):
createdDate: 2023-10-17T01:34:36.911Z
id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
name: xxxxxxxxxx-v4.pkg
status: In Progress
--------------------------------------------------
createdDate: 2023-10-17T01:33:59.191Z
id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
name: xxxxxxxxxx-v4.pkg
status: In Progress
--------------------------------------------------
createdDate: 2023-10-16T21:01:25.832Z
id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
name: xxxxxxxxxx-v4.pkg
status: In Progress
--------------------------------------------------
createdDate: 2023-10-16T19:57:44.776Z
id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
name: xxxxxxxxxx-v4.pkg
status: In Progress
--------------------------------------------------
createdDate: 2023-10-02T14:17:34.108Z
id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
name: xxxxxxxxxx-v3.pkg
status: Accepted
--------------------------------------------------
createdDate: 2023-09-28T14:04:46.211Z
id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
name: xxxxxxxxxx-v2.pkg
status: Accepted
--------------------------------------------------
createdDate: 2023-09-20T17:28:46.168Z
id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
name: xxxxxxxxxx-v1.pkg
status: Accepted
--------------------------------------------------
xcrun notarytool log xxxxxxxxxxxxxxxxxxxx --keychain-profile "(my profile name)" results in:
Submission log is not yet available or submissionId does not exist
id: xxxxxxxxxxxxxxxxxxxxxxxx
It seems like a pretty common issue, but I'll make a post about it specifically for what I'm seeing. It's my first time notarizing an app, so maybe it's something in my config, but I'm not seeing any errors.
For simplicity I cloned, built and signed the sample Electron Forge app following the steps on https://www.electronforge.io/ "Getting Started". The build zip is 90MB, so it's not that large. My production application will be a DMG, but even that is stuck (maybe because the zips before it are currently stuck).
Trying to manually notarize via notarytool just hangs. I used xcrun notarytool submit <Package> --keychain-profile "NotaryProfile" --wait
Running xcrun notarytool history --keychain-profile "NotaryProfile" outputs the following.
createdDate: 2023-09-06T14:49:59.810Z
id: 838c0903-d136-4241-be98-174152a7e3cf
name: my-new-app.zip
status: In Progress
--------------------------------------------------
createdDate: 2023-09-06T14:31:08.880Z
id: 1ce6ef46-8b09-4b20-9f61-81292b2dcbb9
name: my-new-app.zip
status: In Progress
--------------------------------------------------
createdDate: 2023-09-06T14:10:23.726Z
id: 71bc9206-036e-46c7-aadf-6bfaa4097743
name: my-new-app.zip
status: In Progress
--------------------------------------------------
createdDate: 2023-09-06T13:54:35.527Z
id: 7c7fd365-1f08-48c6-a314-3a1809019f9c
name: my-new-app.zip
status: In Progress
It's been about 7 hours since my first attempt.
I tried to pull logs by calling xcrun notarytool log --keychain-profile "NotaryProfile" aa6e9df3-ef62-4058-8bcc-683f015b412a but it seems like none exist yet.
Submission log is not yet available or submissionId does not exist
id: aa6e9df3-ef62-4058-8bcc-683f015b412a
Not sure what's going on, but it's pretty far off from the time estimate of 5 - 45 minutes.
Any help is appreciated.
NotaryTool version is 1.0.0 (28)
For a few days now, notarytool has been crashing whenever I run one of my Jenkins jobs where notarytool is called from a shell script.
Based on the debug log, the crash appears around the time that the upload of the binary to be notarized is attempted, when a runloop should be started to run the upload via an async HTTP request:
Debug [TASKMANAGER] Starting Task Manager loop to wait for asynchronous HTTP calls.
The specific job setup looks like this:
Jenkins Job › Run shell script phase › Shell script › Second shell script › notarytool call.
Running the notarytool directly from Terminal works and completes as expected.
Crashlog Snippet:
Path: /Applications/Xcode-14.2.app/Contents/Developer/usr/bin/notarytool
Identifier: notarytool
Version: ???
Code Type: X86-64 (Native)
Parent Process: launchd [1]
Responsible: java [428]
OS Version: macOS 12.6.2 (21G320)
Crashed Thread: 1 Dispatch queue: com.apple.NSURLSession-work
Exception Type: EXC_BAD_INSTRUCTION (SIGILL)
Exception Codes: 0x0000000000000001, 0x0000000000000000
Exception Note: EXC_CORPSE_NOTIFY
Termination Reason: Namespace SIGNAL, Code 4 Illegal instruction: 4
Terminating Process: exc handler [18889]
Application Specific Signatures:
API Misuse
Thread 1 Crashed:: Dispatch queue: com.apple.NSURLSession-work
0 libxpc.dylib 0x7ff81aa2720e _xpc_api_misuse + 117
1 libxpc.dylib 0x7ff81aa128bb xpc_connection_set_target_uid + 193
2 AppSSOCore 0x7ff8264facaa -[SOServiceConnection _connectToService] + 533
3 AppSSOCore 0x7ff8264faa6f -[SOServiceConnection initWithQueue:] + 102
4 AppSSOCore 0x7ff8264fa98a -[SOClient init] + 122
5 AppSSOCore 0x7ff8264fa855 -[SOConfigurationClient init] + 180
6 AppSSOCore 0x7ff8264fa78c __38+[SOConfigurationClient defaultClient]_block_invoke + 16
7 libdispatch.dylib 0x7ff81ab1c317 _dispatch_client_callout + 8
8 libdispatch.dylib 0x7ff81ab1d4fa _dispatch_once_callout + 20
9 AppSSOCore 0x7ff8264fa77a +[SOConfigurationClient defaultClient] + 117
10 AppSSOCore 0x7ff8264fa6af +[SOAuthorizationCore _canPerformAuthorizationWithURL:responseCode:callerBundleIdentifier:useInternalExtensions:] + 130
11 AppSSOCore 0x7ff8264f9df0 appSSO_willHandle + 64
Back in January the exact same setup was still working. Same macOS version. Xcode version might have been different.
Would really appreciate some help since for now re-implementing notarytool appears to be the only solution.
2022-07-24 16:43:30.074 *** Error: Notarization failed for '/var/folders/r1/3j8rdbl95l9csz588j1nc6xc0000gn/T/electron-notarize-gGm3Fr/git-icons.zip'.
2022-07-24 16:43:30.075 *** Error: You do not have required contracts to perform an operation. With error code FORBIDDEN_ERROR.CONTRACT_NOT_VALID for id bb96a1a8-c3c3-4ded-a3c8-2abe369d8881 You do not have required contracts to perform an operation (-19208)
{
NSLocalizedDescription = "You do not have required contracts to perform an operation. With error code FORBIDDEN_ERROR.CONTRACT_NOT_VALID for id bb96a1a8-c3c3-4ded-a3c8-2abe369d8881";
NSLocalizedFailureReason = "You do not have required contracts to perform an operation";
}
IMPORTANT: altool is deprecated for the purposes of notarisation and will stop working on 1 Nov 2023 [1]. If you’re currently notarising with altool, switch to notarytool now. For specific advice on how to do this, see TN3147 Migrating to the latest notarization tool.
General:
DevForums tag: Notarization
WWDC 2018 Session 702 Your Apps and the Future of macOS Security
WWDC 2019 Session 703 All About Notarization
WWDC 2021 Session 10261 Faster and simpler notarization for Mac apps
WWDC 2022 Session 10109 What’s new in notarization for Mac apps — Amongst other things, this introduced the Notary REST API
Notarizing macOS Software Before Distribution documentation
Customizing the Notarization Workflow documentation
Resolving Common Notarization Issues documentation
Notary REST API documentation
TN3147 Migrating to the latest notarization tool technote
Fetching the Notary Log DevForums post
Q&A with the Mac notary service team Developer > News post
Notarisation and the macOS 10.9 SDK DevForums post
Testing a Notarised Product DevForums post
Notarisation Fundamentals DevForums post
The Pros and Cons of Stapling DevForums post
Many notarisation issues are actually code signing or trusted execution issues. For more on those topics, see Code Signing Resources and Trusted Execution Resources.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
[1] See Apple notary service update.
It seems like something changed in notarization in the last few days. I'm running the same build script that creates and notarizes a DMG that contains a PKG with 4 plugins. Everything is signed correctly. No error anywhere in the notarization process.
Checking the status of the notarization, I get this:
Status: success
Status Code: 0
Status Message: Package Approved
Stapling returns this:
The staple and validate action worked!
Yet, if I check the PKG inside with this command:
spctl -a -vvv -t install
I get this output:
.pkg: rejected
source=Unnotarized Developer ID
origin=Developer ID Installer: My Company
This project was perfectly working a few weeks ago, and we have not changed a thing. Checking the notarization log, the only issue I see is this:
"issues": [
{
"severity": "warning",
"code": null,
"path": "Archive.dmg/Installer.pkg",
"message": "This archive is corrupt, and cannot be unpacked for analysis.",
"docUrl": null,
"architecture": null
}
]
But this warning is also present in past DMG/PKG builds that are notarized and work as they should.
Another difference from previous logs is that I can only see one item in ticketContents, which is the DMG, while previously I could see two, both the DMG and the PKG.
I've tried to notarize my app recently and got the error:
{
"logFormatVersion": 1,
"jobId": "...",
"status": "Rejected",
"statusSummary": "Team is not yet configured for notarization",
"statusCode": 7000,
"archiveFilename": "myapp.dmg",
"uploadDate": "2019-06-20T06:24:53Z",
"sha256": "...",
"ticketContents": null,
"issues": null
}
I've never heard about "team configuration for notarization" previously. What are the steps to resolve that issue? Thanks in advance.
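Both of the last two posts come down to reading the notary log that xcrun notarytool log returns: one is an account-level rejection (statusCode 7000), the other an accepted DMG whose inner PKG was never unpacked and so got no ticket. The following is an added example, not code from any post or from Apple, that summarises such a log and turns it into the hints a practitioner would look for; the field names follow the logs quoted on this page, the "path" key inside ticketContents entries is an assumption about the real format, and both sample logs are constructed.

```python
"""Summarise notarytool submission logs (the JSON that `xcrun notarytool log` returns).

Added example for this thread; not code from any post or from Apple. Field names follow
the logs quoted on this page; the "path" key inside ticketContents entries is an
assumption about the real format. Both sample logs below are constructed.
"""
import json

ARCHIVE_CORRUPT = "This archive is corrupt, and cannot be unpacked for analysis."
TEAM_NOT_CONFIGURED = 7000  # statusCode of the "Team is not yet configured" rejection

# Constructed sample: an account-level rejection like the last post on this page.
REJECTED_LOG = """{"logFormatVersion": 1, "jobId": "00000000-0000-0000-0000-000000000000",
 "status": "Rejected", "statusSummary": "Team is not yet configured for notarization",
 "statusCode": 7000, "archiveFilename": "myapp.dmg", "uploadDate": "2019-06-20T06:24:53Z",
 "sha256": "<constructed>", "ticketContents": null, "issues": null}"""

# Constructed sample: accepted DMG whose inner PKG could not be unpacked, so only the
# outer archive appears in ticketContents (the situation in the DMG/PKG post above).
ACCEPTED_LOG = """{"logFormatVersion": 1, "jobId": "11111111-1111-1111-1111-111111111111",
 "status": "Accepted", "statusSummary": "Ready for distribution", "statusCode": 0,
 "archiveFilename": "Archive.dmg", "uploadDate": "2023-12-01T10:00:00Z",
 "sha256": "<constructed>",
 "ticketContents": [{"path": "Archive.dmg", "digestAlgorithm": "SHA-256",
                     "cdhash": "<constructed>", "arch": "x86_64"}],
 "issues": [{"severity": "warning", "code": null, "path": "Archive.dmg/Installer.pkg",
             "message": "This archive is corrupt, and cannot be unpacked for analysis.",
             "docUrl": null, "architecture": null}]}"""


def summarize_log(log_text):
    """Parse one notary log (JSON text) into a compact summary dict."""
    log = json.loads(log_text)
    issues = log.get("issues") or []          # null when nothing was analysed
    tickets = log.get("ticketContents") or []  # null on rejection
    return {
        "status": log.get("status"),
        "status_code": log.get("statusCode"),
        "summary": log.get("statusSummary"),
        "archive": log.get("archiveFilename"),
        "errors": [i for i in issues if i.get("severity") == "error"],
        "warnings": [i for i in issues if i.get("severity") == "warning"],
        "ticketed_paths": [t.get("path") for t in tickets],
    }


def diagnose(summary):
    """Turn a summary into hints for the failure modes discussed in this thread."""
    hints = []
    if summary["status"] != "Accepted":
        hints.append(f"{summary['status']}: {summary['summary']}")
    if summary["status_code"] == TEAM_NOT_CONFIGURED:
        hints.append("account-level rejection (statusCode 7000): the team configuration, "
                     "not the archive, must be fixed before resubmitting")
    for issue in summary["errors"]:
        hints.append(f"error at {issue.get('path')}: {issue.get('message')}")
    for issue in summary["warnings"]:
        if issue.get("message") == ARCHIVE_CORRUPT:
            hints.append(f"{issue.get('path')} was not unpacked, so nothing inside it "
                         "was analysed; check whether it appears in ticketContents")
    # If only the outer archive got a ticket, nested items such as a PKG inside a DMG are
    # not covered, which is why spctl -t install reports them as Unnotarized Developer ID.
    if summary["status"] == "Accepted" and summary["ticketed_paths"] == [summary["archive"]]:
        hints.append(f"only {summary['archive']} itself was ticketed; nested payloads were not")
    return hints
```

Run it against the JSON saved from xcrun notarytool log to get the same hints for a real submission; an empty hint list on an Accepted log means every item in the archive received a ticket.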