I'm using a git actions CI/CD pipeline for my automated deployment and I'd like to include notarisation in this process. Right now when I'm submitting for notarisation manually/locally it's taking around 24 hours and then is eventually successfully accepted.
Using a git actions server to do this has a cost per minute (and an even higher cost at 10x per minute for a Mac-OS machine), so notarising with a 24hr turnaround time is not feasible.
I've submitted my application many times and it's been the same experience each time, taking around 24 hours and then being accepted. How can I shorten the time frame on this or even find out what I might be doing wrong to cause such a long time for a response?
Here is my log:
{
"logFormatVersion": 1,
"jobId": "3ccf4652-60dc-4fd1-b281-23d49b2b7bb1",
"status": "Accepted",
"statusSummary": "Ready for distribution",
"statusCode": 0,
"archiveFilename": "AudioMap.dmg",
"uploadDate": "2024-07-14T16:51:02.848Z",
"sha256": "614c5992133d61094b39b6a5d00a225d2fc7efe78ab0e59cd47c78275602cb59",
"ticketContents": [
{
"path": "AudioMap.dmg",
"digestAlgorithm": "SHA-256",
"cdhash": "9d4f500a2fd49769b99f921d3fbe8ef753604abe"
},
{
"path": "AudioMap.dmg/AudioMap.app",
"digestAlgorithm": "SHA-256",
"cdhash": "b1fa9c86be805ef28c645f3b03631e2e5873ce77",
"arch": "arm64"
},
{
"path": "AudioMap.dmg/AudioMap.app/Contents/Frameworks/libsodium.26.dylib",
"digestAlgorithm": "SHA-256",
"cdhash": "6228e3fdcd29c080ae45d1bc5a6af10960db8938",
"arch": "arm64"
},
{
"path": "AudioMap.dmg/AudioMap.app/Contents/MacOS/AudioMap",
"digestAlgorithm": "SHA-256",
"cdhash": "b1fa9c86be805ef28c645f3b03631e2e5873ce77",
"arch": "arm64"
},
{
"path": "AudioMap.dmg/AudioMap.app/Contents/Frameworks/libsodium.26.dylib",
"digestAlgorithm": "SHA-256",
"cdhash": "6228e3fdcd29c080ae45d1bc5a6af10960db8938",
"arch": "arm64"
}
],
"issues": null
}
Notarization
Notarization is the process of scanning Developer ID-signed software for malicious components before distribution outside of the Mac App Store.
codesign --sign "Apple Development: deok cheul kim (DK46XUS3ZB)" --deep --force --options=runtime --entitlements ./entitlements.plist --timestamp ./mediasend_PC_module_mac_V1.app
codesign -vvv --deep --strict mediasend_PC_module_mac_V1.app
mediasend_PC_module_mac_V1.app: valid on disk
mediasend_PC_module_mac_V1.app: satisfies its Designated Requirement
spctl --assess --type execute --verbose mediasend_PC_module_mac_V1.app
mediasend_PC_module_mac_V1.app: rejected
xcrun notarytool store-credentials "kdcProfile" --apple-id "kdc07..." --password "emfc-lmhz-kynx-xqyy"
ditto -c -k --sequesterRsrc --keepParent mediasend_PC_module_mac_V1.app mediasend_PC_module_mac_V1.zip
xcrun notarytool submit "mediasend_PC_module_mac_V1.zip" --keychain-profile "kdcProfile" --wait
Conducting pre-submission checks for mediasend_PC_module_mac_V1.zip and initiating connection to the Apple notary service...
Submission ID received
id: 431e50cc-131a-48eb-be1e-6e1139dea347
Upload progress: 100.00% (15.7 MB of 15.7 MB)
Successfully uploaded file
id: 431e50cc-131a-48eb-be1e-6e1139dea347
path: /Users/sinaburo7/Desktop/appleCert/mediasend_PC_module_mac_V1.zip
Waiting for processing to complete.
Current status: Invalid............
Processing complete
id: 431e50cc-131a-48eb-be1e-6e1139dea347
status: Invalid
xcrun notarytool log 431e50cc-131a-48eb-be1e-6e1139dea347 --keychain-profile "kdcProfile"
{
"logFormatVersion": 1,
"jobId": "431e50cc-131a-48eb-be1e-6e1139dea347",
"status": "Invalid",
"statusSummary": "Archive contains critical validation errors",
"statusCode": 4000,
"archiveFilename": "mediasend_PC_module_mac_V1.zip",
"uploadDate": "2024-04-30T04:19:29.294Z",
"sha256": "0661974c3a2e073ab21b15bd0c65a8647bfe756fa42e07d2bb0522a20850de32",
"ticketContents": null,
"issues": [
{
"severity": "error",
"code": null,
"path": "mediasend_PC_module_mac_V1.zip/mediasend_PC_module_mac_V1.app/Contents/MacOS/mediasend_PC_module_mac_V1",
"message": "The binary is not signed with a valid Developer ID certificate.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "mediasend_PC_module_mac_V1.zip/mediasend_PC_module_mac_V1.app/Contents/Frameworks/libtcl8.6.dylib",
"message": "The binary is not signed with a valid Developer ID certificate.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "mediasend_PC_module_mac_V1.zip/mediasend_PC_module_mac_V1.app/Contents/Frameworks/libssl.3.dylib",
"message": "The binary is not signed with a valid Developer ID certificate.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
"architecture": "arm64"
},
...
This is how it went.
I don't know why the error occurs.
For reference, the python app was installed using the script below.
pyinstaller --onedir --hidden-import=PIL --hidden-import=flask --hidden-import=psutil --hidden-import=requests --name mediasend_PC_module_mac_V1 --icon=logo3_iMf_icon.icns --noconsole --add-data="logo3_iMf_icon.icns:." --add-data="logo.png:." --add-data="wifi.gif:." --add-data="sleep.gif:." -d all album_mac.py
Up until about 6 months ago, I was receiving the Apple success or failed email notifications. I no longer get them and can't figure out why. I checked my email rules and even the quarantine in Exchange. What can cause this and what else can I check? I am an Admin on the account but not the Account holder though.
"My .dmg notarization has taken more than 12 hours. Who should I contact for assistance?"
Successfully received submission info
createdDate: 2024-07-09T13:01:15.078Z
id: 62b98f94-e554-4194-a84c-3ec621311d47
name: SecuCompRSA.dmg
status: In Progress
Xcode:15.3.
macOS:14.3(23D56)
Hi,
I am getting the following error from the following command, although I am 100% sure that I am entering the right credentials:
Command:
xcrun notarytool store-credentials "MY_PROFILE" --apple-id “***” --team-id "yyy" --password "zzz"
Error:
Error: HTTP status code: 401. Invalid credentials. Username or password is incorrect. Use the app-specific password generated at appleid.apple.com. Ensure that all authentication arguments are correct.
***->https://appleid.apple.com/account/manage/email and phone number -> apple id email (email address used for developer account)
yyy->https://developer.apple.com/account#MembershipDetailsCard/Team ID -> 10 digit number
zzz->https://appleid.apple.com/account/manage/App-Specific Passwords created and used
I just copy pasted every single item from the defined locations above.
I would appreciate an answer.
Best Regards
Hello,
I am currently developing a macOS application using macOS 10.15.7 and Xcode 11.1. My application is distributed directly to users via a server, not through the App Store. I recently came across the following announcement:
"Starting November 1, 2023, the Apple notary service no longer accepts uploads from altool or Xcode 13 or earlier. If you notarize your Mac software with the Apple notary service using the altool command-line utility or Xcode 13 or earlier, you need to transition to the notarytool command-line utility or upgrade to Xcode 14 or later."
Given this change, I understand that I need to use notarytool or upgrade to Xcode 14 or later for notarization. However, upgrading my current development environment is not feasible at the moment.
I would like to know if it is possible to build my application on my current environment (macOS 10.15.7 and Xcode 11.1) and then transfer the built application to a separate machine running macOS 11.0 or later with Xcode 14 or later installed, to perform the notarization using notarytool.
Could you please confirm if this approach is acceptable and if there are any specific steps or considerations I should be aware of when using notarytool on a separate machine for notarizing my application?
Thank you for your assistance.
Best regards,
WJohn
This afternoon notarization started throwing an error in terminal. I confirmed that the NOTARIZE_APP_LOG was created, but empty. I have been notarizing our apps on this machine (intel-12.7) with Xcode 13.4.1 for over a year without issue. Any suggestions would be greatly appreciated
9192 Bus error: 10 xcrun notarytool submit --apple-id "$ASC_USERNAME" --password "$ASC_PASSWORD" --team-id "$ASC_TEAM" "$ZIP_PATH" > "$NOTARIZE_APP_LOG" 2>&1
Translated Report (Full Report Below)
Process: notarytool [9192]
Path: /Library/Developer/CommandLineTools/usr/bin/notarytool
Identifier: notarytool
Version: ???
Code Type: X86-64 (Native)
Parent Process: bash [2167]
Responsible: Terminal [2142]
User ID: 501
Date/Time: 2024-07-02 16:29:33.5256 -0600
OS Version: macOS 12.7 (21G816)
Report Version: 12
Bridge OS Version: 8.0 (21P365)
Anonymous UUID: 9AFB52C6-5CA1-7AE0-C249-9D090ABDFD28
Time Awake Since Boot: 820 seconds
System Integrity Protection: enabled
Crashed Thread: 1 Dispatch queue: nio.nioTransportServices.connectionchannel
Exception Type: EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000700009d77ff0
Exception Codes: 0x0000000000000002, 0x0000700009d77ff0
Exception Note: EXC_CORPSE_NOTIFY
Termination Reason: Namespace SIGNAL, Code 10 Bus error: 10
Terminating Process: exc handler [9192]
We've been notarizing apps for a while now and have been through agreement changes before. But we still keep getting the following error when trying to notarize:
Conducting pre-submission checks for myapp.dmg and initiating connection to the Apple notary service...
Error: HTTP status code: 403. A required agreement is missing or has expired. This request requires an in-effect agreement that has not been signed or has expired. Ensure your team has signed the necessary legal agreements and that they are not expired.
We've been through every document in our account to ensure it is signed. Is there any way to determine what document is not signed or what our issue is? ...thanks
2022-07-24 16:43:30.074 *** Error: Notarization failed for '/var/folders/r1/3j8rdbl95l9csz588j1nc6xc0000gn/T/electron-notarize-gGm3Fr/git-icons.zip'.
2022-07-24 16:43:30.075 *** Error: You do not have required contracts to perform an operation. With error code FORBIDDEN_ERROR.CONTRACT_NOT_VALID for id bb96a1a8-c3c3-4ded-a3c8-2abe369d8881 You do not have required contracts to perform an operation (-19208)
{
NSLocalizedDescription = "You do not have required contracts to perform an operation. With error code FORBIDDEN_ERROR.CONTRACT_NOT_VALID for id bb96a1a8-c3c3-4ded-a3c8-2abe369d8881";
NSLocalizedFailureReason = "You do not have required contracts to perform an operation";
}
Good day,
I'm trying to get my app notarized, so I can distribute it, but my submissions get stuck on 'In Progress'.
On the 20th of June I made several submissions which seem to have disappeared. When I do 'xcrun notarytool history' they are not there anymore.
On the 21st of June I made 2 new submission attempts with ids d68ca68e-ddfb-42c2-a491-0b24ac6efdc2 and 5f0118c9-0edd-4213-827b-a2ff53e40f27, which had been running for several hours last time I checked on the 21st, but have also disappeared over the weekend from my history.
I checked the app with the steps described here: https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues, but all the checks were fine.
Since there is no error message or log, I have no clue why my submissions get stuck on 'In Progress' or disappear.
I've just submitted a new attempt with id 23a39a69-79a8-435c-a500-17ce1422c1fc and again it's stuck. Can anybody give any assistance?
Error code 1
"bundle format unrecognized, invalid, or unsuitable"
Yea, I'm trying to codesign a python app which has been bundled with py2app, but without success.
The codesign process logs a whole bunch of files with the above error.
```python
def sign_file(file_path, certificate_common_name, hardened_runtime=False):
    sign_command = [
        "codesign", "-s", certificate_common_name,
        "--force", "--timestamp", "-v", file_path
    ]
    if hardened_runtime:
        sign_command.append("--options=runtime")
    success, message = run_command(sign_command)
```
There are literally hundreds of files that fail, and the path may look something like this:
code/dist/Impulse.app/Contents/Resources/lib/python3.10/plotly/validators/splom/marker:
Needless to say, notarization returns "failed".
Any help would be greatly appreciated.
Steven
I have signed and notarized a single executable file command line tool developed outside Xcode, and distributed outside of the App store by way of a download from a website as follows below, but nevertheless gatekeeper blocks running the tool with the usual message, just like without signing or notarization.
If I remove the com.apple.quarantine xattr, the tool runs as it should without gatekeeper interference, as expected.
I have browsed countless posts here, with similar issues, but in the end I can't find what's wrong with the process.
From what I gather, as long as the target Mac is connected to the Internet, stapling should not be required (I do understand I can't staple a single file executable command line tool), although Gatekeeper would be expected to complain in the case of the first run being done without Internet connection.
The certificate is a "Developer Id Application" certificate, installed and valid on the machine doing the signing.
It is unclear to me what the distinction is between "Developer Id Application" and "Developer Id Installer" certificates, but it's confusing that using -t install with spctl will actually accept the app.
The app is open source and available on GitHub (although the full distribution packaging is done in a separate build environment with some additional logic). The app used below as the target for signing and notarization is available to download from https://www.axantum.com/ in a .tar.gz archive.
Here follows a log of commands and output:
XecretsCli.plist: (This was necessary to add to the signing to avoid corruption of the executable by the code signing)
codesign -s GCXRMT5SQC -f --timestamp -s 0CF6800E595AA6DE9EBB905066619A9BFDD17A77 --entitlements XecretsCli.plist -o runtime XecretsCli
codesign -d -vvv --entitlements :- XecretsCli
Executable=/Users/svante/Downloads/XecretsCli-Osx-2.3.567 3/XecretsCli
Identifier=XecretsCli
Format=Mach-O thin (x86_64)
CodeDirectory v=20500 size=271478 flags=0x10000(runtime) hashes=8473+7 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=d3a8216fcb22b4a4af7bd0157ecc3d2b6be9f9b2
CandidateCDHashFull sha256=d3a8216fcb22b4a4af7bd0157ecc3d2b6be9f9b20c9e3c17e107f08c7ae75c5a
Hash choices=sha256
CMSDigest=d3a8216fcb22b4a4af7bd0157ecc3d2b6be9f9b20c9e3c17e107f08c7ae75c5a
CMSDigestType=2
CDHash=d3a8216fcb22b4a4af7bd0157ecc3d2b6be9f9b2
Signature size=8987
Authority=Developer ID Application: Axantum Software AB (GCXRMT5SQC)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Jun 20, 2024 at 13:26:05
Info.plist=not bound
TeamIdentifier=GCXRMT5SQC
Runtime Version=13.1.0
Sealed Resources=none
Internal requirements count=1 size=172
Warning: Specifying ':' in the path is deprecated and will not work in a future release
codesign -v -vvv --strict --deep XecretsCli
XecretsCli: valid on disk
XecretsCli: satisfies its Designated Requirement
zip XecretsCli.zip XecretsCli
adding: XecretsCli (deflated 63%)
xcrun notarytool submit "XecretsCli.zip" --keychain-profile "Notarize" --wait
Conducting pre-submission checks for XecretsCli.zip and initiating connection to the Apple notary service...
Submission ID received
id: e5990902-3101-42de-a1a6-b9ea40b944b8
Upload progress: 100.00% (12.4 MB of 12.4 MB)
Successfully uploaded file
id: e5990902-3101-42de-a1a6-b9ea40b944b8
path: /Users/svante/Downloads/XecretsCli-Osx-2.3.567 3/XecretsCli.zip
Waiting for processing to complete.
Current status: Accepted........
Processing complete
id: e5990902-3101-42de-a1a6-b9ea40b944b8
status: Accepted
spctl -a -vvv XecretsCli
XecretsCli: rejected (the code is valid but does not seem to be an app)
origin=Developer ID Application: Axantum Software AB (GCXRMT5SQC)
spctl -a -vvv -t install XecretsCli
XecretsCli: accepted
source=Notarized Developer ID
origin=Developer ID Application: Axantum Software AB (GCXRMT5SQC)
Trying to run the executable:
"XecretsCli" can't be opened because the identity of the developer cannot be confirmed. Your security preferences allow installation of only apps from the App Store and identified developers. Chrome downloaded this file today at 10:37. [OK]
Error:
{
“logFormatVersion”: 1,
“jobId”: “1654af2a-ff0e-46ff-8839-5c374e63228b”,
“status”: “Invalid”,
“statusSummary”: “Archive contains critical validation errors”,
“statusCode”: 4000,
“archiveFilename”: “LocalApp-macosx.zip”,
“uploadDate”: “2024-06-12T05:33:53.719Z”,
“sha256”: “28ffff0e2c33b2f57a9f1c25677e84232bfa04b1ef5341130afbbf18093ba0ab”,
“ticketContents”: null,
“issues”: [
{
“severity”: “error”,
“code”: null,
“path”: “LocalApp-macosx.zip/LocalApp-macosx.app/Contents/Resources/Java/Disk1/InstData/Resource1.zip/$BUILD_ROOT$/Desktop/collaborator.app_zg_ia_sf.jar/Contents/MacOS/applet”,
“message”: “The signature of the binary is invalid.”,
“docUrl”: "“Resolving common notarization issues | Apple Developer Documentation ",
“architecture”: “i386”
},
{
“severity”: “error”,
“code”: null,
“path”: “LocalApp-macosx.zip/LocalApp-macosx.app/Contents/Resources/Java/Disk1/InstData/Resource1.zip/$BUILD_ROOT$/Desktop/collaborator.app_zg_ia_sf.jar/Contents/MacOS/applet”,
“message”: “The signature of the binary is invalid.”,
“docUrl”: ““Resolving common notarization issues | Apple Developer Documentation”,
“architecture”: “x86_64”
}
]
}
Why is the binary regarded as invalid and what remedy is recommended?
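A triage helper for the `notarytool log` output quoted in the posts above (the mediasend_PC_module_mac_V1 log and the LocalApp-macosx log), added here as an example; it is not code from any poster or from Apple. It groups issues by message, tolerates the curly quotes a forum editor introduces, and lists the archive components each failing path passes through; the sample log, its names and the helper function names are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of the notarytool logs quoted on this page.
# All names are placeholders; the curly quotes imitate a log pasted through a
# forum editor, which json.loads() rejects as-is.
SAMPLE_LOG = """{
  “logFormatVersion”: 1,
  “jobId”: “00000000-0000-0000-0000-000000000000”,
  “status”: “Invalid”,
  “statusSummary”: “Archive contains critical validation errors”,
  “statusCode”: 4000,
  “archiveFilename”: “Example.zip”,
  “ticketContents”: null,
  “issues”: [
    {“severity”: “error”, “code”: null,
     “path”: “Example.zip/Example.app/Contents/MacOS/Example”,
     “message”: “The binary is not signed with a valid Developer ID certificate.”,
     “architecture”: “arm64”},
    {“severity”: “error”, “code”: null,
     “path”: “Example.zip/Example.app/Contents/Frameworks/libexample.dylib”,
     “message”: “The binary is not signed with a valid Developer ID certificate.”,
     “architecture”: “arm64”},
    {“severity”: “error”, “code”: null,
     “path”: “Example.zip/Example.app/Contents/Resources/Inner.zip/helper.jar/Contents/MacOS/applet”,
     “message”: “The signature of the binary is invalid.”,
     “architecture”: “x86_64”}
  ]
}"""

ARCHIVE_SUFFIXES = (".zip", ".jar", ".dmg", ".pkg")


def load_log(text):
    """Parse a notarytool JSON log, retrying with straightened quotes."""
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        return json.loads(text.replace("\u201c", '"').replace("\u201d", '"'))


def nested_archives(path):
    """Archive-like components below the top-level upload in an issue path."""
    return [p for p in path.split("/")[1:] if p.lower().endswith(ARCHIVE_SUFFIXES)]


def triage(text):
    """Group issues by (severity, message) and decide whether a CI job may proceed."""
    log = load_log(text)
    issues = log.get("issues") or []  # "issues" is null on an Accepted log
    groups = defaultdict(list)
    for issue in issues:
        path = issue.get("path") or ""
        groups[(issue.get("severity"), issue.get("message"))].append(
            {"path": path, "arch": issue.get("architecture"),
             "nested_in": nested_archives(path)})
    errors = sum(len(v) for (sev, _), v in groups.items() if sev == "error")
    return {"status": log.get("status"),
            "accepted": log.get("status") == "Accepted" and errors == 0,
            "error_count": errors, "groups": dict(groups)}


def main():
    result = triage(SAMPLE_LOG)
    print(f"status={result['status']} errors={result['error_count']}")
    for (severity, message), hits in result["groups"].items():
        print(f"[{severity}] {message} ({len(hits)} file(s))")
        for hit in hits:
            note = f" inside {' > '.join(hit['nested_in'])}" if hit["nested_in"] else ""
            print(f"    {hit['path']} ({hit['arch']}){note}")
    return 0 if result["accepted"] else 1  # non-zero exit fails the pipeline step


if __name__ == "__main__":
    raise SystemExit(main())
```
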
Greetings to all. I have purchased my developer account and encountered an error message stating "Team is not yet configured for notarization" when attempting to sign my software. Despite my efforts to get in touch with Developer Programs over the past month through numerous phone calls and emails, the only response I receive is that they are unable to assist me at the moment. This situation has become quite distressing. We are encountering obstacles in releasing our software as Apple is impeding our progress. Users are experiencing an "unidentified developer" error message when trying to download it. I am unsure who to reach out to for assistance, especially when Apple support seems unresponsive despite being quick to accept payments.
Hello, we have a pkg file which used to be easily notarized using a particular apple id, but after we shifted to another account it is taking like forever.
We have created an app-specific-password and made use of it. Anything that we have done incorrectly?
Current status: In Progress........................................................[12:12:27.335Z] Info [API] Waiting 20 seconds before next poll...
[12:12:47.337Z] Info [API] Preparing GET request to URL: https://appstoreconnect.apple.com/notary/v2/submissions/***-xxxxxx?, Parameters: [:], Custom Headers: private<Dictionary<String, String>>
[12:12:47.338Z] Debug [AUTHENTICATION] Using cached token value for app-specific password request: xxxxx:xxxxx@***
[12:12:47.338Z] Debug [AUTHENTICATION] Authenticating request to '/notary/v2/submissions/***-xxxxxx' with WebServices Token. AppleID: xxxx@***, Team ID: xxxxxxxxxx, Token: private<String>
[12:12:47.339Z] Debug [TASKMANAGER] Starting Task Manager loop to wait for asynchronous HTTP calls.
[12:12:47.886Z] Debug [API] Received response status code: 200, message: no error, URL: https://appstoreconnect.apple.com/notary/v2/submissions/***-xxxxxx?, Correlation Key: GBCZEFTI5NQ3263GKRANCEPD4I
[12:12:47.887Z] Debug [TASKMANAGER] Completed Task with ID 58 has received a parsable response.
[12:12:47.887Z] Debug [TASKMANAGER] Ending Task Manager loop.
[12:12:47.888Z] Info [API] Received new status: In Progress
Hello, I've developed an application using ElectronNET with C# and Blazor Server. I have managed to deploy to both Windows and the web but having trouble deploying the application to my Mac users.
It's my first time deploying an application for Mac but feel like I'm stuck at the last hurdle and out of ideas so I'm reaching out for help.
My application is successfully signing but during the build and when my Notarize.js is running it seems to get stuck indefinitely.
I can check and see the status of the Notarize attempts but they seem to be stuck "In Progress". Here are the logs.
Successfully received submission history.
history
--------------------------------------------------
createdDate: 2024-06-12T22:16:35.362Z
id: 26192605-001b-46ae-b622-9a79c20e1e93
name: CustomerSupportDashboard.zip
status: In Progress
--------------------------------------------------
createdDate: 2024-06-12T18:51:21.772Z
id: 6a34501c-8f48-4986-ae5e-82a99320dcbc
name: CustomerSupportDashboard.zip
status: In Progress
--------------------------------------------------
createdDate: 2024-06-12T15:13:44.722Z
id: ea5cd928-8207-4d25-b74a-45b04960dbe0
name: CustomerSupportDashboard.zip
status: In Progress
--------------------------------------------------
createdDate: 2024-06-12T14:24:48.776Z
id: 00ccd1f9-daa4-4bba-9a86-9f577c51f26b
name: CustomerSupportDashboard.zip
status: In Progress
--------------------------------------------------
createdDate: 2024-06-12T14:07:43.116Z
id: bf5dfa9c-9702-413b-8fbb-94017e930bcf
name: CustomerSupportDashboard.zip
status: In Progress
These have been running for over 6 hours now and it's my understanding it should take minutes, correct me if I'm wrong?
Here is my Notarize script if it helps diagnose what might be happening. Although the requests seem to be going through ok so it doesn't seem likely.
```javascript
const { join } = require('path');
const fs = require('fs-extra');
// execFile is called below, so it has to be imported from child_process.
const { execFile } = require('child_process');

exports.default = async function notarizing(context) {
  const { electronPlatformName, appOutDir } = context;
  if (electronPlatformName !== 'darwin') {
    console.log("Not a macOS platform, skipping notarization.");
    return;
  }

  const appName = context.packager.appInfo.productFilename;
  const appPath = `${appOutDir}/${appName}.app`;
  const zipPath = `${appOutDir}/${appName}.zip`;

  console.log(`Zipping the app at path: ${appPath} to: ${zipPath}`);
  // Zip the app
  await new Promise((resolve, reject) => {
    execFile('zip', ['-r', zipPath, appPath], (error, stdout, stderr) => {
      if (error) {
        console.error(`Failed to zip app: ${stderr || stdout}`);
        reject(new Error(`Failed to zip app: ${stderr || stdout}`));
      } else {
        console.log(`Successfully zipped app: ${stdout}`);
        resolve();
      }
    });
  });

  console.log(`Notarizing the app with Apple ID: *************.*****@*******.****`);
  // Submit the zip and block until the notary service returns a final status
  await new Promise((resolve, reject) => {
    execFile('xcrun', [
      'notarytool',
      'submit',
      zipPath,
      '--apple-id', '*************.*****@*******.****',
      '--password', '****-****-****-****',
      '--team-id', '**********',
      '--wait',
      '--output-format', 'json'
    ], (error, stdout, stderr) => {
      if (error) {
        console.error(`Notarization failed: ${stderr || stdout}`);
        reject(new Error(`Notarization failed: ${stderr || stdout}`));
      } else {
        console.log(`Successfully notarized: ${stdout}`);
        resolve();
      }
    });
  });
};
```
Hi there,
My app detects connected BlackMagic devices on a user's machine and this is done using the DeckLink SDK which first tries to load /Library/Frameworks/DeckLinkAPI.framework using CFBundleCreate. I have not been able to create a notarized app which successfully detects the devices. Either the DeckLinkAPI works or the app starts up without showing "the developer cannot be verified" on my test computer but never both.
This is what I've tried so far:
signed app: DeckLinkAPI available
hardened runtime: DeckLinkAPI not available
hardened runtime + com.apple.security.cs.disable-library-validation: DeckLinkAPI available, notarization succeeds yet the "the developer cannot be verified"
I've also tried to use weak linking to DeckLinkAPI.framework instead of including the SDK's CFBundleCreate code but that made no difference: I still needed the com.apple.security.cs.disable-library-validation entitlement for that to work which caused "the developer cannot be verified".
DeckLinkAPI.framework is notarized:
> codesign --test-requirement="=notarized" --verify --verbose /Library/Frameworks/DeckLinkAPI.framework
/Library/Frameworks/DeckLinkAPI.framework: valid on disk
/Library/Frameworks/DeckLinkAPI.framework: satisfies its Designated Requirement
/Library/Frameworks/DeckLinkAPI.framework: explicit requirement satisfied
Is there any way to successfully notarize an app to use the DeckLink SDK or any other third-party notarized framework which is distributed separately?
Hello there.
I'm having trouble with notarization in Xcode.
I'm developing a Swift Mac app with Xcode 14, but even when I enable Hardened Runtime and perform notarization, it displays the message "Hardened Runtime is not enabled" and I can't proceed.
The steps for notarization are [Window] -> [Organizer] -> [Distribute App] -> [Developer ID] [Next] -> [Upload].
Could you please tell me what I should check, or any other information?
I've attached screenshots.
Thank you.
Hi!
I am fairly new to Mac/ Python development. I have written a python script that includes the lovely customTkinter Library. the app works, I have checked it extensively, but after creating an executable with both Pyinstaller and Py2app, my app keeps failing notarization. I have the developer account, I have the Developer ID application: Name (xxxxxxxxxx).
My last attempt with py2app, I try to codesign the .app bundle with :
codesign --deep --force --verbose --options=runtime --timestamp --sign "Developer ID Application: Lennert Esser (5823RMSZ52)" XYZ\ 2\ OSC.app
If I do that, I receive a clean message that XYZ 2 OSC.app: signed app bundle with Mach-O universal (x86_64 arm64) [com.myname.appname.app]
the verify of the code signature gives nice messages as well:
--prepared:/Users/lennert/Documents/SoftwareDevelopment/PythonLocal/Pozyx/dist/XYZ 2 OSC.app/Contents/MacOS/python
--validated:/Users/lennert/Documents/SoftwareDevelopment/PythonLocal/Pozyx/dist/XYZ 2 OSC.app/Contents/MacOS/python
....
XYZ 2 OSC.app: valid on disk
XYZ 2 OSC.app: satisfies its Designated Requirement
So I would say, so far so good...?
BUT.... if I try to notarize my archived .app bundle. the notarization fails, with looadddssss of errors, with both:
"The signature does not include a secure timestamp."
and
"The binary is not signed with a valid Developer ID certificate."
I am completely stuck. Believe me, I have tried everything. Google, ChatGPT, multiple tries to codesign everything separately with:
find /path/to/my/app/contents -type f -exec codesign -s "Developer ID application: Name (xxxxxxxxxx)" {} \;
please, please someone help me explain what I am doing wrong....
I am pretty much at a loss here...
In the past I used altool which worked. Not sure if related though, been a while since. But the same build script I use, just replaced altool with notarytool
I first codesign
```
MYNAME@MYMACNAME ~ % codesign --verbose --force --options runtime --timestamp --sign "COMPANYSIGN" "/Volumes/DiskW/projects-cool-MYNAME/MYPRODPATH/osx/final_MYPRODNAME-dist/mac-MYPRODNAME-files/MYPRODNAME.app"
/Volumes/DiskW/projects-cool-MYNAME/MYPRODPATH/osx/final_MYPRODNAME-dist/mac-MYPRODNAME-files/MYPRODNAME.app: replacing existing signature
/Volumes/DiskW/projects-cool-MYNAME/MYPRODPATH/osx/final_MYPRODNAME-dist/mac-MYPRODNAME-files/MYPRODNAME.app: signed app bundle with Mach-O thin (x86_64) [com.MYCOMPANY.MYPRODNAME]
MYNAME@MYMACNAME ~ %
```
Then display entitlements:
MYNAME@MYMACNAME ~ % codesign --verbose --display --entitlements :- "/Volumes/DiskW/projects-cool-MYNAME/MYPRODPATH/osx/final_MYPRODNAME-dist/mac-MYPRODNAME-files/MYPRODNAME.app"
Executable=/Volumes/DiskW/projects-cool-MYNAME/MYPRODPATH/osx/final_MYPRODNAME-dist/mac-MYPRODNAME-files/MYPRODNAME.app/Contents/MacOS/MYPRODNAME
Identifier=com.MYCOMPANY.MYPRODNAME
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=127176 flags=0x10000(runtime) hashes=3967+3 location=embedded
Signature size=9057
Timestamp=16 May 2024 at 11.49.11
Info.plist entries=17
TeamIdentifier=MYTEAMID
Runtime Version=10.16.0
Sealed Resources version=2 rules=13 files=279
Internal requirements count=1 size=188
MYNAME@MYMACNAME ~ %
Then I try to do notarization (see next post)