I've tried to notarize my app recently and got the error:
{
"logFormatVersion": 1,
"jobId": "...",
"status": "Rejected",
"statusSummary": "Team is not yet configured for notarization",
"statusCode": 7000,
"archiveFilename": "myapp.dmg",
"uploadDate": "2019-06-20T06:24:53Z",
"sha256": "...",
"ticketContents": null,
"issues": null
}
I've never heard about "team configuration for notarization" previously. What are the steps to resolve that issue?
Thanks in advance.
Notarization
Notarization is the process of scanning Developer ID-signed software for malicious components before distribution outside of the Mac App Store.
Since upgrading to Xcode 12.5, attempting to submit an app for notarization with /usr/bin/xcrun altool --notarize-app has started failing ~10% of the time with the error Upload succeeded but did not receive a RequestUUID.. Has anyone else encountered this issue?
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>os-version</key>
<string>11.2.0</string>
<key>product-errors</key>
<array>
<dict>
<key>code</key>
<integer>-1018</integer>
<key>message</key>
<string>Upload succeeded but did not receive a RequestUUID.</string>
<key>userInfo</key>
<dict>
<key>NSLocalizedDescription</key>
<string>Upload succeeded but did not receive a RequestUUID.</string>
<key>NSLocalizedFailureReason</key>
<string>Unable to upload your app for notarization.</string>
</dict>
</dict>
</array>
<key>tool-path</key>
<string>/Applications/Xcode.app/Contents/SharedFrameworks/ContentDeliveryServices.framework/Versions/A/Frameworks/AppStoreService.framework</string>
<key>tool-version</key>
<string>4.050.1210</string>
</dict>
</plist>
Just got my brand new M1 Max laptop and am excited to get with the times and use notary tool instead of altool as recommended by the mothership but when I try to notarize the same file that altool notarizes successfully it fails.
Here is my successful altool command:
xcrun altool --notarize-app --primary-bundle-id "My Kool Tool" --username "***@***.com" -p "@keychain:ac_notary" --asc-provider XXXXXXXXXXXX --file *.zip && rm *.zip
and this is the notary tool command that fails on the same file:
xcrun notarytool submit *.zip --keychain-profile "XXXXXX Apple Developer" --wait && rm *.zip
Here is the output:
Conducting pre-submission checks for archive.zip and initiating connection to the Apple notary service...
Submission ID received
id: e20c0438-5576-4361-a11a-2efeb8exxxxx
Successfully uploaded file
id: e20c0438-5576-4361-a11a-2efeb8exxxxx
path: /Users/***/Documents/archive.zip
Waiting for processing to complete.
Current status: Invalid..........
Processing complete
id: e20c0438-5576-4361-a11a-2efeb8exxxxx
status: Invalid
and the log:
xcrun notarytool log e20c0438-5576-4361-a11a-2efeb8exxxxx --keychain-profile "XXXXXX Apple Developer"
{
"logFormatVersion": 1,
"jobId": "e20c0438-5576-4361-a11a-2efeb8exxxxx",
"status": "Invalid",
"statusSummary": "Archive contains critical validation errors",
"statusCode": 4000,
"archiveFilename": "archive.zip",
"uploadDate": "2021-12-07T18:57:23.193Z",
"sha256": "505d76b420d46bfd01d56c724de1c8d20121d75b0ca6cee96a51549708ec46ee",
"ticketContents": null,
"issues": [
{
"severity": "error",
"code": null,
"path": "archive.zip",
"message": "Package archive.zip has no signed executables or bundles. No tickets can be generated.",
"docUrl": null,
"architecture": null
}
]
}
again, the same file notarizes with altool so it is properly signed
It is worth noting that if I don't include the --asc-provider in the altool command it fails so maybe I just need to do the same with the notary tool but can't find any documentation on how to do that.
Help Obi Wan
It seems like something changed in the notarization in the last few days. I'm running the same build script that creates and notarizes a DMG that contains a PKG with 4 plugins. Everything is signed correctly. No error anywhere in the notarization process.
Checking the status of the notarization, I get this:
Status: success
Status Code: 0
Status Message: Package Approved
Stapling returns this:
The staple and validate action worked!
Yet, if I check the PKG inside with this command:
spctl -a -vvv -t install
I get this output:
.pkg: rejected
source=Unnotarized Developer ID
origin=Developer ID Installer: My Company
This project was perfectly working a few weeks ago, and we have not changed a thing. Checking the notarization log, the only issue I see is this:
"issues": [
{
"severity": "warning",
"code": null,
"path": "Archive.dmg/Installer.pkg",
"message": "This archive is corrupt, and cannot be unpacked for analysis.",
"docUrl": null,
"architecture": null
}
]
But this warning is also present in past DMG/PKG that are notarized and work as they should.
Another difference from previous logs is that I can only see one item in ticketContents, which is the DMG, while previously I could see two, both the DMG and the PKG.
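Added example, not part of the original post and not Apple's tooling: a small check that reads a notary log and reports which shipped items received no ticket, the situation described above where the status is clean but only the DMG appears in ticketContents. The sample log is constructed, and the "path" key inside ticketContents entries is an assumption, since the page never shows a populated ticketContents array.

```python
import json

# Constructed notary log modelled on the fields quoted in the posts above.
# ASSUMPTION: each ticketContents entry carries a "path" key; the page never
# shows a populated ticketContents array.
SAMPLE_LOG = """
{
  "logFormatVersion": 1,
  "jobId": "00000000-0000-0000-0000-000000000000",
  "status": "Accepted",
  "statusSummary": "Ready for distribution",
  "statusCode": 0,
  "archiveFilename": "Archive.dmg",
  "ticketContents": [
    {"path": "Archive.dmg"}
  ],
  "issues": [
    {
      "severity": "warning",
      "code": null,
      "path": "Archive.dmg/Installer.pkg",
      "message": "This archive is corrupt, and cannot be unpacked for analysis.",
      "docUrl": null,
      "architecture": null
    }
  ]
}
"""


def triage(log_text, expected_paths):
    """Summarise a notary log and list deliverables that received no ticket."""
    log = json.loads(log_text)
    # "issues" and "ticketContents" are null on some logs, so default to [].
    issues = log.get("issues") or []
    tickets = log.get("ticketContents") or []
    ticketed = {t.get("path") for t in tickets}
    by_severity = {"error": [], "warning": []}
    for issue in issues:
        by_severity.setdefault(issue.get("severity"), []).append(
            (issue.get("path"), issue.get("message")))
    missing = [p for p in expected_paths if p not in ticketed]
    return {
        "status": log.get("status"),
        "status_code": log.get("statusCode"),
        "errors": by_severity["error"],
        "warnings": by_severity["warning"],
        "missing_tickets": missing,
        # A clean status is not enough: every shipped item needs its own ticket.
        "ok": log.get("status") == "Accepted"
              and not by_severity["error"] and not missing,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG, ["Archive.dmg", "Archive.dmg/Installer.pkg"])
    print(json.dumps(report, indent=2))
```

Run in a release pipeline, a check like this fails the build when a nested installer is skipped by the notary service, instead of the gap surfacing later as an spctl rejection on a user's machine.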
IMPORTANT altool is deprecated for the purposes of notarisation and will stop working on 1 Nov 2023 [1]. If you’re currently notarising with altool, switch to notarytool now. For specific advice on how to do this, see TN3147 Migrating to the latest notarization tool.
General:
DevForums tag: Notarization
WWDC 2018 Session 702 Your Apps and the Future of macOS Security
WWDC 2019 Session 703 All About Notarization
WWDC 2021 Session 10261 Faster and simpler notarization for Mac apps
WWDC 2022 Session 10109 What’s new in notarization for Mac apps — Amongst other things, this introduced the Notary REST API
Notarizing macOS Software Before Distribution documentation
Customizing the Notarization Workflow documentation
Resolving Common Notarization Issues documentation
Notary REST API documentation
TN3147 Migrating to the latest notarization tool technote
Fetching the Notary Log DevForums post
Q&A with the Mac notary service team Developer > News post
Notarisation and the macOS 10.9 SDK DevForums post
Testing a Notarised Product DevForums post
Notarisation Fundamentals DevForums post
The Pros and Cons of Stapling DevForums post
Many notarisation issues are actually code signing or trusted execution issues. For more on those topics, see Code Signing Resources and Trusted Execution Resources.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
[1] See Apple notary service update.
Hi!
Trying to use notarytool for an app notarization via script on a CD pipeline. The build machine has Xcode 12.5 installed and currently it can't be upgraded. So, our team decided to use the utility as a standalone binary, placed in the /Applications directory.
The command used for notarization: '/Applications/notarytool submit '<path>' --keychain-profile '<profile-name>' --output-format 'json' --wait'.
Before running the command above, we saved keychain profile with notarytool store-credentials command. However, future runs of notarization script fail with a message: 'Error: No Keychain password item found for profile: '. But we definitely see it among Keychain entries and 'security find-generic-password -l ' command approves that profile has been saved.
Did anyone encounter a similar issue? Can someone suggest how to cope with this behavior?
Thank you in advance for any ideas
Hi,
I have a problem with replacing altool to notarytool to notarize my app for distribution outside AppStore. Earlier I used this code (-p passes App's password):
xcrun altool --notarize-app --primary-bundle-id "MyProductBundleID" -u "myname@gmail.com" -p "wxxx-xxxx-xxxx-xxxx" --file MyProduct.zip
I wrote a new script:
xcrun notarytool submit MyProduct.zip --keychain-profile "wxxx-xxxx-xxxx-xxxx" --wait
Error with unknown "--keychain-profile".
I am making the switch from altool to notarytool and I've run into a brick wall trying to submit our app zip. It is created using ditto -c -k --keepParent "path-to-app" "path-to-zip"
On submission I get:
Error: <app-name>.zip must be a zip archive (.zip), flat installer package (.pkg), or UDIF disk image (.dmg)
Absolutely baffled by this.
When altool notarizes my apps, I get an email confirmation to my Apple ID email address. This does not happen with notarytool. Is this expected behavior?
We're in the process of updating an app that we released approximately a year ago -- which had no issues with codesigning and notarization in our last release.
The current version fails at the initial submission process; stating that the file "must be a zip archive (.zip), flat installer package (.pkg), or UDIF disk image (.dmg)"
The process itself we're taking is rather straightforward, and follows much of what I've seen repeated on the forums here.
A few additional details:
The app itself (a Unity project with a lot of content that needs to be shipped with the app) is quite large, weighing in at around 20GB.
Despite this large size, we were able to go through this process in the past with no issues.
I was originally running Xcode 13 on Big Sur, but upgraded to Xcode 14 on Ventura to no avail.
Our notarization script runs the following:
ditto -c -k --keepParent OurAppName.app NotarizationFileName.zip
xcrun notarytool submit NotarizationFileName.zip --keychain-profile OUR_CREDENTIAL_PROFILE --wait
When we add --verbose to the xcrun command; this is our output:
$ Build > xcrun notarytool submit NotarizationFileName.zip --keychain-profile OUR_CREDENTIAL_PROFILE --wait --verbose
[23:01:54.643Z] Debug [MAIN] Running notarytool version: 1.0.0 (27), date: 2023-03-25T23:01:54Z, command: /Applications/Xcode.app/Contents/Developer/usr/bin/notarytool submit NotarizationFileName.zip --keychain-profile OUR_CREDENTIAL_PROFILE --wait --verbose
Conducting pre-submission checks for NotarizationFileName.zip and initiating connection to the Apple notary service...
[23:01:54.717Z] Info [PREFLIGHT] NotarizationFileName.zip is not a zip archive. warning [/Users/michael/.jenkins/workspace/bastion-add-build-tools/Build/NotarizationFileName.zip]: 17179869184 extra bytes at beginning or within zipfile
(attempting to process anyway)
. Err: 1
[23:01:54.729Z] Debug [PREFLIGHT] NotarizationFileName.zip did not pass the disk image potentiality test. Moving on to other tests.
[23:01:54.730Z] Debug [PREFLIGHT] NotarizationFileName.zip is not a flat installer package.
[23:01:54.731Z] Debug [PREFLIGHT] Finished completing determination of file type for NotarizationFileName.zip. Operation took 80ms.
Error: NotarizationFileName.zip must be a zip archive (.zip), flat installer package (.pkg), or UDIF disk image (.dmg)
Usage: notarytool <subcommand>
See 'notarytool --help' for more information.
Notarization step fails: New AppID and password created:
xcrun notarytool submit ".dmg" --apple-id "" --team-id "" --password "" --verbose --wait
Error: HTTP status code: 401. Your Apple ID has been locked. Visit iForgot to reset your account (https://iforgot.apple.com), then generate a new app-specific password. Ensure that all authentication arguments are correct.
I have reset the app password many times, no result.
Codesigning completes normally:
Mac OS 11.5.2
Xcode 13.2.1
This is the command I use, but must migrate, to notarize a macOS app:
xcrun altool --notarize-app -f "$outputDmg" --primary-bundle-id "$notarizeBundleId" -u "$notarizeUser" -p "@keychain:AC_PASSWORD"
The migration docs I read implied that the following should work:
xcrun notarytool submit --apple-id "$notarizeUser" "--team-id" $notarizeTeam --password "@keychain:AC_PASSWORD" "$outputDmg"
But it doesn't. I can get it to work only if I put the password from the keychain on the command line. I cannot accept this.
What can I do to make this work?
I publish a universal application built with Qt. When I run notarytool the application runs on Apple Silicon, but not on Intel Macs. It complains about a Qt framework not found.
When I run "xcrun altool" on my older Mac the application runs on both platforms without problems.
I'm using quill 0.2.0 to sign and notarize an arm64 binary and I've been getting an HTTP 400 error from the notarization server. Signing and notarization have worked without hiccups throughout this year, but last night after getting the error it ended up working without any changes to the certs or call to quill.
This morning started getting the error again and only 1 of the 2 binaries were able to be signed with retries. Still getting this error on 1:
<HTML><HEAD>\n<TITLE>Bad Request</TITLE>\n</HEAD><BODY>\n<H1>Bad Request</H1>\nYour browser sent a request that this server could not understand.<P>\nReference #7.4c822c17.1692969095.ec8f4c4b\n</BODY>\n</HTML>\n
Is there a change being rolled out for the apple notarization service that requires a change on the client end? Or should this really be an http 500 error?
Hi people, I hope you could help me as I am stuck in a dead end.
I am a developer for a company and we are changing from altool to notarytool.
Prior to that the code of the app has not been signed.
So now what I do is:
codesign --deep --force --verbose --timestamp --options runtime --sign "Developer ID Application: Phrase a.s. (${PHRASE_ID})" ${codesigne_app}
The result of this operation is verified with
codesign --deep --strict --vvv ${codesigne_app}
which ends in a lot of --prepared and --validated lines with
TranslationEditor.app: valid on disk
TranslationEditor.app: satisfies its Designated Requirement
Yet when I try to upload for notarization
res=$(xcrun notarytool submit te-build/dist/app/TranslationEditor.app.zip --apple-id stepan.svoboda@memsource.com --password $APP_PASSWORD --team-id ${PHRASE_ID} --wait 2>&1)
I get
{
"logFormatVersion": 1,
"jobId": "2b959997-4ac5-4bc5-a220-8f46d6b91a9b",
"status": "Invalid",
"statusSummary": "Archive contains critical validation errors",
"statusCode": 4000,
"archiveFilename": "TranslationEditor.app.zip",
"uploadDate": "2023-08-29T05:53:39.152Z",
"sha256": "938633e08d17f1d658ada3987017a8e9bf5afee96e5f976b31809df5daf5677c",
"ticketContents": null,
"issues": [
{
"severity": "error",
"code": null,
"path": "TranslationEditor.app.zip/TranslationEditor.app/Contents/MacOS/TranslationEditor",
"message": "The signature of the binary is invalid.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087735",
"architecture": "x86_64"
}
]
}
I visited the link, tried to google, ChatGPT about it. Tried to verify the codesign ...
Do you know how I can learn why the signature of the binary is invalid? Maybe get a more detailed log? Something that hints at what was deemed invalid?
How I can debug that? How I can learn what is wrong? I am short on ideas.
{
"logFormatVersion": 1,
"status": "Rejected",
"statusSummary": "Team is not yet configured for notarization. Please contact Developer Programs Support at developer.apple.com under the topic Development and Technical / Other Development or Technical Questions.",
"statusCode": 7000,
"ticketContents": null,
"issues": null
}
I've tried notarizing my electron app but I get this error all the time.
I've contacted Apple Developer Technical Team but I've been redirected to Developer Programs Support.
I've asked them to approve the Team for notarization and they've redirected me back to Technical Team and said that the Team is not approved for notarization, which I know already from the logs error.
I've watched every topic related to this Team is not yet configured for notarization issue, like : https://developer.apple.com/forums/thread/118465
But it didn't help much, because I suppose it's something that the Developer Programs Support needs to approve.
My Team seems configured in App Connect, everything seems to be in place, I've accepted all the agreements, don't know what else to accept or do for Team to be approved, I didn't receive next steps from the Apple Developer Program Support Team.
It's been 2 months since I'm trying to notarize and the deadline is coming, so please if anybody can help out to fix this.
Thank you
I'm trying to notarize a simple Electron app (packaged with electron-forge, zip size: 150MB) using new notarytool.
When submitting the bundle it hangs on IN PROGRESS for more than 20 hours with no result yet.
I verified the app is signed.
Anybody has an idea what's wrong?
notarytool version: 1.0.0 (28)
Hello,
I have a valid developer ID downloaded from Apple. I signed the code (compiled exe file for intel Macs) and put it into a ZIP, which I also signed.
While signing I use timestamp and hardener option:
codesign -s "$LbaDevID" -o runtime -f --timestamp $conFile3
codesign -s "$LbaDevID" -o runtime -f --timestamp $conZip3
where variable $LbaDevID represents my Dev code id (VALID, downloaded from Apple after request cert), $conFile3 is the path to the exe file and $conZip3 the path to the ZIP (just $conFile3 zipped).
I attempt to notarize using the following command:
xcrun notarytool submit $compZip3 --keychain-profile "TestAppNotarz" --wait
the reply Log downloaded says:
Invalid dev ID (which is valid)
no timestamp... I corrected this error after the 1st attempt but the reply says exactly the same, even when I can see "TIMESTAMP" in the signature.
The third and last error refers to the runtime, which is present but not being seen.
Any help on how to troubleshoot this issue will be highly appreciated!
Please point me to the relevant documentation to solve this issue...
I am trying to notarise a .dmg of my desktop application, but the process seems to just hang on 'In Progress'. It's not actually hanging, as I accumulate extra '.', but clearly it isn't working.
This exact same codebase notarised fine recently. The only change has been a downgrade in OS from Monterey to Big Sur.
I appreciate this is unusual, but I am required to support my client, who is running a 2013 MacBook Pro with Big Sur.
I appreciate that some of these tools are newer than Big Sur, but surely it should work?
I'm trying to staple a validation ticket to an exe file that is already notarized. The process ended with the following error:
Downloaded ticket has been stored at file:///var/folders/bj/ry08v0694972s03cswkq5md80000gq/T/7f1a34f0-8628-4157-92b0-b59cebe70951.ticket.
Could not remove existing ticket from file:///Users/efi-admin/Downloads/ActualSignedFile/Contents/CodeResources because an error occurred. Error Domain=NSCocoaErrorDomain Code=512 "“CodeResources” couldn’t be removed." UserInfo={NSUserStringVariant=(
Remove
), NSFilePath=/Users/efi-admin/Downloads/ActualSignedFile/Contents/CodeResources, NSUnderlyingError=0x600000151e90 {Error Domain=NSPOSIXErrorDomain Code=20 "Not a directory"}}
The staple and validate action failed! Error 73.
The above was captured using the verbose option of the cmd...
Among the response, I can see the ticket:
fields = {
signedTicket = {
type = BYTES;
value = "czhjaAEAAADxBQAALQAAADCCBe0wggL/MIICpKADAgECAghWLFU2G59vVTAKBggqhkjOPQQDAjByMSYwJAYDVQQDDB1BcHBsZSBTeXN0ZW0gSW50ZWdyYXRpb24gQ0EgNDEmMCQGA1UE.... (partial)
I need help to properly understand what is this cmd doing as the issue might be permissions one.
The path mentioned above under /ActualSignedFile:
/ActualSignedFile/Contents/CodeResources
Does not exist. Is that the cmd wants to create it?
Is there any way to manually attach the ticket to the file, given the fact that is printed in verbose mode?
Thanks!
Any help will be highly appreciated!