General: Forums topic: Code Signing Forums subtopic: Code Signing > Notarization Forums tag: Notarization WWDC 2018 Session 702 Your Apps and the Future of macOS Security WWDC 2019 Session 703 All About Notarization WWDC 2021 Session 10261 Faster and simpler notarization for Mac apps WWDC 2022 Session 10109 What’s new in notarization for Mac apps — Amongst other things, this introduced the Notary REST API Notarizing macOS Software Before Distribution documentation Customizing the Notarization Workflow documentation Resolving Common Notarization Issues documentation Notary REST API documentation TN3147 Migrating to the latest notarization tool technote Fetching the Notary Log forums post Q&A with the Mac notary service team Developer > News post Apple notary service update Developer > News post Notarisation and the macOS 10.9 SDK forums post Testing a Notarised Product forums post Notarisation Fundamentals forums post The Pros and Cons of Stapling forums post Resolving Error 65 When Stapling forums post Many notarisation issues are actually code signing or trusted execution issue. For more on those topics, see Code Signing Resources and Trusted Execution Resources. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"

I've tried to notarize my app recently and got the error:{ "logFormatVersion": 1, "jobId": "...", "status": "Rejected", "statusSummary": "Team is not yet configured for notarization", "statusCode": 7000, "archiveFilename": "myapp.dmg", "uploadDate": "2019-06-20T06:24:53Z", "sha256": "...", "ticketContents": null, "issues": null }I've never heard about "team configuration for notarization" previously. What are the steps to resolve that issue?Thanks in advance.

Hello, I am trying without luck to create a .dmg or .pkg for my electron app that can be opened by any user on a mac. Every time I fail. All is happening by the same pattern. Here is the last try with creating a .pkg instead of .dmg. The app is built and it is signed correctly (I suppose) codesign --verify --verbose=1 dist/mac-universal/VIVIDTIME.app dist/mac-universal/VIVIDTIME.app: valid on disk dist/mac-universal/VIVIDTIME.app: satisfies its Designated Requirement I created a .pkg pkgbuild --root "dist/mac-universal/VIVIDTIME.app" \ --install-location "/Applications/VIVIDTIME.app" \ --identifier "app.vividtime.mac" \ --version "1.1.0" \ --sign "Developer ID Installer: Pavel Bochkov-Rastopchin (2QKDCTR5Y3)" \ dist/VIVIDTIME.pkg pkgbuild: Inferring bundle components from contents of dist/mac-universal/VIVIDTIME.app pkgbuild: Adding component at Contents/Frameworks/Mantle.framework pkgbuild: Adding component at Contents/Frameworks/VIVIDTIME Helper.app pkgbuild: Adding component at Contents/Frameworks/VIVIDTIME Helper (GPU).app pkgbuild: Adding component at Contents/Frameworks/Electron Framework.framework pkgbuild: Adding component at Contents/Frameworks/Squirrel.framework pkgbuild: Adding component at Contents/Frameworks/VIVIDTIME Helper (Renderer).app pkgbuild: Adding component at Contents/Frameworks/VIVIDTIME Helper (Plugin).app pkgbuild: Adding component at Contents/Frameworks/ReactiveObjC.framework pkgbuild: Using timestamp authority for signature pkgbuild: Signing package with identity "Developer ID Installer: Pavel Bochkov-Rastopchin (2QKDCTR5Y3)" from keychain /Users/innrvoice/Library/Keychains/login.keychain-db pkgbuild: Adding certificate "Developer ID Certification Authority" pkgbuild: Adding certificate "Apple Root CA" pkgbuild: Wrote package to dist/VIVIDTIME.pkg

Hi, overnight I'm getting "HTTP status code: 403. Invalid or inaccessible developer team ID for the provided Apple ID. Ensure the Team ID is correct and that you are a member of that team." in my pipeline running notarytool store-credentials. I'm getting --apple-id, --team-id and --password from CI variables. Double checked the values (even though they shouldn't change). Tried a new app specific password I did not change anything to cause this and my apple developer account is active. Really scratching my head what's going on here. Some assistance would be greatly appreciated!

This has been going on for at least a couple of hours for us: notarizing doesn't complete. Our last job ran for over 90 minutes before CircleCI timed it out. We're using xcrun notarytool submit with the --wait option; it contined to say "Current status: In Progress" for, as I said, 90 minutes or so. (Normally it takes about 70 seconds.) https://developer.apple.com/system-status/ says everything is normal. This does not seem to be the case for us. 😄

2022-07-24 16:43:30.074 *** Error: Notarization failed for '/var/folders/r1/3j8rdbl95l9csz588j1nc6xc0000gn/T/electron-notarize-gGm3Fr/git-icons.zip'. 2022-07-24 16:43:30.075 *** Error: You do not have required contracts to perform an operation. With error code FORBIDDEN_ERROR.CONTRACT_NOT_VALID for id bb96a1a8-c3c3-4ded-a3c8-2abe369d8881 You do not have required contracts to perform an operation (-19208) { NSLocalizedDescription = "You do not have required contracts to perform an operation. With error code FORBIDDEN_ERROR.CONTRACT_NOT_VALID for id bb96a1a8-c3c3-4ded-a3c8-2abe369d8881"; NSLocalizedFailureReason = "You do not have required contracts to perform an operation"; }

Hello, For my macOS app, on Xcode version 15.4 (15F31d) on macOS 14.5 (23F79) I follow Organizer > Distribute App > Direct Distribution, and I get a Notary Error "The operation couldn't be completed. (SotoS3.S3ErrorType.multipart error 1.)" It's been happening since 3 days. In the IDEDistribution.verbose.log file I see: https://gist.github.com/atacan/5dec7a5e26dde0ec06a5bc4eb3607461

We're having failures reported back to us from the notarization service as of the 4th of September. It's complaining about binaries inside .jar files, saying some aren't signed and others aren't signed with a valid developer certificate. These are third party jars; we unzip the unsigned binaries from these jars, sign them then put them back in using "jar -ufv". Notarizing is only complaining about binaries inside jars and not anything else, which implies our certificates are valid. Nothing has changed regarding these jars between the notarizing service accepting and rejecting our app. To confirm our suspicions that the notarizing service may be behaving differently, we sent it an app package that previously had succeeded in notarizing. Now the notarizing service fails, citing issues with the same jars as described above. Are you able to confirm whether anything has changed? Any ideas on what we could look at?

Normally I get a response from a submit via notarytool within 30 seconds. Today - with a process that worked a few days ago - I don't get any answer, although the system status claims that the service is up and work. Anybody else, or is it only me?

Keys can vary; an account is not necessary, as only Team Keys are suitable for notarization. It seems that Developer role is sufficient for notarization. We have tried both keys and roles of Developer and Account Manager - the behavior is the same. Multiline There are two types of API keys: Team Access to all apps, with varying levels of access based on selected roles. Individual Access and roles of the associated user. Individual kevs aren't able to use Provisioning endpoints, access Sales and Finance, or notaryTool. BlockQuote Here are the parameters used for notarization via API key: `-k, --key key-path    App Store Connect API key. File system path to the private key. -d, --key-id key-id    App Store Connect API Key ID. For most teams this will be a 10 character alphanumeric string. -i, --issuer issuer    App Store Connect API Issuer ID. The issuer ID is a UUID format string.` The notarization result shows as successful, and on the same machine, the package appears as notarized. However, when the package is transferred to another system, it is displayed as not notarized.

A few hours ago, it took 3 minutes to get the notarization phase of our build done... now I've got one that's been running for 25 minutes and hasn't finished yet. The last time this happened, the waits got up to multiple hours, and the status page didn't get updated.

I have a misterous problem with checking DMG notarization. It fails: bash-3.2$ spctl -a -t open --context context:primary-signature -v MyApp.dmg MyApp: rejected source=no usable signature However this DMG installs fine on Big Sur 11.2.2, macOS allows to run this app, and checking of notarization for installed app was passed: bash-3.2$ spctl -a -v '/Applications/MyApp.app' /Applications/MyApp.app: accepted source=Notarized Developer ID I checked other downloaded apps (Intel or Universal). Some DMG files pass DMG notarization (for example, Audacity), and some fails (PerfectTablePlan). Why? For my app (Universal) I use the following code to codesign and notarize: codesign --timestamp --options runtime --force --deep -s "Developer ID Application: MYCOMPANY" "My.app" // Creating DMG with EULA license xcrun altool --notarize-app --primary-bundle-id MyApp -u "my@email.com" -p "abc123" --file MyApp.dmg xcrun stapler staple MyApp.dmg

We submit for notarization using: xcrun notarytool submit --apple-id ACCOUNT --team-id XXXXXX --password NNNNNN application.zip I have occasionally had success uploading one of the applications, but I have never been successful uploading the bigger one. What is the reason for this? The files are not very large. The small file is only 6.0GB and the big file is only 17.5GB. Of the past 100 failures: 72: error: HTTPClientError.deadlineExceeded 28: error: The operation couldn’t be completed. (Network.NWError error 54 - Connection reset by peer)) On average it takes me around 50 attempts (2 days of uploading) to get past the S3 client configuration. I have tried 5 different internet providers for these uploads. None of them work any better, even ones that have great latency and connections to AWS. I only have a limited number of Mac OS X machines so I have tried on all of the ones I can afford, but none of them work better or worse than my new Mac Book Pro (2021) I have tried every single option and combination of options from man notarytool including disabling S3 acceleration, setting timeouts, trying to use wait. I have tried them all, Can someone please help me figure this out? I'm getting desperate and this is making me look really ****** for pushing to have a Mac OS X port because Mac users are stuck waiting for the notarization service which lags the Mac updates by many days. The error messages make it clear that notarytool is using Soto S3. The developer has indicated in multiple threads that the error HTTPClientError.deadlineExceeded is fixed by increasing the client timeout. Is there a way I can modify notarytool to apply this patch? https://github.com/soto-project/soto/discussions/622 Is it possible to write our own S3 upload tool that bypasses Soto S3 and uses something more reliable? Again, the files I am uploading are not very big none of them are bigger than 25GB. I don't understand why it doesn't work.

Hi there, this is the first time I submitted a Mac app for notarization but looks like all my submissions are stuck in in progress for like one day at the moment. Can anyone help take a look? This is my submission history: Successfully received submission history. history -------------------------------------------------- createdDate: 2025-01-16T00:23:18.445Z id: 0581680c-9cfe-4e5b-9cc9-3ba101c9fd52 name: MiniCalendar.zip status: In Progress -------------------------------------------------- createdDate: 2025-01-15T05:12:13.480Z id: 55a03297-491b-4d30-8126-45d488a6beb9 name: MiniCalendar.zip status: In Progress -------------------------------------------------- createdDate: 2025-01-15T04:27:40.510Z id: 092f558f-01d0-48e5-9761-58dda54de23c name: MiniCalendar.zip status: In Progress -------------------------------------------------- createdDate: 2025-01-15T01:12:55.923Z id: 3aa74a6f-bcb8-4911-9d18-fcbb3e9a6c11 name: MiniCalendar.zip status: In Progress

Iam trying to notarize with notarytool command with app-specific password. xcrun notarytool submit <Path> --apple-id <APPLE_ID> --password <APP_SPECIFIC_PASSWORD> --team-id <Team-ID> But it fails with error Error: HTTP status code: 401. Unable to authenticate. Invalid session. Ensure that all authentication arguments are correct. Tried generating new app-specific password, still failing. Tried storing password in keychain with store-credentials option, again failing. --verbose option with store-credentials showing below error This process stores your credentials securely in the Keychain. You reference these credentials later using a profile name. Validating your credentials... [06:05:28.854Z] Info [API] Initialized Notary API with base URL: https://appstoreconnect.apple.com/notary/v2/\ [06:05:28.854Z] Info [API] Preparing GET request to URL: https://appstoreconnect.apple.com/notary/v2/test?, Parameters: [:], Custom Headers: private<Dictionary<String, String>> [06:05:28.855Z] Debug [AUTHENTICATION] Delaying current request to refresh app-specific password token. [06:05:28.855Z] Info [API] Preparing GET request to URL: https://appstoreconnect.apple.com/notary/v2/asp?, Parameters: [:], Custom Headers: private<Dictionary<String, String>> [06:05:28.855Z] Debug [AUTHENTICATION] Authenticating request to '/notary/v2/asp' with Basic Auth. Username: , Password: private, Team ID: [06:05:28.856Z] Debug [TASKMANAGER] Starting Task Manager loop to wait for asynchronous HTTP calls. [06:05:30.194Z] Debug [API] Received response status code: 401, message: unauthorized, URL: https://appstoreconnect.apple.com/notary/v2/asp?, Correlation Key: [06:05:30.195Z] Error [TASKMANAGER] Completed Task with ID 2 has encountered an error. [06:05:30.195Z] Debug [TASKMANAGER]Ending Task Manager loop. Error: HTTP status code: 401. Unable to authenticate. Invalid session. Ensure that all authentication arguments are correct.

I’m having trouble with the notary step of our electron app. It sometimes says “In progress” for days on end, where other times, it only takes 15-20 minutes. For the last few weeks, I’ve noticed that it will take longer than the 20 minutes if our app was using a not latest version of the electron module -- https://www.npmjs.com/package/electron. I would then update our codebase to build using the latest version, and then try to sign and notarize the app again, and it would work till a new version was released. This was the first time that that process didn’t work. Everything is on latest, and we’re still getting stuck “in progress” for days on end. We have been signing and Notarizing this app for years now, so it's not the first time we're trying to do this process To make matters stranger, I have two branches of the same exact code base – same dependencies, same source code, same everything – there is no difference. One sign and notarize works 100% of the time where the other one hasn’t worked yet. Any ideas would be helpful. I'm not really sure where to begin to debug this. Thanks!

I'm trying to get an app notarized, which fails with this error: The signature of the binary is invalid. However, locally checking the signature does succeed: $ codesign -vvv --deep --strict TheApp.app […] TheApp.app: valid on disk TheApp.app: satisfies its Designated Requirement Performing this check on every single item in the app's MacOS folder also succeeds. Context: embedded prebuilt binaries Now, the app has something unusual about it: it embeds prebuilt binaries, arranged in various nested folders. So, the app bundle's MacOS folder actually contains another folder with a whole tree of executables and libraries: Removing these (before building) does fix the notarization issue, but obviously I'd like to keep them in. I did my best to properly sign these items: At build time, they're copied into the product by a Copy Files phase (but not signed), then signed by a script phase That signing uses the same signing identity as the running Xcode build, and enables the hardened runtime The app builds and runs correctly, even as a release build The app has runtime hardening and app sandbox enabled How should I go about diagnosing the notarization issue?

Dear Apple support, Since the last couple of days, we have some (very) long running notarization requests. Similar requests were done normally under 1 minute. This behavior is unexpected to us, and we did not see it before. The issue occurs for a small CLI tool submitted as a ZIP archive. Checking the documentation, I come across the section about "Avoid long notarization response times and size limits" (https://developer.apple.com/documentation/security/customizing-the-notarization-workflow#Avoid-long-notarization-response-times-and-size-limits). One fact is mentioned “Limit notarizations to 75 per day.” What is behavior if that limitation is reached? Is that limitation per Apple ID or per team ID? Are there some known issues about Notarization Service? Best regards, Stefan

Hello! I've been facing an issue with notarizing a macOS app with an Enterprise API Key. Due to some misunderstanding setting up the project some years ago, the notarization step was using a developer's accounts API Key. I am looking to fix it to have everything centralized in the Enterprise account we work with, but I get "Debug [JWT] Generating new JWT for key ID" with the new key. This is using the xcrun notarytool directly to get more input. Using Fastlane it fails as: Error polling for notarization info: [11:29:25]: unexpected token at '' The project is deployed via MDM, so we need it to prevent the security warning. I used this documentation to create the key: https://developer.apple.com/documentation/enterpriseprogramapi/creating-api-keys-for-enterprise-program-api I have tried a Developer and an Admin access key, and the Account Holder has also created an Admin key but the errors keep the same. I just updated my Fastlane script to use the new key with the updated values. The old developer account key still works. I am not sure if I am missing any steps in the documentation or if this is not achievable. Important to add that all the profiles and certificates were already set up properly in the Enterprise account, the only error was using an App Store Connect Key instead of an Enterprise Key. Thanks in advance for the help.

My app has been attempting to notarize for almost 3 hours now. The status page shows everything is ok: https://developer.apple.com/system-status/ Anyone else experiencing this? Anything I can do to expedite the process? xcrun notarytool history Successfully received submission history. history -------------------------------------------------- createdDate: 2024-12-29T01:20:45.358Z id: 449ebcdd-60eb-41e3-87a7-8107fe6276c3 name: Scourhead.zip status: In Progress -------------------------------------------------- createdDate: 2024-12-29T00:51:10.641Z id: 0054eebd-ddcc-4eb3-928f-86ce2182dbfe name: Scourhead.zip status: In Progress

Notarization has been stuck for hours in "Current Status: In Progress...." Should I keep on waiting or restart the process. If I need to restart the process, how should I go about and do that?