IMPORTANT altool is deprecated for the purposes of notarisation and will stop working on 1 Nov 2023 [1]. If you’re currently notarising with altool, switch to notarytool now. For specific advice on how to do this, see TN3147 Migrating to the latest notarization tool.
General:
DevForums tag: Notarization
WWDC 2018 Session 702 Your Apps and the Future of macOS Security
WWDC 2019 Session 703 All About Notarization
WWDC 2021 Session 10261 Faster and simpler notarization for Mac apps
WWDC 2022 Session 10109 What’s new in notarization for Mac apps — Amongst other things, this introduced the Notary REST API
Notarizing macOS Software Before Distribution documentation
Customizing the Notarization Workflow documentation
Resolving Common Notarization Issues documentation
Notary REST API documentation
TN3147 Migrating to the latest notarization tool technote
Fetching the Notary Log DevForums post
Q&A with the Mac notary service team Developer > News post
Notarisation and the macOS 10.9 SDK DevForums post
Testing a Notarised Product DevForums post
Notarisation Fundamentals DevForums post
The Pros and Cons of Stapling DevForums post
Many notarisation issues are actually code signing or trusted execution issues. For more on those topics, see Code Signing Resources and Trusted Execution Resources.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
[1] See Apple notary service update.
Notarization
Notarization is the process of scanning Developer ID-signed software for malicious components before distribution outside of the Mac App Store.
Posts under Notarization tag
120 Posts
I am working on developing a Mac app (WireGuard Apple VPN) that will be distributed outside the App Store.
I have added the network extension which is included in the system extension with packet tunneling capability.
I have created a build following these steps here: https://developer.apple.com/forums/thread/737894
as per your suggestions in my accepted post: https://developer.apple.com/forums/thread/761251
It works fine in this case when the machine has SIP disabled and systemextensionsctl developer enabled.
As soon as I have made changes on the machine to disable systemextensionsctl developer and enable SIP, it loads the system extension and also asks for network extension permission. But it does not connect to the VPN.
I have copied the app to the "/Applications" directory before opening it.
This issue is specific to macOS 15.1. It works fine for macOS 14.* and 13.*. Speaking of macOS 15.0, it didn't work in both cases with SIP enabled or disabled. So, it seems that it must be a bug in macOS 15.0 and it seems that this bug was partially fixed in macOS 15.1. Is that right?
I am currently planning to distribute the app to testers for final testing before rolling it out to a wider audience.
Am I missing something? Thanks in advance.
I have an app Arpeggio.app which I build and then sign without errors: "electron-osx-sign dist/mac-arm64/Arpeggio.app --identity="Developer ID Application: XXXX (XXXXXX)" --hardened-runtime --no-gatekeeper-assess --entitlements=entitlements.plist".
It returns "Application signed: dist/mac-arm64/Arpeggio.app".
I then use "/usr/bin/ditto -c -k --sequesterRsrc --keepParent src dst" to make a zip with the same signatures.
I then submit the zip for notarization: "xcrun notarytool submit dist/mac-arm64/Arpeggio.zip --apple-id XXXX etc"
which returns "Waiting for processing to complete.
Current status: Accepted..............
Processing complete
id: ***-***-xx-xx
status: Accepted".
Then I staple the notarization to the app and get "The staple and validate action worked!". Now it shows all validated and that the notarization is stapled. I then run "spctl --assess --type execute -vv 'dist/mac-arm64/Arpeggio.app'" as a last check and always get this:
dist/mac-arm64/Arpeggio.app: unknown error 99999=1869f
Why is this happening? I can't seem to debug the issue, but our notarization and signing is always successful and the app works as expected. Please help me get to the bottom of this.
Hello,
We use GitHub actions to build, sign and notarize our app. Everything was working fine, but lately the notarization has been failing almost every time. Only about 10% of attempts are successful. We haven't made any changes to the signing and notarizing processes.
Here is the command we use:
xcrun notarytool submit app.zip --wait --apple-id *** --team-id *** --password *** > notarization_output.txt
Here is the error:
/Users/runner/work/_temp/c0b6c8e4-86d1-4307-af86-43666fcf39c7.sh: line 1: 3158 Bus error: 10 xcrun notarytool submit app.zip --wait --apple-id *** --team-id *** --password *** > notarization_output.txt
Here is the situation:
We are shipping an application bundle which is submitted to the notarization service for approval.
The application bundle adheres to the notarization standards and is approved.
Problem: We need to ship a zip file inside this application. This zip file has all the files that are signed. Most of the files are signed by us. However there are some 3P zip files which are not signed by us. We would rather not open these 3P zip files as there might be SLAs involved here.
As a result we end up with a zip file which contains mixed signatures. This zip file needs to be part of that application that needs to be notarized.
Question: What is the best way to do this in order for the notarization service to approve the application and ship the zip file as part of the application? Note: We don't know if all the files inside the 3P zips are correctly signed (example: with Hardened Runtime). They are all signed, though.
Also, when the zip file's contents are laid out onto the customer machine, they are all signed and validated. However, some files might not have the hardened runtime.
Thanks in advance.
I am packaging an app with QtWebEngine in it. After codesigning the app and the QtWebEngine framework, the app runs properly.
The codesign result is:
valid on disk
satisfies its Designated Requirement
Then I notarized and stapled the dmg file, after the dmg installed on Mac, gatekeeper still failed the check.
Here is the result for spctl:
spctl -a -t open -vvv --context context:primary-signature Remote\ Graphics\ Workstation_.dmg
Remote Graphics Workstation_.dmg: rejected
source=Insufficient Context
I need help identifying the codesign process and the root cause of why Gatekeeper fails here. Thanks.
The app is signed, notarized and stapled. When I send that dmg file with a file transfer tool, it opens correctly on another Mac without any warning or error. However, if I send that dmg file through IM to the same Mac, it produces the "cannot check it for malicious software" error.
I checked the transferred dmg with spctl -a -t open -vvv --context context:primary-signature MyApp.dmg, and it shows source=Notarized Developer ID; origin=***
How can I resolve this issue?
Several hours ago I uploaded my simple Xcode Storyboard app to the Apple notarization service. The upload worked successfully and I could check the notarization status via the xcrun notarytool info command.
A few minutes ago, I hit the following error when executing the xcrun notarytool info command to check the status of the notarization:
Error: internalError(statusCode: Optional(500), strData: nil, jsonData: Optional(["statusCode": 500, "errors": <__NSSingleObjectArrayI 0x600001d58ed0>(
{
code = "UNEXPECTED_ERROR";
detail = "<null>";
id = ISDIE4GVHVXLMO24V7L5LFUHXM;
links = "<null>";
status = 500;
title = "Uncaught server exception";
}
How can I fix this error?
Hello, builds we've submitted for notarization have been stuck in the In-Progress stage for a while now. The process has taken less than 10 minutes in the past.
The latest of which is id: 86916f85-b82f-4a95-982b-1232387a92e1.
We haven't made any stark changes so we're not clear on what the issue is. Is the best way forward to submit a support ticket?
Hello,
I'm currently facing issues with the notarization process for my macOS app, which has been in progress for several days without completion. I’ve submitted multiple builds over the past few days, but they all remain stuck in "In Progress" status.
{
"message": "Successfully received submission history.",
"history": [
{
"status": "In Progress",
"id": "3bab3c0e-203d-4d66-87e5-e9c46e366a6c",
"name": "Offer鸡.zip",
"createdDate": "2024-09-29T19:20:39.240Z"
},
{
"createdDate": "2024-09-29T18:28:08.522Z",
"status": "In Progress",
"name": "Offer鸡.zip",
"id": "9bb19fae-e7c2-485b-90c5-7158a1639225"
},
{
"createdDate": "2024-09-29T12:31:52.458Z",
"name": "Offer鸡.zip",
"id": "ff0ec784-7014-412e-9e42-30feae65b546",
"status": "In Progress"
},
{
"status": "In Progress",
"id": "4be0d351-e3db-43cb-a2ce-71ebdecd623a",
"createdDate": "2024-09-29T05:39:23.409Z",
"name": "Offer鸡.zip"
},
{
"status": "In Progress",
"createdDate": "2024-09-28T18:15:00.601Z",
"name": "Offer鸡.zip",
"id": "2a4947e0-3a4b-45e0-832a-723fdf221cbf"
},
{
"id": "e50fbd60-8448-4f12-8539-22dcf24caee5",
"name": "offerji.zip",
"createdDate": "2024-09-27T07:47:50.919Z",
"status": "In Progress"
},
{
"createdDate": "2024-09-26T21:45:10.596Z",
"name": "offerji.zip",
"status": "Rejected",
"id": "fc3490e9-3ff5-49f8-a08a-5bfac7cca81d"
},
{
"createdDate": "2024-09-26T06:59:51.950Z",
"id": "d003f48c-01ec-48f7-89e0-8b8f5ad700bd",
"name": "offerji.zip",
"status": "Invalid"
}
]
}
I also encountered two previous submission failures:
offerji.zip (submitted on 2024-09-26 at 21:45) - Rejected
offerji.zip (submitted on 2024-09-26 at 06:59) - Invalid
Could anyone provide insight into what might have caused the earlier failures? And is it common for notarization to take this long? Any advice on how to expedite or resolve this issue would be greatly appreciated!
Thanks in advance for your help.
TL;DR - What have I messed up on this notarization workflow? I'm completely new to Apple development.
I have been trying to notarize an application I have written, that is then packaged as a .dmg.
I am trying to notarize it using the command line tools (as it is an existing app, and not written in Xcode/Swift).
My steps so far are as follows:
All libraries, frameworks, and other executables have been signed (.dylib, .so etc.). I have avoided using --deep as I understand this is not recommended.
The above includes all similar files included within zip archives (the cross platform framework I use places some inside a zip container). I have unzipped, signed, and rezipped.
I have signed the main executable within "[NAME].app/MacOS" and the "[NAME].app" with an .entitlements file, and a certificate.
codesign --verify --verbose --sign "$DEVELOPER_ID_APP_CERT" --timestamp --force --entitlements "$APP_NAME.entitlements" "$BUILD_DIR/$APP_NAME.app/Contents/MacOS/$APP_NAME"
codesign --verify --verbose --sign "$DEVELOPER_ID_APP_CERT" --options runtime --entitlements "$APP_NAME.entitlements" "$BUILD_DIR/$APP_NAME.app" --force --timestamp
echo "Checking for unsigned components..."
codesign --verify --deep --verbose=4 "$BUILD_DIR/$APP_NAME.app"
echo "Verifying entitlements..."
codesign --display --entitlements :- "$BUILD_DIR/$APP_NAME.app"
Both of the above checks come back as ok.
Then, I have the following script lines which package the app as a .dmg and submit it to notarisation.
hdiutil create -volname "$APP_NAME" -srcfolder "$BUILD_DIR/$APP_NAME.app" -ov -format UDZO "$BUILD_DIR/$DMG_NAME"
# Sign the DMG
codesign --force --verify --verbose --sign "$DEVELOPER_ID_APP_CERT" "$BUILD_DIR/$DMG_NAME"
# Notarize the DMG
xcrun notarytool submit "$BUILD_DIR/$DMG_NAME" --key "[AUTH_KEY_LOCATION].p8" --key-id "[KEYID]" --issuer "[ISSUERID]" --wait
# Staple the notarization ticket to the DMG
xcrun stapler staple "$BUILD_DIR/$DMG_NAME"
# Verify the notarization
xcrun stapler validate "$BUILD_DIR/$DMG_NAME"
After a 20 hour wait, I get the following back from the notarization service:
id: 41931e00-2f34-4389-b5e1-fd76707c2162
status: Invalid
Processing: [PATH]/[APP].dmg
CloudKit query for [APP].dmg (2/a428f96446e143497380c0ae1f2b70661050aed6) failed due to "Record not found".
Could not find base64 encoded ticket in response for 2/a428f96446e143497380c0ae1f2b70661050aed6
The staple and validate action failed! Error 65.
Processing: [PATH]/[APP].dmg
FotoLabAI.dmg does not have a ticket stapled to it.
On a separate submission, I noticed a note about audit.log not being found, but I can't find a reference to this on Google. So far as I understand, this is the file that is supposed to help me debug notarization errors.
Normally I'd try more debugging myself, but I can't afford to wait 24h for feedback.
I have requested notarization of my application with ID "95a8605f-9854-4984-8c07-484ea5a6303f". It is taking more than 2 days. How can I check the progress status, i.e. where exactly the process is? Right now we are in the dark; how can we get some visibility on this?
We have an organization with multiple developers developing apps. There are times when they want to find out whether their app will pass notarization or not. We have a Developer ID Application certificate that we use to sign files right before production deployment and then for notarization approval. But this is not possible when developers are working in their sandboxes.
Providing each developer their own Developer ID Application certificate for distribution is both not feasible and perhaps not very secure.
Is there a way in which they can find out if their apps would pass the notarization tests without actually uploading to Apple?
Our company changed its name as a result of a merger, and the development group responsible for our mobile apps decided to migrate from our "legacy" Apple developer account to a new account associated with the new company name. I found this out last Friday when the notification step in the build script for our Mac applications stopped working — the notification server accepts the request but never responds; we were using the --wait flag with notarytool, and as a result it hangs indefinitely.
Apparently our old developer account was deactivated unexpectedly, and while it's been temporarily turned back on to allow the mobile apps team to finish migrating their apps, the notarization step continues to hang.
I haven't yet tried using the new team account, because my product requires an Endpoint Security entitlement, which is associated with the old Team ID. The long-term answer is probably to re-apply for a new entitlement, but that took over a month the last time we did this, and of course we were scheduled to release a product update in two weeks.
At the moment we're dead in the water. Are there any other options to get us going again? (I considered opening a code-level support request, but as this issue isn't exactly "code-level", I was worried that would be a waste of time and/or money.)
The archive build part works, and uses the correct entitlements file:
[Key] com.apple.developer.networking.networkextension
[Value]
[Array]
[String] app-proxy-provider-systemextension
That's from codesign -dv --entitlements - ...../NetworkExtensionExperiment.app
However, the distribution log shows
"Error Domain=DVTPortalProfileErrorDomain Code=4 \"Cannot create a Developer ID provisioning profile for \"com.kithrup.NetworkExtensionExperiment\".\" UserInfo={NSLocalizedDescription=Cannot create a Developer ID provisioning profile for \"com.kithrup.NetworkExtensionExperiment\"., IDEDistributionIssueSeverity=3, NSLocalizedRecoverySuggestion=The Network Extensions capability is not available for Developer ID provisioning profiles. Disable this feature and try again., NSUnderlyingError=0x600013e719b0 {Error Domain=DVTPortalProfileTypeErrorDomain Code=0 \"Cannot create a Developer ID provisioning profile.\" UserInfo={UnsupportedFeatureNames=(\n \"Network Extensions\"\n), NSLocalizedDescription=Cannot create a Developer ID provisioning profile., NSLocalizedRecoverySuggestion=The Network Extensions capability is not available for Developer ID provisioning profiles. Disable this feature and try again.}}}",
"Error Domain=IDEProfileLocatorErrorDomain Code=1 \"No profiles for 'com.kithrup.NetworkExtensionExperiment' were found\" UserInfo={IDEDistributionIssueSeverity=3, NSLocalizedDescription=No profiles for 'com.kithrup.NetworkExtensionExperiment' were found, NSLocalizedRecoverySuggestion=Xcode couldn't find any Developer ID provisioning profiles matching 'com.kithrup.NetworkExtensionExperiment'.}"
which, given that I was able to build a signed version with the entitlement as shown first, seems to be a problem.
All my years of hating Xcode are coming back to haunt me, I can tell.
We have developed an electron app which we want to extend with an action extension. The action extension is written in swift in Xcode. Our plan was to build the .appex file and insert it into the PlugIns folder in our electron app, but I don't think this is the right way to do it?
If we insert the .appex file before notarization then we get an error that we are "replacing existing signature".
If we manually insert it after the notarization then we get an error with the app is damaged and can’t be opened.
Can anybody provide a procedure for this kind of merge? I would imagine that it goes something like:
Sign app
Sign extension
Add extension to App
Notarize app
For signing the app we use electron-builder.
Hi, I can't activate my system extension.
In any case I'm getting
Domain=OSSystemExtensionErrorDomain Code=8 "Invalid code signature or missing entitlements"
(sometimes get code = 9)
P.S. In debug running all is working. (The system is asking to activate sysex)
I've had to read a huge number of forum posts, samples, and docs, but no luck.
What I've tried and how
Steps I've been doing:
#- signing sysextension binaries with Developer ID Application
#- signing system extension with Developer ID Application
#- signing application with Developer ID Application
#- checking all signatures with Developer ID Application
#- building pkg installer
#- signing installer with Developer ID Installer
#- checking signing
#- sending installer for notarization
#- waiting for installer verification
#- after success I call stapler staple
#- When calling sysex activation I get
(But the problem persists when I try to move the signed app to the Applications folder, or try to notarize a zip, or in any other case possibly mentioned on the forum; I get the same result.)
Sign command sample:
codesign --force --timestamp --options runtime --sign "Developer ID ***"
I also tried with --deep, but no luck.
Result of the steps described here:
The app has the System Extension capability; the sysex doesn't have System Extension.
The app uses the same bundle ID as in the App Store (I also tried a separate one, but no luck).
In the console there are just two informative messages regarding it, but nothing specific:
default 01:08:04.745310+0200 sysextd client activation request for com.company.appName.PacketTunnelMacExternal
default 01:08:04.745330+0200 sysextd attempting to realize extension with identifier com.company.appName.PacketTunnelMacExternal
default 01:08:04.750996+0200 appName-Mac-External [0x13a9496f0] invalidated because the current process cancelled the connection by calling xpc_connection_cancel()
Could you please assist with solving this issue?
HERE IS THE COMPLETE LOG FROM THE SYSTEM.. please help me with the issue.
Downloads % xcrun notarytool submit appName.pkg --apple-id “appleid --team-id <app_id> --wait --verbose
[17:21:08.220Z] Debug [MAIN] Running notarytool version: unknown (0), date: 2024-09-09T17:21:08Z, command: /Applications/Xcode.app/Contents/Developer/usr/bin/notarytool submit _090624.pkg --apple-id <apple_id_hidden>--team-id <app_id> --wait --verbose
Conducting pre-submission checks for _090624.pkg and initiating connection to the Apple notary service...
[17:21:08.222Z] Debug [PREFLIGHT] _090624.pkg is a flat installer package.
[17:21:08.223Z] Debug [PREFLIGHT] Finished completing determination of file type for _090624.pkg. Operation took 1ms.
Password for <apple_id_hidden>:
[17:21:13.354Z] Info [API] Initialized Notary API with base URL: https://appstoreconnect.apple.com/notary/v2/
[17:21:13.357Z] Debug [CTXMGR] Created temporary directory at: file:///var/folders/bj/ct_f469n03b2l596c_00n27c0000gp/T/TemporaryItems/NSIRD_notarytool_hkXwCu/
[17:21:13.359Z] Debug [CTXMGR] Copied _090624.pkg -- file:///Users/w525362/Downloads/ to file:///var/folders/bj/ct_f469n03b2l596c_00n27c0000gp/T/TemporaryItems/NSIRD_notarytool_hkXwCu/_090624.pkg
[17:21:13.360Z] Debug [FILEHASH] Generating md5 and sha256 digest with buffer size 1048576 for file:///var/folders/bj/ct_f469n03b2l596c_00n27c0000gp/T/TemporaryItems/NSIRD_notarytool_hkXwCu/_090624.pkg
[17:21:13.486Z] Debug [FILEHASH] MD5 digest: bd49fd77dfe36a9bbfb4c7efc329c6fe
[17:21:13.486Z] Debug [FILEHASH] Base64-encoded MD5 Digest: vUn9d9/japu/tMfvwynG/g==
[17:21:13.487Z] Debug [FILEHASH] SHA256 digest: 03466bf60dc33f57a2bbb2ba54402eb882529085e98f9d18e1e42ceeecd9d0aa
[17:21:13.487Z] Debug [FILEHASH] Finished generating file hashes for _090624.pkg. Operation took 126ms.
[17:21:13.487Z] Debug [API] Sending submissions payload: submissionPayload(submissionName: "_090624.pkg", md5: "bd49fd77dfe36a9bbfb4c7efc329c6fe", sha256: "03466bf60dc33f57a2bbb2ba54402eb882529085e98f9d18e1e42ceeecd9d0aa", notifications: [])
[17:21:13.488Z] Info [API] Preparing POST request to URL: https://appstoreconnect.apple.com/notary/v2/submissions?, Custom Headers: private<Dictionary<String, String>>
[17:21:13.488Z] Debug [AUTHENTICATION] Delaying current request to refresh app-specific password token.
[17:21:13.488Z] Info [API] Preparing GET request to URL: https://appstoreconnect.apple.com/notary/v2/asp?, Parameters: [:], Custom Headers: private<Dictionary<String, String>>
[17:21:13.488Z] Debug [AUTHENTICATION] Authenticating request to '/notary/v2/asp' with Basic Auth. Username: appleID, Password: private, Team ID: <app_id>
[17:21:13.489Z] Debug [TASKMANAGER] Starting Task Manager loop to wait for asynchronous HTTP calls.
[17:21:14.774Z] Debug [API] Received response status code: 401, message: unauthorized, URL: https://appstoreconnect.apple.com/notary/v2/asp?, Correlation Key: QHGCOMLZWZVN4SEAKHS3SBGLS4
[17:21:14.775Z] Error [TASKMANAGER] Completed Task with ID 2 has encountered an error.
[17:21:14.775Z] Debug [TASKMANAGER] Ending Task Manager loop.
[17:21:14.783Z] Debug [CTXMGR] Removed temporary directory:
Optional(file:///var/folders/bj/ct_f469n03b2l596c_00n27c0000gp/T/TemporaryItems/NSIRD_notarytool_hkXwCu/)
Error: HTTP status code: 401. Invalid credentials. Username or password is incorrect. Use the app-specific password generated at appleid.apple.com. Ensure that all authentication arguments are correct.
I recently changed the architecture of my app by moving some of the logic into a helper app, which is embedded together with the main app.
The main app's bundle looks like this:
Main.app
- Contents
- MacOS
- Main
- Helper.app
It all works fine during development, and I could successfully archive and notarize it. However, when I try to launch the notarized version of the helper app, it fails with the signing issues.
failed to fetch
Main.app/Contents/MacOS/Helper.app/Contents/_CodeSignature/CodeRequirements-1 error=-10
I have tried a few things, but could not find any working solution. Any help is appreciated!
Hi,
we have a .pkg install package consisting of various sub packages. One of them contains presets and needs to be installed to the default preset location /Library/Audio/Presets. If this non-binary preset package is the only one in a .pkg choice, notarization fails with:
{
"logFormatVersion": 1,
"jobId": "*",
"status": "Invalid",
"statusSummary": "Archive contains critical validation errors",
"statusCode": 4000,
"archiveFilename": "mypackage.pkg.zip",
"uploadDate": "2024-08-22T21:24:03.251Z",
"sha256": "*",
"ticketContents": null,
"issues": [
{
"severity": "error",
"code": null,
"path": "mypackage.pkg.zip",
"message": "Package mypackage.pkg.zip has no signed executables or bundles. No tickets can be generated.",
"docUrl": null,
"architecture": null
},
{
"severity": "warning",
"code": null,
"path": "mypackage.pkg.zip/mypackage.pkg",
"message": "b\"Invalid component package: mypackage_vstpreset Distribution file's value: #com.mycompany.mypackage.vstpreset.pkg\\n\"",
"docUrl": null,
"architecture": null
}
]
}
Not sure, but maybe it's worth noting that the sub package causing this only generates a warning, but the parent package seems to escalate this into an error.
How can a non-binary sub package be included in a notarized parent package?
Any hints or thoughts are highly appreciated, Thanks!
Hi everyone,
Been working with Apple's notarization process for a while, and we've recently noticed some unexpected behavior.
It seems like the notarization service might be looking inside ZIP archives contained within my app's distribution package.
In the past, we don't recall the notarization process digging into ZIP files like this—only the main app bundle and its contents were scanned for signatures.
Has there been a recent change or update to the notarization service that now includes inspecting files within ZIP archives?
If so, are there specific guidelines or documentation updates regarding this change? Can anyone point me to what to expect and how to adjust my workflow accordingly? While "sign all the files" is the default answer, is there a more cohesive answer to this question?
Thanks