Has the Apple Notarization Service Recently Changed to Inspect Files Inside ZIP Archives?

Hi everyone,

Been working with Apple's notarization process for a while, and we've recently noticed some unexpected behavior.

It seems like the notarization service might be looking inside ZIP archives contained within my app's distribution package.

In the past, we don't recall the notarization process digging into ZIP files like this—only the main app bundle and its contents were scanned for signatures.

Has there been a recent change or update to the notarization service that now includes inspecting files within ZIP archives?

If so, are there specific guidelines or documentation updates regarding this change? Can anyone point me to what to expect and how to adjust my workflow accordingly? While "signing all the files" is the default answer, is there a more cohesive answer to this question?

Thanks

Answered by DTS Engineer in 801663022
Has there been a recent change or update to the notarization service that now includes inspecting files within ZIP archives?

No. Notary has always looked within zip archives. This often trips up Java developers, where notary finds unsigned code within a Java archive (.jar is effectively an alias for .zip). For an example, see this thread. Or this thread, from back in 2020.

I’m not sure why you’re being hit by this just now. Regardless, the path forward is clear:

  • If you want the notary service to include this code in your ticket, sign it before putting it into the zip archive.

  • If not, use an encrypted zip archive so that notary can’t see the code.

IMPORTANT If you choose the second option then your code won’t be included in your ticket, and thus won’t be able to run directly. This is the right thing to do in some cases — for example, if you’re building an SDK and you expect the user of the SDK to include the code in their product and then sign and notarise it — but in most cases it’s better to choose the first option.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
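
To see what the notary service sees before you submit, the following pre-submission scan walks a distribution zip and recurses into nested .zip/.jar entries, flagging Mach-O entries by header bytes (including fat binaries, which share the 0xCAFEBABE magic with Java .class files) and reporting encrypted entries as opaque, which matches the second option above. This is an added example, not code from the answer or from Apple; the archive layout, file names and fake binary headers are constructed for illustration.

```python
import io
import zipfile

# Thin Mach-O magics (32/64-bit, both byte orders); the fat/universal magic is handled separately
THIN_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe", b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe"}
FAT_MAGIC = b"\xca\xfe\xba\xbe"  # also the first four bytes of every Java .class file
NESTED = (".zip", ".jar")        # notary recurses into these; a .jar is just a zip

def looks_like_macho(head: bytes) -> bool:
    """Classify by header bytes, not by file name or extension."""
    if head[:4] in THIN_MAGICS:
        return True
    if head[:4] == FAT_MAGIC and len(head) >= 8:
        # fat_header.nfat_arch is big-endian; a .class file has minor/major version here,
        # which decodes to 45 or more for any real JDK, so a small count means a fat binary.
        return 0 < int.from_bytes(head[4:8], "big") < 20
    return False

def scan_archive(data: bytes, prefix: str = "") -> dict:
    """Walk a zip and its nested .zip/.jar entries, as notary does, and report Mach-O
    entries plus entries notary cannot read because they are encrypted."""
    report = {"macho": [], "encrypted": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = prefix + info.filename
            if info.flag_bits & 0x1:  # general-purpose bit 0 set: entry is encrypted
                report["encrypted"].append(path)
                continue
            payload = zf.read(info)
            if looks_like_macho(payload[:8]):
                report["macho"].append(path)
            elif path.lower().endswith(NESTED) and zipfile.is_zipfile(io.BytesIO(payload)):
                inner = scan_archive(payload, path + "!/")
                for key in report:
                    report[key] += inner[key]
    return report

def build_sample() -> bytes:
    """Constructed fixture: headers are fake; nothing here is a real binary."""
    macho64 = b"\xcf\xfa\xed\xfe" + b"\x00" * 28
    fat = FAT_MAGIC + (2).to_bytes(4, "big") + b"\x00" * 24
    java_class = FAT_MAGIC + (0).to_bytes(2, "big") + (52).to_bytes(2, "big") + b"\x00" * 24
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        for name, blob in (("helper", macho64), ("libfoo.dylib", fat), ("Foo.class", java_class)):
            z.writestr(name, blob)
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("MyApp.app/Contents/MacOS/MyApp", macho64)
        z.writestr("MyApp.app/Contents/Resources/tools.zip", inner.getvalue())
    return outer.getvalue()
```

Every path in the `macho` list is one that must carry a valid signature before the archive is submitted; anything in `encrypted` will not be covered by the ticket.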
