Notarization issue

TL;DR - What have I messed up on this notarization workflow? I'm completely new to Apple development.

I have been trying to notarize an application I have written, that is then packaged as a .dmg.

I am trying to notarize it using the command line tools (as it is an existing app, and not written in Xcode/Swift).

My steps so far are as follows:

  1. All libraries, frameworks, and other executables have been signed (.dylib, .so etc.). I have avoided using --deep as I understand this is not recommended.
  2. The above includes all similar files included within zip archives (the cross platform framework I use places some inside a zip container). I have unzipped, signed, and rezipped.
  3. I have signed the main executable within "[NAME].app/MacOS" and the "[NAME].app" with an .entitlements file, and a certificate.
```
codesign --verify --verbose --sign "$DEVELOPER_ID_APP_CERT" --timestamp --force --entitlements "$APP_NAME.entitlements" "$BUILD_DIR/$APP_NAME.app/Contents/MacOS/$APP_NAME"

codesign --verify --verbose --sign "$DEVELOPER_ID_APP_CERT" --options runtime --entitlements "$APP_NAME.entitlements" "$BUILD_DIR/$APP_NAME.app" --force --timestamp

echo "Checking for unsigned components..."
codesign --verify --deep --verbose=4 "$BUILD_DIR/$APP_NAME.app"

echo "Verifying entitlements..."
codesign --display --entitlements :- "$BUILD_DIR/$APP_NAME.app"
```
  4. Both of the above checks come back as ok.
  5. Then, I have the following script lines which package the app as a .dmg and submit it to notarisation.

```
hdiutil create -volname "$APP_NAME" -srcfolder "$BUILD_DIR/$APP_NAME.app" -ov -format UDZO "$BUILD_DIR/$DMG_NAME"

# Sign the DMG
codesign --force --verify --verbose --sign "$DEVELOPER_ID_APP_CERT" "$BUILD_DIR/$DMG_NAME"

# Notarize the DMG
xcrun notarytool submit "$BUILD_DIR/$DMG_NAME" --key "[AUTH_KEY_LOCATION].p8" --key-id "[KEYID]" --issuer "[ISSUERID]" --wait

# Staple the notarization ticket to the DMG
xcrun stapler staple "$BUILD_DIR/$DMG_NAME"

# Verify the notarization
xcrun stapler validate "$BUILD_DIR/$DMG_NAME"
```
  6. After a 20 hour wait, I get the following back from the notarization service:

```
 id: 41931e00-2f34-4389-b5e1-fd76707c2162
 status: Invalid
Processing: [PATH]/[APP].dmg
CloudKit query for [APP].dmg (2/a428f96446e143497380c0ae1f2b70661050aed6) failed due to "Record not found".
Could not find base64 encoded ticket in response for 2/a428f96446e143497380c0ae1f2b70661050aed6
The staple and validate action failed! Error 65.
Processing: [PATH]/[APP].dmg
FotoLabAI.dmg does not have a ticket stapled to it.
```

  7. On a separate submission, I noticed something about a note about audit.log not being found, but I can't find a reference to this on Google. So far as I understand, this is the file that is supposed to help me debug notarization errors.

Normally I'd try more debugging myself, but I can't afford to wait 24h for feedback.

Answered by DTS Engineer in 805956022

Right, so the notary service is grumpy with your submission, which is why you get back the invalid status. As to what’s wrong, it’s hard to say. The first step is to fetch the notary log to see what it’s actually complaining about.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
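
Added example, not part of the original posts and not Apple's code: a wrapper for the submit step that staples only when the notary verdict is Accepted and otherwise prints the notary log, as the answer recommends. The function names and the NOTARY_KEY, NOTARY_KEY_ID and NOTARY_ISSUER variables are assumptions, as is the flat `id`/`status` shape of notarytool's JSON output.

```shell
#!/bin/sh
# Added example. NOTARY_KEY, NOTARY_KEY_ID and NOTARY_ISSUER are assumed
# variable names for the .p8 path, key ID and issuer ID used in the question.

# Pull one top-level string field out of notarytool's JSON output.
# Assumes the value holds no escaped quotes (true for "id" and "status").
json_field() {
    printf '%s\n' "$2" |
        sed -n 's/.*"'"$1"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' |
        head -n 1
}

# Run a notarytool subcommand with the API-key credentials appended.
notary() {
    xcrun notarytool "$@" \
        --key "$NOTARY_KEY" --key-id "$NOTARY_KEY_ID" --issuer "$NOTARY_ISSUER"
}

# Submit a signed DMG and staple only if the verdict is Accepted.
# Returns 0 on success, 1 if rejected (log printed to stderr), 2 if no verdict.
notarize_and_staple() {
    dmg=$1
    result=$(notary submit "$dmg" --wait --output-format json) || true
    id=$(json_field id "$result")
    status=$(json_field status "$result")
    if [ -z "$id" ] || [ -z "$status" ]; then
        echo "no submission id/status returned: $result" >&2
        return 2
    fi
    echo "submission $id: $status"
    if [ "$status" != "Accepted" ]; then
        # A rejected submission has no ticket, so stapling cannot succeed.
        # The notary log lists each issue with its path and message.
        notary log "$id" >&2
        return 1
    fi
    xcrun stapler staple "$dmg" && xcrun stapler validate "$dmg"
}

# Usage: notarize_and_staple "$BUILD_DIR/$DMG_NAME"
```

For a submission that has already finished, `xcrun notarytool log <id>` with the same credentials fetches the log without resubmitting.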
