Notarization

RSS for tag

Notarization is the process of scanning Developer ID-signed software for malicious components before distribution outside of the Mac App Store.

Notarization Documentation

Post

Replies

Boosts

Views

Activity

My MacOS application has been accepted when submitted for notarisation but I am getting an error 65 when submitting for stapling. Further, notarisation fails even when run on a clean mac. It throws an unknown developer error.
Hi, I have built a MacOS application that I intend to distribute directly. I have created a disk image and code-signed successfully with the following response. xcrun notarytool info --apple-id "" --password "" --team-id "" I have also submitted the app for notarisation which says it's accepted. equipp@equipps-MacBook-Pro dist % xcrun notarytool submit SendFiles.dmg --keychain-profile "Sendfiles-Notarisation" --wait Conducting pre-submission checks for SendFiles.dmg and initiating connection to the Apple notary service... Submission ID received id: a2941225-b036-47b3-a010-547b0dce6a1a Upload progress: 100.00% (79.0 MB of 79.0 MB) Successfully uploaded file id: a2941225-b036-47b3-a010-547b0dce6a1a path: /Users/equipp/Documents/GitHub/sendfiles/dist/SendFiles.dmg Waiting for processing to complete. Current status: Accepted................ Processing complete id: a2941225-b036-47b3-a010-547b0dce6a1a status: Accepted When I run the application on a clean mac, I am still getting the error that this application is from an unidentified developer and might contain malware.(There's internet connection) However, when I try to staple the application, I am getting an error 65. Unsure what's going wrong with the notarisation. equipp@equipps-MacBook-Pro dist % xcrun stapler staple SendFiles.dmg Processing: /Users/equipp/Documents/GitHub/sendfiles/dist/SendFiles.dmg Could not validate ticket for /Users/equipp/Documents/GitHub/sendfiles/dist/SendFiles.dmg The staple and validate action failed! Error 65. equipp@equipps-MacBook-Pro dist % Can you please help?
0
0
27
10h
Notarization Failure. HTTP status code: 401
Iam trying to notarize with notarytool command with app-specific password. xcrun notarytool submit <Path> --apple-id <APPLE_ID> --password <APP_SPECIFIC_PASSWORD> --team-id <Team-ID> But it fails with error Error: HTTP status code: 401. Unable to authenticate. Invalid session. Ensure that all authentication arguments are correct. Tried generating new app-specific password, still failing. Tried storing password in keychain with store-credentials option, again failing. --verbose option with store-credentials showing below error This process stores your credentials securely in the Keychain. You reference these credentials later using a profile name. Validating your credentials... [06:05:28.854Z] Info [API] Initialized Notary API with base URL: https://appstoreconnect.apple.com/notary/v2/\ [06:05:28.854Z] Info [API] Preparing GET request to URL: https://appstoreconnect.apple.com/notary/v2/test?, Parameters: [:], Custom Headers: private<Dictionary<String, String>> [06:05:28.855Z] Debug [AUTHENTICATION] Delaying current request to refresh app-specific password token. [06:05:28.855Z] Info [API] Preparing GET request to URL: https://appstoreconnect.apple.com/notary/v2/asp?, Parameters: [:], Custom Headers: private<Dictionary<String, String>> [06:05:28.855Z] Debug [AUTHENTICATION] Authenticating request to '/notary/v2/asp' with Basic Auth. Username: , Password: private, Team ID: [06:05:28.856Z] Debug [TASKMANAGER] Starting Task Manager loop to wait for asynchronous HTTP calls. [06:05:30.194Z] Debug [API] Received response status code: 401, message: unauthorized, URL: https://appstoreconnect.apple.com/notary/v2/asp?, Correlation Key: [06:05:30.195Z] Error [TASKMANAGER] Completed Task with ID 2 has encountered an error. [06:05:30.195Z] Debug [TASKMANAGER]Ending Task Manager loop. Error: HTTP status code: 401. Unable to authenticate. Invalid session. Ensure that all authentication arguments are correct.
1
0
59
13h
App specific pw
I'm trying to store credentials on my keychange by doing this: xcrun notarytool store-credentials --apple-id APPLE-ID --team-id TEAM-ID I then I'm asked for a profile name, and the the App-specific password for my apple-id. This is when I'm getting an error: "Invalid credentials. Username or password is incorrect. Use the app-specific password generated at appleid.apple.com. Ensure that all authentication arguments are correct.". Now, I've generated the app specific pw by logging in here: https://account.apple.com/ but when I login to my Developers account, I do it here: https://developer.apple.com/account/ I've signed up for the "$99 a year"-program. Is there a problem that I've created the pw on what looks like my "private" page and not my "developer" page?
1
0
101
2d
Why is my notarized and signed macOS .app rejected by Gatekeeper during installation?
I'm trying to distribute my macOS application (a .dmg file) to customers, and I've followed all the steps to sign and notarize the application. However, when I try to install the .dmg containing the app, Gatekeeper rejects it with the error "AppName cannot be opened because developer is not verified". Even though I’ve signed the app with my Developer ID, notarized it, and verified the signature using codesign, I am still encountering issues when attempting to install or open the app on a clean macOS environment. Here’s the error I see when using spctl to check the .dmg: spctl --assess --type open --verbose=4 output/App.dmg output/App.dmg: rejected source=Insufficient Context When trying: spctl -a -t open -vvv --context context:primary-signature output/App.dmg output/Unbounded.dmg: accepted source=Notarized Developer ID origin=Developer ID Application: My .app is signed and notarised by electron builder and I explicitly signed and notarised dmg too but still not working
3
0
105
3d
Notarize with Enterprise API Key
Hello! I've been facing an issue with notarizing a macOS app with an Enterprise API Key. Due to some misunderstanding setting up the project some years ago, the notarization step was using a developer's accounts API Key. I am looking to fix it to have everything centralized in the Enterprise account we work with, but I get "Debug [JWT] Generating new JWT for key ID" with the new key. This is using the xcrun notarytool directly to get more input. Using Fastlane it fails as: Error polling for notarization info: [11:29:25]: unexpected token at '' The project is deployed via MDM, so we need it to prevent the security warning. I used this documentation to create the key: https://developer.apple.com/documentation/enterpriseprogramapi/creating-api-keys-for-enterprise-program-api I have tried a Developer and an Admin access key, and the Account Holder has also created an Admin key but the errors keep the same. I just updated my Fastlane script to use the new key with the updated values. The old developer account key still works. I am not sure if I am missing any steps in the documentation or if this is not achievable. Important to add that all the profiles and certificates were already set up properly in the Enterprise account, the only error was using an App Store Connect Key instead of an Enterprise Key. Thanks in advance for the help.
2
2
246
1w
Notarization issue with keys
Keys can vary; an account is not necessary, as only Team Keys are suitable for notarization. It seems that Developer role is sufficient for notarization. We have tried both keys and roles of Developer and Account Manager - the behavior is the same. Multiline There are two types of API keys: Team Access to all apps, with varying levels of access based on selected roles. Individual Access and roles of the associated user. Individual kevs aren't able to use Provisioning endpoints, access Sales and Finance, or notaryTool. BlockQuote Here are the parameters used for notarization via API key: `-k, --key key-path    App Store Connect API key. File system path to the private key. -d, --key-id key-id    App Store Connect API Key ID. For most teams this will be a 10 character alphanumeric string. -i, --issuer issuer    App Store Connect API Issuer ID. The issuer ID is a UUID format string.` The notarization result shows as successful, and on the same machine, the package appears as notarized. However, when the package is transferred to another system, it is displayed as not notarized.
5
0
119
1w
Notarizing a DMG bundling a complete Perl environment
...and some more simple command line utilities. I've code signed all executables and binary libraries I could find. This has got rid of most errors already. Now I'm struggling with the "hardened runtime" requirements. I understand I can somehow add entitlements - but have no clue how to do that, and what to add. Somewhere there was reference to PCRE - I don't think Perl uses that itself, but certainly does deal with regexes a lot. How would I add eg. the JIT entitlement (if that was required)? Most documents refer to .mobileprovision files or similar - but I'm dealing with a desktop application. And as all of this is rather non-standard, we don't use Xcode at all. So I wouldn't even know how to use Xcode to create a profile for an an app which is managed completely "outside" of a normal macOS development environment.
5
0
176
1w
Trouble with submitting my package using notarytool
I'll do my best to explain my situation. Basically I have a plugin I'm trying to sign notarize and staple. My plugin is a .component but right now it is currently not bundled so its a .component folder. I cant open it in Xcode to bundle it and therefore cannot successfully bundle it that way. other things I've tried are failing with the error message logs showing the following messages. - "The signature does not include a secure timestamp." -"The binary is not signed." -"The signature of the binary is invalid." Those messages repeat several times and the very last one I receive is -"The contents of the package at ***** could not be extracted." So what I'd like to know is what can I do to my .component folder (all contents are in it so I can successfully sign it, timestamp it and submit successfully using notarytool? Thank you!
2
0
190
1w
Notarytool agreement check?
Hi all, Occasionally, our systems grind to a halt because an agreement needs signed. As you can imagine this always happens at an inconvenient time. Is there a programmatic way we can know about this, before it happens? How is everyone else handling this? From a search through threads here and documentation, I don't see anything and thus I don't think this is possible to script, but wanted to double check. If not possible, what kind of grace period is there between when developer.apple.com mentions something will need signed, and when it stops working? I'm not the one who can sign, so can a non-signer see this? This part is basically asking: How often does someone have to log on to "poll" for this and can this be me or does it have to be the person with access to sign the agreements. Does the system maybe send out an email to the signer about these (in advance), that he's maybe not seeing? Thanks!
3
0
188
1w
Bus error: 10 xcrun notarytool submit
Hello, We use GitHub actions to build, sign and notarize our app. Everything was working fine, but lately the notarization has been failing almost every time. Only about 10% of attempts are successful. We haven't made any changes to the signing and notarizing processes. Here is command we use xcrun notarytool submit app.zip --wait --apple-id *** --team-id *** --password *** > notarization_output.txt Here is the error /Users/runner/work/_temp/c0b6c8e4-86d1-4307-af86-43666fcf39c7.sh: line 1: 3158 Bus error: 10 xcrun notarytool submit app.zip --wait --apple-id *** --team-id *** --password *** > notarization_output.txt
1
1
176
3w
How to ship zip files inside an app which needs to be submitted for notarization?
Here is the situation: We are shipping an application bundle which is submitted to the notarization service for approval. The application bundle adheres to the notarization standards and is approved. Problem: We need to ship a zip file inside this application. This zip file has all the files that are signed. Most of the files are signed by us. However there are some 3P zip files which are not signed by us. We would rather not open these 3P zip files as there might be SLAs involved here. As a result we end up with a zip file which contains mixed signatures. This zip file needs to be part of that application that needs to be notarized. Question: What is the best way to do this in order for the notarization service to approve the application and ship the zip file as part of the application? Note: We don't know if all the files inside the 3P zips are correctly signed (example: With Hardened Runtime). They are all signed though Also, when the zip files contents are laid out onto the customer machine, they are all signed and validated. However, some files might not have hardened runtime. Thanks in advance.
1
0
316
4w
Notarization succeeds, but gatekeeper check still fails, with QtWebEngine
I am packaging an app with QtWebEngine in it, after codesign the app and the QtWebEngine Framework, the app can run properly. The codesign result is: valid on disk staisfies its Designated requirements Then I notarized and stapled the dmg file, after the dmg installed on Mac, gatekeeper still failed the check. Here is the result for spctl: spctl -a -t open -vvv --context context:primary-signatue Remote\ Graphics\ Workstation_.dmg Remote Graphics Workstation_.dmg: rejected source=Insufficient Context Need help to identify the codesign process and the root cause why gatekeeper fail here, thanks.
3
0
273
4w
Issues with Invalid Binary Signatures During macOS Notarization of Electron App
Hello Apple Developer Community, I've been working on notarizing my macOS application, Deep Focus, built using Electron, but I'm encountering persistent issues with binary signatures being reported as invalid during the notarization process. I followed Apple's notarization documentation and ensured that all necessary configurations are in place, but I'm still seeing multiple "Invalid" errors in the notarization log. Here’s the process I've followed so far: 1. System and Tools Setup: macOS version: Apple M1 Pro Sonoma 14.5 macOS SDK: macOS 15.0 Xcode version: Version 16.0 (16A242d) (Using VSCode instead of XCode since this is an Electron /JavaScript project.) Link to source code for inspection 2. Notarization Process: Successfully stored credentials in Keychain using xcrun notarytool store-credentials. Signed all app components, including frameworks, using the command: for framework in "dist/Deep Focus-darwin-arm64/Deep Focus.app/Contents/Frameworks/"*.framework; do codesign --force --deep --options runtime --timestamp --sign "Developer ID Application: Timeo Williams (3Y4F3KTSJA)" "$framework" done Verified that Hardened Runtime is enabled and included the required entitlements. 3. Verification: Checked code signatures with codesign -vvv --deep --strict Deep Focus.app, which returned valid results for all components. Verified the presence of the _CodeSignature directory for each framework and confirmed proper entitlements using: codesign -d --entitlements - Deep Focus.app 4. Notarization Submission Compressed the app into a .zip file and submitted it with xcrun notarytool submit --keychain-profile "notary" --wait. Although the notarization log provided detailed error messages, it still reported the following issues: "The signature of the binary is invalid" for several frameworks, including Electron, ReactiveObjC, and Mantle. { "statusSummary": "Archive contains critical validation errors", "statusCode": 4000, "issues": [ { "path": "Deep Focus.zip/Deep Focus.app/Contents/Frameworks/Electron Framework.framework/Electron Framework", "message": "The signature of the binary is invalid.", "architecture": "arm64" }, ... ] } I've double-checked the signing process and attempted re-signing the frameworks, but the notarization continues to fail due to these invalid signatures. I’m not sure what’s causing the _CodeSignature file to be missing for some frameworks even after signing. [I also installed the Signet app to test verification. My Questions: What could be causing the binary signatures to be reported as invalid during notarization, despite the app satisfying its designated requirements according to codesign? Is there a specific way I should be handling Electron-based apps for macOS notarization that differs from standard macOS apps? Could the issue be related to the use of ARM64 architecture, and are there any additional steps required for signing on ARM-based systems? Are there any known compatibility issues with frameworks like ReactiveObjC, Mantle, or Squirrel that could affect the notarization process? Any guidance or troubleshooting steps would be greatly appreciated. Thank you in advance!
2
1
289
Oct ’24
How to fix notary service internalError(statusCode: 500)
Several hours ago I've uploaded my simple Xcode Storyboard App on Apple Notarization Service. The upload process worked successfully and I could check the notarization status via xcrun notarytool info command. And a few minutes ago, I've met a following error when I execute the xcrun notarytool info command for checking the status of notarization: Error: internalError(statusCode: Optional(500), strData: nil, jsonData: Optional(["statusCode": 500, "errors": <__NSSingleObjectArrayI 0x600001d58ed0>( { code = "UNEXPECTED_ERROR"; detail = "<null>"; id = ISDIE4GVHVXLMO24V7L5LFUHXM; links = "<null>"; status = 500; title = "Uncaught server exception"; } How can I fix this error?
2
1
273
Oct ’24
Notarization unusually stuck
Hello, builds we've submitted for notarization have been stuck in the In-Progress stage for a while now. The process has taken less than 10 minutes in the past. The latest of which is id: 86916f85-b82f-4a95-982b-1232387a92e1. We haven't made any stark changes so we're not clear on what the issue is. Is the best way forward to submit a support ticket?
1
0
315
Oct ’24
Notray taking over 9 hours
Hello. Last night, I was working on notarizing my macOS application. It succeeded for the first several requests, where I was submitting zipped applications. Then I tried to notarize a .pkg file. It has been in progress for 9+ hours, and the subsequent requests seem to be all waiting. Is there anything wrong with the notary service now? Is it true that subsequent requests will not proceed until the previous request is finished? Here's the log: createdDate: 2024-10-03T14:39:48.607Z id: 9739a538-1426-4036-971d-850f202306e0 name: <Redacted> status: In Progress -------------------------------------------------- createdDate: 2024-10-03T14:34:17.276Z id: c12e54d8-f362-4301-b099-ffcd51c27a91 name: <Redacted> status: In Progress -------------------------------------------------- createdDate: 2024-10-03T14:28:43.293Z id: 9a5b5c6b-37af-4761-944c-8ada884f6714 name: <Redacted> status: In Progress -------------------------------------------------- createdDate: 2024-10-03T13:56:35.675Z id: 32d46395-c5e3-4af5-9e02-01c1d8ae4865 name: <Redacted> status: In Progress -------------------------------------------------- createdDate: 2024-10-03T05:08:17.658Z id: 2c042894-79c8-4cc9-ab2b-a08920158023 name: <Redacted> status: In Progress
1
0
336
Oct ’24
xcrun notarytool submit is failing to upload
Hello,I have been using Apple’s notarization services for some time, but for some reason, it has been failing for the last two days. Please find the command and it's output. Conducting pre-submission checks for Espressif-IDE-macosx-cocoa-aarch64.dmg and initiating connection to the Apple notary service... Submission ID received id: bde93f95-4208-45c2-b238-1bcf629648c7 Error: abortedUpload(resumeRequest: SotoS3.S3.ResumeMultipartUploadRequest(uploadRequest: SotoS3.S3.CreateMultipartUploadRequest(acl: nil, bucket: "notary-submissions-prod", bucketKeyEnabled: nil, cacheControl: nil, contentDisposition: nil, contentEncoding: nil, contentLanguage: nil, contentType: nil, expectedBucketOwner: nil, _expires: SotoCore.OptionalCustomCoding<SotoCore.HTTPHeaderDateCoder>(value: nil), grantFullControl: nil, grantRead: nil, grantReadACP: nil, grantWriteACP: nil, key: "prod/AROARQRX7CZS3PRF6ZA5L:bde93f95-4208-45c2-b238-1bcf629648c7", metadata: nil, objectLockLegalHoldStatus: nil, objectLockMode: nil, _objectLockRetainUntilDate: SotoCore.OptionalCustomCoding<SotoCore.ISO8601DateCoder>(value: nil), requestPayer: nil, serverSideEncryption: nil, sSECustomerAlgorithm: nil, sSECustomerKey: nil, sSECustomerKeyMD5: nil, sSEKMSEncryptionContext: nil, sSEKMSKeyId: nil, storageClass: nil, tagging: nil, websiteRedirectLocation: nil), uploadId: "C18xItDUHLkciEHQt_ctoMujceWSoVDz6_V8GRjSPhb2JI4YghXecKH3AVdBVKfTiPXInPr_TbF1aIfWJVKGkuIPtmKm6yzybc1mXTJDWlO.306kjAf5sNxO2H5ksNuy6Jqluc9gXAt3FFJKJZrf1CO3g_mIdfwGNUvQsAP3NpyoOWyDX6E4Ti36IdEZrlOj", completedParts: [SotoS3.S3.CompletedPart(eTag: Optional("\"089a88c4fb3c6844234dc2a89c027da7\""), partNumber: Optional(1)), SotoS3.S3.CompletedPart(eTag: Optional("\"e0e74de26a56733b7a1a5dd48e1f4184\""), partNumber: Optional(2))]), error: The operation couldn’t be completed. (Network.NWError error 54 - Connection reset by peer)) [log.txt](https://developer.apple.com/forums/content/attachment/ccc54854-9f87-4b44-bcac-8fd5efb53e81)
1
0
299
Oct ’24
Mac App Notarization Stuck 'In Progress' Several Days
Hello, I'm currently facing issues with the notarization process for my macOS app, which has been in progress for several days without completion. I’ve submitted multiple builds over the past few days, but they all remain stuck in "In Progress" status. { "message": "Successfully received submission history.", "history": [ { "status": "In Progress", "id": "3bab3c0e-203d-4d66-87e5-e9c46e366a6c", "name": "Offer鸡.zip", "createdDate": "2024-09-29T19:20:39.240Z" }, { "createdDate": "2024-09-29T18:28:08.522Z", "status": "In Progress", "name": "Offer鸡.zip", "id": "9bb19fae-e7c2-485b-90c5-7158a1639225" }, { "createdDate": "2024-09-29T12:31:52.458Z", "name": "Offer鸡.zip", "id": "ff0ec784-7014-412e-9e42-30feae65b546", "status": "In Progress" }, { "status": "In Progress", "id": "4be0d351-e3db-43cb-a2ce-71ebdecd623a", "createdDate": "2024-09-29T05:39:23.409Z", "name": "Offer鸡.zip" }, { "status": "In Progress", "createdDate": "2024-09-28T18:15:00.601Z", "name": "Offer鸡.zip", "id": "2a4947e0-3a4b-45e0-832a-723fdf221cbf" }, { "id": "e50fbd60-8448-4f12-8539-22dcf24caee5", "name": "offerji.zip", "createdDate": "2024-09-27T07:47:50.919Z", "status": "In Progress" }, { "createdDate": "2024-09-26T21:45:10.596Z", "name": "offerji.zip", "status": "Rejected", "id": "fc3490e9-3ff5-49f8-a08a-5bfac7cca81d" }, { "createdDate": "2024-09-26T06:59:51.950Z", "id": "d003f48c-01ec-48f7-89e0-8b8f5ad700bd", "name": "offerji.zip", "status": "Invalid" } ] } I also encountered two previous submission failures: offerji.zip (submitted on 2024-09-26 at 21:45) - Rejected offerji.zip (submitted on 2024-09-26 at 06:59) - Invalid Could anyone provide insight into what might have caused the earlier failures? And is it common for notarization to take this long? Any advice on how to expedite or resolve this issue would be greatly appreciated! Thanks in advance for your help.
2
2
336
Sep ’24
Notarization issue
TL;DR - What have I messed up on this notarization workflow? I'm completely new to Apple development. I have been trying to notarize an application I have written, that is then packaged as a .dmg. I am trying to notarize it using the command line tools (as it is an existing app, and not written in Xcode/Swift). My steps so far are as follows: All libraries, frameworks, and other executables have been signed (.dylib, .so etc.). I have avoided using --deep as I understand this is not recommended. The above includes all similar files included within zip archives (the cross platform framework I use places some inside a zip container). I have unzipped, signed, and rezipped. I have signed the main executable within "[NAME].app/MacOS" and the "[NAME].app" with an .entitlements file, and a certificate. codesign --verify --verbose --sign "$DEVELOPER_ID_APP_CERT" --timestamp --force --entitlements "$APP_NAME.entitlements" "$BUILD_DIR/$APP_NAME.app/Contents/MacOS/$APP_NAME" codesign --verify --verbose --sign "$DEVELOPER_ID_APP_CERT" --options runtime --entitlements "$APP_NAME.entitlements" "$BUILD_DIR/$APP_NAME.app" --force --timestamp echo "Checking for unsigned components..." codesign --verify --deep --verbose=4 "$BUILD_DIR/$APP_NAME.app" echo "Verifying entitlements..." codesign --display --entitlements :- "$BUILD_DIR/$APP_NAME.app" Both of the above checks come back as ok. Then, I have the following script lines which package the app as a .dmg and submit it to notarisation. hdiutil create -volname "$APP_NAME" -srcfolder $BUILD_DIR/$APP_NAME.app" -ov -format UDZO "$BUILD_DIR/$DMG_NAME" # Sign the DMG codesign --force --verify --verbose --sign "$DEVELOPER_ID_APP_CERT" "$BUILD_DIR/$DMG_NAME" # Notarize the DMG xcrun notarytool submit "$BUILD_DIR/$DMG_NAME" --key "[AUTH_KEY_LOCATION].p8" --key-id "[KEYID]" --issuer "[ISSUERID]" --wait # Staple the notarization ticket to the DMG xcrun stapler staple "$BUILD_DIR/$DMG_NAME" # Verify the notarization xcrun stapler validate "$BUILD_DIR/$DMG_NAME" After a 20 hour wait, I get the following back from the notarization service: id: 41931e00-2f34-4389-b5e1-fd76707c2162 status: Invalid Processing: [PATH]/[APP].dmg CloudKit query for [APP].dmg (2/a428f96446e143497380c0ae1f2b70661050aed6) failed due to "Record not found". Could not find base64 encoded ticket in response for 2/a428f96446e143497380c0ae1f2b70661050aed6 The staple and validate action failed! Error 65. Processing: [PATH]/[APP].dmg FotoLabAI.dmg does not have a ticket stapled to it. On a seperate submission, I noticed something about a note about audit.log not being found, but I can't find a reference to this on Google. So far as I understand, this is the file that is supposed to help me debug notarization errors. Normally I'd try more debugging myself, but I can't afford to wait 24h for feedback.
1
0
356
Sep ’24