Hello, We use GitHub actions to build, sign and notarize our app. Everything was working fine, but lately the notarization has been failing almost every time. Only about 10% of attempts are successful. We haven't made any changes to the signing and notarizing processes. Here is command we use xcrun notarytool submit app.zip --wait --apple-id *** --team-id *** --password *** > notarization_output.txt Here is the error /Users/runner/work/_temp/c0b6c8e4-86d1-4307-af86-43666fcf39c7.sh: line 1: 3158 Bus error: 10 xcrun notarytool submit app.zip --wait --apple-id *** --team-id *** --password *** > notarization_output.txt

Here is the situation: We are shipping an application bundle which is submitted to the notarization service for approval. The application bundle adheres to the notarization standards and is approved. Problem: We need to ship a zip file inside this application. This zip file has all the files that are signed. Most of the files are signed by us. However there are some 3P zip files which are not signed by us. We would rather not open these 3P zip files as there might be SLAs involved here. As a result we end up with a zip file which contains mixed signatures. This zip file needs to be part of that application that needs to be notarized. Question: What is the best way to do this in order for the notarization service to approve the application and ship the zip file as part of the application? Note: We don't know if all the files inside the 3P zips are correctly signed (example: With Hardened Runtime). They are all signed though Also, when the zip files contents are laid out onto the customer machine, they are all signed and validated. However, some files might not have hardened runtime. Thanks in advance.

I am packaging an app with QtWebEngine in it, after codesign the app and the QtWebEngine Framework, the app can run properly. The codesign result is: valid on disk staisfies its Designated requirements Then I notarized and stapled the dmg file, after the dmg installed on Mac, gatekeeper still failed the check. Here is the result for spctl: spctl -a -t open -vvv --context context:primary-signatue Remote\ Graphics\ Workstation_.dmg Remote Graphics Workstation_.dmg: rejected source=Insufficient Context Need help to identify the codesign process and the root cause why gatekeeper fail here, thanks.

Hello Apple Developer Community, I've been working on notarizing my macOS application, Deep Focus, built using Electron, but I'm encountering persistent issues with binary signatures being reported as invalid during the notarization process. I followed Apple's notarization documentation and ensured that all necessary configurations are in place, but I'm still seeing multiple "Invalid" errors in the notarization log. Here’s the process I've followed so far: 1. System and Tools Setup: macOS version: Apple M1 Pro Sonoma 14.5 macOS SDK: macOS 15.0 Xcode version: Version 16.0 (16A242d) (Using VSCode instead of XCode since this is an Electron /JavaScript project.) Link to source code for inspection 2. Notarization Process: Successfully stored credentials in Keychain using xcrun notarytool store-credentials. Signed all app components, including frameworks, using the command: for framework in "dist/Deep Focus-darwin-arm64/Deep Focus.app/Contents/Frameworks/"*.framework; do codesign --force --deep --options runtime --timestamp --sign "Developer ID Application: Timeo Williams (3Y4F3KTSJA)" "$framework" done Verified that Hardened Runtime is enabled and included the required entitlements. 3. Verification: Checked code signatures with codesign -vvv --deep --strict Deep Focus.app, which returned valid results for all components. Verified the presence of the _CodeSignature directory for each framework and confirmed proper entitlements using: codesign -d --entitlements - Deep Focus.app 4. Notarization Submission Compressed the app into a .zip file and submitted it with xcrun notarytool submit --keychain-profile "notary" --wait. Although the notarization log provided detailed error messages, it still reported the following issues: "The signature of the binary is invalid" for several frameworks, including Electron, ReactiveObjC, and Mantle. { "statusSummary": "Archive contains critical validation errors", "statusCode": 4000, "issues": [ { "path": "Deep Focus.zip/Deep Focus.app/Contents/Frameworks/Electron Framework.framework/Electron Framework", "message": "The signature of the binary is invalid.", "architecture": "arm64" }, ... ] } I've double-checked the signing process and attempted re-signing the frameworks, but the notarization continues to fail due to these invalid signatures. I’m not sure what’s causing the _CodeSignature file to be missing for some frameworks even after signing. [I also installed the Signet app to test verification. My Questions: What could be causing the binary signatures to be reported as invalid during notarization, despite the app satisfying its designated requirements according to codesign? Is there a specific way I should be handling Electron-based apps for macOS notarization that differs from standard macOS apps? Could the issue be related to the use of ARM64 architecture, and are there any additional steps required for signing on ARM-based systems? Are there any known compatibility issues with frameworks like ReactiveObjC, Mantle, or Squirrel that could affect the notarization process? Any guidance or troubleshooting steps would be greatly appreciated. Thank you in advance!

Several hours ago I've uploaded my simple Xcode Storyboard App on Apple Notarization Service. The upload process worked successfully and I could check the notarization status via xcrun notarytool info command. And a few minutes ago, I've met a following error when I execute the xcrun notarytool info command for checking the status of notarization: Error: internalError(statusCode: Optional(500), strData: nil, jsonData: Optional(["statusCode": 500, "errors": <__NSSingleObjectArrayI 0x600001d58ed0>( { code = "UNEXPECTED_ERROR"; detail = "<null>"; id = ISDIE4GVHVXLMO24V7L5LFUHXM; links = "<null>"; status = 500; title = "Uncaught server exception"; } How can I fix this error?

Hello, builds we've submitted for notarization have been stuck in the In-Progress stage for a while now. The process has taken less than 10 minutes in the past. The latest of which is id: 86916f85-b82f-4a95-982b-1232387a92e1. We haven't made any stark changes so we're not clear on what the issue is. Is the best way forward to submit a support ticket?

Hello. Last night, I was working on notarizing my macOS application. It succeeded for the first several requests, where I was submitting zipped applications. Then I tried to notarize a .pkg file. It has been in progress for 9+ hours, and the subsequent requests seem to be all waiting. Is there anything wrong with the notary service now? Is it true that subsequent requests will not proceed until the previous request is finished? Here's the log: createdDate: 2024-10-03T14:39:48.607Z id: 9739a538-1426-4036-971d-850f202306e0 name: <Redacted> status: In Progress -------------------------------------------------- createdDate: 2024-10-03T14:34:17.276Z id: c12e54d8-f362-4301-b099-ffcd51c27a91 name: <Redacted> status: In Progress -------------------------------------------------- createdDate: 2024-10-03T14:28:43.293Z id: 9a5b5c6b-37af-4761-944c-8ada884f6714 name: <Redacted> status: In Progress -------------------------------------------------- createdDate: 2024-10-03T13:56:35.675Z id: 32d46395-c5e3-4af5-9e02-01c1d8ae4865 name: <Redacted> status: In Progress -------------------------------------------------- createdDate: 2024-10-03T05:08:17.658Z id: 2c042894-79c8-4cc9-ab2b-a08920158023 name: <Redacted> status: In Progress

Hello,I have been using Apple’s notarization services for some time, but for some reason, it has been failing for the last two days. Please find the command and it's output. Conducting pre-submission checks for Espressif-IDE-macosx-cocoa-aarch64.dmg and initiating connection to the Apple notary service... Submission ID received id: bde93f95-4208-45c2-b238-1bcf629648c7 Error: abortedUpload(resumeRequest: SotoS3.S3.ResumeMultipartUploadRequest(uploadRequest: SotoS3.S3.CreateMultipartUploadRequest(acl: nil, bucket: "notary-submissions-prod", bucketKeyEnabled: nil, cacheControl: nil, contentDisposition: nil, contentEncoding: nil, contentLanguage: nil, contentType: nil, expectedBucketOwner: nil, _expires: SotoCore.OptionalCustomCoding<SotoCore.HTTPHeaderDateCoder>(value: nil), grantFullControl: nil, grantRead: nil, grantReadACP: nil, grantWriteACP: nil, key: "prod/AROARQRX7CZS3PRF6ZA5L:bde93f95-4208-45c2-b238-1bcf629648c7", metadata: nil, objectLockLegalHoldStatus: nil, objectLockMode: nil, _objectLockRetainUntilDate: SotoCore.OptionalCustomCoding<SotoCore.ISO8601DateCoder>(value: nil), requestPayer: nil, serverSideEncryption: nil, sSECustomerAlgorithm: nil, sSECustomerKey: nil, sSECustomerKeyMD5: nil, sSEKMSEncryptionContext: nil, sSEKMSKeyId: nil, storageClass: nil, tagging: nil, websiteRedirectLocation: nil), uploadId: "C18xItDUHLkciEHQt_ctoMujceWSoVDz6_V8GRjSPhb2JI4YghXecKH3AVdBVKfTiPXInPr_TbF1aIfWJVKGkuIPtmKm6yzybc1mXTJDWlO.306kjAf5sNxO2H5ksNuy6Jqluc9gXAt3FFJKJZrf1CO3g_mIdfwGNUvQsAP3NpyoOWyDX6E4Ti36IdEZrlOj", completedParts: [SotoS3.S3.CompletedPart(eTag: Optional("\"089a88c4fb3c6844234dc2a89c027da7\""), partNumber: Optional(1)), SotoS3.S3.CompletedPart(eTag: Optional("\"e0e74de26a56733b7a1a5dd48e1f4184\""), partNumber: Optional(2))]), error: The operation couldn’t be completed. (Network.NWError error 54 - Connection reset by peer)) [log.txt](https://developer.apple.com/forums/content/attachment/ccc54854-9f87-4b44-bcac-8fd5efb53e81)

Hello, I'm currently facing issues with the notarization process for my macOS app, which has been in progress for several days without completion. I’ve submitted multiple builds over the past few days, but they all remain stuck in "In Progress" status. { "message": "Successfully received submission history.", "history": [ { "status": "In Progress", "id": "3bab3c0e-203d-4d66-87e5-e9c46e366a6c", "name": "Offer鸡.zip", "createdDate": "2024-09-29T19:20:39.240Z" }, { "createdDate": "2024-09-29T18:28:08.522Z", "status": "In Progress", "name": "Offer鸡.zip", "id": "9bb19fae-e7c2-485b-90c5-7158a1639225" }, { "createdDate": "2024-09-29T12:31:52.458Z", "name": "Offer鸡.zip", "id": "ff0ec784-7014-412e-9e42-30feae65b546", "status": "In Progress" }, { "status": "In Progress", "id": "4be0d351-e3db-43cb-a2ce-71ebdecd623a", "createdDate": "2024-09-29T05:39:23.409Z", "name": "Offer鸡.zip" }, { "status": "In Progress", "createdDate": "2024-09-28T18:15:00.601Z", "name": "Offer鸡.zip", "id": "2a4947e0-3a4b-45e0-832a-723fdf221cbf" }, { "id": "e50fbd60-8448-4f12-8539-22dcf24caee5", "name": "offerji.zip", "createdDate": "2024-09-27T07:47:50.919Z", "status": "In Progress" }, { "createdDate": "2024-09-26T21:45:10.596Z", "name": "offerji.zip", "status": "Rejected", "id": "fc3490e9-3ff5-49f8-a08a-5bfac7cca81d" }, { "createdDate": "2024-09-26T06:59:51.950Z", "id": "d003f48c-01ec-48f7-89e0-8b8f5ad700bd", "name": "offerji.zip", "status": "Invalid" } ] } I also encountered two previous submission failures: offerji.zip (submitted on 2024-09-26 at 21:45) - Rejected offerji.zip (submitted on 2024-09-26 at 06:59) - Invalid Could anyone provide insight into what might have caused the earlier failures? And is it common for notarization to take this long? Any advice on how to expedite or resolve this issue would be greatly appreciated! Thanks in advance for your help.

TL;DR - What have I messed up on this notarization workflow? I'm completely new to Apple development. I have been trying to notarize an application I have written, that is then packaged as a .dmg. I am trying to notarize it using the command line tools (as it is an existing app, and not written in Xcode/Swift). My steps so far are as follows: All libraries, frameworks, and other executables have been signed (.dylib, .so etc.). I have avoided using --deep as I understand this is not recommended. The above includes all similar files included within zip archives (the cross platform framework I use places some inside a zip container). I have unzipped, signed, and rezipped. I have signed the main executable within "[NAME].app/MacOS" and the "[NAME].app" with an .entitlements file, and a certificate. codesign --verify --verbose --sign "$DEVELOPER_ID_APP_CERT" --timestamp --force --entitlements "$APP_NAME.entitlements" "$BUILD_DIR/$APP_NAME.app/Contents/MacOS/$APP_NAME" codesign --verify --verbose --sign "$DEVELOPER_ID_APP_CERT" --options runtime --entitlements "$APP_NAME.entitlements" "$BUILD_DIR/$APP_NAME.app" --force --timestamp echo "Checking for unsigned components..." codesign --verify --deep --verbose=4 "$BUILD_DIR/$APP_NAME.app" echo "Verifying entitlements..." codesign --display --entitlements :- "$BUILD_DIR/$APP_NAME.app" Both of the above checks come back as ok. Then, I have the following script lines which package the app as a .dmg and submit it to notarisation. hdiutil create -volname "$APP_NAME" -srcfolder $BUILD_DIR/$APP_NAME.app" -ov -format UDZO "$BUILD_DIR/$DMG_NAME" # Sign the DMG codesign --force --verify --verbose --sign "$DEVELOPER_ID_APP_CERT" "$BUILD_DIR/$DMG_NAME" # Notarize the DMG xcrun notarytool submit "$BUILD_DIR/$DMG_NAME" --key "[AUTH_KEY_LOCATION].p8" --key-id "[KEYID]" --issuer "[ISSUERID]" --wait # Staple the notarization ticket to the DMG xcrun stapler staple "$BUILD_DIR/$DMG_NAME" # Verify the notarization xcrun stapler validate "$BUILD_DIR/$DMG_NAME" After a 20 hour wait, I get the following back from the notarization service: id: 41931e00-2f34-4389-b5e1-fd76707c2162 status: Invalid Processing: [PATH]/[APP].dmg CloudKit query for [APP].dmg (2/a428f96446e143497380c0ae1f2b70661050aed6) failed due to "Record not found". Could not find base64 encoded ticket in response for 2/a428f96446e143497380c0ae1f2b70661050aed6 The staple and validate action failed! Error 65. Processing: [PATH]/[APP].dmg FotoLabAI.dmg does not have a ticket stapled to it. On a seperate submission, I noticed something about a note about audit.log not being found, but I can't find a reference to this on Google. So far as I understand, this is the file that is supposed to help me debug notarization errors. Normally I'd try more debugging myself, but I can't afford to wait 24h for feedback.

I have put my application for notarization and it's been more than 2 hours and it still shows in Progress to me. Is there any issue or way to notarize faster ?

I have requested for notarizatiohn of my application with "95a8605f-9854-4984-8c07-484ea5a6303f", it is taking more than 2 days of time, how can check about the progress status, like where exactly process is proceeding, right now we are in process darkness, how we can get some visibility on this?

I'm developing an electron app using electron-builder I code-signed and notarized it and can confirm with codesign and spctl commands like below: % codesign --verify --deep --verbose ./MyApp.app ./MyApp.app: valid on disk ./MyApp.app: satisfies its Designated Requirement % spctl -a -vvv -t install ./MyApp.app ./MyApp.app: accepted source=Notarized Developer ID origin=Developer ID Application: XXXXX.,Ltd. (XXXX) But I cannot open it as if weren't signed. "MyApp" can't be openend" If I try to open it in terminal with open command: The application cannot be opened for an unexpected reason, error=Error Domain=NSOSStatusErrorDomain Code=-10810 "kLSUnknownErr: Unexpected internal error" UserInfo={_LSFunction=_LSLaunchWithRunningboard, _LSLine=2735, NSUnderlyingError=0x600003aa0900 {Error Domain=RBSRequestErrorDomain Code=5 "Launch failed." UserInfo={NSLocalizedFailureReason=Launch failed., NSUnderlyingError=0x600003aa09c0 {Error Domain=NSPOSIXErrorDomain Code=1 "Operation not permitted" UserInfo={NSLocalizedDescription=Launchd job spawn failed}}}}} What could be wrong here? I'm strongly suspecting that my apple developer program and certificate has some issues. As this happened after I renew my program this month. Or could there be some other reason for this error?

We're having failures reported back to us from the notarization service as of the 4th of September. It's complaining about binaries inside .jar files, saying some aren't signed and others aren't signed with a valid developer certificate. These are third party jars; we unzip the unsigned binaries from these jars, sign them then put them back in using "jar -ufv". Notarizing is only complaining about binaries inside jars and not anything else, which implies our certificates are valid. Nothing has changed regarding these jars between the notarizing service accepting and rejecting our app. To confirm our suspicions that the notarizing service may be behaving differently, we sent it an app package that previously had succeeded in notarizing. Now the notarizing service fails, citing issues with the same jars as described above. Are you able to confirm whether anything has changed? Any ideas on what we could look at?

We have an organization with multiple developers trying to develop apps. There are times where they want to find out if their app will pass notarization or not? We have a Developer ID Application certificate that we use to sign files right before production deployment and then for notarization approval. But this is not possible when developers are working in their sandboxes. Providing each developer their own Developer ID Application certificate for distribution is both not feasible and perhaps not very secure. Is there a way in which they can find out if their apps would pass the notarization tests without actually uploading to Apple?

I'm trying to get some people to test my application, but when they attempt to open it, it says "Malware blocked and moved to bin". Attempting to open it on my mac has no issues, but on theirs it will get flagged. Are there any solutions? I think this is to do with the signature, however this could be wrong. I am sending a direct archive through iMessage in a zip file.

Our company changed its name as a result of a merger, and the development group responsible for our mobile apps decided to migrate from our "legacy" Apple developer account to a new account associated with the new company name. I found this out last Friday when the notification step in the build script for our Mac applications stopped working — the notification server accepts the request but never responds; we were using the --wait flag with notarytool, and as a result it hangs indefinitely. Apparently our old developer account was deactivated unexpectedly, and while it's been temporarily turned back on to allow the mobile apps team to finish migrating their apps, the notarization step continues to hang. I haven't yet tried using the new team account, because my product requires an Endpoint Security entitlement, which is associated with the old Team ID. The long-term answer is probably to re-apply for a new entitlement, but that took over a month the last time we did this, and of course we were scheduled to release a product update in two weeks. At the moment we're dead in the water. Are there any other options to get us going again? (I considered opening a code-level support request, but as this issue isn't exactly "code-level", I was worried that would be a waste of time and/or money.)

Hi, can't activate system-extension. in any case getting Domain=OSSystemExtensionErrorDomain Code=8 "Invalid code signature or missing entitlements" (sometimes get code = 9) P.S. In debug running all is working. (The system is asking to activate sysex) Has to read huge amount of forum, samples, and docs. But no luck What and how i've tried steps which i've doing #- signing sysextension binaries with Developer ID Application #- signing system extension with Developer ID Application #- signing application with Developer ID Application #- checking all signatures with Developer ID Application #- building pkg installer #- signing installer with Developer ID Installer #- checking signing #- sending installer for notarization #- waiting for installer verification #- after success I call stapler staple #- When calling sysex activation I get (But the problem is persist when i've try to move signed app to application folder, or try to notarize zip) or in any case which possibly mention on forum, i've get sign command sample codesign --force --timestamp --options runtime --sign "Developer ID ***" Also has to tried with ** --deep,** but no luck. Result of steps descrribed here: App has System Extension compatibility, Sysex haven't System Extension. App is used the same bundle id as in AppStore (also has to tried separate one, but no luck) In console just two informative message regarding it, but nothing specific default 01:08:04.745310+0200 sysextd client activation request for com.company.appName.PacketTunnelMacExternal default 01:08:04.745330+0200 sysextd attempting to realize extension with identifier com.company.appName.PacketTunnelMacExternal default 01:08:04.750996+0200 appName-Mac-External [0x13a9496f0] invalidated because the current process cancelled the connection by calling xpc_connection_cancel() Could you please assits with solve issue?

HERE IS THE COMPLETE LOG FROM THE SYSTEM.. please help me with the issue. Downloads % xcrun notarytool submit appName.pkg --apple-id “appleid --team-id <app_id> --wait --verbose [17:21:08.220Z] Debug [MAIN] Running notarytool version: unknown (0), date: 2024-09-09T17:21:08Z, command: /Applications/Xcode.app/Contents/Developer/usr/bin/notarytool submit _090624.pkg --apple-id <apple_id_hidden>--team-id <app_id> --wait --verbose Conducting pre-submission checks for _090624.pkg and initiating connection to the Apple notary service... [17:21:08.222Z] Debug [PREFLIGHT] _090624.pkg is a flat installer package. [17:21:08.223Z] Debug [PREFLIGHT] Finished completing determination of file type for _090624.pkg. Operation took 1ms. Password for <apple_id_hidden>: [17:21:13.354Z] Info [API] Initialized Notary API with base URL: https://appstoreconnect.apple.com/notary/v2/ [17:21:13.357Z] Debug [CTXMGR] Created temporary directory at: file:///var/folders/bj/ct_f469n03b2l596c_00n27c0000gp/T/TemporaryItems/NSIRD_notarytool_hkXwCu/ [17:21:13.359Z] Debug [CTXMGR] Copied _090624.pkg -- file:///Users/w525362/Downloads/ to file:///var/folders/bj/ct_f469n03b2l596c_00n27c0000gp/T/TemporaryItems/NSIRD_notarytool_hkXwCu/_090624.pkg [17:21:13.360Z] Debug [FILEHASH] Generating md5 and sha256 digest with buffer size 1048576 for file:///var/folders/bj/ct_f469n03b2l596c_00n27c0000gp/T/TemporaryItems/NSIRD_notarytool_hkXwCu/_090624.pkg [17:21:13.486Z] Debug [FILEHASH] MD5 digest: bd49fd77dfe36a9bbfb4c7efc329c6fe [17:21:13.486Z] Debug [FILEHASH] Base64-encoded MD5 Digest: vUn9d9/japu/tMfvwynG/g== [17:21:13.487Z] Debug [FILEHASH] SHA256 digest: 03466bf60dc33f57a2bbb2ba54402eb882529085e98f9d18e1e42ceeecd9d0aa [17:21:13.487Z] Debug [FILEHASH] Finished generating file hashes for _090624.pkg. Operation took 126ms. [17:21:13.487Z] Debug [API] Sending submissions payload: submissionPayload(submissionName: "_090624.pkg", md5: "bd49fd77dfe36a9bbfb4c7efc329c6fe", sha256: "03466bf60dc33f57a2bbb2ba54402eb882529085e98f9d18e1e42ceeecd9d0aa", notifications: []) [17:21:13.488Z] Info [API] Preparing POST request to URL: https://appstoreconnect.apple.com/notary/v2/submissions?, Custom Headers: private<Dictionary<String, String>> [17:21:13.488Z] Debug [AUTHENTICATION] Delaying current request to refresh app-specific password token. [17:21:13.488Z] Info [API] Preparing GET request to URL: https://appstoreconnect.apple.com/notary/v2/asp?, Parameters: [:], Custom Headers: private<Dictionary<String, String>> [17:21:13.488Z] Debug [AUTHENTICATION] Authenticating request to '/notary/v2/asp' with Basic Auth. Username: appleID, Password: private, Team ID: <app_id> [17:21:13.489Z] Debug [TASKMANAGER] Starting Task Manager loop to wait for asynchronous HTTP calls. [17:21:14.774Z] Debug [API] Received response status code: 401, message: unauthorized, URL: https://appstoreconnect.apple.com/notary/v2/asp?, Correlation Key: QHGCOMLZWZVN4SEAKHS3SBGLS4 [17:21:14.775Z] Error [TASKMANAGER] Completed Task with ID 2 has encountered an error. [17:21:14.775Z] Debug [TASKMANAGER] Ending Task Manager loop. [17:21:14.783Z] Debug [CTXMGR] Removed temporary directory: Optional(file:///var/folders/bj/ct_f469n03b2l596c_00n27c0000gp/T/TemporaryItems/NSIRD_notarytool_hkXwCu/) Error: HTTP status code: 401. Invalid credentials. Username or password is incorrect. Use the app-specific password generated at appleid.apple.com. Ensure that all authentication arguments are correct.

So I'm trying to maintain free open-source macOS tools. These two tools are sandboxed and hardened runtime. One is an image viewer that writes out a perftrace file into the sandbox folder (in Containers). Then another app tries to open that perftrace file (json). When the perftrace file is opened in Xcode (signed and notarized), the file opens fine the first and all subsequent times. When the opening app is kram-profile (signed not notaraized), the file opens once and then nothing can ever open it again. The app has attribute com.apple.quarantine set on it. The only workaround to then open this file is to remove the attribute xattr -d com.apple.quarantine <filename> This is my tool build in Xcode, and having to sign let alone notarize an app is a large amount of complexity. Also this app is available on github.