Hi everyone,
I'm hearing online that the macOS App Notarization service won't work for some Chinese app developers. They say that personal Apple Developer accounts in China (supposedly having membership subscription) are restricted from using this service or their macOS apps won't pass the notarization process, probably due to some "strict legal regulations". I want to ask if this is true? Or is it just that they failed to follow some of the technical requirements of this process?
Notarization
Notarization is the process of scanning Developer ID-signed software for malicious components before distribution outside of the Mac App Store.
Hi there, I've been working on a JUCE audio plugin project and have created an installer for the demo to release to the public outside of the App Store.
I have built the various forms of the plugin in Xcode (standalone, AU, vst3) and have the automatic signing set up with a Developer ID Application certificate. I have been using WhiteBox Packages to create the installer to install the AU component and the vst3 on a user's computer. I can successfully sign the installer with a Developer ID Installer certificate but when I submit it for notarization, the status returns as "invalid". When looking at the Notarytool log, it says that the binary is not signed with a valid Developer ID certificate for all versions of the plugin (for AU & vst3, and both architectures, arm64 & x86_64, as well).
I can use codesign and pkgutil to confirm that the files and installer are both signed including the contents within both the AU and vst3 bundles, but the notarization still fails. I have tried to notarize just a zipped version of the plugin but that fails too. In the Customizing The Notarization Workflow documentation, it is mentioned that custom third-party installers need two rounds of notarization. I'm assuming Packages is a custom third-party installer but I don't see how two rounds of notarization is possible when I can't even notarize a zipped version of the plugin.
I am still new to Xcode and Apple Developer so there is a possibility that it's something I missed or didn't do. I've read through quite a few other posts on both this forum and the JUCE forum about similar problems but I haven't found a solution that has worked so if anyone has any ideas on how to potentially get my installer notarized, I'd greatly appreciate the advice. Thanks.
I have been trying to notarize an app since yesterday and have tried about 20 times at various times of the day.
Most times it stops during the upload and produces an error message
"Couldn't communicate with a helper application" which occurs at various places while downloading.
Three times the upload appeared to complete but then produced an error
"This operation could not be completed (SotoS3.S3ErrorType.Multipart.error.1
I then looked in the status log which had several entries:
Prepared archive for uploading (green check to left)
Upload failed (red x to left)
Notary error (red x to left)
The operation couldn't be completed (SotoS3.S3ErrorType...)
In Progress (grey timer icon to left)
macOS application Mulligan's Eagle (403115926)
macOS deployment - macOS 10.14 (Mojave) through Sonoma 14.5
macOS targets - Mac App Store, ad hoc direct drag-to-install image
Xcode version 15.4, various development Macs (Intel, M1, M2)
Eagle delivered since pre-Mac App Store days - derived from System 7 MacApp development. App most recently delivered with min system Mac OS 10.12 through current Sonoma 14.5, dual target for Mac App Store automatically signed with Apple Development credentials and for outside release automatically signed with Developer ID credentials.
Recent revisions to the software to bump min system to 10.14 (Mojave) with typical continuing development for tech, reqm'ts, etc. Updates (a couple since previous release) to Xcode - now using version 15.4, which recommended some config changes that made sense, except min system. Popular application with lots of older (uh... elder) users running Macs servicing golfers.
The application is ready to distribute with automatic signing, but wasn't able to do so with Developer ID credentials, but Xcode note (and reading of tips in this forum and my poor understanding) managed to submit for notarization - failed.
Tried to manually sign...
and reviewed signing info in Xcode...
So I reviewed Certificate(s) etc. that should have been used when previously signing Dev ID for notarization and release. I have (I think) six Developer ID Application certs and six Developer ID Installer certs and I can't find any combination of those certificates - some with duplicate dates or expirations - that allows me to use one to automatically sign code to notarization or delivery. What do I do? I've lived a peaceful solo developer life for 25 years delivering and signing code for the Mac and as long as iOS has existed. I'm terrified about this issue however...
My early Mac OS using customers (since Lion - pre sandbox) still have serial numbers for this software and have bought a Mac every 6 - 10 years so they could get my latest release. We've never required that they re-purchase from the App Store... they have a perpetual license. Sandboxing was a shock they never felt - we kept delivering updates to them and if they decided sandboxing mattered, they purchased from Apple and we included the container-migration entitlement in the App Store version to move their data to the new sandbox. Pretty slick. Until we built an install disk to test it on an unsandboxed version of Eagle in our office. It "lost" its data - vanished by remaining in the old Application Support directory while the new hardened runtime version looked for it in the sandbox - finding nothing. Just imagine encountering that if you're 80 years old running a golf league.
How can I "reset" the futzed-up certificate Developer ID mess? I have multiple machines, all with varying subsets of what seem to be good certificates. And Xcode builds new provisioning profiles just for the heck of it, it seems. I'm afraid to revoke or throw out any certificates because I can't tell which ones are good, bad or duplicates - they're all valid. And I can't create any more Developer ID certs because there's a max to control certificate-miscreants like me (yes, I've read Quinn's protection of your Dev ID note - I screwed it up with only 1 employee). I depend on automatic signing because I'm still, after 58 years of coding, just a novice.
Is it true that I should still specify in my build settings that I'm using Developer ID credentials for my ad hoc development and distribution schemes? And that the proper settings for those should NOT enable hardened runtime or app sandboxing?
Sorry for my intensity here.... It's been 2 weeks since App Review bonked an initial submission with just an "it's broken" reject message, and DTS decided this is not such an emergency that the Developer Forum shouldn't be able to handle it. I'm truly hoping it's so.
Hi,
We are running xcrun staple on our pkg file. It gives the following message
We do not know how to deal with trailer version 9262. Exepected 1
Terminator Trailer size must be 0, not 1737
{magic: t8lr, version: 1, type: 2, length: 1737}
Found expected ticket at 8164385 with length of 1737
Sig Type is RSA. Length is 3
Sig Type is CMS. Length is 3
Package mypkg.pkg uses a checksum of size 20
*The staple and validate action worked!*
However, the command returns with -1 error code.
So, the questions I have are:
What does this return response mean?
Do we consider this as a success or failure scenario (especially because of the message "...action worked")?
I am getting rejected while notarizing.
{
  "logFormatVersion": 1,
  "jobId": "123456-123456-123456-123456",
  "status": "Rejected",
  "statusSummary": "Team is not yet configured for notarization. Please contact Developer Programs Support at developer.apple.com under the topic Development and Technical / Other Development or Technical Questions.",
  "statusCode": 7000,
  "archiveFilename": "AppName.dmg",
  "uploadDate": "2024-07-26T18:51:25.866Z",
  "sha256": "a37cd79",
  "ticketContents": null,
  "issues": null
}
Do let me know how I can configure my team for notarization.
File size is 103 MB. Made in Electron + Vue.
I am using Github Actions for signing and notarizing, but it's been stuck on notarizing for hours. I cancelled and retried but same thing happens. I am using Tauri which is running the notarize scripts.
Here is my main.yml:
name: macOS Build Script
on:
  push:
    branches:
      - 'main'
permissions:
  contents: write
  issues: write
  pull-requests: write
jobs:
  build:
    runs-on: macos-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2
      - name: Install Rust
        uses: actions-rs/toolchain@v1
        with:
          toolchain: stable
          profile: minimal
          override: true
      - name: Install Node.js
        uses: actions/setup-node@v2
        with:
          node-version: '20'
      - name: Install Node.js Dependencies
        run: npm install
      - name: Build the App
        run: npm run tauri build
      - name: List build artifacts
        run: |
          echo "Build artifacts:"
          ls -R src-tauri/target/release/bundle/
      - name: Create Release
        uses: tauri-apps/tauri-action@v0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
          APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
        with:
          tagName: app-v__VERSION__
          releaseName: 'App v__VERSION__'
          releaseBody: 'macOS build. See the assets to download this version and install.'
          releaseDraft: true
          prerelease: false
      - name: Create Release Manually
        if: failure()
        uses: actions/create-release@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tag_name: app-v0.0.0
          release_name: App v0.0.0 (macOS)
          draft: true
          prerelease: false
        id: create_release
      - name: Upload Release Asset
        if: failure()
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ steps.create_release.outputs.upload_url }}
          asset_path: ./src-tauri/target/release/bundle/dmg/mac-app_0.0.0_x64.dmg
          asset_name: mac-app_0.0.0_x64.dmg
          asset_content_type: application/x-apple-diskimage
Hi,
I am totally unaware of the new notarize mechanism and generally starting to sign my application after having ported it to M2.
I want to distribute the app without App Store - yet.
My application is an open source tool or better a more complex tool for the software development that contains dylibs and frameworks all within an app bundle.
I am using wxWidgets and stumbled upon the build process using install_name_tool temporary for each bundle and probably all libraries that I place into the application bundle to have an @executable_path and not an absolute path.
That works so far, but the notarize tool or better checking it with spctl rejects it.
A further test with spctl --assess or the like (I have lost the command) shows that there are resources missing, and I have a hint to add @rpath entries.
I am using makefiles and a custom make system where I build up the make commands for each target. I won't modify the rules for each target type, if I could do this in a post build step for all the contents of the app bundle.
I therefore have a shell script that handles that additional task up to code signing, and it looks as follows:
#!/bin/sh
# Copies together files for the Mac OS X application bundle and created a disk image
export prefix=$1
export VERSION=1.3.4
cp ../../../Database/*.sql wxWrapper.app/Contents/Resources
cp splash.png wxWrapper.app/Contents/Resources
mkdir wxWrapper.app/Contents/Resources/XSLT
cp -R ../../../AppDevelopmentDemo/DynamicApp/XSLT_Templates/include wxWrapper.app/Contents/Resources/XSLT/include
cp -R ../../../AppDevelopmentDemo/DynamicApp/XSLT_Templates/DMFToXMI wxWrapper.app/Contents/Resources/XSLT/DMFToXMI
cp -R ../../../AppDevelopmentDemo/DynamicApp/XSLT_Templates/XMIToDMF wxWrapper.app/Contents/Resources/XSLT/XMIToDMF
cp -R ../../../AppDevelopmentDemo/DynamicApp/XSLT_Templates/lbDMFDataViewModel wxWrapper.app/Contents/Resources/XSLT/lbDMFDataViewModel
cp -R ../../../AppDevelopmentDemo/DynamicApp/XSLT_Templates/lbDMFFixedFormular wxWrapper.app/Contents/Resources/XSLT/lbDMFFixedFormular
cp -R ../../../AppDevelopmentDemo/DynamicApp/XSLT_Templates/TurboVision wxWrapper.app/Contents/Resources/XSLT/TurboVision
cp -R ../../../AppDevelopmentDemo/DynamicApp/XSLT_Templates/wxActiveRecords wxWrapper.app/Contents/Resources/XSLT/wxActiveRecords
cp -R ../../../AppDevelopmentDemo/DynamicApp/XSLT_Templates/wxLua wxWrapper.app/Contents/Resources/XSLT/wxLua
cp ../../../AppDevelopmentDemo/DynamicApp/XSLT_Templates/include/XMISettingsTemplate.xsl wxWrapper.app/Contents/Resources/XSLT/XMIToDMF/XMISettings.xsl
cp -R ../../../AppDevelopmentDemo/DynamicApp/UMLSamples wxWrapper.app/Contents/Resources
mkdir wxWrapper.app/Contents/Resources/toolbarimages
# UGLY! Using environment that also is properly defined while jenkins build is better
cp -R $prefix/lib wxWrapper.app/Contents
cp -R $prefix/plugins wxWrapper.app/Contents/Resources
# How to access them?
cp toolbarimages/*.xpm wxWrapper.app/Contents/Resources/toolbarimages
cp toolbarimages/*.png wxWrapper.app/Contents/Resources/toolbarimages
#cp -R `wx-config --prefix`/lib/lib`wx-config --basename`-`wx-config --release`.0.6.0.dylib wxWrapper.app/Contents/lib
#cp -R `wx-config --prefix`/lib/lib`wx-config --basename`-`wx-config --release`.0.dylib wxWrapper.app/Contents/lib
cp -R `wx-config --prefix`/lib/lib`wx-config --basename`-`wx-config --release`.*.dylib wxWrapper.app/Contents/lib
cp -R `wx-config --prefix`/lib/lib`wx-config --basename`-`wx-config --release`.dylib wxWrapper.app/Contents/lib
cp Info.plist wxWrapper.app/Contents
codesign -f -v -s "Lothar Behrens" wxWrapper.app/Contents/Frameworks/lbHook.framework/Versions/A/lbHook
codesign -f -v -s "Lothar Behrens" wxWrapper.app/Contents/Frameworks/wxJson.framework/Versions/A/wxJson
codesign -f -v -s "Lothar Behrens" wxWrapper.app/Contents/Frameworks/wxWrapperDLL.framework/Versions/A/wxWrapperDLL
codesign -f -v -s "Lothar Behrens" wxWrapper.app/Contents/lib/*
codesign -f -v -s "Lothar Behrens" wxWrapper.app/Contents/Resources/plugins/*
xattr -cr wxWrapper.app
codesign -f -v -s "Lothar Behrens" wxWrapper.app/Contents/MacOS/wxWrapper
#codesign -dvv wxWrapper.app
codesign -f -v -s "Lothar Behrens" wxWrapper.app
#spctl -a -t exec -vvvv wxWrapper.app
#codesign -dvv wxWrapper.app
#codesign -vv --deep-verify wxWrapper.app
# Creating a new diskimage
hdiutil create -ov -size 200m -volname lbDMF-$VERSION lbDMF-$VERSION-`uname -p`.dmg -fs HFS+
sleep 5
hdiutil attach lbDMF-$VERSION-`uname -p`.dmg
# Copy stuff
#mkdir /Volumes/lbDMF-$VERSION/`uname -p`
#cp -R wxWrapper.app /Volumes/lbDMF-$VERSION/`uname -p`
cp -R wxWrapper.app /Volumes/lbDMF-$VERSION
mkdir /Volumes/lbDMF-$VERSION/toolbarimages
cp toolbarimages/*.xpm /Volumes/lbDMF-$VERSION/toolbarimages
cp toolbarimages/*.png /Volumes/lbDMF-$VERSION/toolbarimages
cp ../../../COPYING /Volumes/lbDMF-$VERSION
cp ../../../license-bindist.txt /Volumes/lbDMF-$VERSION
cp ../../../AppDevelopmentDemo/DynamicApp/Doc/ApplicationprototypingDokumentation.pdf /Volumes/lbDMF-$VERSION/
# Copying templates to an accessable place
cp -R wxWrapper.app/Contents/Resources/XSLT /Volumes/lbDMF-$VERSION/
cp -R wxWrapper.app/Contents/Resources/UMLSamples /Volumes/lbDMF-$VERSION/
mkdir /Volumes/lbDMF-$VERSION/.lbDMF
cp -R wxWrapper.app/Contents/Resources/*.sql /Volumes/lbDMF-$VERSION/.lbDMF
cat <<EOF >> /Volumes/lbDMF-$VERSION/Readme.txt
Dear Mac user!
...
Thanks
Lothar Behrens
EOF
rm -rf `find /Volumes/lbDMF-$VERSION -name CVS -print`
hdiutil detach /Volumes/lbDMF-$VERSION
rm lbDMF-$VERSION lbDMF-$VERSION-`uname -p`.dmg.zip
zip lbDMF.dmg.zip lbDMF-$VERSION lbDMF-$VERSION-`uname -p`.dmg
mv lbDMF.dmg.zip lbDMF-$VERSION-`uname -p`.dmg.zip
Testing the app bundle shows this:
spctl --assess -vvvvv --type execute wxWrapper.app
wxWrapper.app: rejected
origin=Apple Development: Lothar Behrens (********)
I need some help where to insert a proper notary tool command and a proper check before uploading that I can see, if I could do so.
Despite that I haven't had an active developer ID, I have that now and need to setup the Developer ID Distribution certificate into the keychain.
So I plan to add the @rpath values per framework/dylib/so as additional commands into the shell script above.
But how can I best verify for successful usage of notary tool?
Any help?
Thanks,
Lothar
Hello,
For my macOS app,
on Xcode version 15.4 (15F31d)
on macOS 14.5 (23F79)
I follow
Organizer > Distribute App > Direct Distribution, and I get a Notary Error "The operation couldn't be completed. (SotoS3.S3ErrorType.multipart error 1.)"
It's been happening for 3 days.
In the IDEDistribution.verbose.log file I see:
https://gist.github.com/atacan/5dec7a5e26dde0ec06a5bc4eb3607461
notarytool-2024-07-23-143951.ips
notarytool-2024-07-23-105410.ips
I have two Mac machines and am running the same Python script as a CGI script in an Apache webserver (httpd) installed via Homebrew.
The Python script calls the subprocess.run() method to call the notarytool via xcrun.
On one server the script runs as expected in the webserver environment and on the other machines it gets an exit code (-)4; SIGILL.
On the machines where it fails, the notarytool command works from console, as expected. Additionally, it works if I run the script directly with Python in the console.
I launched the same command in a Perl script in the webserver and the same exit code / issue occurred.
I have the same installed version and setup on both servers for
Homebrew
Apache Webserver (httpd)
Python version (3.9.6)
xcrun --version: xcrun version 61.
xcrun notarytool --version: 1.0.0 (27)
the Mac machines are identical, both are bought and set up at the same time
See similar topics at:
https://forums.developer.apple.com/forums/thread/724995 Notarytool was used on a machine as an agent via Jenkins job
https://github.com/moses-palmer/pynput/issues/366#issuecomment-1364470827 used Python, gets the same exit code, used in multi-thread environment (maybe like a webserver)
After my application was signed on the Mac runner, I got an error when my application was uploaded from my Mac runner to the Notarization service.
Here is my error:
Notarization ended with response: {"uuid":"my_uid","notarizationStatus":{"status":"ERROR","message":"Error happened while uploading file to Apple notarization service","moreInfo":"net.jodah.failsafe.FailsafeException: java.util.concurrent.ExecutionException: Error while parsing the output after the upload of the file to be notarized"}}
Does anyone know how to fix it?
Thank you very much!
I'm using a git actions CI/CD pipeline for my automated deployment and I'd like to include notarisation in this process. Right now when I'm submitting for notarisation manually/locally it's taking around 24 hours and then is eventually successfully accepted.
Using a git actions server to do this has a cost per minute (and an even higher cost at 10x per minute for a Mac-OS machine), so notarising with a 24hr turn around time is not feasible.
I've submitted my application many times and it's been the same experience each time, taking around 24 hours and then being accepted. How can I shorten the time frame on this or even find out what I might be doing wrong to cause such a long time for a response?
Here is my log:
{
  "logFormatVersion": 1,
  "jobId": "3ccf4652-60dc-4fd1-b281-23d49b2b7bb1",
  "status": "Accepted",
  "statusSummary": "Ready for distribution",
  "statusCode": 0,
  "archiveFilename": "AudioMap.dmg",
  "uploadDate": "2024-07-14T16:51:02.848Z",
  "sha256": "614c5992133d61094b39b6a5d00a225d2fc7efe78ab0e59cd47c78275602cb59",
  "ticketContents": [
    {
      "path": "AudioMap.dmg",
      "digestAlgorithm": "SHA-256",
      "cdhash": "9d4f500a2fd49769b99f921d3fbe8ef753604abe"
    },
    {
      "path": "AudioMap.dmg/AudioMap.app",
      "digestAlgorithm": "SHA-256",
      "cdhash": "b1fa9c86be805ef28c645f3b03631e2e5873ce77",
      "arch": "arm64"
    },
    {
      "path": "AudioMap.dmg/AudioMap.app/Contents/Frameworks/libsodium.26.dylib",
      "digestAlgorithm": "SHA-256",
      "cdhash": "6228e3fdcd29c080ae45d1bc5a6af10960db8938",
      "arch": "arm64"
    },
    {
      "path": "AudioMap.dmg/AudioMap.app/Contents/MacOS/AudioMap",
      "digestAlgorithm": "SHA-256",
      "cdhash": "b1fa9c86be805ef28c645f3b03631e2e5873ce77",
      "arch": "arm64"
    },
    {
      "path": "AudioMap.dmg/AudioMap.app/Contents/Frameworks/libsodium.26.dylib",
      "digestAlgorithm": "SHA-256",
      "cdhash": "6228e3fdcd29c080ae45d1bc5a6af10960db8938",
      "arch": "arm64"
    }
  ],
  "issues": null
}
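An added example, not part of any post here and not Apple's tooling: a small Python release gate that reads a notarytool JSON log of the shape quoted in the posts above and decides whether the artifact may ship. The sample logs are constructed; the issue-entry field names (`severity`, `path`, `message`) and the reading of `sha256` as the digest of the uploaded archive are assumptions, since the logs on this page only show `"issues": null`.

```python
import hashlib
import json

# Constructed stand-in for the uploaded archive (not a real disk image).
ARCHIVE = b"constructed archive bytes"


def make_log(status, code, summary, tickets=None, issues=None):
    """Build a constructed log with the keys seen in the logs quoted above."""
    return json.dumps({
        "logFormatVersion": 1,
        "jobId": "00000000-0000-0000-0000-000000000000",  # placeholder id
        "status": status,
        "statusSummary": summary,
        "statusCode": code,
        "archiveFilename": "Demo.dmg",
        "sha256": hashlib.sha256(ARCHIVE).hexdigest(),
        "ticketContents": tickets,
        "issues": issues,
    })


LIB = {"path": "Demo.dmg/Demo.app/Contents/Frameworks/libdemo.dylib",
       "digestAlgorithm": "SHA-256", "cdhash": "aa" * 20, "arch": "arm64"}

# Accepted, with one ticket entry listed twice (as in the log above).
ACCEPTED = make_log("Accepted", 0, "Ready for distribution", tickets=[
    {"path": "Demo.dmg", "digestAlgorithm": "SHA-256", "cdhash": "bb" * 20},
    LIB, LIB])

# Rejected at team level: no tickets and no per-file issues.
REJECTED = make_log("Rejected", 7000,
                    "Team is not yet configured for notarization.")

# Invalid: constructed per-file findings (field names are an assumption).
INVALID = make_log("Invalid", 4000, "Constructed summary", issues=[
    {"severity": "error", "path": "Demo.zip/Demo.vst3/Contents/MacOS/Demo",
     "message": "The binary is not signed with a valid Developer ID certificate."},
    {"severity": "warning", "path": "Demo.zip/Demo.vst3/Contents/MacOS/Demo",
     "message": "Constructed warning text."}])


def triage(log_text, archive_bytes=None):
    """Summarise a notarytool log and decide whether the artifact may ship.

    archive_bytes, when given, is the local file about to be released; it
    must hash to the log's sha256 so the shipped file is the notarized one.
    """
    log = json.loads(log_text)
    tickets = log.get("ticketContents") or []  # null when nothing was ticketed
    issues = log.get("issues") or []           # null when there are no findings

    # A ticket entry repeated with the same path, arch and cdhash is redundant.
    seen, duplicates = set(), []
    for entry in tickets:
        key = (entry.get("path"), entry.get("arch"), entry.get("cdhash"))
        if key in seen:
            duplicates.append(entry.get("path"))
        seen.add(key)

    errors = [f"{i.get('path')}: {i.get('message')}"
              for i in issues if i.get("severity") == "error"]

    digest_ok = None  # None means "not checked"
    if archive_bytes is not None:
        digest_ok = hashlib.sha256(archive_bytes).hexdigest() == log.get("sha256")

    shippable = (log.get("status") == "Accepted"
                 and not errors
                 and digest_ok is not False)
    return {
        "status": log.get("status"),
        "status_code": log.get("statusCode"),
        "summary": log.get("statusSummary"),
        "ticketed": len(seen),
        "duplicates": duplicates,
        "errors": errors,
        "digest_ok": digest_ok,
        "shippable": shippable,
    }


if __name__ == "__main__":
    for name, text in (("accepted", ACCEPTED), ("rejected", REJECTED),
                       ("invalid", INVALID)):
        print(name, json.dumps(triage(text, ARCHIVE), indent=2))
```

In a pipeline, the log text would come from `xcrun notarytool log <submission-id>` and the bytes from the file being published, with a non-shippable result failing the job.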
"My .dmg notarization has taken more than 12 hours. Who should I contact for assistance?"
Successfully received submission info
createdDate: 2024-07-09T13:01:15.078Z
id: 62b98f94-e554-4194-a84c-3ec621311d47
name: SecuCompRSA.dmg
status: In Progress
Xcode:15.3.
macOS:14.3(23D56)
Hi,
I am getting following error from following command, although I am 100% sure that I am entering the right credentials:
Command:
xcrun notarytool store-credentials "MY_PROFILE" --apple-id “***” --team-id "yyy" --password "zzz"
Error:
Error: HTTP status code: 401. Invalid credentials. Username or password is incorrect. Use the app-specific password generated at appleid.apple.com. Ensure that all authentication arguments are correct.
***->https://appleid.apple.com/account/manage/email and phone number -> apple id email (email address used for developer account)
yyy->https://developer.apple.com/account#MembershipDetailsCard/Team ID -> 10 digit number
zzz->https://appleid.apple.com/account/manage/App-Specific Passwords created and used
I just copy pasted every single item from the defined locations above.
I would appreciate an answer.
Best Regards
Hello,
I am currently developing a macOS application using macOS 10.15.7 and Xcode 11.1. My application is distributed directly to users via a server, not through the App Store. I recently came across the following announcement:
"Starting November 1, 2023, the Apple notary service no longer accepts uploads from altool or Xcode 13 or earlier. If you notarize your Mac software with the Apple notary service using the altool command-line utility or Xcode 13 or earlier, you need to transition to the notarytool command-line utility or upgrade to Xcode 14 or later."
Given this change, I understand that I need to use notarytool or upgrade to Xcode 14 or later for notarization. However, upgrading my current development environment is not feasible at the moment.
I would like to know if it is possible to build my application on my current environment (macOS 10.15.7 and Xcode 11.1) and then transfer the built application to a separate machine running macOS 11.0 or later with Xcode 14 or later installed, to perform the notarization using notarytool.
Could you please confirm if this approach is acceptable and if there are any specific steps or considerations I should be aware of when using notarytool on a separate machine for notarizing my application?
Thank you for your assistance.
Best regards,
WJohn
This afternoon notarization started throwing an error in terminal. I confirmed that the NOTARIZE_APP_LOG was created, but empty. I have been notarizing our apps on this machine (intel-12.7) with Xcode 13.4.1 for over a year without issue. Any suggestions would be greatly appreciated
9192 Bus error: 10 xcrun notarytool submit --apple-id "$ASC_USERNAME" --password "$ASC_PASSWORD" --team-id "$ASC_TEAM" "$ZIP_PATH" > "$NOTARIZE_APP_LOG" 2>&1
Translated Report (Full Report Below)
Process: notarytool [9192]
Path: /Library/Developer/CommandLineTools/usr/bin/notarytool
Identifier: notarytool
Version: ???
Code Type: X86-64 (Native)
Parent Process: bash [2167]
Responsible: Terminal [2142]
User ID: 501
Date/Time: 2024-07-02 16:29:33.5256 -0600
OS Version: macOS 12.7 (21G816)
Report Version: 12
Bridge OS Version: 8.0 (21P365)
Anonymous UUID: 9AFB52C6-5CA1-7AE0-C249-9D090ABDFD28
Time Awake Since Boot: 820 seconds
System Integrity Protection: enabled
Crashed Thread: 1 Dispatch queue: nio.nioTransportServices.connectionchannel
Exception Type: EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000700009d77ff0
Exception Codes: 0x0000000000000002, 0x0000700009d77ff0
Exception Note: EXC_CORPSE_NOTIFY
Termination Reason: Namespace SIGNAL, Code 10 Bus error: 10
Terminating Process: exc handler [9192]
We've been notarizing apps for a while now and have been through agreement changes before. But we still keep getting the following error when trying to notarize:
Conducting pre-submission checks for myapp.dmg and initiating connection to the Apple notary service...
Error: HTTP status code: 403. A required agreement is missing or has expired. This request requires an in-effect agreement that has not been signed or has expired. Ensure your team has signed the necessary legal agreements and that they are not expired.
We've been through every document in our account to ensure it is signed. Is there any way to determine what document is not signed or what our issue is ? ...thanks
Good day,
I'm trying to get my app notarized, so I can distribute it, but my submissions get stuck on 'In Progress'.
On the 20th of June I made several submissions which seem to have disappeared. When I do 'xcrun notarytool history' they are not there anymore.
On the 21st of June I made 2 new submission attempts with ids d68ca68e-ddfb-42c2-a491-0b24ac6efdc2 and 5f0118c9-0edd-4213-827b-a2ff53e40f27, which had been running for several hours last time I checked on the 21st, but have also disappeared over the weekend from my history.
I checked the app with the steps described here: https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues, but all the checks were fine.
Since there is no error message or log, I have no clue why my submissions get stuck on 'In Progress' or disappear.
I've just submitted a new attempt with id 23a39a69-79a8-435c-a500-17ce1422c1fc and again it's stuck. Can anybody give any assistance?
I have signed and notarized a single executable file command line tool developed outside Xcode, and distributed outside of the App store by way of a download from a website as follows below, but nevertheless gatekeeper blocks running the tool with the usual message, just like without signing or notarization.
If I remove the com.apple.quarantine xattr, the tool runs as it should without gatekeeper interference, as expected.
I have browsed countless posts here, with similar issues, but in the end I can't find what's wrong with the process.
From what I gather, as long as the target Mac is connected to the Internet, stapling should not be required (I do understand I can't staple a single file executable command line tool), although Gatekeeper would be expected to complain in the case of the first run being done without Internet connection.
The certificate is a "Developer Id Application" certificate, installed and valid on the machine doing the signing.
It is unclear to me what the distinction is between "Developer Id Application" and "Developer Id Installer" certificates, but it's confusing that using -t install with spctl will actually accept the app.
The app is open source and available on GitHub (although the full distribution packaging is done in a separate build environment with some additional logic). The app used below as the target for signing and notarization is available to download from https://www.axantum.com/ in a .tar.gz archive.
Here follows a log of commands and output:
XecretsCli.plist: (This was necessary to add to the signing to avoid corruption of the executable by the code signing)
codesign -s GCXRMT5SQC -f --timestamp -s 0CF6800E595AA6DE9EBB905066619A9BFDD17A77 --entitlements XecretsCli.plist -o runtime XecretsCli
codesign -d -vvv --entitlements :- XecretsCli
Executable=/Users/svante/Downloads/XecretsCli-Osx-2.3.567 3/XecretsCli
Identifier=XecretsCli
Format=Mach-O thin (x86_64)
CodeDirectory v=20500 size=271478 flags=0x10000(runtime) hashes=8473+7 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=d3a8216fcb22b4a4af7bd0157ecc3d2b6be9f9b2
CandidateCDHashFull sha256=d3a8216fcb22b4a4af7bd0157ecc3d2b6be9f9b20c9e3c17e107f08c7ae75c5a
Hash choices=sha256
CMSDigest=d3a8216fcb22b4a4af7bd0157ecc3d2b6be9f9b20c9e3c17e107f08c7ae75c5a
CMSDigestType=2
CDHash=d3a8216fcb22b4a4af7bd0157ecc3d2b6be9f9b2
Signature size=8987
Authority=Developer ID Application: Axantum Software AB (GCXRMT5SQC)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Jun 20, 2024 at 13:26:05
Info.plist=not bound
TeamIdentifier=GCXRMT5SQC
Runtime Version=13.1.0
Sealed Resources=none
Internal requirements count=1 size=172
Warning: Specifying ':' in the path is deprecated and will not work in a future release
codesign -v -vvv --strict --deep XecretsCli
XecretsCli: valid on disk
XecretsCli: satisfies its Designated Requirement
zip XecretsCli.zip XecretsCli
adding: XecretsCli (deflated 63%)
xcrun notarytool submit "XecretsCli.zip" --keychain-profile "Notarize" --wait
Conducting pre-submission checks for XecretsCli.zip and initiating connection to the Apple notary service...
Submission ID received
id: e5990902-3101-42de-a1a6-b9ea40b944b8
Upload progress: 100.00% (12.4 MB of 12.4 MB)
Successfully uploaded file
id: e5990902-3101-42de-a1a6-b9ea40b944b8
path: /Users/svante/Downloads/XecretsCli-Osx-2.3.567 3/XecretsCli.zip
Waiting for processing to complete.
Current status: Accepted........
Processing complete
id: e5990902-3101-42de-a1a6-b9ea40b944b8
status: Accepted
spctl -a -vvv XecretsCli
XecretsCli: rejected (the code is valid but does not seem to be an app)
origin=Developer ID Application: Axantum Software AB (GCXRMT5SQC)
spctl -a -vvv -t install XecretsCli
XecretsCli: accepted
source=Notarized Developer ID
origin=Developer ID Application: Axantum Software AB (GCXRMT5SQC)
Trying to run the executable:
"XecretsCli" can't be opened
because the identity of the
developer cannot be confirmed.
Your security preferences allow
installation of only apps from the App
Store and identified developers.
Chrome downloaded this file today at
10:37.
OK
Error code 1
"bundle format unrecognized, invalid, or unsuitable"
Yea, I'm trying to codesign a python app which has been bundled with py2app, but without success.
The codesign process logs a whole bunch of files with the above error.
def sign_file(file_path, certificate_common_name, hardened_runtime=False):
    # Build the codesign invocation for a single file.
    sign_command = [
        "codesign", "-s", certificate_common_name,
        "--force", "--timestamp", "-v", file_path
    ]
    if hardened_runtime:
        sign_command.append("--options=runtime")
    # run_command is a helper from the rest of the script (not shown in the post).
    success, message = run_command(sign_command)
There are literally hundreds of files that fail, and the path may look something like this:
code/dist/Impulse.app/Contents/Resources/lib/python3.10/plotly/validators/splom/marker:
Needless to say that notarization returns "failed"
Any help would be greatly appreciated.
Steven