Notarization

RSS for tag

Notarization is the process of scanning Developer ID-signed software for malicious components before distribution outside of the Mac App Store.

Notarization Documentation

Post

Replies

Boosts

Views

Activity

Notary Submission rejected without reason
I tried to submit my app via the Notary Service with this command: xcrun notarytool submit "${DMG_DIR}/${DMG_NAME}" --key "${APP_STORE_API_KEY}" --key-id "${KEY}" --issuer "${ISSUER}" --verbose and I called the API to get the status of the submission, and it said it was rejected without any meta data. I did codesign the app with this command: codesign --force --timestamp --deep --sign "Developer ID Application: MY_NAME" "${DMG_DIR}/${DMG_NAME}" Verify it with this command: codesign -vvv --deep --strict "${DMG_DIR}/${DMG_NAME}" The verification response: /Users/runner/work/1/a/cli/osx-x64/{DMGFILE}.dmg: valid on disk /Users/runner/work/1/a/cli/osx-x64/{DMGFILE}.dmg: satisfies its Designated Requirement Verify the timestamp with this command and response: Executable=/Users/runner/work/1/a/cli/osx-x64/{DMGFILE}.dmg Identifier={IDENTIFIER} Format=disk image CodeDirectory v=20200 size=297 flags=0x0(none) hashes=1+6 location=embedded Signature size=8975 Authority=Developer ID Application: MY_NAME Authority=Developer ID Certification Authority Authority=Apple Root CA Timestamp=Feb 14, 2024 at 7:40:35 PM Info.plist=not bound TeamIdentifier=TEAM_ID Sealed Resources=none Internal requirements count=1 size=172 I wonder if I missed any steps. Thank you for the help.
3
0
632
Feb ’24
Notarytool webhook validation
In the developer documentation Customizing the notarization workflow it states that the notarytool supports a --webhook flag. When the notarization is complete the Apple notarization server will send the following webhook payload to the webserver that I configured. { "payload": "{\"completed_time\":\"2024-02-13T17:24:37.911Z\",\"event\":\"processing-complete\",\"start_time\":\"2024-02-13T17:24:02.743Z\",\"submission_id\":\"<submission-id>\",\"team_id\":\"<team-id>\"}", "signature": "<signature>", "cert_chain": "<base64-certchain>" } My question is how can I validate that this Webhook is coming from Apple? In that same developer documentation it states the various IP addresses that the stapler requires access too but those are not the same addresses that the notarytool webhook results are coming from. Presumably I should be able to use the signature to validate that the request is coming from Apple, however I have been unable to find any documentation about this webhook flag at all beyond the documentation stating that it exists.
0
1
503
Feb ’24
Error "Launch failed." after code signing with entitlements
Hello, I'm running into an issue when code signing my .app file on macOS. After introducing the --entitlements flag, I'm encountering an error that prevents the app from launching: Error Messages: App UI: "Cannot open the file" Terminal (using open file.app) The application cannot be opened for an unexpected reason, error=Error Domain=RBSRequestErrorDomain Code=5 "Launch failed." UserInfo={NSLocalizedFailureReason=Launch failed., NSUnderlyingError=0x60000216d620 {Error Domain=NSPOSIXErrorDomain Code=153 "Unknown error: 153" UserInfo={NSLocalizedDescription=Launchd job spawn failed}}} Troubleshooting Details: Without code signing, the app launches and permission pop-ups function correctly (the file tauri generates). With code signing (but without --entitlements), the app launches but there are no permission pop-ups. All scenarios (without signing, with signing, with signing + --entitlements) all have Info.plist in the /Contents of the .app file Notarizing and stapling works fine when I do not include the --entitlements flag when signing. Code for signing with entitlements: codesign --timestamp --sign "Developer ID Application: ()" --options=runtime --entitlements ./src-tauri/Info.plist "${APP_FILE}" Specifications MacBook Air, M2, 16GB macOS Sonoma 14.3.1 Xcode 15.2 (Build version 15C500b)
3
0
1.9k
Feb ’24
Notarization status always shows "In Progress" this morning after Apple maintenance completed
After Apple's maintenance completed this morning I am trying to submit an app for notarization - but I continuously get the "In Progress" status. Normally, the result is returned within a minute or two. Is anyone else seeing this problem? Is there a server problem? I am using AppWraper to Notarize and also using the API to verify the results: https://appstoreconnect.apple.com/notary/v2/submissions/{id}
3
1
636
Feb ’24
Notarization is forever in progress for macOS app
I'm experiencing consistent notarization issues with my macOS app, where my submissions are stuck "in progress". When I check the status after a while, I'm facing 404 errors, and the notarytool reports that the "submission Id does not exist." I've attempted to notarize it on different days, but with no success or clarifying error messages. Here are some of my notarization attempts that are still in progress: Jan 8, 2024: 25C31477-5893-4CAB-91AE-7900C261A1E4 Jan 15, 2024: Feb 7, 2024: 92B5B694-0952-4AE4-8BA3-2BBF54C96578 Feb 9, 2024: 3B3E047C-2B83-4499-9AE6-0B4F7922F5C2 Feb 10, 2024: C98A25BD-5A27-4112-AC99-6420599E30ED For an unknown reason I was able to notarize the app on 26 January, which was the only time it worked in 2024. As background, I had been notarizing this app without problem in 2023 for many months. I am able to correctly sign the app and export it without the notarization, and use it in my other Macbooks.
2
0
933
Feb ’24
VisionOS Codesigning
VisionOS was just released recently. I am looking for information regarding codesigning and notarization. How will codesigning work for VisionOS apps? What kind of signing tools will be used for VisionOS? Will there be a requirement for provisioning profiles for VisionOS apps? Thanks.
2
1
493
Feb ’24
Inquiry Regarding Notarization of Apps Without Apple Developer Program Membership
I am seeking clarification on the possibility of notarizing apps without an active Apple Developer Program membership, as I currently possess a 10-year installer signing certificate. However, when attempting to store credentials for notarization, I encounter the following error message: Error: HTTP status code: 403. A required agreement is missing or has expired. This request requires an in-effect agreement that has not been signed or has expired. Ensure your team has signed the necessary legal agreements and that they are not expired.
1
0
534
Jan ’24
Notarization fails on "missing agreement", but there is no missing agreement
After years of working flawlessly, notarization stopped working for me. Yesterday It suddenly gave me "Team is not yet configured for notarization", I contacted developer support as advised by the eskimo (no answer yet) but upon trying again today I got the following: Error: HTTP status code: 403. A required agreement is missing or has expired. This request requires an in-effect agreement that has not been signed or has expired. Ensure your team has signed the necessary legal agreements and that they are not expired. I signed the agreement, everything looks clean and nice, no notifications about any agreement pending approval but I still get this error.
2
1
2k
Jan ’24
Bash script to notarize Mac apps and create ZIP archive for distribution
Greetings, everyone! In case it proves helpful, I've crafted a Bash script to streamline the notarization process. Here's a breakdown of its features: Prompts you to select the app for notarization Offers optional codesigning before notarization Generates a ZIP file for notarization Requests your credentials (Apple ID, Team ID, and app-specific password) Submits the ZIP file for notarization Cleans up by deleting the ZIP file used for notarization Staples the app after notarization Creates a new ZIP file for distribution You can check it out on GitHub: Notarization Assistant
1
0
533
Dec ’23
questions about Apple's notarization
questions about Apple's notarization standards I've found that notarization seems to be based on the team ID, with a shared history. Is my understanding correct? If an app named ABC is initially notarized under team A, and then later updates are notarized under team B, will there be any issues? In my tests, notarizing the same app under teams A and B didn't cause any problems, but I'm curious about potential issues if there's a change in team IDs in the future. Is it possible to delete the notarization history or transfer it to a different team ID?
1
0
471
Dec ’23
The signature of the binary is invalid
What is the proper process for notarizing an installer package? I have tried every permutation I can find and it always returns "The signature of the binary is invalid". It's a Qt6 app if that is relevant. I've bundled and signed the app using: macdeployqt myapp.app \ -always-overwrite -verbose=1 \ -hardened-runtime \ -sign-for-notarization=\"$${sign_name}\" \ It verifies OK codesign -v --verify --deep myapp.app myapp.app: valid on disk myapp.app: satisfies its Designated Requirement I have successfully notarized and stapled it: ... The staple and validate action worked! This is where I'm not sure of the proper process. I've used pkgbuild to put the app into .pkg file and successfully signed that using an Installer ID. pkgutil --check-signature myapp-signed.pkg Package "myapp-signed.pkg": Status: signed by a developer certificate issued by Apple for distribution ... On attempting to notarise this packge I get The signature of the binary is invalid for every shared library and the executable in the package. That error message is not very useful so how do I diagnose the issue? So far I've tried a few things I've found on the forum but the error is always the same unhelpful one.
2
0
779
Dec ’23
Help with Notary tool
I know I have to be doing something wrong. I've been trying notarize my app for a few days. I've bundled my app and am able to sign with hardened runtime. When I submit for notary with this command /Applications/Xcode.app/Contents/Developer/usr/bin/notarytool submit /path/to/your/file.zip --wait --key "/path/to/your/AuthKey_ABCD1234.p8" --key-id "ABCD1234" --issuer "uuid-issuer-id" it just eventually times out with no feedback or error report.
1
0
516
Dec ’23
macOS Sonoma signature verification failed
We have developed a secure desktop app using QT, we are developing and delivering this app for more than 2 years. While deploying app we perform codesigning and notarization of app and we use Ventura on build system. So the issue we observed is that if we install this app on any macOS version below Sonoma it works as expected and in Apparency we can see code signature is verified and also app in notarized. But if we install the same app on Sonoma and check in Apparency, it shows signature can't be verified.
1
1
744
Dec ’23
Error on notarizing app in Electron JS
Throws an eroor [2023-12-07 07:55:36 UZT] DBG-X: parameter MetadataChecksum = 62c853b5b00cf96f96576b4d48ce6d0a [2023-12-07 07:55:36 UZT] DBG-X: parameter MetadataCompressed = (suppressed) [2023-12-07 07:55:36 UZT] DBG-X: parameter MetadataInfo = {app_platform=osx, primary_bundle_identifier=ocean.drive.app, device_id=, bundle_identifier=, packageVersion=software5.9, apple_id=, asset_types=[developer-id-package], bundle_version=, bundle_short_version_string=} [2023-12-07 07:55:36 UZT] DBG-X: parameter OSIdentifier = Mac OS X 12.2.1 (x86_64); jvm=14.0.2+12-iTunesOpenJDK-8; jre=14.0.2+12-iTunesOpenJDK-8 [2023-12-07 07:55:36 UZT] DBG-X: parameter PackageName = 0b641208d73f17697b28370fa99ad8a7.itmsp [2023-12-07 07:55:36 UZT] DBG-X: parameter PackageSize = 228662271 [2023-12-07 07:55:36 UZT] DBG-X: parameter StatisticsClientStartDateTimeZoneISO = 2023-12-07T07:55:36+05:00 [2023-12-07 07:55:36 UZT] DBG-X: parameter TransporterArguments = -m upload -u @@@@ -vp json -DTxHeaders=eyJqZW5nYSI6dHJ1ZX0= -sessionid @env:8A006125-AC15-400B-9FC2-C4D609DB7FA1 -sharedsecret hidden value -itc_provider PROVIDER -f /var/folders/g9/kz8cw8b57rg14vlnwhc77j840000gn/T/F75419E9-DDDB-4F74-BC71-B970FD924FB4/0b641208d73f17697b28370fa99ad8a7.itmsp -indicator true -v eXtreme -Dtransporter.client=altool -Dtransporter.client.version=5.329 (1309) [2023-12-07 07:55:36 UZT] DBG-X: parameter Version = 3.3.0 [2023-12-07 07:55:36 UZT] DBG-X: parameter iTMSTransporterMode = upload [2023-12-07 07:55:36 UZT] INFO: id = 20231207075536-140 [2023-12-07 07:55:36 UZT] INFO: iTMSTransporter Correlation Key: f33460ff-fc03-4158-bed2-b2e99ffd521c-0001 [2023-12-07 07:55:36 UZT] DEBUG: SMART-CLIENT: Host HTTP header: contentdelivery01.itunes.apple.com [2023-12-07 07:55:36 UZT] DBG-X: Apple's web service operation return value: [2023-12-07 07:55:36 UZT] DBG-X: parameter Errors = [Unable to process validateMetadata request at this time due to a general error (1019)] [2023-12-07 07:55:36 UZT] DBG-X: parameter RestartClient = false [2023-12-07 07:55:36 UZT] DBG-X: parameter ErrorCode = 1019 [2023-12-07 07:55:36 UZT] DBG-X: parameter ErrorMessage = Unable to process validateMetadata request at this time due to a general error (1019) [2023-12-07 07:55:36 UZT] DBG-X: parameter ShouldUseRESTAPIs = false [2023-12-07 07:55:36 UZT] DBG-X: parameter Success = false [2023-12-07 07:55:36 UZT] ERROR: Unable to process validateMetadata request at this time due to a general error (1019) [2023-12-07 07:55:36 UZT] DBG-X: The error code is: 1019 [2023-12-07 07:55:36 UZT] INFO: JSON:{"msg":{"phase":"Upload","count":2,"description":"Operation failed","index":2},"messageType":"VerifyProgress"} [2023-12-07 07:55:36 UZT] DBG-X: Returning 1 2023-12-07 07:55:36.750 Out: Package Summary: 1 package(s) were not uploaded because they had problems: /var/folders/g9/kz8cw8b57rg14vlnwhc77j840000gn/T/F75419E9-DDDB-4F74-BC71-B970FD924FB4/0b641208d73f17697b28370fa99ad8a7.itmsp - Error Messages: Unable to process validateMetadata request at this time due to a general error (1019) 2023-12-07 07:55:36.797 *** Error: Notarization failed for '/var/folders/g9/kz8cw8b57rg14vlnwhc77j840000gn/T/electron-notarize-LC5Kmm/OceanDrive.zip'. 2023-12-07 07:55:36.797 *** Error: Unable to process validateMetadata request at this time due to a general error (1019) (1019) 2023-12-07 07:55:36.797 *** Warning: altool has been deprecated for notarization and starting in late 2023 will no longer be supported by the Apple notary service. You should start using notarytool to notarize your software. (-1030)
1
0
624
Dec ’23
Notarytool failed to authenticate
Hi Guys, I am facing a problem I find difficult to debug. I had a company Apple ID, member of team, that I used for notaryzation of an app via: res=$(xcrun notarytool submit ${file_to_notarize} --apple-id stepan.svoboda@memsource.com --password ${password} --team-id PK8H4S4HPF --wait 2>&1) But I will be leaving the company soon so we created new apple ID. desktop@phrase.com We invited this ID to team. And assigned it admin role. I generated app specific password and I am using it with this new apple ID But then running: res=$(xcrun notarytool submit ${file_to_notarize} --apple-id desktop@phrase.com --password ${password} --team-id PK8H4S4HPF --wait 2>&1) Fails with: Error: HTTP status code: 401. Unable to authenticate. Invalid session. Ensure that all authentication arguments are correct. And I run out of ideas what to check, what could be wrong.
1
0
553
Dec ’23
Using notarytool with app specific password throws 401
Hi, I want to use notarytool to let my installer *pkg being notarized by apple. The app is a swift desktop app, not supposed to be distributed through the app store. It is already signed and notarized through xcode. Verification done and it has been aproved. So the process should be working. I'm facing an issue when using notarytool to store cretentials. I followed the steps for described here https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow My app specific password I created here: https://appleid.apple.com/account/manage When I try to strore credentials I get a 401, what did I miss here? xcrun notarytool store-credentials --verbose [07:21:52.672Z] Debug [MAIN] Running notarytool version: 1.0.0 (32), date: 2023-12-01T07:21:52Z, command: /Applications/Xcode.app/Contents/Developer/usr/bin/notarytool store-credentials --verbose This process stores your credentials securely in the Keychain. You reference these credentials later using a profile name. Profile name: notarytool-pw We recommend using App Store Connect API keys for authentication. If you'd like to authenticate with an Apple ID and app-specific password instead, leave this unspecified. Path to App Store Connect API private key: Switching prompts to app-specific password credentials. Developer Apple ID: <my developer Apple ID> App-specific password for <my developer Apple ID>: <the app specific password I created earlier> Developer Team ID: <my developer team ID> Validating your credentials... [07:31:40.888Z] Info [API] Initialized Notary API with base URL: https://appstoreconnect.apple.com/notary/v2/ [07:31:40.890Z] Info [API] Preparing GET request to URL: https://appstoreconnect.apple.com/notary/v2/test?, Parameters: [:], Custom Headers: private<Dictionary<String, String>> [07:31:40.890Z] Debug [AUTHENTICATION] Delaying current request to refresh app-specific password token. [07:31:40.891Z] Info [API] Preparing GET request to URL: https://appstoreconnect.apple.com/notary/v2/asp?, Parameters: [:], Custom Headers: private<Dictionary<String, String>> [07:31:40.891Z] Debug [AUTHENTICATION] Authenticating request to '/notary/v2/asp' with Basic Auth. Username: <my developer Apple ID>, Password: private<String>, Team ID: <my developer team ID> [07:31:40.892Z] Debug [TASKMANAGER] Starting Task Manager loop to wait for asynchronous HTTP calls. [07:31:41.921Z] Debug [API] Received response status code: 401, message: unauthorized, URL: https://appstoreconnect.apple.com/notary/v2/asp?, Correlation Key: 6WYAHNFB6NYEVPPJOT5KJMNPAE [07:31:41.922Z] Error [TASKMANAGER] Completed Task with ID 2 has encountered an error. [07:31:41.922Z] Debug [TASKMANAGER] Ending Task Manager loop. Error: HTTP status code: 401. Unable to authenticate. Invalid session. Ensure that all authentication arguments are correct.
1
0
649
Dec ’23
Failed to staple your application with code: 65
I am trying to package a Mac Electron app using Electron Forge capabilities. Code signing works fine, but there is a problem with notarising. I get "Finalizing package Failed to staple your application with code: 65". The notarize component of my forge.config.js is: "osxNotarize: { tool: 'notarytool', appBundleId: 'com.ImmersiveDSP.ImmerGo-StudioLive', appleId: process.env.APPLE_ID, appleIdPassword: process.env.APPLE_PASSWORD, teamId: process.env.APPLE_TEAM_ID, }" I provide my Apple ID and the app password in a terminal message together with npm run make. This worked in May this year, but now not. In a JSON response, I do get " reason = "Record not found". Anyone else had this issue and resolved it? Is there a way that I can view my notarize requests and see what the issue is?
2
0
1.1k
Nov ’23