Recently, I completed development on an app that I hope to upload to Kickstarter.
I am unsure whether Apple Developer Program Membership incorporates signage and notarization fees.
In short, to package my app, will I need to find $99, or $300?
Thanks in advance for any advice.
Regards,
Lar
Notarization
Notarization is the process of scanning Developer ID-signed software for malicious components before distribution outside of the Mac App Store.
I tried to submit my app via the Notary Service with this command:
xcrun notarytool submit "${DMG_DIR}/${DMG_NAME}" --key "${APP_STORE_API_KEY}" --key-id "${KEY}" --issuer "${ISSUER}" --verbose
and I called the API to get the status of the submission, and it said it was rejected without any metadata.
I did codesign the app with this command:
codesign --force --timestamp --deep --sign "Developer ID Application: MY_NAME" "${DMG_DIR}/${DMG_NAME}"
Verify it with this command:
codesign -vvv --deep --strict "${DMG_DIR}/${DMG_NAME}"
The verification response:
/Users/runner/work/1/a/cli/osx-x64/{DMGFILE}.dmg: valid on disk
/Users/runner/work/1/a/cli/osx-x64/{DMGFILE}.dmg: satisfies its Designated Requirement
Verify the timestamp with this command and response:
Executable=/Users/runner/work/1/a/cli/osx-x64/{DMGFILE}.dmg
Identifier={IDENTIFIER}
Format=disk image
CodeDirectory v=20200 size=297 flags=0x0(none) hashes=1+6 location=embedded
Signature size=8975
Authority=Developer ID Application: MY_NAME
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Feb 14, 2024 at 7:40:35 PM
Info.plist=not bound
TeamIdentifier=TEAM_ID
Sealed Resources=none
Internal requirements count=1 size=172
I wonder if I missed any steps.
Thank you for the help.
In the developer documentation Customizing the notarization workflow it states that the notarytool supports a --webhook flag. When the notarization is complete the Apple notarization server will send the following webhook payload to the webserver that I configured.
{
  "payload": "{\"completed_time\":\"2024-02-13T17:24:37.911Z\",\"event\":\"processing-complete\",\"start_time\":\"2024-02-13T17:24:02.743Z\",\"submission_id\":\"<submission-id>\",\"team_id\":\"<team-id>\"}",
  "signature": "<signature>",
  "cert_chain": "<base64-certchain>"
}
My question is how can I validate that this Webhook is coming from Apple?
In that same developer documentation it states the various IP addresses that the stapler requires access to, but those are not the same addresses that the notarytool webhook results are coming from.
Presumably I should be able to use the signature to validate that the request is coming from Apple, however I have been unable to find any documentation about this webhook flag at all beyond the documentation stating that it exists.
Hello,
I'm running into an issue when code signing my .app file on macOS. After introducing the --entitlements flag, I'm encountering an error that prevents the app from launching:
Error Messages:
App UI: "Cannot open the file"
Terminal (using open file.app)
The application cannot be opened for an unexpected reason, error=Error Domain=RBSRequestErrorDomain Code=5 "Launch failed." UserInfo={NSLocalizedFailureReason=Launch failed., NSUnderlyingError=0x60000216d620 {Error Domain=NSPOSIXErrorDomain Code=153 "Unknown error: 153" UserInfo={NSLocalizedDescription=Launchd job spawn failed}}}
Troubleshooting Details:
Without code signing, the app launches and permission pop-ups function correctly (the file tauri generates).
With code signing (but without --entitlements), the app launches but there are no permission pop-ups.
All scenarios (without signing, with signing, with signing + --entitlements) have Info.plist in the /Contents of the .app file.
Notarizing and stapling works fine when I do not include the --entitlements flag when signing.
Code for signing with entitlements:
codesign --timestamp --sign "Developer ID Application: ()" --options=runtime --entitlements ./src-tauri/Info.plist "${APP_FILE}"
Specifications
MacBook Air, M2, 16GB
macOS Sonoma 14.3.1
Xcode 15.2 (Build version 15C500b)
I am facing a problem with notarisation of Electron apps. I have submitted my NodeJS code and the validation takes a long time.
I hope someone can clarify why it takes so long.
After Apple's maintenance completed this morning I am trying to submit an app for notarization - but I continuously get the "In Progress" status. Normally, the result is returned within a minute or two.
Is anyone else seeing this problem?
Is there a server problem?
I am using AppWraper to Notarize and also using the API to verify the results:
https://appstoreconnect.apple.com/notary/v2/submissions/{id}
I'm experiencing consistent notarization issues with my macOS app, where my submissions are stuck "in progress".
When I check the status after a while, I'm facing 404 errors, and the notarytool reports that the "submission Id does not exist."
I've attempted to notarize it on different days, but with no success or clarifying error messages. Here are some of my notarization attempts that are still in progress:
Jan 8, 2024: 25C31477-5893-4CAB-91AE-7900C261A1E4
Jan 15, 2024:
Feb 7, 2024: 92B5B694-0952-4AE4-8BA3-2BBF54C96578
Feb 9, 2024: 3B3E047C-2B83-4499-9AE6-0B4F7922F5C2
Feb 10, 2024: C98A25BD-5A27-4112-AC99-6420599E30ED
For an unknown reason I was able to notarize the app on 26 January, which was the only time it worked in 2024. As background, I had been notarizing this app without problem in 2023 for many months.
I am able to correctly sign the app and export it without the notarization, and use it on my other MacBooks.
VisionOS was just released recently. I am looking for information regarding codesigning and notarization.
How will codesigning work for VisionOS apps? What kind of signing tools will be used for VisionOS?
Will there be a requirement for provisioning profiles for VisionOS apps?
Thanks.
I am seeking clarification on the possibility of notarizing apps without an active Apple Developer Program membership, as I currently possess a 10-year installer signing certificate. However, when attempting to store credentials for notarization, I encounter the following error message:
Error: HTTP status code: 403. A required agreement is missing or has expired. This request requires an in-effect agreement that has not been signed or has expired. Ensure your team has signed the necessary legal agreements and that they are not expired.
After years of working flawlessly, notarization stopped working for me.
Yesterday it suddenly gave me "Team is not yet configured for notarization". I contacted developer support as advised by the eskimo (no answer yet), but upon trying again today I got the following:
Error: HTTP status code: 403. A required agreement is missing or has expired. This request requires an in-effect agreement that has not been signed or has expired. Ensure your team has signed the necessary legal agreements and that they are not expired.
I signed the agreement, everything looks clean and nice, no notifications about any agreement pending approval but I still get this error.
Hello,
I need to notarize my Java application in order to upload it to brew.
The files that need to notarize are:
"uber.jar" file
shell script file without any file type.
To my understanding those files are not notarizable files. What can I do in order to solve it?
Greetings, everyone!
In case it proves helpful, I've crafted a Bash script to streamline the notarization process.
Here's a breakdown of its features:
Prompts you to select the app for notarization
Offers optional codesigning before notarization
Generates a ZIP file for notarization
Requests your credentials (Apple ID, Team ID, and app-specific password)
Submits the ZIP file for notarization
Cleans up by deleting the ZIP file used for notarization
Staples the app after notarization
Creates a new ZIP file for distribution
You can check it out on GitHub: Notarization Assistant
questions about Apple's notarization standards
I've found that notarization seems to be based on the team ID, with a shared history. Is my understanding correct?
If an app named ABC is initially notarized under team A, and then later updates are notarized under team B, will there be any issues? In my tests, notarizing the same app under teams A and B didn't cause any problems, but I'm curious about potential issues if there's a change in team IDs in the future.
Is it possible to delete the notarization history or transfer it to a different team ID?
What is the proper process for notarizing an installer package? I have tried every permutation I can find and it always returns "The signature of the binary is invalid".
It's a Qt6 app if that is relevant.
I've bundled and signed the app using:
macdeployqt myapp.app \
    -always-overwrite -verbose=1 \
    -hardened-runtime \
    -sign-for-notarization=\"$${sign_name}\" \
It verifies OK:
codesign -v --verify --deep myapp.app
myapp.app: valid on disk
myapp.app: satisfies its Designated Requirement
I have successfully notarized and stapled it:
...
The staple and validate action worked!
This is where I'm not sure of the proper process.
I've used pkgbuild to put the app into .pkg file and successfully signed that using an Installer ID.
pkgutil --check-signature myapp-signed.pkg
Package "myapp-signed.pkg":
Status: signed by a developer certificate issued by Apple for distribution
...
On attempting to notarise this package I get "The signature of the binary is invalid" for every shared library and the executable in the package.
That error message is not very useful so how do I diagnose the issue? So far I've tried a few things I've found on the forum but the error is always the same unhelpful one.
I know I have to be doing something wrong. I've been trying to notarize my app for a few days.
I've bundled my app and am able to sign with hardened runtime. When I submit for notary with this command
/Applications/Xcode.app/Contents/Developer/usr/bin/notarytool submit /path/to/your/file.zip --wait --key "/path/to/your/AuthKey_ABCD1234.p8" --key-id "ABCD1234" --issuer "uuid-issuer-id"
it just eventually times out with no feedback or error report.
We have developed a secure desktop app using Qt; we have been developing and delivering this app for more than 2 years. When deploying the app we perform codesigning and notarization, and we use Ventura on the build system. The issue we observed is that if we install this app on any macOS version below Sonoma it works as expected, and in Apparency we can see the code signature is verified and the app is notarized. But if we install the same app on Sonoma and check in Apparency, it shows the signature can't be verified.
It throws an error:
[2023-12-07 07:55:36 UZT] DBG-X: parameter MetadataChecksum = 62c853b5b00cf96f96576b4d48ce6d0a
[2023-12-07 07:55:36 UZT] DBG-X: parameter MetadataCompressed = (suppressed)
[2023-12-07 07:55:36 UZT] DBG-X: parameter MetadataInfo = {app_platform=osx, primary_bundle_identifier=ocean.drive.app, device_id=, bundle_identifier=, packageVersion=software5.9, apple_id=, asset_types=[developer-id-package], bundle_version=, bundle_short_version_string=}
[2023-12-07 07:55:36 UZT] DBG-X: parameter OSIdentifier = Mac OS X 12.2.1 (x86_64); jvm=14.0.2+12-iTunesOpenJDK-8; jre=14.0.2+12-iTunesOpenJDK-8
[2023-12-07 07:55:36 UZT] DBG-X: parameter PackageName = 0b641208d73f17697b28370fa99ad8a7.itmsp
[2023-12-07 07:55:36 UZT] DBG-X: parameter PackageSize = 228662271
[2023-12-07 07:55:36 UZT] DBG-X: parameter StatisticsClientStartDateTimeZoneISO = 2023-12-07T07:55:36+05:00
[2023-12-07 07:55:36 UZT] DBG-X: parameter TransporterArguments = -m upload -u @@@@ -vp json -DTxHeaders=eyJqZW5nYSI6dHJ1ZX0= -sessionid @env:8A006125-AC15-400B-9FC2-C4D609DB7FA1 -sharedsecret hidden value -itc_provider PROVIDER -f /var/folders/g9/kz8cw8b57rg14vlnwhc77j840000gn/T/F75419E9-DDDB-4F74-BC71-B970FD924FB4/0b641208d73f17697b28370fa99ad8a7.itmsp -indicator true -v eXtreme -Dtransporter.client=altool -Dtransporter.client.version=5.329 (1309)
[2023-12-07 07:55:36 UZT] DBG-X: parameter Version = 3.3.0
[2023-12-07 07:55:36 UZT] DBG-X: parameter iTMSTransporterMode = upload
[2023-12-07 07:55:36 UZT] INFO: id = 20231207075536-140
[2023-12-07 07:55:36 UZT] INFO: iTMSTransporter Correlation Key: f33460ff-fc03-4158-bed2-b2e99ffd521c-0001
[2023-12-07 07:55:36 UZT] DEBUG: SMART-CLIENT: Host HTTP header: contentdelivery01.itunes.apple.com
[2023-12-07 07:55:36 UZT] DBG-X: Apple's web service operation return value:
[2023-12-07 07:55:36 UZT] DBG-X: parameter Errors = [Unable to process validateMetadata request at this time due to a general error (1019)]
[2023-12-07 07:55:36 UZT] DBG-X: parameter RestartClient = false
[2023-12-07 07:55:36 UZT] DBG-X: parameter ErrorCode = 1019
[2023-12-07 07:55:36 UZT] DBG-X: parameter ErrorMessage = Unable to process validateMetadata request at this time due to a general error (1019)
[2023-12-07 07:55:36 UZT] DBG-X: parameter ShouldUseRESTAPIs = false
[2023-12-07 07:55:36 UZT] DBG-X: parameter Success = false
[2023-12-07 07:55:36 UZT] ERROR: Unable to process validateMetadata request at this time due to a general error (1019)
[2023-12-07 07:55:36 UZT] DBG-X: The error code is: 1019
[2023-12-07 07:55:36 UZT] INFO: JSON:{"msg":{"phase":"Upload","count":2,"description":"Operation failed","index":2},"messageType":"VerifyProgress"}
[2023-12-07 07:55:36 UZT] DBG-X: Returning 1
2023-12-07 07:55:36.750 Out:
Package Summary:
1 package(s) were not uploaded because they had problems:
/var/folders/g9/kz8cw8b57rg14vlnwhc77j840000gn/T/F75419E9-DDDB-4F74-BC71-B970FD924FB4/0b641208d73f17697b28370fa99ad8a7.itmsp - Error Messages:
Unable to process validateMetadata request at this time due to a general error (1019)
2023-12-07 07:55:36.797 *** Error: Notarization failed for '/var/folders/g9/kz8cw8b57rg14vlnwhc77j840000gn/T/electron-notarize-LC5Kmm/OceanDrive.zip'.
2023-12-07 07:55:36.797 *** Error: Unable to process validateMetadata request at this time due to a general error (1019) (1019)
2023-12-07 07:55:36.797 *** Warning: altool has been deprecated for notarization and starting in late 2023 will no longer be supported by the Apple notary service. You should start using notarytool to notarize your software. (-1030)
Hi Guys, I am facing a problem I find difficult to debug.
I had a company Apple ID, member of the team, that I used for notarization of an app via:
res=$(xcrun notarytool submit ${file_to_notarize} --apple-id stepan.svoboda@memsource.com --password ${password} --team-id PK8H4S4HPF --wait 2>&1)
But I will be leaving the company soon, so we created a new Apple ID,
desktop@phrase.com. We invited this ID to the team
and assigned it the admin role.
I generated an app-specific password and I am using it with this new Apple ID.
But then running:
res=$(xcrun notarytool submit ${file_to_notarize} --apple-id desktop@phrase.com --password ${password} --team-id PK8H4S4HPF --wait 2>&1)
fails with:
Error: HTTP status code: 401. Unable to authenticate. Invalid session. Ensure that all authentication arguments are correct.
And I have run out of ideas about what to check or what could be wrong.
Hi,
I want to use notarytool to get my installer *.pkg notarized by Apple.
The app is a Swift desktop app, not supposed to be distributed through the App Store. It is already signed and notarized through Xcode. Verification is done and it has been approved. So the process should be working.
I'm facing an issue when using notarytool to store credentials. I followed the steps described here: https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow
My app-specific password I created here: https://appleid.apple.com/account/manage
When I try to store credentials I get a 401. What did I miss here?
xcrun notarytool store-credentials --verbose
[07:21:52.672Z] Debug [MAIN] Running notarytool version: 1.0.0 (32), date: 2023-12-01T07:21:52Z, command: /Applications/Xcode.app/Contents/Developer/usr/bin/notarytool store-credentials --verbose
This process stores your credentials securely in the Keychain. You reference these credentials later using a profile name.
Profile name:
notarytool-pw
We recommend using App Store Connect API keys for authentication. If you'd like to authenticate with an Apple ID and app-specific password instead, leave this unspecified.
Path to App Store Connect API private key:
Switching prompts to app-specific password credentials.
Developer Apple ID:
<my developer Apple ID>
App-specific password for <my developer Apple ID>:
<the app specific password I created earlier>
Developer Team ID:
<my developer team ID>
Validating your credentials...
[07:31:40.888Z] Info [API] Initialized Notary API with base URL: https://appstoreconnect.apple.com/notary/v2/
[07:31:40.890Z] Info [API] Preparing GET request to URL: https://appstoreconnect.apple.com/notary/v2/test?, Parameters: [:], Custom Headers: private<Dictionary<String, String>>
[07:31:40.890Z] Debug [AUTHENTICATION] Delaying current request to refresh app-specific password token.
[07:31:40.891Z] Info [API] Preparing GET request to URL: https://appstoreconnect.apple.com/notary/v2/asp?, Parameters: [:], Custom Headers: private<Dictionary<String, String>>
[07:31:40.891Z] Debug [AUTHENTICATION] Authenticating request to '/notary/v2/asp' with Basic Auth. Username: <my developer Apple ID>, Password: private<String>, Team ID: <my developer team ID>
[07:31:40.892Z] Debug [TASKMANAGER] Starting Task Manager loop to wait for asynchronous HTTP calls.
[07:31:41.921Z] Debug [API] Received response status code: 401, message: unauthorized, URL: https://appstoreconnect.apple.com/notary/v2/asp?, Correlation Key: 6WYAHNFB6NYEVPPJOT5KJMNPAE
[07:31:41.922Z] Error [TASKMANAGER] Completed Task with ID 2 has encountered an error.
[07:31:41.922Z] Debug [TASKMANAGER] Ending Task Manager loop.
Error: HTTP status code: 401. Unable to authenticate. Invalid session. Ensure that all authentication arguments are correct.
I am trying to package a Mac Electron app using Electron Forge capabilities. Code signing works fine, but there is a problem with notarising. I get
"Finalizing package Failed to staple your application with code: 65". The notarize component of my forge.config.js is:
osxNotarize: {
  tool: 'notarytool',
  appBundleId: 'com.ImmersiveDSP.ImmerGo-StudioLive',
  appleId: process.env.APPLE_ID,
  appleIdPassword: process.env.APPLE_PASSWORD,
  teamId: process.env.APPLE_TEAM_ID,
},
I provide my Apple ID and the app password in a terminal message together with npm run make. This worked in May this year, but now not. In a JSON response, I do get " reason = "Record not found". Anyone else had this issue and resolved it?
Is there a way that I can view my notarize requests and see what the issue is?
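Several posts above hit the same wall: a submission comes back rejected with no detail, a .pkg fails with "The signature of the binary is invalid" for every binary, or, as in the last question, the poster cannot see their past requests at all. The script below is an added example, not code from any post on this page or from Apple. It wraps the notarytool subcommands that answer those questions: submit with --wait and JSON output, notarytool log to get the per-file issue list when the verdict is Invalid, notarytool info to poll a submission that is still In Progress, and notarytool history to list past submissions for the team. It assumes credentials were saved with notarytool store-credentials under a profile named notary-profile (that name is an assumption), and the JSON sample embedded in it is a constructed placeholder used only to exercise the parser.

```shell
#!/bin/sh
# Added example; not code from any post on this page. Wraps `xcrun notarytool`
# so a rejected or stuck submission is diagnosed from the notary log instead
# of guessed at. Assumes credentials were saved with
# `xcrun notarytool store-credentials` under the profile name below (the
# name "notary-profile" is an assumption).
PROFILE="${NOTARY_PROFILE:-notary-profile}"

# Constructed sample of a `notarytool submit --wait --output-format json`
# reply, used only to exercise the parser below (the id is a placeholder).
CONSTRUCTED_SUBMIT_JSON='{"id":"00000000-1111-2222-3333-444444444444","status":"Invalid","message":"Processing complete"}'

# Pull one top-level string field ("id", "status") out of notarytool's JSON
# reply. POSIX sed only, so the build machine does not need jq.
json_field() {
  printf '%s' "$1" |
    sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" |
    head -n 1
}

# Normalise the status notarytool reports into a word the caller can act on.
status_word() {
  case "$1" in
    Accepted)      echo accepted ;;
    Invalid)       echo rejected ;;   # processed, but problems were found
    "In Progress") echo pending ;;
    *)             echo other ;;      # e.g. "Rejected"
  esac
}

# Submit, wait for the verdict, and on anything but Accepted print the log.
# The log's "issues" array names every file with its severity and message,
# which is where "The signature of the binary is invalid" tells you exactly
# which nested binary (dylib, helper, framework) failed.
notarize_and_diagnose() {
  file="$1"
  out=$(xcrun notarytool submit "$file" --keychain-profile "$PROFILE" \
          --wait --output-format json) || { echo "submit failed" >&2; return 1; }
  id=$(json_field "$out" id)
  status=$(json_field "$out" status)
  echo "submission $id: $status"
  case "$(status_word "$status")" in
    accepted)
      # stapler works on .app, .pkg and .dmg; for a .zip, staple the .app
      # inside it and re-zip for distribution.
      xcrun stapler staple "$file" && xcrun stapler validate "$file" ;;
    rejected)
      xcrun notarytool log "$id" --keychain-profile "$PROFILE"
      return 1 ;;
    pending)
      echo "still In Progress; poll with:" >&2
      echo "  xcrun notarytool info $id --keychain-profile $PROFILE" >&2
      return 2 ;;
    *)
      echo "unexpected status: $status" >&2
      return 3 ;;
  esac
}

# List past submissions for this team with their ids and statuses.
show_history() {
  xcrun notarytool history --keychain-profile "$PROFILE"
}

if [ "$#" -gt 0 ]; then
  notarize_and_diagnose "$1"
fi
```

Run it as `sh notarize.sh path/to/MyApp.zip` (or a .pkg or .dmg); a rejected submission prints the issue list instead of a bare "Invalid", and `show_history` is the answer to "how can I view my notarize requests". The exit code (1 rejected, 2 still pending, 3 unexpected) lets a CI job fail loudly rather than time out silently.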