Hello!
I've been facing an issue with notarizing a macOS app with an Enterprise API Key.
Due to some misunderstanding setting up the project some years ago, the notarization step was using a developer's accounts API Key. I am looking to fix it to have everything centralized in the Enterprise account we work with, but I get "Debug [JWT] Generating new JWT for key ID" with the new key. This is using the xcrun notarytool directly to get more input.
Using Fastlane it fails as:
Error polling for notarization info:
[11:29:25]: unexpected token at ''
The project is deployed via MDM, so we need it to prevent the security warning.
I used this documentation to create the key:
https://developer.apple.com/documentation/enterpriseprogramapi/creating-api-keys-for-enterprise-program-api
I have tried a Developer and an Admin access key, and the Account Holder has also created an Admin key but the errors keep the same.
I just updated my Fastlane script to use the new key with the updated values. The old developer account key still works.
I am not sure if I am missing any steps in the documentation or if this is not achievable.
Important to add that all the profiles and certificates were already set up properly in the Enterprise account, the only error was using an App Store Connect Key instead of an Enterprise Key.
Thanks in advance for the help.
Notarization
RSS for tagNotarization is the process of scanning Developer ID-signed software for malicious components before distribution outside of the Mac App Store.
Post
Replies
Boosts
Views
Activity
Hi,
I have built a MacOS application that I intend to distribute directly. I have created a disk image and code-signed successfully with the following response.
xcrun notarytool info --apple-id "" --password
"" --team-id ""
I have also submitted the app for notarisation which says it's accepted.
equipp@equipps-MacBook-Pro dist % xcrun notarytool submit SendFiles.dmg --keychain-profile "Sendfiles-Notarisation" --wait
Conducting pre-submission checks for SendFiles.dmg and initiating connection to the Apple notary service...
Submission ID received
id: a2941225-b036-47b3-a010-547b0dce6a1a
Upload progress: 100.00% (79.0 MB of 79.0 MB)
Successfully uploaded file
id: a2941225-b036-47b3-a010-547b0dce6a1a
path: /Users/equipp/Documents/GitHub/sendfiles/dist/SendFiles.dmg
Waiting for processing to complete.
Current status: Accepted................
Processing complete
id: a2941225-b036-47b3-a010-547b0dce6a1a
status: Accepted
When I run the application on a clean mac, I am still getting the error that this application is from an unidentified developer and might contain malware.(There's internet connection)
However, when I try to staple the application, I am getting an error 65. Unsure what's
going wrong with the notarisation.
equipp@equipps-MacBook-Pro dist % xcrun stapler staple SendFiles.dmg
Processing: /Users/equipp/Documents/GitHub/sendfiles/dist/SendFiles.dmg
Could not validate ticket for /Users/equipp/Documents/GitHub/sendfiles/dist/SendFiles.dmg
The staple and validate action failed! Error 65.
equipp@equipps-MacBook-Pro dist %
Can you please help?
Iam trying to notarize with notarytool command with app-specific password.
xcrun notarytool submit <Path> --apple-id <APPLE_ID> --password <APP_SPECIFIC_PASSWORD> --team-id <Team-ID>
But it fails with error Error: HTTP status code: 401. Unable to authenticate. Invalid session. Ensure that all authentication arguments are correct.
Tried generating new app-specific password, still failing.
Tried storing password in keychain with store-credentials option, again failing.
--verbose option with store-credentials showing below error
This process stores your credentials securely in the Keychain. You reference these credentials later using a profile name.
Validating your credentials...
[06:05:28.854Z] Info [API] Initialized Notary API with base URL: https://appstoreconnect.apple.com/notary/v2/\
[06:05:28.854Z] Info [API] Preparing GET request to URL: https://appstoreconnect.apple.com/notary/v2/test?, Parameters: [:], Custom Headers: private<Dictionary<String, String>>
[06:05:28.855Z] Debug [AUTHENTICATION] Delaying current request to refresh app-specific password token.
[06:05:28.855Z] Info [API] Preparing GET request to URL: https://appstoreconnect.apple.com/notary/v2/asp?, Parameters: [:], Custom Headers: private<Dictionary<String, String>>
[06:05:28.855Z] Debug [AUTHENTICATION] Authenticating request to '/notary/v2/asp' with Basic Auth. Username: , Password: private, Team ID:
[06:05:28.856Z] Debug [TASKMANAGER] Starting Task Manager loop to wait for asynchronous HTTP calls.
[06:05:30.194Z] Debug [API] Received response status code: 401, message: unauthorized, URL: https://appstoreconnect.apple.com/notary/v2/asp?, Correlation Key:
[06:05:30.195Z] Error [TASKMANAGER] Completed Task with ID 2 has encountered an error.
[06:05:30.195Z] Debug [TASKMANAGER]Ending Task Manager loop.
Error: HTTP status code: 401. Unable to authenticate. Invalid session. Ensure that all authentication arguments are correct.
I'm trying to store credentials on my keychange by doing this: xcrun notarytool store-credentials --apple-id APPLE-ID --team-id TEAM-ID I then I'm asked for a profile name, and the the App-specific password for my apple-id. This is when I'm getting an error: "Invalid credentials. Username or password is incorrect. Use the app-specific password generated at appleid.apple.com. Ensure that all authentication arguments are correct.".
Now, I've generated the app specific pw by logging in here: https://account.apple.com/ but when I login to my Developers account, I do it here: https://developer.apple.com/account/
I've signed up for the "$99 a year"-program. Is there a problem that I've created the pw on what looks like my "private" page and not my "developer" page?
I'm trying to distribute my macOS application (a .dmg file) to customers, and I've followed all the steps to sign and notarize the application. However, when I try to install the .dmg containing the app, Gatekeeper rejects it with the error "AppName cannot be opened because developer is not verified". Even though I’ve signed the app with my Developer ID, notarized it, and verified the signature using codesign, I am still encountering issues when attempting to install or open the app on a clean macOS environment. Here’s the error I see when using spctl to check the .dmg:
spctl --assess --type open --verbose=4 output/App.dmg
output/App.dmg: rejected
source=Insufficient Context
When trying:
spctl -a -t open -vvv --context context:primary-signature output/App.dmg
output/Unbounded.dmg: accepted
source=Notarized Developer ID
origin=Developer ID Application:
My .app is signed and notarised by electron builder and I explicitly signed and notarised dmg too but still not working
Keys can vary; an account is not necessary, as only Team Keys are suitable for notarization.
It seems that Developer role is sufficient for notarization.
We have tried both keys and roles of Developer and Account Manager - the behavior is the same.
Multiline
There are two types of API keys:
Team
Access to all apps, with varying levels of access based on selected roles.
Individual
Access and roles of the associated user. Individual kevs aren't able to use Provisioning endpoints, access Sales and
Finance, or notaryTool.
BlockQuote
Here are the parameters used for notarization via API key:
`-k, --key key-path
App Store Connect API key. File system path to the private key.
-d, --key-id key-id
App Store Connect API Key ID. For most teams this will be a 10 character alphanumeric string.
-i, --issuer issuer
App Store Connect API Issuer ID. The issuer ID is a UUID format string.`
The notarization result shows as successful, and on the same machine, the package appears as notarized.
However, when the package is transferred to another system, it is displayed as not notarized.
...and some more simple command line utilities. I've code signed all executables and binary libraries I could find. This has got rid of most errors already.
Now I'm struggling with the "hardened runtime" requirements. I understand I can somehow add entitlements - but have no clue how to do that, and what to add. Somewhere there was reference to PCRE - I don't think Perl uses that itself, but certainly does deal with regexes a lot. How would I add eg. the JIT entitlement (if that was required)? Most documents refer to .mobileprovision files or similar - but I'm dealing with a desktop application.
And as all of this is rather non-standard, we don't use Xcode at all. So I wouldn't even know how to use Xcode to create a profile for an an app which is managed completely "outside" of a normal macOS development environment.
Hi all,
Occasionally, our systems grind to a halt because an agreement needs signed. As you can imagine this always happens at an inconvenient time. Is there a programmatic way we can know about this, before it happens? How is everyone else handling this?
From a search through threads here and documentation, I don't see anything and thus I don't think this is possible to script, but wanted to double check.
If not possible, what kind of grace period is there between when developer.apple.com mentions something will need signed, and when it stops working? I'm not the one who can sign, so can a non-signer see this? This part is basically asking: How often does someone have to log on to "poll" for this and can this be me or does it have to be the person with access to sign the agreements.
Does the system maybe send out an email to the signer about these (in advance), that he's maybe not seeing?
Thanks!
I'll do my best to explain my situation. Basically I have a plugin I'm trying to sign notarize and staple. My plugin is a .component but right now it is currently not bundled so its a .component folder. I cant open it in Xcode to bundle it and therefore cannot successfully bundle it that way. other things I've tried are failing with the error message logs showing the following messages. - "The signature does not include a secure timestamp."
-"The binary is not signed."
-"The signature of the binary is invalid."
Those messages repeat several times and the very last one I receive is
-"The contents of the package at ***** could not be extracted."
So what I'd like to know is what can I do to my .component folder (all contents are in it so I can successfully sign it, timestamp it and submit successfully using notarytool? Thank you!
This afternoon notarization started throwing an error in terminal. I confirmed that the NOTARIZE_APP_LOG was created, but empty. I have been notarizing our apps on this machine (intel-12.7) with Xcode 13.4.1 for over a year without issue. Any suggestions would be greatly appreciated
9192 Bus error: 10 xcrun notarytool submit --apple-id "$ASC_USERNAME" --password "$ASC_PASSWORD" --team-id "$ASC_TEAM" "$ZIP_PATH" > "$NOTARIZE_APP_LOG" 2>&1
Translated Report (Full Report Below)
Process: notarytool [9192]
Path: /Library/Developer/CommandLineTools/usr/bin/notarytool
Identifier: notarytool
Version: ???
Code Type: X86-64 (Native)
Parent Process: bash [2167]
Responsible: Terminal [2142]
User ID: 501
Date/Time: 2024-07-02 16:29:33.5256 -0600
OS Version: macOS 12.7 (21G816)
Report Version: 12
Bridge OS Version: 8.0 (21P365)
Anonymous UUID: 9AFB52C6-5CA1-7AE0-C249-9D090ABDFD28
Time Awake Since Boot: 820 seconds
System Integrity Protection: enabled
Crashed Thread: 1 Dispatch queue: nio.nioTransportServices.connectionchannel
Exception Type: EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000700009d77ff0
Exception Codes: 0x0000000000000002, 0x0000700009d77ff0
Exception Note: EXC_CORPSE_NOTIFY
Termination Reason: Namespace SIGNAL, Code 10 Bus error: 10
Terminating Process: exc handler [9192]
We've been notarizing apps for a while now and have been through agreement changes before. But we still keep getting the following error when trying to notarize:
Conducting pre-submission checks for myapp.dmg and initiating connection to the Apple notary service...
Error: HTTP status code: 403. A required agreement is missing or has expired. This request requires an in-effect agreement that has not been signed or has expired. Ensure your team has signed the necessary legal agreements and that they are not expired.
We've been through every document in our account to ensure it is signed. Is there any way to determine what document is not signed or what our issue is ? ...thanks
Hello,
We use GitHub actions to build, sign and notarize our app. Everything was working fine, but lately the notarization has been failing almost every time. Only about 10% of attempts are successful. We haven't made any changes to the signing and notarizing processes.
Here is command we use
xcrun notarytool submit app.zip --wait --apple-id *** --team-id *** --password *** > notarization_output.txt
Here is the error
/Users/runner/work/_temp/c0b6c8e4-86d1-4307-af86-43666fcf39c7.sh: line 1: 3158 Bus error: 10 xcrun notarytool submit app.zip --wait --apple-id *** --team-id *** --password *** > notarization_output.txt
We submit for notarization using:
xcrun notarytool submit --apple-id ACCOUNT --team-id XXXXXX --password NNNNNN application.zip
I have occasionally had success uploading one of the applications, but I have never been successful uploading the bigger one.
What is the reason for this? The files are not very large. The small file is only 6.0GB and the big file is only 17.5GB.
Of the past 100 failures:
72: error: HTTPClientError.deadlineExceeded
28: error: The operation couldn’t be completed. (Network.NWError error 54 - Connection reset by peer))
On average it takes me around 50 attempts (2 days of uploading) to get past the S3 client configuration.
I have tried 5 different internet providers for these uploads. None of them work any better, even ones that have great latency and connections to AWS.
I only have a limited number of Mac OS X machines so I have tried on all of the ones I can afford, but none of them work better or worse than my new Mac Book Pro (2021)
I have tried every single option and combination of options from man notarytool including disabling S3 acceleration, setting timeouts, trying to use wait. I have tried them all,
Can someone please help me figure this out? I'm getting desperate and this is making me look really ****** for pushing to have a Mac OS X port because Mac users are stuck waiting for the notarization service which lags the Mac updates by many days.
The error messages make it clear that notarytool is using Soto S3. The developer has indicated in multiple threads that the error HTTPClientError.deadlineExceeded is fixed by increasing the client timeout. Is there a way I can modify notarytool to apply this patch?
https://github.com/soto-project/soto/discussions/622
Is it possible to write our own S3 upload tool that bypasses Soto S3 and uses something more reliable?
Again, the files I am uploading are not very big none of them are bigger than 25GB. I don't understand why it doesn't work.
I am packaging an app with QtWebEngine in it, after codesign the app and the QtWebEngine Framework, the app can run properly.
The codesign result is:
valid on disk
staisfies its Designated requirements
Then I notarized and stapled the dmg file, after the dmg installed on Mac, gatekeeper still failed the check.
Here is the result for spctl:
spctl -a -t open -vvv --context context:primary-signatue Remote\ Graphics\ Workstation_.dmg
Remote Graphics Workstation_.dmg: rejected
source=Insufficient Context
Need help to identify the codesign process and the root cause why gatekeeper fail here, thanks.
Here is the situation:
We are shipping an application bundle which is submitted to the notarization service for approval.
The application bundle adheres to the notarization standards and is approved.
Problem: We need to ship a zip file inside this application. This zip file has all the files that are signed. Most of the files are signed by us. However there are some 3P zip files which are not signed by us. We would rather not open these 3P zip files as there might be SLAs involved here.
As a result we end up with a zip file which contains mixed signatures. This zip file needs to be part of that application that needs to be notarized.
Question: What is the best way to do this in order for the notarization service to approve the application and ship the zip file as part of the application? Note: We don't know if all the files inside the 3P zips are correctly signed (example: With Hardened Runtime). They are all signed though
Also, when the zip files contents are laid out onto the customer machine, they are all signed and validated. However, some files might not have hardened runtime.
Thanks in advance.
Hello Apple Developer Community,
I've been working on notarizing my macOS application, Deep Focus, built using Electron, but I'm encountering persistent issues with binary signatures being reported as invalid during the notarization process.
I followed Apple's notarization documentation and ensured that all necessary configurations are in place, but I'm still seeing multiple "Invalid" errors in the notarization log.
Here’s the process I've followed so far:
1. System and Tools Setup:
macOS version: Apple M1 Pro Sonoma 14.5
macOS SDK: macOS 15.0
Xcode version: Version 16.0 (16A242d)
(Using VSCode instead of XCode since this is an Electron /JavaScript project.)
Link to source code for inspection
2. Notarization Process:
Successfully stored credentials in Keychain using xcrun notarytool store-credentials.
Signed all app components, including frameworks, using the command:
for framework in "dist/Deep Focus-darwin-arm64/Deep Focus.app/Contents/Frameworks/"*.framework; do
codesign --force --deep --options runtime --timestamp --sign "Developer ID Application: Timeo Williams (3Y4F3KTSJA)" "$framework"
done
Verified that Hardened Runtime is enabled and included the required entitlements.
3. Verification:
Checked code signatures with codesign -vvv --deep --strict Deep Focus.app, which returned valid results for all components.
Verified the presence of the _CodeSignature directory for each framework and confirmed proper entitlements using:
codesign -d --entitlements - Deep Focus.app
4. Notarization Submission
Compressed the app into a .zip file and submitted it with xcrun notarytool submit --keychain-profile "notary" --wait.
Although the notarization log provided detailed error messages, it still reported the following issues:
"The signature of the binary is invalid" for several frameworks, including Electron, ReactiveObjC, and Mantle.
{
"statusSummary": "Archive contains critical validation errors",
"statusCode": 4000,
"issues": [
{
"path": "Deep Focus.zip/Deep Focus.app/Contents/Frameworks/Electron Framework.framework/Electron Framework",
"message": "The signature of the binary is invalid.",
"architecture": "arm64"
},
...
]
}
I've double-checked the signing process and attempted re-signing the frameworks, but the notarization continues to fail due to these invalid signatures. I’m not sure what’s causing the _CodeSignature file to be missing for some frameworks even after signing.
[I also installed the Signet app to test verification.
My Questions:
What could be causing the binary signatures to be reported as invalid during notarization, despite the app satisfying its designated requirements according to codesign?
Is there a specific way I should be handling Electron-based apps for macOS notarization that differs from standard macOS apps?
Could the issue be related to the use of ARM64 architecture, and are there any additional steps required for signing on ARM-based systems?
Are there any known compatibility issues with frameworks like ReactiveObjC, Mantle, or Squirrel that could affect the notarization process?
Any guidance or troubleshooting steps would be greatly appreciated. Thank you in advance!
Several hours ago I've uploaded my simple Xcode Storyboard App on Apple Notarization Service. The upload process worked successfully and I could check the notarization status via xcrun notarytool info command.
And a few minutes ago, I've met a following error when I execute the xcrun notarytool info command for checking the status of notarization:
Error: internalError(statusCode: Optional(500), strData: nil, jsonData: Optional(["statusCode": 500, "errors": <__NSSingleObjectArrayI 0x600001d58ed0>(
{
code = "UNEXPECTED_ERROR";
detail = "<null>";
id = ISDIE4GVHVXLMO24V7L5LFUHXM;
links = "<null>";
status = 500;
title = "Uncaught server exception";
}
How can I fix this error?
We're having failures reported back to us from the notarization service as of the 4th of September. It's complaining about binaries inside .jar files, saying some aren't signed and others aren't signed with a valid developer certificate. These are third party jars; we unzip the unsigned binaries from these jars, sign them then put them back in using "jar -ufv". Notarizing is only complaining about binaries inside jars and not anything else, which implies our certificates are valid.
Nothing has changed regarding these jars between the notarizing service accepting and rejecting our app. To confirm our suspicions that the notarizing service may be behaving differently, we sent it an app package that previously had succeeded in notarizing. Now the notarizing service fails, citing issues with the same jars as described above.
Are you able to confirm whether anything has changed? Any ideas on what we could look at?
Hello, builds we've submitted for notarization have been stuck in the In-Progress stage for a while now. The process has taken less than 10 minutes in the past.
The latest of which is id: 86916f85-b82f-4a95-982b-1232387a92e1.
We haven't made any stark changes so we're not clear on what the issue is. Is the best way forward to submit a support ticket?
Hello. Last night, I was working on notarizing my macOS application. It succeeded for the first several requests, where I was submitting zipped applications. Then I tried to notarize a .pkg file. It has been in progress for 9+ hours, and the subsequent requests seem to be all waiting. Is there anything wrong with the notary service now? Is it true that subsequent requests will not proceed until the previous request is finished?
Here's the log:
createdDate: 2024-10-03T14:39:48.607Z
id: 9739a538-1426-4036-971d-850f202306e0
name: <Redacted>
status: In Progress
--------------------------------------------------
createdDate: 2024-10-03T14:34:17.276Z
id: c12e54d8-f362-4301-b099-ffcd51c27a91
name: <Redacted>
status: In Progress
--------------------------------------------------
createdDate: 2024-10-03T14:28:43.293Z
id: 9a5b5c6b-37af-4761-944c-8ada884f6714
name: <Redacted>
status: In Progress
--------------------------------------------------
createdDate: 2024-10-03T13:56:35.675Z
id: 32d46395-c5e3-4af5-9e02-01c1d8ae4865
name: <Redacted>
status: In Progress
--------------------------------------------------
createdDate: 2024-10-03T05:08:17.658Z
id: 2c042894-79c8-4cc9-ab2b-a08920158023
name: <Redacted>
status: In Progress