Hi, I raised this ticket earlier: FB9943557 As to the signing issue I got a Application certificate sorted, as the Installer certificate wasn't able to sign the app according to the error message, when I ran it via Terminal. My errors are now pointing to mostly embedded(within JAR files) native libraries, which are being reported as not signed: { "severity": "error", "code": null, "path": "Apache-NetBeans-13-bin-macosx.dmg/Apache NetBeans 13.pkg/nbide-13.pkg Contents/Payload/Applications/NetBeans/Apache NetBeans 13.app/Contents/Resources/NetBeans/netbeans/platform/modules/lib/x86_64/libjnidispatch-nb.jnilib", "message": "The binary is not signed.", "docUrl": null, "architecture": "x86_64" }, { "severity": "error", "code": null, "path": "Apache-NetBeans-13-bin-macosx.dmg/Apache NetBeans 13.pkg/nbide-13.pkg Contents/Payload/Applications/NetBeans/Apache NetBeans 13.app/Contents/Resources/NetBeans/netbeans/platform/modules/lib/x86_64/libjnidispatch-nb.jnilib", "message": "The signature does not include a secure timestamp.", "docUrl": null, "architecture": "x86_64" } So I'll need to find all of these and update the process to sign them.

I've uploaded the log file from the altool. The warning we have, is one we've had before and never caused issues. I will remove a the reference in our build to that package and try again. I'll also look to move to notarytool

I don't think so but then again I don't think we've ever done that. I'm going through the logs and I do notice a warning: [exec] productbuild --distribution '/Users/john/Apache/WIP/distpreparation/netbeans/installer/nbbuild/installer/mac/newbuild/dist_pkg/distribution.xml' --package-path '/Users/john/Apache/WIP/distpreparation/netbeans/installer/nbbuild/installer/mac/newbuild/dist_pkg/packages' --resources '/Users/john/Apache/WIP/distpreparation/netbeans/installer/nbbuild/installer/mac/newbuild/dist_pkg/resources/' --sign 'Developer ID Installer: The Apache Software Foundation (2GLGAFWEQD)' '/Users/john/Apache/WIP/distpreparation/netbeans/installer/nbbuild/installer/mac/newbuild/dist_pkg/inst_package/Apache NetBeans 13.pkg' [exec] productbuild: Using timestamp authority for signature [exec] productbuild: Signing product with identity "Developer ID Installer: The Apache Software Foundation (2GLGAFWEQD)" from keychain /Users/john/Library/Keychains/login.keychain-db [exec] productbuild: Adding certificate "Developer ID Certification Authority" [exec] productbuild: Adding certificate "Apple Root CA" [exec] productbuild: Wrote product to /Users/john/Apache/WIP/distpreparation/netbeans/installer/nbbuild/installer/mac/newbuild/dist_pkg/inst_package/Apache NetBeans 13.pkg [exec] productbuild: [WARNING]: Specifying [allow-external-scripts='true'] is deprecated. [exec] Having this in your distribution will break the installability [exec] of this product in an upcoming release of macOS. [exec] Apple reserves the right to reject notarization of any product with this option. However the notarization process didn't reject this, and no idea if its shown previously.

Hi, I reran the staple on the DMG and got: john@Johns-MacBook-Pro 13 % xcrun stapler staple -v Apache-NetBeans-13-bin-macosx.dmg Processing: /Users/john/Apache/svn/dist/netbeans/netbeans-installers/13/Apache-NetBeans-13-bin-macosx.dmg The staple and validate action worked! I then uploaded the DMG and still have the same issue.

Hi @eskimo, I would have stapled the DMG after notarizing that (I'm not at my laptop so I cant provide the link to the report), it came back as approved We have a custom installer creation in Apache NetBeans, but no changes would have been made to this in a while as its always worked, it creates a DMG, which I then notarize and then staple.

Also I get: john@Johns-MacBook-Pro 13 % spctl -a -vvv -t install Apache\ NetBeans\ 13.pkg Apache NetBeans 13.pkg: rejected source=Unnotarized Developer ID origin=Developer ID Installer: The Apache Software Foundation (2GLGAFWEQD) Why would my Developer ID be Unnotarized?

Yes, See Answer below (Apologies I put my response in the wrong place)