Hi, Yes: john@Johns-MacBook-Pro 13 % pkgutil --check-signature Apache\ NetBeans\ 13.pkg Package "Apache NetBeans 13.pkg": Status: signed by a developer certificate issued by Apple for distribution Signed with a trusted timestamp on: 2022-02-25 21:16:15 +0000 Certificate Chain: 1. Developer ID Installer: The Apache Software Foundation (2GLGAFWEQD) Expires: 2025-05-29 13:28:11 +0000 SHA256 Fingerprint: B4 DF 1A CA F9 1F AF 40 E8 75 EC 6B 70 FE FB E7 28 9C A6 68 22 17 5A 8F 40 17 04 B8 8D 04 23 3E ------------------------------------------------------------------------ 2. Developer ID Certification Authority Expires: 2027-02-01 22:12:15 +0000 SHA256 Fingerprint: 7A FC 9D 01 A6 2F 03 A2 DE 96 37 93 6D 4A FE 68 09 0D 2D E1 8D 03 F2 9C 88 CF B0 B1 BA 63 58 7F ------------------------------------------------------------------------ 3. Apple Root CA Expires: 2035-02-09 21:40:36 +0000 SHA256 Fingerprint: B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C 68 C5 BE 91 B5 A1 10 01 F0 24 About the only change this time to all the other times, I've done this, is that I've upgraded to Monterey

developer_log.txt

Hi, So I removed the cpp package reference, and that has opened the floodgates to alot more errors from the notarization process: developer_log-after-cpp-removal.json I'm trying to sign Apache NetBeans 13.app but I am now getting an error saying that the certificate is not in Keychain: [echo] Signing App: codesign --verbose -s 'Developer ID Installer: The Apache Software Foundation (2GLGAFWEQD)' /Users/john/Apache/WIP/distpreparation/netbeans/installer/nbbuild/installer/mac/newbuild/netBeans/nbide/build/app/Apache NetBeans 13.app [exec] error: The specified item could not be found in the keychain. However I can see it there: I was going to see if we'd get away with the -deep option with codesign, I know you've a post saying its harmful1, however I just want to see if for at least this release we'd get away with it(I doubt it but got to try :))

Hi @eskimo So I got there in the end I believe... I'm attaching the latest notarization log, which shows that it was Accepted: curent-notarize-log-saturday.json.txt I also uploaded and downloaded the dmg from a remote location and I didn't get any error about the malicious software, I've asked @oyarzunc to see if he also has no issues. However, there are warnings in the logs, how can find out more info about these warnings? So that we don't run into the same issue later on, as in the warnings masking a major issue?