To clarify what I'm trying to do, in the hope that additional information can help others help me and to provide an example with "step-by-steps" of what I'm doing in case others are attempting similar things and having the same problems, here is what I'm doing in terms of the scenario, instructions I'm following, and what I've done so far. Scenario:  I have an application add-on that I'm looking to distribute to customers via an online purchase, then a DMG download, and installation to the  "/Users/Shared" folder.  The add-on is a single file, that if you right-click on has contents to it that makes it run.  I am using DropDMG to sign my DMG file, however, I need to code sign the application add-on for GateKeeper to allow the application to run it.  I have a Developer Application ID certificate and a Developer ID Installer certificate installed on my Mac which I can view in Keychain. I use the Developer Application ID certificate in the DropDMG application to sign the DMG file. After installing during testing and seeing that GateKeeper doesn't recognize the application add-on file it won't let it run. So I realize that I need to code-sign the application add-on. However, since this wasn't built in Xcode I'm unsure how I can sign the file since that seems to be the primary method. I've read the following articles: -Notarizing macOS Software Before Distribution  https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution - Customizing the Notarization Workflow https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow - Manually Sign an App https://help.apple.com/xcode/mac/current/#/dev1bf96f17e - Code Signing Guide: Section: How to Code Sign Manually https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html#//apple_ref/doc/uid/TP40005929-CH4-SW6 From this research and some testing, I was able to run the following command in Terminal. _codesign -s 'Developer ID Application: Example ID' -v "/Users/Shared/examplefile.pvm” This runs, in that, I don't get any syntax errors, but it doesn't give me feedback even though I'm using "-v" for feedback. I have read further that I will need a "plist" for signing to be possible. However, this again takes me back to Xcode where I'm not sure how to do that with my product add-on, since it's not an "application" per say. I hope this helps others and if there are suggestions or help I would really appreciate it. This is the ONLY thing at this point prohibiting me from selling my product. I just need to get the application add-on signed, add the signed add-on to my DMG, create and sign the DMG, and then submit the signed DMG file with the signed application add-on to Apple's notarization service, and customers should be able to then use my product. Help! Calling out an SOS!

Quin, Thanks for your reply. I appreciate your providing me the link to the post you compiled since it's perfectly constructed and very clear directions. Here's where things stand. I've been able to sign my product add-on since it's a bundle (a .PVM file) that contains an app that I've signed. Since this is what the Application runs, this should be the correct file (it also has the necessary "info.plist" file and accompanying resource with correct structure). I then created a zip file of the signed item simply by using "compress file". Will that work, or should I use the command-line tool in your guide? I was going to then place that app inside my DMG, sign the DMG, create a zip of that complete package since that's what I'm distributing, and submit that for notarization by using: % sudo xcode-select -s /path/to/Xcode13.app (From: https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow ) Or should I simply submit the DMG file, without creating a zip-compressed file before submitting it? If you can help me with these remaining questions I should be on my way to completing this signing, notarization, and distribution process. Again, THANK YOU for your reply and assistance! - Ted

As an additional update I've followed the instructions in the "customizing notarizing workflow" with the specific instructions for code 12 : https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow/notarizing_apps_from_the_command_line_with_xcode_12_and_earlier Since that appears to be what I'm running. I've created the app-specific password and can login when I do the "xcrun altool --list-providers" command, however, when I try to notarize my DMG file it fails saying the username and password aren't specified. Is this because I'm trying to upload a DMG file? Also, I am trying to notarize a DMG file from a specific path by adding the "-f" argument and including the path (defined by dragging the file into terminal and copying the full path from that to my command). So I am trying now uploading a zip of the DMG to see if that helps, but I'm guessing the unique path is probably the bigger problem. Any suggestions I need to do to correct things and get the notarization working? Thank you Esc

Eskimo1 How do I specify the location for it to know what file to upload? Also, when I do the --list providers it DOES come back with my information and authenticates correctly, so why does it say the credentials are incorrect when I try to notarise? Any help you can offer I could really use. I'm desperate to get this notarization and stapling done today. “Help me Eskimo1, you’re my only hope!” Ted

As an update, I updated to XCode 13. I then restarted Terminal. After some trial and error, and a lot of help reading through: xcrun notarytool submit --help Eventually I was able to successfully submit for notarization using the following command with "verbose" feedback that is allowing me to see the details of the submission currently. In the below statement, the items in "quotes" are just holder text that is specific to my particular example. If others want to replicate, they can simply enter the specifics in those values to perform the same. xcrun notarytool submit /“folder-path”/Installer.dmg --verbose --apple-id “developer ID login” --password “ --team-id “developer team id” --progress Once this completes I will attempt to "staple" the files with the results, barring any major issues identified in notarizing, and provide the updates/results. Thanks again!

I am now trying to get the status of the request and when I use the following command it gives me the subsequent error: (Note: items in italics are just "anonymized" to hide my particular details) xcrun notarytool info "submission-ID-#" --apple-id "username" --password "password" -team-id "teamID" --progress Error: The value "teamID" is invalid for '-i ': "teamID" must be a valid UUID Why is it requiring an Apple Connect ID and issuer when I'm using my login credentials, not the API. Below is the help information and I'm confused as to why this is requiring this or mixing up the two items. USAGE: notarytool info ARGUMENTS:           Notary Submission ID (UUID)  OPTIONS:   -v, --verbose   -k, --key         App Store Connect API key. File system path to the private key.    -d, --key-id   App Store Connect API Key ID. Usually 10 alphanumeric characters.    -i, --issuer   App Store Connect API Issuer ID. UUID format.    --apple-id   Developer Apple ID.    --password   App-specific password for your Apple ID. You will be given a secure prompt on the command line if                           Apple ID and Team ID are provided and '--password' option is not specified.    --team-id     Developer Team ID.    -p, --keychain-profile                           Authenticate with credentials stored in the Keychain. Use the profile name you provided in the                           "store-credentials" command.    --keychain   Pass the path to a keychain file to use for reading the keychain item. If the specified keychain is                           locked, you'll be prompted to unlock it.    -f, --output-format                           Desired output format. Note that 'json' and 'plist' are incompatible with '--progress'; a single                           update will be output at the end of the operation. Choices: ["normal", "json", "plist"] (default:                           normal)   --progress/--no-progress                           Display progress indicators. Only compatible with normal output format (default) and will be                           otherwise suppressed. (default: true)   --version               Show the version.   -h, --help              Show help information.

First, yes I am using "--team id", just an annoying autocorrect that TextEdit does for some reason. I've been able to submit my application add-on inside the DMG to Apple. The 1st time it failed because the add-on contained in the DMG didn't have "hardened-runtime" enabled. I found the answer in the following post: https://developer.apple.com/forums/thread/129544 I resigned the app inside the product add-on, using the following command to enable hardened-runtime: codesign --options=runtime -s "Developer ID Application: Whoeveryouare" -v /path/to/executable Once I did that, I resubmitted it to be notarized, and it came back successful. Once it was notarized successfully, and I was able to staple that to the DMG file. However, when I copy the add-on from the DMG to a test computer, the file still fails to load because Apple says it's unrecognized. I then zipped the .app file and submitted it for notarization. I got a response that the notarization failed due to "Package has no signed executables or bundles. No tickets can be generated." I did some research and found another post that seems to cover a similar scenario: https://developer.apple.com/forums/thread/119801 I tried making the modifications to the .app contained in my .pvm bundle (these are Parallels Virtual Machines (.pvm) that contain a machine named .app, that inside of that is the info.plist file that I made the following recommended modifications: set CFBundlePackageType to BNDL deleted the CFBundleSignature key I then re-zipped the whole .pvm file and submitted it for notarization, again I got the response: "Package has no signed executables or bundles. No tickets can be generated." If I submit the PVM inside the DMG, the DMG gets notarized but the PVM/App doesn't and won't run when I load it. How can I get the .pvm bundle that contains the machine named .app bundle ( I may be using the wrong terminology using "bundle") so I can re-sign with hardened runtime, add to the DMG, and get BOTH the .pvm bundle for the virtual machine and the DMG that contains it to be notarized and allow me to staple the results so it can be distributed without Gatekeeper stopping them? Right now, when I launch the virtual machine I get the following error which is due to Gatekeeper not allowing the file to run: https://kb.parallels.com/en/111693 If you need additional details please let me know. I'm simply trying to distribute the PVM on the DMG to save space when distributing it across the network of machines I manage using JAMF. Gatekeeper has made what once was a simple "copy paste" function into an incredibly difficult process. My alternative is to run Parallels one-by-one, manually on each Mac, following a step-by-step process by hand, that is highly error-prone or results in varying configurations. I've built these PVMs and simply want to distribute the images uniformly. Another thing I was looking at was whether when I run the "codesign --options=runtime ", is it possible to specify additional runtime exceptions like the ones specified here? https://developer.apple.com/documentation/security/hardened_runtime Or are those only options via Xcode? I would assume there are methods via Terminal since everything in Xcode is just a GUI to what's possible via the command line, however, I can't find any documentation for that. I'm wondering if these exceptions or lack thereof is part of the problem. Any help you can provide would be really helpful. I've banged my head against the wall for a week now and the headache (not to mention resulting headache this has caused) is becoming unbearable. Currently, my office is expecting me to roll out the new machines starting next week due to the office being closed starting Wednesday for the 4th of July holiday. Right now I'm very worried I'm not going to be able to meet that deadline and lose the argument of "Why are we using Macs in the office when PCs might be cheaper/easier to manage?" that my boss and I have been having since I proposed it. My view is "Macs are harder upfront, but easier long term and dual environment meet every possible user need". His view is "Macs are for people's homes, not the office. Windows are more work long-term, but that's your problem to manage as the administrator not mine as the IT Director." Help me Eskimo1, you're my only hope (and everyone's since on every discussion link I've added you seem to be THE ONLY Apple expert who's able to provide answers. Question: are you the ONLY resource Apple has devoted to answering these "outside of the AppStore" distribution questions? Kind of seems like they need more of you).

Just in case you’re commenting around this time since that’s been the case previously this week, I’m up and awake currently in hopes we might be able to run through options. If you’re able to offer any suggestions I can try I’d really appreciate it. Nothing I’ve tried since Wednesday night has worked or changed things.