Some help with software signing and notarization.

Question

Created May ’22

Replies 5

Boosts 0

Views 1.2k

Participants 4

Hi.

I've read a lot of different topics on forums and websites about software signing and notarization, and there is progress, but I need some help.

1. From the beginning:

I am building an application on a Jenkins server and downloading the file 'example_app.dmg'.

I am enrolled in the Apple Developer Program.

2. Then I use the command to sign the software:

 codesign --force --sign "Developer ID Application: name_of_my_certificate_in_keychain (number)" example_app.dmg

3. Checking the status:

spctl -a -t open -vvv --context context: primary-signature example_app.dmg

Result:

example_app.dmg: rejected
source = Unnotarized Developer ID
origin = Developer ID Application: name_of_my_certificate_in_keychain (number)

Why is it rejected?

4. Then notarization:

xcrun altool --notarize-app \
             --primary-bundle-id "example" \
             --username "my_AppleID" \
             --password "@keychain: NOTARIZED" \
             --file "example_app.dmg"

NOTARIZED is in the keychain with the generated password on my Apple account.

5. I get:

No errors uploading 'example_app.dmg'.
RequestUUID = 'number_of_my_request'

6. I check the notarization status:

xcrun altool --notarization-info "number_of_my_request" \
             --username "my_AppleID" \
             --password "@keychain: NOTARIZED"

Result:

No errors getting notarization info.

          Date: 2022-05-10 14:15:35 +0000
          Hash: hash_number
    LogFileURL: link_to_log_file
   RequestUUID: number_of_my_request
        Status: invalid
   Status Code: 2
Status Message: Package Invalid

Inside the log_file, a lot of files have a status like:

The binary is not signed.
The signature does not include a secure timestamp.
The executable does not have the hardened runtime enabled.

Am I doing something wrong or what can I do better?

And how I can make empty line here (this forum)?

Boost

Answer 1

nk_kennedy OP

May ’22

Go to your web browser history and find all of the web sites you have used so far. Delete them.

Otherwise, I'm not sure what to tell you. There are many support pages for Notarization on the Apple developer site and in these forums. The specific forums that you tagged are absolutely full of great advice and step-by-step examples.

Maybe start here?

Look for practically any post by "eskimo" regarding notarization.

As for what you are doing wrong, I'm afraid it is virtually everything.

0

Answer 2

ssmith_c OP

May ’22

https://developer.apple.com/forums/thread/128166

also, read the man pages for codesign and spctl, carefully. Read the log files from your failed notarization attempt - they're telling you what is wrong. Your app isn't signed, you didn't add the timestamp flag, you didn't enable the Hardened Runtime.

0

Answer 3

DTS Engineer OP

Apple

May ’22

Others have posted some of these links, but I have them on hot keys so it’s easy to repost in an easy to follow sequence (-:

Finally, note that altool has been deprecated for the purposes of notarisation. Switch to notarytool; it’s better, stronger, and faster. For the details, see WWDC 2021 Session 10261 Faster and simpler notarization for Mac apps.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 4

krzysztof_w OP

May ’22

Thank you for your answer eskimo. Your documents are very useable, but I propably standed on the first of them :(

Project of my team is not simple, but complex. Could you tell me is it even possible codesign if in Contents/MacOS/ are files *.dylib, directories with dot? Or maybe is it the first problem I should solve?

0

Answer 5

DTS Engineer OP

Apple

May ’22

First up, a couple more resources for you:

This quote from Placing Content in a Bundle is critical:

If you put content in the wrong location, you may encounter hard-to-debug code signing and distribution problems. These problems aren’t always immediately obvious.

You wrote:

Or maybe is it the first problem I should solve?

Yes, solve that first. Otherwise you’ll be continually wondering whether the problems you’re hitting are caused by your bundle structure. Worse yet, you may end up revisiting this problem a few years down the line, as changes in our tooling cause non-standard structures to fail in new and exotic ways.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0