Verify an app before sending to Notary service

Hi,

we are sending macOS apps packaged in a ZIP archive or DMG disk image to the Notary Service.

Before we send the app for notarization, we check the code signature via command

codesign -vvv --deep --strict /path/to/app_or_bundle

The result is positive and it does not show any gaps. (And yes, we are following the inside-out code signing approach mentioned in Using the codesign Tool's --deep Option Correctly.)

Unfortunately, the Notary Service reported that one file has no signature, which was not detected by the signature verification command.

The path of the binary was in

<app_name>.app.zip/<app_name>.app/Contents/Resources/inst/<binary>

How can I verify on our side the way the Notary Service does it?

Best regards, Stefan

Answered by DTS Engineer in 875056022
How can I verify on our side the way the Notary Service does it?

There’s no way to run all of the checks that the notary service does before you submit. However, for the specific case of looking for incorrectly signed code, I believe that running syspolicy_check with the notary-submission subcommand would’ve found this.

As to why --deep failed in this case, that’s something I touch on in --deep Considered Harmful. Specifically, --deep doesn’t work if you put code in a place reserved for data, like Contents/Resources. This is one of the many “hard-to-debug code signing and distribution problems” mentioned by Placing content in a bundle.

Oh, and while TN2206 is a classic in the genre, it’s largely been supplanted by newer stuff. See Code Signing Resources.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
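The following script is an added example, not code from the original post or from Apple. It does the check the question is really asking for: instead of trusting codesign --deep (which only descends into locations where it expects nested code), it walks the whole bundle, finds every file that starts with a Mach-O magic number, including ones sitting in data-only places such as Contents/Resources/inst, and verifies each one on its own with codesign. Where syspolicy_check is available (recent macOS), it finishes with the notary-submission check the answer recommends. The bundle path and the layout used in the comments are hypothetical; the 4-byte magic scan will also flag Java .class files, which share the fat-binary magic, so treat a hit as "look at this", not as proof it is code.

```shell
#!/bin/sh
# Added example (not from the original post): find and verify every Mach-O
# in a bundle individually, rather than relying on codesign --deep.

# Print every regular file under $1 whose first four bytes are a Mach-O magic:
# thin 32/64-bit in either byte order, or a fat (universal) header.
# Note: cafebabe is also the Java class-file magic, so expect occasional false hits.
find_machos() {
  find "$1" -type f | while IFS= read -r f; do
    magic=$(od -An -tx1 -N4 "$f" 2>/dev/null | tr -d ' \n')
    case "$magic" in
      cefaedfe|cffaedfe|feedface|feedfacf|cafebabe|bebafeca)
        printf '%s\n' "$f" ;;
    esac
  done
}

# Verify each Mach-O on its own (no --deep, so nothing is skipped because of
# where it lives). Returns 0 if all verify, 1 if any fails, 2 if codesign
# is not installed (e.g. when run on a non-macOS host).
verify_each_macho() {
  command -v codesign >/dev/null 2>&1 || { echo "codesign not available" >&2; return 2; }
  find_machos "$1" | {
    bad=0
    while IFS= read -r f; do
      if codesign --verify --strict --verbose=2 "$f" 2>/dev/null; then
        printf 'ok       %s\n' "$f"
      else
        printf 'INVALID  %s\n' "$f"   # unsigned, or signature does not verify
        bad=1
      fi
    done
    exit $bad                         # status of this subshell becomes the pipeline status
  }
}

# Pre-submission pass: per-file verification, then Apple's own checker when present.
precheck_bundle() {
  verify_each_macho "$1" || return $?
  if command -v syspolicy_check >/dev/null 2>&1; then
    syspolicy_check notary-submission "$1"
  fi
}

if [ "$#" -gt 0 ]; then
  precheck_bundle "$1"   # usage: sh precheck.sh /path/to/Example.app
fi
```

Run it against the unpacked .app before zipping. A binary under Contents/Resources that --deep never visited will show up in the find_machos list and, if it is unsigned, as an INVALID line; the fix is still the one the answer points to (move code out of Contents/Resources and sign it inside-out), this script only makes the problem visible before the notary service does.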