Sign and Notarization succeed, but package and installer is damaged

Question

Sovapps OP

Created 2w

Replies 3

Boosts 0

Participants 2

Hello,

I've been trying to update my application since days, tried everything, all my environment is unchanged except update to the latest xcode version, I only fixed a bug in my code, and updated my expired certifacates with the same IDs. I've also been able to test the app with testflight.

The app is built successfuly, validated, uploaded to the apple connect, submited for review, accepted and published online on the mac app store.

I've been able to update the application with the mac app store.

Now here is the problem: if I delete the application, and try to reinstall it from the app store, it says: unable to install, try again later - then the mac app store is stuck, I need to quit / restart to be able to try a new install.

I also distribute my application outside of the mac app store, I've also signed and notarized my app successfully, with my developer id certificate, I tried with organizer, and also with xcrun notary on the command line, all is ok, but when I run the exported application, it says that the application is damaged (so right click/open works, and the app works well).

The only thing that I can see is this (compared with my previous version):

spctl -a -vvv -t install myapp.app: myapp.app: rejected (invalid destination for symbolic link in bundle)

I don't have the error on my previous version.

I've checked all the links inside the package, I don't see any problem or invalid link (and the app can run perfectly.... )

I've also check the logs.json file after the notary result, no problem appears.

the whole structure of the application and files inside the .app is exactly the same between the previous version, and the new one with that problem.

hope that someone could help me to solve this problem :)

Boost

Answer 1

DTS Engineer OP

Apple

2w

There are two problems here:

Mac App Store re-install
Gatekeeper on your notarised variant

It’s possible that these are related but it’s hard to be sure based on the info we currently have available. I recommend that you start by focusing on the Gatekeeper issue. If you resolve that and then continue to have problem with your Mac App Store variant, you can start a new thread for that.

With regards the Gatekeeper issue, you wrote:

I've also check the logs.json file after the notary result, no problem appears.

Right. Passing notarisation does not guarantee that you’ll pass Gatekeeper.

The only thing that I can see is this

You’re not using spctl correctly here. I discuss this in Testing a Notarised Product, which describes my Gatekeeper acid test. I expect that’ll confirm the problem you’re seeing.

To investigate this, see the Gatekeeper sections in Resolving Trusted Execution Problems. The top of that post references the new syspolicy_check tool. What does that report?

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 2

Sovapps OP

2w

thanks a lot for the answer, and sorry for mixing the problems, but as you said, that might be linked to the same problem.

So if I focus on the gatekeeper problem:

I made the archive of my app, automatic signing, then 'distribute app', direct distribution. all went ok, notarization as well, then I made an export of the app.

on this app: syspolicy_check reports a lot of fatal error: (on each .h of this mailcore-osx directory) Codesign Error File: Mia for Gmail.app/Contents/Resources/Headers/Public/mailcore2-osx/MailCore/MCAbstract.h Severity: Fatal Full Error: File modified after outer app bundle was codesigned. Type: Notary Error

not sure yet why it's happening as, for me, no files have been modified.

(this app is released since many years, and between now and the last version, I changed only a line of code to fix a bug, I guess something has changed in xcode or gatekeeper, and now it detects a problem.)

0

Answer 3

Sovapps OP

2w

I fixed that link problem during the build phase (problem which was only on my distribution target, not my macappstore target)

now syspolicy_check gives: App passed all pre-distribution checks and is ready for distribution.

this tool showed exactly what was the problem.

(regarding the macappstore reinstall, I also followed your suggestion with a clean OS, there is no problem there... so I guess it's only local between testflight test, distribution tests, something might cause that problem)

thanks a lot for the help !

0