Thanks ssmith_c. I understand .app is a bundle. I thought the .dSYM file was supposed to live in Contents/Resources/DWARF/. I tried to put it in there before notarization but then notarization rejected the app. Ed

I opened a TSI which allowed more time and effort into finding the solution and it turned out to be very simple. In my ExportOptions.plist file, I needed: <key>method</key> <string>developer-id</string>

@eskimo - Did I not reply correctly?

Thank you for the DevForums tip. I shared the entire script I'm using. All being done via the command line.

I guess this ends as an unsolved (undoable?) issue. :(

Just to clarify:

@eskimo - Did I lose you? :(

# Developer email address dev_account=$(cat ~/.altoolid) # App-specific password dev_passwd=$(cat ~/.altoolpw) # Team ID 7**..... dev_teamid=$(cat ~/.altooltm) # Developer ID Application: First Last or SHA value via security find-identity -p codesigning -v dev_codesign=$(cat ~/.altoolcs) xcrun notarytool store-credentials --apple-id "$dev_account" --team-id="$dev_teamid" --password "$dev_passwd" notary-scriptingosx # xcodebuild -help echo "{" > exportOptions.plist echo "\tdestination = export;" >> exportOptions.plist echo "\tsigningCertificate = \"Developer ID Application\";" >> exportOptions.plist echo "\tsigningStyle = automatic;" >> exportOptions.plist echo "\tteamID = ${dev_teamid};" >> exportOptions.plist echo "}" >> exportOptions.plist # Builds with **Apple Development**, not **Developer ID Application** # xcodebuild -project Meteorologist.xcodeproj -scheme Meteorologist -configuration Release -derivedDataPath ./Build -allowProvisioningUpdates --options=runtime clean archive -archivePath ./Build/Archive.xcarchive xcodebuild -exportArchive -archivePath ./Build/Archive.xcarchive -exportOptionsPlist exportOptions.plist -exportPath ./Build/Release # Display signing, look for runtime and Developer ID #codesign -dv --verbose=4 ./Build/Release/Meteorologist.app #security find-identity -p codesigning -v # Display entitlements #codesign -d --entitlements - --xml ./Build/Release/Meteorologist.app | plutil -convert xml1 -o - - # Create a ZIP archive suitable for notarization. /usr/bin/ditto -c -k --keepParent ./Build/Release/Meteorologist.app ./Build/Release/Meteorologist.zip # notarize xcrun notarytool submit ./Build/Release/Meteorologist.zip --wait --keychain-profile "notary-scriptingosx" > xcodebuild.log uuid=$(grep -m 1 -w "id:" xcodebuild.log | awk '{print $2}') echo "UUID=${uuid}" rm xcodebuild.log # Show results...needs uuid from above xcrun stapler staple "./Build/Release/Meteorologist.app"

Thank you. I did not understand that. Let me see what I can do, unless you have some sample code you can get me started. Ed

If I open the invalid .app (after the codesign), in Contents/info.plist, I see the entitlements saying 7... (my Developer ID) but the certificates all say Apple Development (4...) Is that what's wrong?

I have found that I can sign using the key: codesign -s "A6BED0BFC51147B1D08CF9C38E568B58546928D0" --timestamp -f -o runtime ./Build/Release/Meteorologist.app That gets me around the ambiguous match. Before the codesign, /Build/Release/Meteorologist.app runs fine (albeit with Apple Developer). After the codesign, the app launches but immediately says: Location services are denied. This is covered in the existing entitlements. I found that I can ensure the entitlement is added/replaced as part of codesign by adding --entitlements: codesign -s "A6BED0BFC51147B1D08CF9C38E568B58546928D0" --timestamp --entitlements ./Meteorologist/Meteorologist.entitlements -f -o runtime ./Build/Release/Meteorologist.app But then I get the message: The application "Meteorologist can't be opened. Looking around in the Console, I see this: mac_vnode_check_signature: /Users/ed/Documents/Xcode-Projects/meteorologist/trunk/Build/Release/Meteorologist.app/Contents/MacOS/Meteorologist: code signature validation failed fatally: When validating /Users/ed/Documents/Xcode-Projects/meteorologist/trunk/Build/Release/Meteorologist.app/Contents/MacOS/Meteorologist: Code has restricted entitlements, but the validation of its code signature failed. Unsatisfied Entitlements: com.apple.developer.weatherkit While makes me think I'm back to square 1, except that when I use the Xcode GUI, it does work.

I'm building via a sh script. Using Xcode GUI is not what I'm shooting for.

xcodebuild Doing my best to follow here: https://developer.apple.com/forums/thread/701514 First, I did these two steps: xcodebuild -project Meteorologist.xcodeproj -scheme Meteorologist -configuration Release -derivedDataPath ./Build -allowProvisioningUpdates --options=runtime clean archive -archivePath ./Build/Archive.xcarchive xcodebuild -exportArchive -archivePath ./Build/Archive.xcarchive -exportOptionsPlist exportOptions.plist -exportPath ./Build/Release I then get to this step: security find-identity -p codesigning -v which yields: 1) 1135D8B42869FDE86A1AC385DAE5D8193FF9FAB7 "Apple Development: Edward Danley (4..)" (CSSMERR_TP_CERT_REVOKED) 2) 6BD49D05978A4EB8ED7AC2E80685D346F4631D3A "Apple Development: Edward Danley (4..)" 3) A6BED0BFC51147B1D08CF9C38E568B58546928D0 "Developer ID Application: Edward Danley (7..)" 4) 0C34E70124438F42668E9E3097E888B0E0390A8C "Developer ID Application: Edward Danley (7..)" When I get to: codesign -s "Developer ID Application: Edward Danley" ./Build/Release/Meteorologist.app I receive: Developer ID Application: Edward Danley (7..): ambiguous (matches "Developer ID Application: Edward Danley (7..)" and "Developer ID Application: Edward Danley (7..)" in /Users/ed/Library/Keychains/login.keychain-db) How do I clean up my certificates? You have another article here: https://developer.apple.com/forums/thread/674115 I was following the article you referenced here: https://help.apple.com/xcode/mac/11.4/index.html?localePath=en.lproj#/dev8a2822e0b and all I managed to do was end up with 3 copies of Developer ID :( Ed

Ah, another big change from ALTOOL. You no longer receive an email notification from Apple (like I've been waiting for). The message the Xcode window quietly changes and allows you to click the Export button. Still no progress on getting xcodebuild working in my batch build script.

I did the second part. In Xcode, Product > Archive, select the new archive, click on Distribute App, selected Developer ID, Upload, Automatically Manage Signing, wait, then click on Upload. Message says "Uploaded "Meteorologist" to Apple notary service. You will receive a notification when your app is ready for distribution." I've done this 3 times now and never received any messages from Apple.