As some parts were removed by the forum engine, I am providing the certificate results again:
Authority=Developer ID Application: <Team Name> (<Team Id>)
Timestamp=<Date and Time>
Hi,
heh, so you are reusing the same word "package" for different purposes even when their contexts overlap, right? It's either a "package" (a directory looking like a file) or a package (*.pkg).
Do I understand correctly that the plug-in package (directory) is considered a (generic) bundle? So spctl is of no help?
It seems that codesign's --check-notarization argument is not available on 10.14, which I'm running.
I've copied the (signed and notarized) files to a virtualized 10.15 and got the following:
./<pluginpath>: valid on disk
./<pluginpath>: satisfies its Designated Requirement
./<pluginpath>: explicit requirement satisfied
Does that mean it's correctly code-signed and notarized or not? I'm not sure.
What does the "notarized" value in the R argument mean? I've checked the man pages but they were of no help (they neither list possible values nor hint where to find and learn them).
I have uploaded the zip sent to the notarization service to the web and downloaded it on 10.15 via Safari to the folder where the host app expects plug-ins. When I started the third-party host app, I got an error when the host app tried to load the plug-in:
“<pluginpath>” can’t be opened because Apple cannot check it for malicious software.
This software needs to be updated. Contact the developer for more information.
What exactly does that mean? I've tried the (?) button but it gives "The selected content is currently unavailable." in the macOS User Guide window. I expect the wording is meant for a generic user; it's not designed to be helpful to the developer.
Why does macOS complain? I've tried to get it code signed and notarized but it still complains. Have I missed anything?
Thanks.
Hi,
I've found these two sets of messages in Console which sound relevant. I get no hits when I search for parts of them on the web.
syspolicyd MacOS error: 3
syspolicyd Error checking with notarization daemon: 3
syspolicyd Error Domain=GatekeeperPolicyScanError Code=-67018 "Code did not match any currently allowed policy" UserInfo={NSURL=<private>, NSLocalizedDescription=Code did not match any currently allowed policy}
syspolicyd MacOS error: 3
syspolicyd Error checking with notarization daemon: 3
syspolicyd rule 13 applies - allow=0
I've tried to find a way to enable showing private info in logs, but the page has no word or link stating how to actually use it (moreover, it states that System has an Enable-Private-Data property, but when I open the System-specific documentation it's not there). Based on this and this, it sounds like the option is no longer available to set on 10.15 and no workaround or substitute is known.
Thanks.
I'll check. Any ideas from the log messages what might be the cause and how to address it?
It seems that the Swift dylib files in Contents/Frameworks/ are triggering the issue. If I remove all Swift code so there is no longer a Frameworks folder in the product, Gatekeeper allows the code to run.
How do I properly codesign and notarize a product containing the Swift dylib files?
I've tried notarizing only the outer package but I failed. As I noted in the linked thread, everything started working when I removed all dylibs from the plug-in. As the official docs were of no help, I've searched the web and found lots of threads reporting issues when dylib files are present, but lacking any answer. Then I found this thread stating that notarizing the dylib files separately helped. So I've tried that and it really did make progress.
It's strange that the assessment fails unless I perform an assessment on the inside files first. I would expect that manually performing assessments on the inside files would not change the outcome of the bundle-wide assessment, as it should be either OK or not. The behaviour I experience is quite weird to me, as it reports exactly the same binaries both as rejected and as accepted.
1. In production, I tar czf the whole directory which contains the bundle (the parent directory contains additional files like How to PDF etc.).
2. While investigating, I was also trying the exactly same zip file sent for notarization by the xcrun altool --notarize-app command (the zip file was created calling ditto -c -k --keepParent --rsrc)
I've included the plug-in's file structure at the top of the question above. I've skipped just the files created by codesign and spctl.
After sending to a notarization service.
% find MyPlugin.bundle
MyPlugin.bundle
MyPlugin.bundle/Contents
MyPlugin.bundle/Contents/_CodeSignature
MyPlugin.bundle/Contents/_CodeSignature/CodeResources
MyPlugin.bundle/Contents/MacOS
MyPlugin.bundle/Contents/MacOS/MyPlugin
MyPlugin.bundle/Contents/Resources
MyPlugin.bundle/Contents/Resources/[pdf, nib, pem files]
MyPlugin.bundle/Contents/Resources/MyPlugin-Prefix.pch
MyPlugin.bundle/Contents/Frameworks
MyPlugin.bundle/Contents/Frameworks/libswiftObjectiveC.dylib
MyPlugin.bundle/Contents/Frameworks/libswiftCore.dylib
MyPlugin.bundle/Contents/Frameworks/libswiftCoreGraphics.dylib
MyPlugin.bundle/Contents/Frameworks/libswiftDispatch.dylib
MyPlugin.bundle/Contents/Frameworks/libswiftCoreFoundation.dylib
MyPlugin.bundle/Contents/Frameworks/libswiftDarwin.dylib
MyPlugin.bundle/Contents/Frameworks/libswiftIOKit.dylib
MyPlugin.bundle/Contents/Frameworks/libswiftFoundation.dylib
MyPlugin.bundle/Contents/Info.plist
Notarization log (I've just stripped jobId, uploadDate, sha256 and cdhash, and renamed the actual zip and bundle names to dummy names):
{
"logFormatVersion": 1,
"status": "Accepted",
"statusSummary": "Ready for distribution",
"statusCode": 0,
"archiveFilename": "MyPlugin.zip",
"ticketContents": [
{
"path": "MyPlugin.zip/MyPlugin.bundle/Contents/MacOS/MyPlugin",
"digestAlgorithm": "SHA-256",
"arch": "x86_64"
},
{
"path": "MyPlugin.zip/MyPlugin.bundle/Contents/Frameworks/libswiftObjectiveC.dylib",
"digestAlgorithm": "SHA-256",
"arch": "x86_64"
},
{
"path": "MyPlugin.zip/MyPlugin.bundle/Contents/Frameworks/libswiftCore.dylib",
"digestAlgorithm": "SHA-256",
"arch": "x86_64"
},
{
"path": "MyPlugin.zip/MyPlugin.bundle/Contents/Frameworks/libswiftCoreGraphics.dylib",
"digestAlgorithm": "SHA-256",
"arch": "x86_64"
},
{
"path": "MyPlugin.zip/MyPlugin.bundle/Contents/Frameworks/libswiftDispatch.dylib",
"digestAlgorithm": "SHA-256",
"arch": "x86_64"
},
{
"path": "MyPlugin.zip/MyPlugin.bundle/Contents/Frameworks/libswiftCoreFoundation.dylib",
"digestAlgorithm": "SHA-256",
"arch": "x86_64"
},
{
"path": "MyPlugin.zip/MyPlugin.bundle/Contents/Frameworks/libswiftDarwin.dylib",
"digestAlgorithm": "SHA-256",
"arch": "x86_64"
},
{
"path": "MyPlugin.zip/MyPlugin.bundle/Contents/Frameworks/libswiftIOKit.dylib",
"digestAlgorithm": "SHA-256",
"arch": "x86_64"
},
{
"path": "MyPlugin.zip/MyPlugin.bundle/Contents/Frameworks/libswiftFoundation.dylib",
"digestAlgorithm": "SHA-256",
"arch": "x86_64"
}
],
"issues": null
}
I am not sure but I think the plug-in is loaded within the host app's process.
Deployment target is 10.14.
Swift language version is Swift 5.
I'm aware of the possible compatibility issues if different Swift runtimes are present in a process. The host app is pure Objective-C and our plug-in is the only plug-in using Swift. We're in the process of moving the Swift part to Objective-C. The replacement is not ready yet, so we need to get the Swift version working in Catalina for a while.
I've then copied the zip file sent to the notarization service to the 10.15 virtual machine, unzipped it and ran spctl --assess:
% spctl --assess --type install -vvvv MyPlugin.bundle
MyPlugin.bundle: rejected
source=Unnotarized Developer ID
origin=Developer ID Application: OurTeamName (OutTeamId)
% spctl --assess --type exec -vvvv MyPlugin.bundle
MyPlugin.bundle: rejected (the code is valid but does not seem to be an app)
origin=Developer ID Application: OurTeamName (OutTeamId)
% spctl --assess -vvvv MyPlugin.bundle
MyPlugin.bundle: rejected (the code is valid but does not seem to be an app)
origin=Developer ID Application: OurTeamName (OutTeamId)
Thanks for the pch recommendation. I'll remove it from the bundle after we fix the notarization.
The disk image's ticket doesn't have an entry for the overall bundle either - it contains every entry present in the zip's ticket (the executable file and the dylib files) plus an entry for the dmg file, but not for the overall bundle. It also has issues: null.
The bundle file structure is in a reply above. If I understand Bundle Structures correctly, our bundle is a Loadable Bundle, all the paths are standard, and all the required files of a Loadable Bundle are there.
Here's the dmg content:
% find /Volumes/1
/Volumes/1
/Volumes/1/MyPlugin.bundle
/Volumes/1/MyPlugin.bundle/Contents
/Volumes/1/MyPlugin.bundle/Contents/_CodeSignature
/Volumes/1/MyPlugin.bundle/Contents/_CodeSignature/CodeResources
/Volumes/1/MyPlugin.bundle/Contents/MacOS
/Volumes/1/MyPlugin.bundle/Contents/MacOS/MyPlugin
/Volumes/1/MyPlugin.bundle/Contents/Resources
/Volumes/1/MyPlugin.bundle/Contents/Resources/[pdf, nib, pem files]
/Volumes/1/MyPlugin.bundle/Contents/Resources/MyPlugin-Prefix.pch
/Volumes/1/MyPlugin.bundle/Contents/Frameworks
/Volumes/1/MyPlugin.bundle/Contents/Frameworks/libswiftObjectiveC.dylib
/Volumes/1/MyPlugin.bundle/Contents/Frameworks/libswiftCore.dylib
/Volumes/1/MyPlugin.bundle/Contents/Frameworks/libswiftCoreGraphics.dylib
/Volumes/1/MyPlugin.bundle/Contents/Frameworks/libswiftDispatch.dylib
/Volumes/1/MyPlugin.bundle/Contents/Frameworks/libswiftCoreFoundation.dylib
/Volumes/1/MyPlugin.bundle/Contents/Frameworks/libswiftDarwin.dylib
/Volumes/1/MyPlugin.bundle/Contents/Frameworks/libswiftIOKit.dylib
/Volumes/1/MyPlugin.bundle/Contents/Frameworks/libswiftFoundation.dylib
/Volumes/1/MyPlugin.bundle/Contents/Info.plist
Here's the Info.plist. It looks exactly the same as the Info.plist file in a bundle from which I have removed all Swift code (so that bundle no longer contains the Frameworks directory) and for which the notarization works as expected - it gets notarized and makes Gatekeeper happy.
% cat Info.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>BuildMachineOSBuild</key>
<string>18G3020</string>
<key>CFBundleDevelopmentRegion</key>
<string>en</string>
<key>CFBundleExecutable</key>
<string>MyPlugin</string>
<key>CFBundleIdentifier</key>
<string>com.MyPlugin</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundleName</key>
<string>MyPlugin</string>
<key>CFBundleShortVersionString</key>
<string>1.0</string>
<key>CFBundleSignature</key>
<string>????</string>
<key>CFBundleSupportedPlatforms</key>
<array>
<string>MacOSX</string>
</array>
<key>CFBundleVersion</key>
<string>1</string>
<key>DTCompiler</key>
<string>com.apple.compilers.llvm.clang.1_0</string>
<key>DTPlatformBuild</key>
<string>11C504</string>
<key>DTPlatformVersion</key>
<string>GM</string>
<key>DTSDKBuild</key>
<string>19B90</string>
<key>DTSDKName</key>
<string>macosx10.15</string>
<key>DTXcode</key>
<string>1130</string>
<key>DTXcodeBuild</key>
<string>11C504</string>
<key>LSMinimumSystemVersion</key>
<string>10.14</string>
<key>NSPrincipalClass</key>
<string>MyPlugin</string>
</dict>
</plist>
The plug-in is built solely by Xcode itself. There is no script outside of Xcode, nor are there "complications" intentionally added into the build process. I just call xcode archive. If there's anything non-standard or not recommended, please let me know what, ideally with tips on how to correct it. Thanks.
There are 5 build phases in Xcode:
Dependencies (0 items)
Compile sources (x items - m and swift files)
Link Binary With Libraries (2 items - Swift and the host app SDK)
Copy Bundle Resources (x items - pdf, xib, pem, pch)
Copy Files (0 items)
These are Release's Build Settings (I've copied everything from Build Settings - Customized - Combined):
COMBINE_HIDPI_IMAGES = YES
DSTROOT = (-PathWhereHostAppExpectsPlugins-)
INSTALL_PATH = /
MACOSX_DEPLOYMENT_TARGET = 10.14
LD_RUNPATH_SEARCH_PATHS = $(inherited) @executable_path/../Frameworks @loader_path/../Frameworks
DEFINES_MODULE = YES
INFOPLIST_FILE = $(SRCROOT)/MyPlugin/Info.plist
PRODUCT_BUNDLE_IDENTIFIER = com.MyPlugin
PRODUCT_NAME = $(TARGET_NAME)
WRAPPER_EXTENSION = bundle
FRAMEWORK_SEARCH_PATHS = $(SYSTEM_APPS_DIR)/(-HostApp-).app/Contents/Frameworks
CODE_SIGN_IDENTITY = Developer ID Application
CODE_SIGN_STYLE = Manual
DEVELOPMENT_TEAM = (-TeamID-)
ENABLE_HARDENED_RUNTIME = YES
PROVISIONING_PROFILE_SPECIFIER =
GCC_PREFIX_HEADER = MyPlugin/MyPlugin-Prefix.pch
CLANG_ENABLE_MODULES = YES
SWIFT_OBJC_BRIDGING_HEADER = MyPlugin/MyPlugin-Bridging-Header.h
SWIFT_VERSION = 5.0
SWIFT_INCLUDE_PATHS =
Here's what otool prints out (LC_LOAD_DYLIB and LC_RPATH only):
Load command 9
cmd LC_LOAD_DYLIB
cmdsize 80
name @rpath/(-HostApp-).framework/Versions/A/(-HostApp-)Core (offset 24)
time stamp 2 Thu Jan 1 01:00:02 1970
current version 0.0.0
compatibility version 1.0.0
Load command 10
cmd LC_LOAD_DYLIB
cmdsize 88
name /System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa (offset 24)
time stamp 2 Thu Jan 1 01:00:02 1970
current version 23.0.0
compatibility version 1.0.0
Load command 11
cmd LC_LOAD_DYLIB
cmdsize 96
name /System/Library/Frameworks/Foundation.framework/Versions/C/Foundation (offset 24)
time stamp 2 Thu Jan 1 01:00:02 1970
current version 1673.126.0
compatibility version 300.0.0
Load command 12
cmd LC_LOAD_DYLIB
cmdsize 56
name /usr/lib/libobjc.A.dylib (offset 24)
time stamp 2 Thu Jan 1 01:00:02 1970
current version 228.0.0
compatibility version 1.0.0
Load command 13
cmd LC_LOAD_DYLIB
cmdsize 56
name /usr/lib/libSystem.B.dylib (offset 24)
time stamp 2 Thu Jan 1 01:00:02 1970
current version 1281.0.0
compatibility version 1.0.0
Load command 14
cmd LC_LOAD_DYLIB
cmdsize 88
name /System/Library/Frameworks/AppKit.framework/Versions/C/AppKit (offset 24)
time stamp 2 Thu Jan 1 01:00:02 1970
current version 1894.10.126
compatibility version 45.0.0
Load command 15
cmd LC_LOAD_DYLIB
cmdsize 104
name /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation (offset 24)
time stamp 2 Thu Jan 1 01:00:02 1970
current version 1673.126.0
compatibility version 150.0.0
Load command 16
cmd LC_LOAD_DYLIB
cmdsize 104
name /System/Library/Frameworks/CoreGraphics.framework/Versions/A/CoreGraphics (offset 24)
time stamp 2 Thu Jan 1 01:00:02 1970
current version 1348.12.4
compatibility version 64.0.0
Load command 17
cmd LC_LOAD_DYLIB
cmdsize 96
name /System/Library/Frameworks/Security.framework/Versions/A/Security (offset 24)
time stamp 2 Thu Jan 1 01:00:02 1970
current version 59306.41.2
compatibility version 1.0.0
Load command 18
cmd LC_LOAD_DYLIB
cmdsize 56
name @rpath/libswiftCore.dylib (offset 24)
time stamp 2 Thu Jan 1 01:00:02 1970
current version 1100.8.255
compatibility version 1.0.0
Load command 19
cmd LC_LOAD_DYLIB
cmdsize 64
name @rpath/libswiftCoreGraphics.dylib (offset 24)
time stamp 2 Thu Jan 1 01:00:02 1970
current version 0.0.0
compatibility version 1.0.0
Load command 20
cmd LC_LOAD_DYLIB
cmdsize 56
name @rpath/libswiftFoundation.dylib (offset 24)
time stamp 2 Thu Jan 1 01:00:02 1970
current version 0.0.0
compatibility version 1.0.0
Load command 21
cmd LC_LOAD_DYLIB
cmdsize 56
name @rpath/libswiftObjectiveC.dylib (offset 24)
time stamp 2 Thu Jan 1 01:00:02 1970
current version 0.0.0
compatibility version 1.0.0
Load command 22
cmd LC_RPATH
cmdsize 32
path /usr/lib/swift (offset 12)
Load command 23
cmd LC_RPATH
cmdsize 48
path @executable_path/../Frameworks (offset 12)
Load command 24
cmd LC_RPATH
cmdsize 40
path @loader_path/../Frameworks (offset 12)
Is everything as expected? What other places should I look at for potential issues?
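Added example (not part of the original post, and not the poster's or Apple's code): a Python parser for the LC_LOAD_DYLIB and LC_RPATH entries shown above that lists, in order, the paths each @rpath install name can resolve to when the plug-in is loaded into a host process. The host and plug-in locations are hypothetical, and only the plug-in's own LC_RPATH entries are modelled; dyld also considers rpaths contributed by images earlier in the load chain.

```python
import posixpath
import re

# Constructed sample: four load commands trimmed from the otool output in the post.
OTOOL_SAMPLE = """\
Load command 18
 cmd LC_LOAD_DYLIB
 name @rpath/libswiftCore.dylib (offset 24)
Load command 22
 cmd LC_RPATH
 path /usr/lib/swift (offset 12)
Load command 23
 cmd LC_RPATH
 path @executable_path/../Frameworks (offset 12)
Load command 24
 cmd LC_RPATH
 path @loader_path/../Frameworks (offset 12)
"""

FIELD = re.compile(r"^\s*(cmd|name|path)\s+(.*?)(?:\s+\(offset \d+\))?$")

def parse_load_commands(text):
    """Return (install names, rpath entries) in load-command order."""
    dylibs, rpaths, cmd = [], [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "cmd":
            cmd = value
        elif key == "name" and cmd == "LC_LOAD_DYLIB":
            dylibs.append(value)
        elif key == "path" and cmd == "LC_RPATH":
            rpaths.append(value)
    return dylibs, rpaths

def candidates(install_name, rpaths, loader_dir, executable_dir):
    """Expand one install name into the ordered paths it can resolve to."""
    def expand(p):
        p = p.replace("@executable_path", executable_dir)
        return posixpath.normpath(p.replace("@loader_path", loader_dir))
    if install_name.startswith("@rpath/"):
        leaf = install_name[len("@rpath/"):]
        return [posixpath.join(expand(r), leaf) for r in rpaths]
    return [expand(install_name)]

def resolve_all(text, loader_dir, executable_dir):
    dylibs, rpaths = parse_load_commands(text)
    return {d: candidates(d, rpaths, loader_dir, executable_dir) for d in dylibs}

if __name__ == "__main__":
    # Hypothetical install locations; the thread does not give the real ones.
    host = "/Applications/HostApp.app/Contents/MacOS"
    plug = "/Library/HostApp/PlugIns/MyPlugin.bundle/Contents/MacOS"
    for name, paths in resolve_all(OTOOL_SAMPLE, plug, host).items():
        print(name, *paths, sep="\n  ")
```

With these inputs the copy in MyPlugin.bundle/Contents/Frameworks is the last candidate, after /usr/lib/swift and the host app's own Frameworks directory, because @executable_path refers to the host executable rather than the plug-in.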
I've tried to set the deployment target to 14.4.4. Yes, the Swift dylibs disappeared from the bundle, but the notarization log still does not include the overall bundle in the list.