Recently I had the same issue. The Apple developer support told me that it should not be a problem if the country is "US" instead of "DE" or similar. Anyway, certificates with correct country code can be created using requests generated by openssl (see stackoverflow threads), e. g. openssl genrsa -out ios-dev.key 2048 openssl req -new -key ios-dev.key -out ios-dev.csr After creating and installing the certificate (.cer) I could further import the private key via security import ios-dev.key

At the end of this day, we still don't have a legal working resolution: notarytool and app-specific password -> still not working, HTTP 500 altool -> not contained in newest xcode command line tools (xcode-select --install), depreciated by notarytool App Store Connect API -> not legal to use (as far as I understand the license) @Apple Developer Support: We paid for a membership but are still unable to create running apps. PLEASE FIX IT!

As to the current situation, I get the following, maybe it helps for debuging: macmini:test$ xcrun notarytool history --keychain-profile "my_profile" -vvvv [10:22:32.154Z] Debug [MAIN] Running notarytool version: 1.0.0 (21), date: 2022-05-24T10:22:32Z, command: /Library/Developer/CommandLineTools/usr/bin/notarytool history --keychain-profile my_profile -vvvv [10:22:32.167Z] Debug [KEYCHAIN] Attempting to load Keychain data for profile name: my_profile [10:22:32.180Z] Debug [KEYCHAIN] Found Keychain password item "my_profile" with ID XXXXXXXXXX:YYYYY. [10:22:32.187Z] Info [API] Initialized Notary API with base URL: https://appstoreconnect.apple.com/notary/v2/ [10:22:32.188Z] Info [API] Preparing GET request to URL: https://appstoreconnect.apple.com/notary/v2/submissions?, Parameters: [:] [10:22:32.189Z] Debug [AUTHENTICATION] Delaying current request to refresh app-specific password token [10:22:32.191Z] Info [API] Preparing GET request to URL: https://appstoreconnect.apple.com/notary/v2/asp?, Parameters: [:] [10:22:32.192Z] Debug [AUTHENTICATION] Authenticating request with Basic Auth. Username: YYYYY, Password: private, Team ID: XXXXXXXXXX [10:22:32.195Z] Debug [TASKMANAGER] Starting Task Manager loop to wait for asynchronous HTTP calls. [10:22:32.938Z] Debug [API] Received response status code: 500, message: internal server error, URL: https://appstoreconnect.apple.com/notary/v2/asp?, Correlation Key: RFD32TYXONHX7XXXXXTWFTT5RQ [10:22:32.939Z] Error [TASKMANAGER] Completed Task with ID 2 has encountered an error. [10:22:32.940Z] Debug [TASKMANAGER] Ending Task Manager loop. Error: HTTP status code: 500. Internal server error. Error communicating with authentication service. Please try again at a later time.

Same for me, server seems down for 12 hours now. Same problem occured obviously earlier, see https://developer.apple.com/forums/thread/698401. If altool is a valid replacement, could someone please post the substitution for these lines here? xcrun notarytool submit "my.dmg" --wait --keychain-profile "my_profile" xcrun stapler staple "my.dmg"

Ok, I solved my problem: After the update to MacOS Monterey there were two warning windows "ServiceRecords.app" and "ReceiverHelper.app" popping up again and again. Instead of looking closer at the warnings I just moved them almost out of the screen and continued working. Bad idea: Since MacOS seems to show only one warning window at the same time, this window always stopped showing other warning windows. Including the window popping up after clicking the .app within the .dmg asking me "This application was loaded from the internet, do you really want to open it?". This, in turn, made it impossible to me to start the app. Oddly, right click on the bouncing app icon on the bottom and choose "Show all windows" told me "There are now windows" ;-) So, four days later, two lesson learned: Read the warnings, and move the two apps to trash according to https://discussions.apple.com/thread/251153859. Thanks for reading :)

Again me, some good new this time, after some coffee ;-) Short summary: The obvious way of downloading of and starting a .dmg was NOT working on my machine (bouncing dock icon without starting the app). I went on with copying the .dmg (let's call it "test.dmg") from /Downloads into a new folder and did a "open test.dmg". This doesn't work either (same effect). Now, again I went on with "hdiutil attach test.dmg", followed by one of the following launch commands: /Volumes/test/test.app/Contents/MacOS/test open "/Volumes/test/test.app/Contents/MacOS/test" open "/Volumes/test/test.app" And suddenly everything works, for all apps. Cool! Now I can start apps downloaded with a browser, without quarantine bit modifications. But for "normal" customers also the "click" solution without mounting should work since nobody wants to open a terminal and start scripting ;-) So, the last, and completely different open question is: Why is the .dmg not launched using the intuitively way: clicking the .dmg, (move the .app to /Applications and) click the .app?

Some more info what I tried at my free weekend to solve the problem: updated MacOS to Monterey 12.4 restarted the Mac multiple times downloaded DBeaver (one of the apps that didn't run, see initial post) via browser: https://dbeaver.io/files/dbeaver-ce-latest-macos-x86_64.dmg started by double-clicking the downloaded .dmg file in the browser and click the app icon (with and also without moving to /Applications): dock icon starts bouncing, Warning "CoreServicesUIAgent Connection from process XXXX does not have the required entitlement com.apple.private.iscsuia", dock icon stopped bouncing, app does not start (same behavior as in my initial post) opened the .dmg via terminal: open dbeaver-ce-latest-macos-x86_64.dmg -> same behavior started the .app via terminal: /Applications/DBeaver.app/Contents/MacOS/dbeaver - nothing happens, no output, terminal hangs forever. checked the executable (x) flags via ls -al - it is set checked and removed quarantine flag in DBeaver.app: within /Applications/DBeaver.app/Contents/MacOS: ls -al@, xattr -d com.apple.quarantine dbeaver, as well as xattr -r -d com.apple.quarantine DBeaver.app/ - done, but app doesn't start either downloaded the app via curl: curl -O -L https://dbeaver.io/files/dbeaver-ce-latest-macos-x86_64.dmg and started via Terminal "open dbeaver-ce-latest-macos-x86_64.dmg" or Doubleclick in Finder -> works as expected. downloaded again via web browser, removed the quarantine flag via "xattr -d com.apple.quarantine "dbeaver-ce-22.0.4-macos-x86_64 (1).dmg", clicked .dmg in web browser and clicked the .app without moving it into /Applications -> works! If clicked this .dmg in web browser, moved the .app to /Applications and run it from there, it does not start. mounted this .dmg via terminal hdiutil attach "dbeaver-ce-22.0.4-macos-x86_64 (1).dmg" and started via terminal "/Volumes/DBeaver Community/DBeaver.app/Contents/MacOS/dbeaver", the app started once normally and printed a lot of infos. ok I said, then I wanted to do the same with the .dmg with the other .dmg with the quarantine flag bit being set. But since then I'm unable to start any app successfully anymore: neither per browser, nor by terminal (open, curl, execute)! What's going on here? Apple seems to store hidden information which makes it impossible to debug and reproduce. btw., other apps seem to have the same problems on Bug Sur, e. g. here: https://github.com/beakerbrowser/beaker/issues/1861 I didn't try but I'm sure that all other apps shows same behavior. In the result, the quarantine bit seems to be one key of the problem. But, as written above, also downloads without that bit set being set didn't start anymore. Maybe someone could try to download one of the .dmg files in my initial post and try to start the app in Monterey and post here if it works? Thank you. I'm searching now for weeks for a solution and still don't know how to build a new version for our customers who are waiting for a solution.

@nk_kennedy: Thanks for your answer. Last two days I checked everything you said again and again. I built a minimal reproducable app according to all tutorials I cound find, added and verified all Hardened Runtime Exceptions, signed all dylibs, jars, app, dmg. Everything works without any errors. But, the problem exactly remains: I cannot download and start apps as .dmg via the browser - I just keep getting that error message above from CoreServicesUIAgent: "Connection from process XXXX does not have the required entitlement com.apple.private.iscsuia". And as I found out by chance, the exact same error comes with all tested standard apps that are available as .dmg download in the internet (I downloaded it via Safari and Chrome): https://www.mozilla.org/de/firefox/mac/ https://dbeaver.io/download/ https://www.openoffice.de/openoffice_download_macosx.php So, I guess that my code signing and notarization works actually well, but my MacOS Monterey is errorneous after the update to 12.3.1. What do you suggest, should I upgrade, downgrade, or something else? Could you try to download and install one of those apps to verify if they are not broken? Btw., the checkbox "Allow downloads from App Store and trusted developers" is of course checked. Thank you so much for further assistance!

@nk_kennedy (or anybody else): I'd like you to ask for little more help to solve the problem. My questions are: How are chances that I'm on the right track (see below)? What should I do next (So far, I didn't find anything useful in the internet)? Thank you very much for any help. According to your hint I took two log snapshots - one for the running, and one for the non-running app launch. Only in the non-running one I found one "entitlement"-related hint for pid 1250, followed by an GKQuarantineResolver, as shown here: ... standard 18:47:18.138921+0200 loginwindow -[ApplicationManager checkInAppContext:eventData:] | ApplicationManager: Checked in app : NAME_OF_OUR_APP.app standard 18:47:18.165987+0200 distnoted register name: com.apple.sharedfilelist.change object: com.apple.LSSharedFileList.RecentApplications token: 300000002 pid: 1250 ... standard 18:47:18.301726+0200 CoreServicesUIAgent Connection from process 1250 does not have the required entitlement com.apple.private.iscsuia standard 18:47:18.306516+0200 CoreServicesUIAgent : progressed to 0.00% standard 18:47:18.306582+0200 CoreServicesUIAgent : progressed to 60.00% standard 18:47:18.310178+0200 CoreServicesUIAgent -[GKQuarantineResolver malwareCheckEnded:result:forURL:]: XProtect defer executable analysis: true standard 18:47:18.310425+0200 CoreServicesUIAgent : progressed to 60.00% standard 18:47:18.310389+0200 CoreServicesUIAgent dismissing after minimum display time of 2.0000s, actual display time of -4.9936s standard 18:47:18.310817+0200 CoreServicesUIAgent -[GKQuarantineResolver malwareChecksFinished]_block_invoke: XProtect suppress first launch warning: true standard 18:47:18.312305+0200 open Entering exit handler. standard 18:47:18.312516+0200 open Exiting exit handler. ...

Thanks for the answer. Seems that jpackage and Apple are not best friends, and I wish that "Write once, run everywhere" would still be true in 2022. Thank you for the "streaming" hint, I will just try this out. I'm still wondering why there are different lower-level runtime checks being applied dependent on the kind of download (curl vs. web browser). Which leads me to the question: How can I be sure that my Notarization is valid? Is there any reliable tutorial, or at least a way to check a notarized app for validity without uploading and downloading for each test cycle?