Posts

Post not yet marked as solved
9 Replies
yup, understood. thanks. I'll also add info to the bug report. the zip file is valid, but includes some unnecessary PK tags for the directory entries. the resulting zip file is valid, but clearly throws a wrench into some extraction tool used by the notarization service.
Post not yet marked as solved
9 Replies
Thanks for looking into this. I'll update the bug with info as you suggest. Thanks again!
Post not yet marked as solved
9 Replies
Bug submitted: FB7395461

From that bug report:

I've narrowed the problem down to a small test zip archive (we are notarizing pkgs, but I thought the zip test would be a simpler demonstration of the problem). The zip contains a folder with a simple .app, and a zip archive that contains a few JavaScript source files and a few .json files. If I just put the app in a zip it notarizes fine -- it's only there so the zip is considered "valid" by the notarization service. Also, if I expand the internal zip and just include the files directly in the container zip, notarization works.
Post not yet marked as solved
9 Replies
This is the one that's a few days old: 786837c6-e9af-4732-aa42-49973acedada

Here's the more recent one: f9444a87-f3c8-4e15-882f-da558c547623

Thanks
Post not yet marked as solved
12 Replies
Here's the source for a simple tool that adds the RSA signature: https://gist.github.com/kurash/57e18d6e6e98f397f42086194b7b67bd

The command for compiling is at the top of the file. Usage is like: pkgresign mypackage.pkg
Post not yet marked as solved
3 Replies
Thanks for the clarification on stapling the pkgs. As for the dmg:

If your users download the disk image, mount it, copy off the installer package, and then open the package on the same machine that mounted the disk image, notarising just the disk image will be fine. If the workflow is more complex, can you elaborate on what that is?

We provide a dmg so there is just one file to download. The dmg contains installers for our server, admin tool, client, etc. So typically our customers will download the dmg and copy the installers to be used/distributed individually to various computers. The dmg also contains installers for Windows, Linux, etc. So the dmg is just a convenient container for those of our customers who prefer Macs. We also build a zip file with the exact same contents so customers who prefer other platforms can get all of our software in a single download. Also too, we provide each installer as a separate download for those who just need one component or another instead of all the things.
Post not yet marked as solved
12 Replies
I'm a bit late to the party, but I think the problem is that newer versions of packagesign put the RSA signature into the pkg, it only puts the CMS sig in place. Older versions of OSX only know to check the RSA signature.

It is possible to add the RSA sig yourself, there's nothing magical about packagesign.

Quinn (or anyone at Apple) if you are interested, see radar 47434137, which is now FB5386538 (?) As I wrote in that bug report, I have code that demonstrates the issue if that is needed. I still have that code sitting on my desktop.
Post not yet marked as solved
4 Replies
I ran into this same issue, although in my case the app is already not using ARC. I added the following to the "Other Linker Flags" setting: -Xlinker -U -Xlinker _objc_loadClassref

I'm not sure this is a proper fix, but at least it gets the link to succeed and does not seem to cause any issues during run time. I'm using this just so I can get some work done, not necessarily as a final fix. I fear that leaving this in place might break the app on older OSs.

Anyway, maybe this can get you back to a working build, at least until someone from Apple gives you a better answer...