Post not yet marked as solved
We used openssl to create the signatures of the package and then xar to inject the signatures into the package.To expand on my question, I thought there might be some apple approved way of adding extra information to a package. For instance, it does not appear that xattrs break signing as it inserts things in an alternate file stream, so I thought there might be some way to add additional information to a pkg file after it is signed and notarized. I am not sure if xattrs breaks notarization.
Post not yet marked as solved
First, even if we can run osx in the cloud with those third parties the notarization process takes far too long to generate on the fly, as outlined in "1. It takes a long time and will fail peroidically."Second, With respect to distributing a static executable, we have no idea what customer specific resources to download if we cannot customize the package for the customer.Third, if timelines were not an issue, the question remains, is there an "Is there a Apple recommended method to provide custom packages for different customers? Some way to add additional parameters to a package without breaking the notarizartion/signing of it?"
Post not yet marked as solved
So with the new uuid I get a couple of "in progress" results followed by: RequestUUID: <redacted> Date: 2019-07-30 16:40:25 +0000 Status: invalid LogFileURL: (null)Which will be repeated if I continue to call it. There is never a valid LogFileUrl. Once I get the email, the staple will work.
Post not yet marked as solved
I am sorry, my question was not detailed enough.I am uploading a pkg file that has been recreated and resigned with pkgbuild, but with the same contents.Because of signature timestamps and such the file is not exactly the same (different MD5's each time), so it seems it allows the upload because the hash is different. It seems after it is uploaded the system does additional checks decides that it is a duplicate package.The email message looks like this:The Mac software that you uploaded could not be notarized due to processing errors. Please address the issues listed below and upload your software again.Bundle Identifier: <redacted>Request Identifier: ab59b3d2-4fba-4b90-a6ef-<redacted>ITMS-90732: Duplicate Upload - The software asset has already been uploaded. The upload ID is f5243c9f-ffcf-4b49-9734-<redacted>So it is generating a new request identifier on an upload that is sucessful.
