Here is the situation:
We are shipping an application bundle which is submitted to the notarization service for approval.
The application bundle adheres to the notarization standards and is approved.
Problem: We need to ship a zip file inside this application. This zip file has all the files that are signed. Most of the files are signed by us. However there are some 3P zip files which are not signed by us. We would rather not open these 3P zip files as there might be SLAs involved here.
As a result we end up with a zip file which contains mixed signatures. This zip file needs to be part of that application that needs to be notarized.
Question: What is the best way to do this in order for the notarization service to approve the application and ship the zip file as part of the application? Note: We don't know if all the files inside the 3P zips are correctly signed (example: With Hardened Runtime). They are all signed though
Also, when the zip files contents are laid out onto the customer machine, they are all signed and validated. However, some files might not have hardened runtime.
Thanks in advance.
Post
Replies
Boosts
Views
Activity
We have an organization with multiple developers trying to develop apps. There are times where they want to find out if their app will pass notarization or not? We have a Developer ID Application certificate that we use to sign files right before production deployment and then for notarization approval. But this is not possible when developers are working in their sandboxes.
Providing each developer their own Developer ID Application certificate for distribution is both not feasible and perhaps not very secure.
Is there a way in which they can find out if their apps would pass the notarization tests without actually uploading to Apple?
I am in the process of notarizing a dmg file. We are getting some errors in the process. These errors can be retrieved from the notarytool -log option. However, I would like to get the error in a link form like we used to get with altool so that I could share it with my team. Does anyone know how to get a link for the failure log?
Hi everyone,
Been working with Apple's notarization process for a while, and we've recently noticed some unexpected behavior.
It seems like the notarization service might be looking inside ZIP archives contained within my app's distribution package.
In the past, we don't recall the notarization process digging into ZIP files like this—only the main app bundle and its contents were scanned for signatures.
Has there been a recent change or update to the notarization service that now includes inspecting files within ZIP archives?
If so, are there specific guidelines or documentation updates regarding this change? Can anyone point me to what to expect and how to adjust my workflow accordingly. While "signing all the files" is the default answer, is there a more cohesive answer to this question?
Thanks