We have developed an electron app which we want to extend with an action extension. The action extension is written in swift in Xcode. Our plan was to build the .appex file and insert it into the PlugIns folder in our electron app, but I don't think this is the right way to do it? If we insert the .appex file before notarization then we get an error that we are "replacing existing signature". If we manually insert it after the notarization then we get an error with the app is damaged and can’t be opened. Can anybody provide a procedure for this kind of merge I would imagine that it goes something like: Sign app Sign extension Add extension to App Notarize app For signing the app we use electron-builder.

Hi, can't activate system-extension. in any case getting Domain=OSSystemExtensionErrorDomain Code=8 "Invalid code signature or missing entitlements" (sometimes get code = 9) P.S. In debug running all is working. (The system is asking to activate sysex) Has to read huge amount of forum, samples, and docs. But no luck What and how i've tried steps which i've doing #- signing sysextension binaries with Developer ID Application #- signing system extension with Developer ID Application #- signing application with Developer ID Application #- checking all signatures with Developer ID Application #- building pkg installer #- signing installer with Developer ID Installer #- checking signing #- sending installer for notarization #- waiting for installer verification #- after success I call stapler staple #- When calling sysex activation I get (But the problem is persist when i've try to move signed app to application folder, or try to notarize zip) or in any case which possibly mention on forum, i've get sign command sample codesign --force --timestamp --options runtime --sign "Developer ID ***" Also has to tried with ** --deep,** but no luck. Result of steps descrribed here: App has System Extension compatibility, Sysex haven't System Extension. App is used the same bundle id as in AppStore (also has to tried separate one, but no luck) In console just two informative message regarding it, but nothing specific default 01:08:04.745310+0200 sysextd client activation request for com.company.appName.PacketTunnelMacExternal default 01:08:04.745330+0200 sysextd attempting to realize extension with identifier com.company.appName.PacketTunnelMacExternal default 01:08:04.750996+0200 appName-Mac-External [0x13a9496f0] invalidated because the current process cancelled the connection by calling xpc_connection_cancel() Could you please assits with solve issue?

HERE IS THE COMPLETE LOG FROM THE SYSTEM.. please help me with the issue. Downloads % xcrun notarytool submit appName.pkg --apple-id “appleid --team-id <app_id> --wait --verbose [17:21:08.220Z] Debug [MAIN] Running notarytool version: unknown (0), date: 2024-09-09T17:21:08Z, command: /Applications/Xcode.app/Contents/Developer/usr/bin/notarytool submit _090624.pkg --apple-id <apple_id_hidden>--team-id <app_id> --wait --verbose Conducting pre-submission checks for _090624.pkg and initiating connection to the Apple notary service... [17:21:08.222Z] Debug [PREFLIGHT] _090624.pkg is a flat installer package. [17:21:08.223Z] Debug [PREFLIGHT] Finished completing determination of file type for _090624.pkg. Operation took 1ms. Password for <apple_id_hidden>: [17:21:13.354Z] Info [API] Initialized Notary API with base URL: https://appstoreconnect.apple.com/notary/v2/ [17:21:13.357Z] Debug [CTXMGR] Created temporary directory at: file:///var/folders/bj/ct_f469n03b2l596c_00n27c0000gp/T/TemporaryItems/NSIRD_notarytool_hkXwCu/ [17:21:13.359Z] Debug [CTXMGR] Copied _090624.pkg -- file:///Users/w525362/Downloads/ to file:///var/folders/bj/ct_f469n03b2l596c_00n27c0000gp/T/TemporaryItems/NSIRD_notarytool_hkXwCu/_090624.pkg [17:21:13.360Z] Debug [FILEHASH] Generating md5 and sha256 digest with buffer size 1048576 for file:///var/folders/bj/ct_f469n03b2l596c_00n27c0000gp/T/TemporaryItems/NSIRD_notarytool_hkXwCu/_090624.pkg [17:21:13.486Z] Debug [FILEHASH] MD5 digest: bd49fd77dfe36a9bbfb4c7efc329c6fe [17:21:13.486Z] Debug [FILEHASH] Base64-encoded MD5 Digest: vUn9d9/japu/tMfvwynG/g== [17:21:13.487Z] Debug [FILEHASH] SHA256 digest: 03466bf60dc33f57a2bbb2ba54402eb882529085e98f9d18e1e42ceeecd9d0aa [17:21:13.487Z] Debug [FILEHASH] Finished generating file hashes for _090624.pkg. Operation took 126ms. [17:21:13.487Z] Debug [API] Sending submissions payload: submissionPayload(submissionName: "_090624.pkg", md5: "bd49fd77dfe36a9bbfb4c7efc329c6fe", sha256: "03466bf60dc33f57a2bbb2ba54402eb882529085e98f9d18e1e42ceeecd9d0aa", notifications: []) [17:21:13.488Z] Info [API] Preparing POST request to URL: https://appstoreconnect.apple.com/notary/v2/submissions?, Custom Headers: private<Dictionary<String, String>> [17:21:13.488Z] Debug [AUTHENTICATION] Delaying current request to refresh app-specific password token. [17:21:13.488Z] Info [API] Preparing GET request to URL: https://appstoreconnect.apple.com/notary/v2/asp?, Parameters: [:], Custom Headers: private<Dictionary<String, String>> [17:21:13.488Z] Debug [AUTHENTICATION] Authenticating request to '/notary/v2/asp' with Basic Auth. Username: appleID, Password: private, Team ID: <app_id> [17:21:13.489Z] Debug [TASKMANAGER] Starting Task Manager loop to wait for asynchronous HTTP calls. [17:21:14.774Z] Debug [API] Received response status code: 401, message: unauthorized, URL: https://appstoreconnect.apple.com/notary/v2/asp?, Correlation Key: QHGCOMLZWZVN4SEAKHS3SBGLS4 [17:21:14.775Z] Error [TASKMANAGER] Completed Task with ID 2 has encountered an error. [17:21:14.775Z] Debug [TASKMANAGER] Ending Task Manager loop. [17:21:14.783Z] Debug [CTXMGR] Removed temporary directory: Optional(file:///var/folders/bj/ct_f469n03b2l596c_00n27c0000gp/T/TemporaryItems/NSIRD_notarytool_hkXwCu/) Error: HTTP status code: 401. Invalid credentials. Username or password is incorrect. Use the app-specific password generated at appleid.apple.com. Ensure that all authentication arguments are correct.

I recently changed the architecture of my app by moving some of the logic into a helper app, which is embedded together with the main app. The main app's bundle looks like this: Main.app - Contents - MacOS - Main - Helper.app It all works fine during development, and I could successfully archive and notarize it. However, when I try to launch the notarized version of the helper app, it fails with the signing issues. failed to fetch Main.app/Contents/MacOS/Helper.app/Contents/_CodeSignature/CodeRequirements-1 error=-10 I have tried a few things, but could not find any working solution. Any help is appreciated!

Hi, we have .pkg install package consisting of various sub packages. One of them contains presets and needs to be installed the the default preset location /Library/Audio/Presets. If this non-binary preset package is the only one in a .pkg choice notarization fails with: "logFormatVersion": 1, "jobId": "*", "status": "Invalid", "statusSummary": "Archive contains critical validation errors", "statusCode": 4000, "archiveFilename": "mypackage.pkg.zip", "uploadDate": "2024-08-22T21:24:03.251Z", "sha256": "*", "ticketContents": null, "issues": [ { "severity": "error", "code": null, "path": "mypackage.pkg.zip", "message": "Package mypackage.pkg.zip has no signed executables or bundles. No tickets can be generated.", "docUrl": null, "architecture": null }, { "severity": "warning", "code": null, "path": "mypackage.pkg.zip/mypackage.pkg", "message": "b\"Invalid component package: mypackage_vstpreset Distribution file's value: #com.mycompany.mypackage.vstpreset.pkg\\n\"", "docUrl": null, "architecture": null } ] } Not sure, but maybe its worth noting that the causing sub packge only generates a warning, but the parent package seems to escalate this into an error. How can a non-binary sub package be included in a notarized parent package? Any hints or thoughts are highly appreciated, Thanks!

Hi everyone, Been working with Apple's notarization process for a while, and we've recently noticed some unexpected behavior. It seems like the notarization service might be looking inside ZIP archives contained within my app's distribution package. In the past, we don't recall the notarization process digging into ZIP files like this—only the main app bundle and its contents were scanned for signatures. Has there been a recent change or update to the notarization service that now includes inspecting files within ZIP archives? If so, are there specific guidelines or documentation updates regarding this change? Can anyone point me to what to expect and how to adjust my workflow accordingly. While "signing all the files" is the default answer, is there a more cohesive answer to this question? Thanks

I've the common "Team is not yet configured for notarization" issue and I've had it since the beginning of last year, where I contacted Apple about the issue, after going through some generalized useless advice that the support agent gave me I was finally able to escalate the issue and they supposedly had their "engineers" working on it. About every month I would send 1-2 emails asking for status update and everytime the response was "the engineers are working on it", and about the 8th-9th month they stopped responding. Now I've paid for developer program again, I have the same issue, it has not been fixed. I am in fact being scammed at this point and I've opened an issue via the provided link in the related thread below, it's been a week, Apple has not responded and the fact is, this is the worst platform to develop for. I really am starting to hate this company.

I'm trying to submit my application to the notarization service for the 100th time, but I keep encountering the same error message. I'm feeling frustrated and unsure of what steps to take next...

I submitted my macOS app for notarization. Here's what I see: Successfully received submission info createdDate: 2024-08-21T11:25:46.063Z id: 9e787992-5737-4ca8-b8b5-23d267f6476c name: MacOSapp.zip status: Accepted What does it mean? Are there more stages in this process? The reason I am asking is because trying to staple a ticket gives me 'error 65' which means there is no ticket.

I am using Xcode Cloud to build my Mac Catalyst app for Developer ID Distribution as a DMG package that must be codesigned and notarized. I have a ci_post_xcodebuild.sh script that runs after the Archive action. This needs to perform the following tasks: Produce a DMG from the provided exported archive located at CI_DEVELOPER_ID_SIGNED_APP_PATH Codesign that DMG using the same certificate identity that Xcode Cloud used when automatic code signing the exported archive using cloud signing. Notarize that code signed dmg with the notary service Generate a Sparkle appcast.xml file Upload the DMG and appcast.xml file to s3 The issue I am having is that I do not have access to the cloud signing keychain identity that Xcode Cloud uses to automatically codesign the exported archive. I check for identities and none are found. Running: security find-identity -v -p codesigning There are no code signing identities available. Make sure you have a "Developer ID (Application)" certificate (with the private key) installed on your Mac with Keychain Access. How can I access the cloud signing identity in this script so I can sign my DMG file before notarizing it? I am currently experimenting with installing my own certificate in the build server keychain and run my own archive + export commands after the Build action completes. This is not ideal. Thanks, Andrew

I am runnning persistent notarization issues with my macOS Electron application. Despite multiple attempts to resolve these issues, the notarization status remains "Invalid," and the errors in the report are consistent. What I'm doing Sign the code like this codesign --sign "Apple Distribution: Name Lastname (123456)" --deep --force --timestamp=auto path/to/Application.app I then get: Application.app: replacing existing signature I then verify the signing with: codesign --verify --deep --strict --verbose=4 path/to/Application.app I then get: --prepared:/path/to/Application.app/Contents/Frameworks/SomeFramework.framework --validated:/path/to/Application.app/Contents/Frameworks/SomeFramework.framework --prepared:/path/to/Application.app/Contents/Frameworks/AnotherFramework.framework --validated:/path/to/Application.app/Contents/Frameworks/AnotherFramework.framework Application.app: valid on disk Application.app: satisfies its Designated Requirement I then build: npm build I then package: zip -r Application.zip Application.app I then upload: xcrun notarytool submit Application.zip --apple-id your-apple-id --team-id your-team-id --password your-app-specific-password Then I check for status and I get: Successfully received submission info createdDate: 2024-08-15T18:21:31.520Z id: 55daf39a-4be9-4dd6-a490-1890d33f9e75 name: Application.zip status: Invalid In the report generated I get issues like: "path": "path/to/Application.app/Contents/Frameworks/SomeFramework.framework/SomeFramework", "message": "The signature of the binary is invalid.", "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087735", "architecture": "arm64" and "path": "path/to/Application.app/Contents/Frameworks/SomeFramework.framework/Versions/Current/Helpers/chrome_crashpad_handler", "message": "The signature does not include a secure timestamp.", "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733", "architecture": "arm64" What am I doing wrong? I tried signing each issue separately and rerun the entire process, it's not working.

I am in the process of notarizing a dmg file. We are getting some errors in the process. These errors can be retrieved from the notarytool -log option. However, I would like to get the error in a link form like we used to get with altool so that I could share it with my team. Does anyone know how to get a link for the failure log?

I have been trying to notarize an app since yesterday tried about 20 times at various times of the day. Most times it stops during the upload and produces an error message "Couldn't communicate with a helper application" which occurs at various places while downloading. Three times the upload appeared to complete but then produced an error "This operation could not be completed (SotoS3.S3ErrorType.Multipart.error.1 I then looked in the status log which had several entries: Prepared archive for uploading (green check to left) Upload failed (red x to left) Notary error (red x to left) The operation couldn't be completed (SotoS3.S3ErrorType...) In Progress (grey timer icon to left)

macOS application Mulligan's Eagle (403115926) macOS deployment - macOS 10.14 (Mojave) through Sonoma 14.5 macOS targets - Mac App Store, ad hoc direct drag-to-install image Xcode version 15.4, various development Macs (Intel, M1, M2) Eagle delivered since pre-Mac App Store days - derived from System 7 MacApp development. App most recently delivered with min system Mac OS 10.12 through current Sonoma 14.5, dual target for Mac App Store automatically signed with Apple Development credentials and for outside release automatically signed with Developer ID credentials. Recent revisions to the software to bump min system to 10.14 (Mojave) with typical continuing development for tech, reqm'ts, etc. Updates (a couple since previous release) to Xcode - now using version 15.4, which recommended some config changes that made sense, except min system. Popular application with lots of older (uh... elder) users running Macs servicing golfers. The application is ready to distribute with automatic signing, but wasn't able to do so with Developer ID credentials, but Xcode note (and reading of tips in this forum and my poor understanding) managed to submit for notarization - failed. Tried to manually sign... and reviewed signing info in Xcode... So I reviewed Certificate(s) etc. that should have been used when previously signing Dev ID for notarization and release. I have (I think) six Developer ID Application certs and six Developer ID Installer certs and I can't find any combination of those certificates - some with duplicate dates or expirations - that allows me to use one to automatically sign code to notarization or delivery. What do I do? I've lived a peaceful solo developer life for 25 years delivering and signing code for the Mac and as long as iOS has existed. I'm terrified about this issue however... My early Mac OS using customers (since Lion - pre sandbox) still have serial numbers for this software and have bought a Mac every 6 - 10 years so they could get my latest release. We've never required that they re-purchase from the App Store... they have a perpetual license. Sandboxing was a shock they never felt - we kept delivering updates to them and if they decided sandboxing mattered, they purchased from Apple and we included the container-migration entitlement in the App Store version to move their data to the new sandbox. Pretty slick. Until we built an install disk to test it on an unsandboxed version of Eagle in our office. It "lost" its data - vanished by remaining in the old Application Support directory while the new hardened runtime version looked for it in the sandbox - finding nothing. Just imagine encountering that if you're 80 years old running a golf league. How can I "reset" the futzed-up certificate Developer ID mess? I have multiple machines, all with varying subsets of what seem to be good certificates. And Xcode builds new provisioning profiles just for the heck of it, it seems. I'm afraid to revoke or throw out any certificates because I can't tell which ones are good, bad or duplicates - they're all valid. And I can't create any more Developer ID certs because there's a max to control certificate-miscreants like me (yes, I've read Quinn's protection of your Dev ID note - I screwed it up with only 1 employee). I depend on automatic signing because I'm still, after 58 years of coding, just a novice. Is it true that I should still specify in my build settings that I'm using Developer ID credentials for my ad hoc development and distribution schemes? And that the proper settings for those should NOT enable hardened runtime or app sandboxing? Sorry for my intensity here.... It's been 2 weeks since App Review bonked an initial submission with just an "it's broken" reject message, and DTS decided this is not such an emergency that the Developer Forum shouldn't be able to handle it. I'm truly hoping it's so.

Hi, We are running xcrun staple on our pkg file. It gives the following message We do not know how to deal with trailer version 9262. Exepected 1 Terminator Trailer size must be 0, not 1737 {magic: t8lr, version: 1, type: 2, length: 1737} Found expected ticket at 8164385 with length of 1737 Sig Type is RSA. Length is 3 Sig Type is CMS. Length is 3 Package mypkg.pkg uses a checksum of size 20 *The staple and validate action worked!* However, the command returns with -1 error code. So, the questions I have are: What does this return response mean? Do we consider this as a success of failure scenario (specially because the message "...action worked"

When checking that a .dmg file is correctly stapled with the command xcrun stapler validate -v file.dmg I intermittently get errors like Properties are { NSURLIsDirectoryKey = 0; NSURLIsPackageKey = 0; NSURLIsSymbolicLinkKey = 0; NSURLLocalizedTypeDescriptionKey = "Disk Image"; NSURLTypeIdentifierKey = "com.apple.disk-image-udif"; "_NSURLIsApplicationKey" = 0; } Codesign offset 0x1eb82c90 length: 15891 Stored Codesign length: 15891 number of blobs: 5 Total Length: 15891 Found blobs: 5 Props are { cdhash = {length = 20, bytes = 0x07d207070853a23966374ae1b36e921148b3a5f3}; digestAlgorithm = 2; flags = 73728; secureTimestamp = "2024-07-26 06:08:31 +0000"; signingId = "SIGNED-file.dmg... [ Message content over the limit has been removed. ] } Headers: { "Content-Type" = "application/json"; } Response is (null) error is Error Domain=NSURLErrorDomain Code=-1001 "The request timed out." UserInfo={_kCFStreamErrorCodeKey=-2102, NSUnderlyingError=0x6000012b4a80 {Error Domain=kCFErrorDomainCFNetwork Code=-1001 "(null)" UserInfo={_kCFStreamErrorCodeKey=-2102, _kCFStreamErrorDomainKey=4}}, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <82266119-065E-480C-B012-F30B48DB0F44>.<1>, _NSURLErrorRelatedURLSessionTaskErrorKey=( "LocalDataTask <82266119-065E-480C-B012-F30B48DB0F44>.<1>" ), NSLocalizedDescription=The request timed out., NSErrorFailingURLStringKey=https://api.apple-cloudkit.com/database/1/com.apple.gk.ticket-delivery/production/public/records/lookup, NSErrorFailingURLKey=https://api.apple-cloudkit.com/database/1/com.apple.gk.ticket-delivery/production/public/records/lookup, _kCFStreamErrorDomainKey=4} I am not able to pin down the cause of this, could it be rate limiting on the API? Any other thoughts as to the cause? Thanks.

Hello, For my macOS app, on Xcode version 15.4 (15F31d) on macOS 14.5 (23F79) I follow Organizer > Distribute App > Direct Distribution, and I get a Notary Error "The operation couldn't be completed. (SotoS3.S3ErrorType.multipart error 1.)" It's been happening since 3 days. In the IDEDistribution.verbose.log file I see: https://gist.github.com/atacan/5dec7a5e26dde0ec06a5bc4eb3607461

notarytool-2024-07-23-143951.ips I notarytool-2024-07-23-105410.ips have two Mac machines and running the same Python script as a CGI script in an Apache webserver (httpd) installed via Homebrew. The Python script calls the subprocess.run() method to call the notarytool via xcrun. On one server the script runs as expected in the webserver environment and on the other machines it gets an exit code (-)4; SIGILL. On the machines where it fails, the notarytool command works from console, as expected. Additionally, it works if I run the script directly with Python in the console. I launch the same command in a Perl script in the webserver and the same exit code / issue occured. I have the same installed version and setup on both servers for Homebrew Apache Webserver (httpd) Python version (3.9.6) xcrun --version: xcrun version 61. xcrun notarytool --version: 1.0.0 (27) the Mac machines are identical, both are bought and set up at the same time The see similar topics at: https://forums.developer.apple.com/forums/thread/724995 Notarytool was used on a machine as an agent via Jenkins job https://github.com/moses-palmer/pynput/issues/366#issuecomment-1364470827 used Python, gets the same exit code, used in multi-thread environment (maybe like a webserver)

After my application was singed on the mac runner, I got an error when my application was uploaded from my Mac runner to the Notarization service. Here is my error: Notarization ended with response: {"uuid":"my_uid","notarizationStatus":{"status":"ERROR","message":"Error happened while uploading file to Apple notarization service","moreInfo":"net.jodah.failsafe.FailsafeException: java.util.concurrent.ExecutionException: Error while parsing the output after the upload of the file to be notarized"}} Does anyone know how to fix it? Thank you very much!

Im using a git actions CI/CD pipeline for my automated deployment and I'd like to include notarisation in this process. Right now when I'm submitting for notarisation manually/locally it's taking around 24 hours and then is eventually successfully accepted. \ Using a git actions server to do this has a cost per minute (and an even higher cost at 10x per minute for a Mac-OS machine), so notarising with a 24hr turn around time is not feasible. Ive submitted my application many times and it's been the same experience each time taking around 24 hours and then being accepted. How can I shorten the time frame on this or even find out what I might be doing wrong to cause such a long time for a response? here my log: { "logFormatVersion": 1, "jobId": "3ccf4652-60dc-4fd1-b281-23d49b2b7bb1", "status": "Accepted", "statusSummary": "Ready for distribution", "statusCode": 0, "archiveFilename": "AudioMap.dmg", "uploadDate": "2024-07-14T16:51:02.848Z", "sha256": "614c5992133d61094b39b6a5d00a225d2fc7efe78ab0e59cd47c78275602cb59", "ticketContents": [ { "path": "AudioMap.dmg", "digestAlgorithm": "SHA-256", "cdhash": "9d4f500a2fd49769b99f921d3fbe8ef753604abe" }, { "path": "AudioMap.dmg/AudioMap.app", "digestAlgorithm": "SHA-256", "cdhash": "b1fa9c86be805ef28c645f3b03631e2e5873ce77", "arch": "arm64" }, { "path": "AudioMap.dmg/AudioMap.app/Contents/Frameworks/libsodium.26.dylib", "digestAlgorithm": "SHA-256", "cdhash": "6228e3fdcd29c080ae45d1bc5a6af10960db8938", "arch": "arm64" }, { "path": "AudioMap.dmg/AudioMap.app/Contents/MacOS/AudioMap", "digestAlgorithm": "SHA-256", "cdhash": "b1fa9c86be805ef28c645f3b03631e2e5873ce77", "arch": "arm64" }, { "path": "AudioMap.dmg/AudioMap.app/Contents/Frameworks/libsodium.26.dylib", "digestAlgorithm": "SHA-256", "cdhash": "6228e3fdcd29c080ae45d1bc5a6af10960db8938", "arch": "arm64" } ], "issues": null }