Notarization

Notarization is the process of scanning Developer ID-signed software for malicious components before distribution outside of the Mac App Store.

Posts under Notarization tag

120 Posts
Verifiably signed app becomes unsigned once downloaded from Steam
Hello! I'm dealing with a strange code signing issue which is preventing me from distributing a game through Steam. I'm able to sign and notarise the app in Xcode without any issues. I can verify that the app and all frameworks in /Contents/Frameworks/ are signed, and Gatekeeper allows the app to run without complaining.

    $ spctl --assess -vvv ~/Temp/CodeSigningTest/GoodApp.app
    /Users/ruairi/Temp/CodeSigningTest/GoodApp.app: accepted
    source=Notarized Developer ID
    origin=Developer ID Application: Ruairi Dorrity (3F97UA4BF8)

    $ codesign --verify -vvv ~/Temp/CodeSigningTest/GoodApp.app
    --prepared:/Users/ruairi/Temp/CodeSigningTest/GoodApp.app/Contents/Frameworks/ogg.framework/Versions/Current/.
    --validated:/Users/ruairi/Temp/CodeSigningTest/GoodApp.app/Contents/Frameworks/ogg.framework/Versions/Current/.
    --prepared:/Users/ruairi/Temp/CodeSigningTest/GoodApp.app/Contents/Frameworks/mpg123.framework/Versions/Current/.
    --validated:/Users/ruairi/Temp/CodeSigningTest/GoodApp.app/Contents/Frameworks/mpg123.framework/Versions/Current/.
    --prepared:/Users/ruairi/Temp/CodeSigningTest/GoodApp.app/Contents/Frameworks/libmodplug.framework/Versions/Current/.
    --validated:/Users/ruairi/Temp/CodeSigningTest/GoodApp.app/Contents/Frameworks/libmodplug.framework/Versions/Current/.
    --prepared:/Users/ruairi/Temp/CodeSigningTest/GoodApp.app/Contents/Frameworks/freetype.framework/Versions/Current/.
    --validated:/Users/ruairi/Temp/CodeSigningTest/GoodApp.app/Contents/Frameworks/freetype.framework/Versions/Current/.
    --prepared:/Users/ruairi/Temp/CodeSigningTest/GoodApp.app/Contents/Frameworks/Lua.framework/Versions/Current/.
    --validated:/Users/ruairi/Temp/CodeSigningTest/GoodApp.app/Contents/Frameworks/Lua.framework/Versions/Current/.
    --prepared:/Users/ruairi/Temp/CodeSigningTest/GoodApp.app/Contents/Frameworks/vorbis.framework/Versions/Current/.
    --validated:/Users/ruairi/Temp/CodeSigningTest/GoodApp.app/Contents/Frameworks/vorbis.framework/Versions/Current/.
    --prepared:/Users/ruairi/Temp/CodeSigningTest/GoodApp.app/Contents/Frameworks/OpenAL-Soft.framework/Versions/Current/.
    --validated:/Users/ruairi/Temp/CodeSigningTest/GoodApp.app/Contents/Frameworks/OpenAL-Soft.framework/Versions/Current/.
    --prepared:/Users/ruairi/Temp/CodeSigningTest/GoodApp.app/Contents/Frameworks/theora.framework/Versions/Current/.
    --validated:/Users/ruairi/Temp/CodeSigningTest/GoodApp.app/Contents/Frameworks/theora.framework/Versions/Current/.
    --prepared:/Users/ruairi/Temp/CodeSigningTest/GoodApp.app/Contents/Frameworks/love.framework/Versions/Current/.
    --validated:/Users/ruairi/Temp/CodeSigningTest/GoodApp.app/Contents/Frameworks/love.framework/Versions/Current/.
    --prepared:/Users/ruairi/Temp/CodeSigningTest/GoodApp.app/Contents/Frameworks/SDL2.framework/Versions/Current/.
    --validated:/Users/ruairi/Temp/CodeSigningTest/GoodApp.app/Contents/Frameworks/SDL2.framework/Versions/Current/.
    /Users/ruairi/Temp/CodeSigningTest/GoodApp.app: valid on disk
    /Users/ruairi/Temp/CodeSigningTest/GoodApp.app: satisfies its Designated Requirement

However, if I zip the app and upload it to Steam, the app that the Steam client downloads is blocked by Gatekeeper ("damaged and can't be opened") and re-running the above commands shows that the code signing seal has been broken somehow on the downloaded app:

    $ spctl --assess -vvv ~/Temp/CodeSigningTest/BadApp.app
    /Users/ruairi/Temp/CodeSigningTest/BadApp.app: cannot find code object on disk

    $ codesign --verify -vvv ~/Temp/CodeSigningTest/BadApp.app
    /Users/ruairi/Temp/CodeSigningTest/BadApp.app: code object is not signed at all
    In subcomponent: /Users/ruairi/Temp/CodeSigningTest/BadApp.app/Contents/Frameworks/love.framework

The second command can be re-run, showing a seemingly random framework from /Contents/Frameworks/ each time, e.g.

    $ codesign --verify -vvv ~/Temp/CodeSigningTest/BadApp.app
    /Users/ruairi/Temp/CodeSigningTest/BadApp.app: code object is not signed at all
    In subcomponent: /Users/ruairi/Temp/CodeSigningTest/BadApp.app/Contents/Frameworks/ogg.framework

Further investigation shows that these frameworks are now unsigned, when they were signed before uploading and downloading:

    $ codesign --verify -vvv ~/Temp/CodeSigningTest/BadApp.app/Contents/Frameworks/ogg.framework
    /Users/ruairi/Temp/CodeSigningTest/BadApp.app/Contents/Frameworks/ogg.framework: code object is not signed at all
    $ codesign --verify -vvv ~/Temp/CodeSigningTest/BadApp.app/Contents/Frameworks/love.framework
    /Users/ruairi/Temp/CodeSigningTest/BadApp.app/Contents/Frameworks/love.framework: code object is not signed at all
    ...
    $ codesign --verify -vvv ~/Temp/CodeSigningTest/GoodApp.app/Contents/Frameworks/ogg.framework
    /Users/ruairi/Temp/CodeSigningTest/GoodApp.app/Contents/Frameworks/ogg.framework: valid on disk
    /Users/ruairi/Temp/CodeSigningTest/GoodApp.app/Contents/Frameworks/ogg.framework: satisfies its Designated Requirement
    $ codesign --verify -vvv ~/Temp/CodeSigningTest/GoodApp.app/Contents/Frameworks/love.framework
    /Users/ruairi/Temp/CodeSigningTest/GoodApp.app/Contents/Frameworks/love.framework: valid on disk
    /Users/ruairi/Temp/CodeSigningTest/GoodApp.app/Contents/Frameworks/love.framework: satisfies its Designated Requirement

I'm stumped as to what's happening here. Is it possible that the app is being modified behind the scenes by Steam, which breaks the code signing? This seems unfathomable because it would surely break code signing on every Mac game on Steam, but I really can't understand what else would be going on. I'm sure I need to expand my knowledge on code signing; any pointers, suggestions or assistance is greatly appreciated! Thank you!
2 replies, 0 boosts, 514 views, Feb ’24

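An added diagnostic for the symptom in the post above (example code, not the poster's). Nested frameworks that verified before shipping and come back as "code object is not signed at all" have usually not lost their signature bytes; the bundle layout changed in transit. The two things to check first are symbolic links (Versions/Current, and the top-level Foo.framework/Foo and Resources links) being turned into plain copies or directories, and _CodeSignature directories being dropped. The script records the kind of every entry in the pre-upload bundle and in the downloaded copy and reports what differs; the bundle it builds for its own demo is a constructed fixture, not a real framework, and the script needs no macOS tools, so it also runs in non-macOS CI.

```python
"""Diff an app bundle against its post-transport copy (added example; not code from the post)."""
from __future__ import annotations

import os
import shutil
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict[str, str]:
    """Map each path under root (relative) to 'dir', 'file' or 'symlink-><target>'.

    Symlinks are recorded but never followed, which is exactly the distinction a
    signature-preserving archive has to keep.
    """
    entries: dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if path.is_symlink():
                entries[rel] = "symlink->" + os.readlink(path)
            elif path.is_dir():
                entries[rel] = "dir"
            else:
                entries[rel] = "file"
    return entries


def diff_bundles(good: Path, bad: Path) -> list[str]:
    """Findings: entries missing from `bad`, entries whose kind changed, and extras."""
    before, after = snapshot(good), snapshot(bad)
    findings: list[str] = []
    for rel, kind in sorted(before.items()):
        if rel not in after:
            findings.append(f"missing: {rel} ({kind})")
        elif after[rel] != kind:
            findings.append(f"changed: {rel} {kind} -> {after[rel]}")
    for rel in sorted(set(after) - set(before)):
        findings.append(f"extra: {rel} ({after[rel]})")
    return findings


def lost_seals(findings: list[str]) -> list[str]:
    """The subset of findings that breaks a nested code object's seal."""
    return [f for f in findings
            if "_CodeSignature" in f or (f.startswith("changed: ") and "symlink->" in f)]


def make_framework(frameworks: Path, name: str, *, keep_symlinks: bool, keep_seal: bool) -> None:
    """Write a minimal Foo.framework layout; a constructed fixture, not a loadable framework."""
    fw = frameworks / f"{name}.framework"
    ver_a = fw / "Versions" / "A"
    (ver_a / "Resources").mkdir(parents=True)
    (ver_a / name).write_bytes(b"\xcf\xfa\xed\xfe")  # Mach-O magic only; placeholder binary
    (ver_a / "Resources" / "Info.plist").write_text("<plist/>")
    if keep_seal:
        (ver_a / "_CodeSignature").mkdir()
        (ver_a / "_CodeSignature" / "CodeResources").write_text("<plist/>")
    if keep_symlinks:
        os.symlink("A", fw / "Versions" / "Current")
        os.symlink(f"Versions/Current/{name}", fw / name)
        os.symlink("Versions/Current/Resources", fw / "Resources")
    else:
        # What a symlink-unaware archiver leaves behind: real copies where links were.
        shutil.copytree(ver_a, fw / "Versions" / "Current")
        shutil.copy(ver_a / name, fw / name)
        shutil.copytree(ver_a / "Resources", fw / "Resources")


def demo() -> list[str]:
    """Build a good bundle and a damaged copy (both constructed), then diff them."""
    with tempfile.TemporaryDirectory() as tmp:
        good_app, bad_app = Path(tmp) / "GoodApp.app", Path(tmp) / "BadApp.app"
        for app, links, seal in ((good_app, True, True), (bad_app, False, False)):
            frameworks = app / "Contents" / "Frameworks"
            frameworks.mkdir(parents=True)
            make_framework(frameworks, "ogg", keep_symlinks=links, keep_seal=seal)
        return diff_bundles(good_app, bad_app)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run it as is for the constructed case, or call diff_bundles on the bundle you uploaded and the one the Steam client wrote to disk. The archive step Apple documents for notarization uploads, `ditto -c -k --keepParent GoodApp.app GoodApp.zip`, keeps symlinks intact; whether the damage here happens in the zip step or on Steam's side is not something I can tell from the post, and the diff is how to find out.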
Mac App Launch error after Mac codesign with --options runtime
Hi team, we used py2app to build the Mac app; the app works well before codesigning. But when I codesign it with --options runtime the app can't start up, with the error below:

    /petoi-mac-app/Petoi\ Desktop\ App.app/Contents/MacOS/Petoi\ Desktop\ App ; exit;
    Traceback (most recent call last):
      File "/Petoi Desktop App.app/Contents/Resources/__boot__.py", line 147, in <module>
        _setup_ctypes()
      File "/petoi-mac-app/Petoi Desktop App.app/Contents/Resources/__boot__.py", line 140, in _setup_ctypes
        from ctypes.macholib import dyld
      File "<frozen importlib._bootstrap>", line 983, in _find_and_load
      File "<frozen importlib._bootstrap>", line 967, in _find_and_load_unlocked
      File "<frozen importlib._bootstrap>", line 668, in _load_unlocked
      File "<frozen importlib._bootstrap>", line 638, in _load_backward_compatible
      File "ctypes/__init__.pyc", line 551, in <module>
      File "ctypes/__init__.pyc", line 273, in _reset_cache
    MemoryError
    2024-02-21 19:57:09.168 Petoi Desktop App[93968:1375266] Launch error
    2024-02-21 19:57:09.168 Petoi Desktop App[93968:1375266] Launch error
    See the py2app website for debugging launch issues

But if I remove --options runtime I get the notarization error below:

    {
      "severity": "error",
      "code": null,
      "path": "PetoiDesktopInstaller.pkg/PetoiDesktopInstaller.pkg Contents/Payload/Applications/Petoi Desktop App.app/Contents/MacOS/Petoi Desktop App",
      "message": "The executable does not have the hardened runtime enabled.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087724",
      "architecture": "x86_64"
    }

I am looking forward to your insightful reply.
1 reply, 0 boosts, 497 views, Feb ’24

Notary Submission rejected without reason
I tried to submit my app via the Notary Service with this command:

    xcrun notarytool submit "${DMG_DIR}/${DMG_NAME}" --key "${APP_STORE_API_KEY}" --key-id "${KEY}" --issuer "${ISSUER}" --verbose

and I called the API to get the status of the submission, and it said it was rejected without any metadata. I did codesign the app with this command:

    codesign --force --timestamp --deep --sign "Developer ID Application: MY_NAME" "${DMG_DIR}/${DMG_NAME}"

Verify it with this command:

    codesign -vvv --deep --strict "${DMG_DIR}/${DMG_NAME}"

The verification response:

    /Users/runner/work/1/a/cli/osx-x64/{DMGFILE}.dmg: valid on disk
    /Users/runner/work/1/a/cli/osx-x64/{DMGFILE}.dmg: satisfies its Designated Requirement

Verify the timestamp with this command and response:

    Executable=/Users/runner/work/1/a/cli/osx-x64/{DMGFILE}.dmg
    Identifier={IDENTIFIER}
    Format=disk image
    CodeDirectory v=20200 size=297 flags=0x0(none) hashes=1+6 location=embedded
    Signature size=8975
    Authority=Developer ID Application: MY_NAME
    Authority=Developer ID Certification Authority
    Authority=Apple Root CA
    Timestamp=Feb 14, 2024 at 7:40:35 PM
    Info.plist=not bound
    TeamIdentifier=TEAM_ID
    Sealed Resources=none
    Internal requirements count=1 size=172

I wonder if I missed any steps. Thank you for the help.
3 replies, 0 boosts, 643 views, Mar ’24

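Added example for the "rejected without any metadata" situation above (my code, not the poster's). `notarytool submit` only reports the verdict; the per-file reasons come from `xcrun notarytool log <submission-id>` with the same `--key/--key-id/--issuer` (or `--keychain-profile`) credentials, which returns JSON whose "issues" array holds entries shaped exactly like the one quoted in the py2app post two entries up (severity, code, path, message, docUrl, architecture). The top-level names read here (status, statusSummary, issues) are the ones I have seen in real logs and are an assumption of the example; SAMPLE_LOG is constructed, not real notary output, though its messages are ones that appear on this page.

```python
"""Turn a notarytool log into a per-file report (added example; not code from the post)."""
from __future__ import annotations

import json
from collections import defaultdict

HARDENED_RUNTIME_DOC = ("https://developer.apple.com/documentation/security/"
                        "notarizing_macos_software_before_distribution/"
                        "resolving_common_notarization_issues#3087724")

# Constructed sample; placeholder job id and paths.
SAMPLE_LOG = json.dumps({
    "logFormatVersion": 1,
    "jobId": "00000000-0000-4000-8000-000000000000",
    "status": "Invalid",
    "statusSummary": "Archive contains critical validation errors",
    "issues": [
        {"severity": "error", "code": None,
         "path": "Example.dmg/Example.app/Contents/MacOS/Example",
         "message": "The executable does not have the hardened runtime enabled.",
         "docUrl": HARDENED_RUNTIME_DOC, "architecture": "x86_64"},
        {"severity": "error", "code": None,
         "path": "Example.dmg/Example.app/Contents/MacOS/Example",
         "message": "The executable does not have the hardened runtime enabled.",
         "docUrl": HARDENED_RUNTIME_DOC, "architecture": "arm64"},
        {"severity": "error", "code": None,
         "path": "Example.dmg/Example.app/Contents/Frameworks/libhelper.dylib",
         "message": "The signature of the binary is invalid.",
         "docUrl": None, "architecture": "arm64"},
        {"severity": "warning", "code": None,
         "path": "Example.dmg/Example.app/Contents/Frameworks/libhelper.dylib",
         "message": "The signature does not include a secure timestamp.",
         "docUrl": None, "architecture": "arm64"},
    ],
})


def parse_log(log_json: str) -> dict:
    """Group issues by (severity, message); each value lists the affected (path, arch) pairs."""
    log = json.loads(log_json)
    grouped: dict[tuple[str, str], list[tuple[str, str]]] = defaultdict(list)
    for issue in log.get("issues") or []:
        key = (issue.get("severity", "unknown"), issue.get("message", ""))
        grouped[key].append((issue.get("path", "?"), issue.get("architecture", "?")))
    return {
        "status": log.get("status"),
        "summary": log.get("statusSummary"),
        "grouped": dict(grouped),
    }


def blocking_paths(report: dict) -> list[str]:
    """Files that must change before resubmitting: anything carrying an error-severity issue."""
    paths = {path for (sev, _), hits in report["grouped"].items() if sev == "error"
             for path, _ in hits}
    return sorted(paths)


def format_report(report: dict) -> str:
    """Compact text: one line per distinct message, then the files it applies to."""
    lines = [f"status: {report['status']} ({report['summary']})"]
    for (sev, msg), hits in sorted(report["grouped"].items()):
        lines.append(f"[{sev}] {msg}")
        for path, arch in hits:
            lines.append(f"    {path} ({arch})")
    return "\n".join(lines)


if __name__ == "__main__":
    report = parse_log(SAMPLE_LOG)
    print(format_report(report))
    print("fix first:", blocking_paths(report))
```

Pipe the real log in (`xcrun notarytool log <id> ... | python3 notary_report.py` after swapping SAMPLE_LOG for `sys.stdin.read()`) and the grouped view tells you whether one missing flag or a dozen nested binaries are the problem. Two caveats for the signing commands in the post: Apple's current signing guidance deprecates `--deep` in favour of signing nested code inside-out, and verifying the .dmg alone says nothing about the app inside it; run `codesign --verify --strict -vvv` on the mounted .app as well.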
Notarytool webhook validation
In the developer documentation Customizing the notarization workflow it states that notarytool supports a --webhook flag. When the notarization is complete the Apple notarization server will send the following webhook payload to the web server that I configured.

    {
      "payload": "{\"completed_time\":\"2024-02-13T17:24:37.911Z\",\"event\":\"processing-complete\",\"start_time\":\"2024-02-13T17:24:02.743Z\",\"submission_id\":\"<submission-id>\",\"team_id\":\"<team-id>\"}",
      "signature": "<signature>",
      "cert_chain": "<base64-certchain>"
    }

My question is how can I validate that this webhook is coming from Apple? In that same developer documentation it states the various IP addresses that the stapler requires access to, but those are not the same addresses that the notarytool webhook results are coming from. Presumably I should be able to use the signature to validate that the request is coming from Apple; however, I have been unable to find any documentation about this webhook flag at all beyond the documentation stating that it exists.
0 replies, 1 boost, 516 views, Feb ’24

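An added example of how to consume that callback while the signature scheme is undocumented (my code, not the poster's). The design point is to never act on the webhook's word: it is treated as a trigger only. The handler checks the body has the shape quoted above, that team_id and submission_id belong to a submission we actually made, and then fetches the verdict out of band; in production that lookup is `xcrun notarytool info <submission-id> ...` or the notary REST API, here it is an injected callable, which is an assumption of the example. With that structure a forged or replayed callback can at most cause one extra lookup, and nothing in the webhook body changes what gets recorded. SAMPLE_BODY is constructed with placeholder IDs and base64 strings.

```python
"""Consume a notarytool --webhook callback without trusting it (added example; not from the post)."""
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Callable

ALLOWED_EVENTS = {"processing-complete"}


class WebhookRejected(ValueError):
    """Anything we will not act on; map to HTTP 400 and log the raw body."""


@dataclass
class NotaryWebhookHandler:
    team_id: str
    pending: set[str]                     # submission IDs returned by `notarytool submit`
    fetch_status: Callable[[str], str]    # out-of-band lookup, e.g. wraps `notarytool info`

    def handle(self, body: bytes) -> dict:
        try:
            outer = json.loads(body)
            inner = json.loads(outer["payload"])   # "payload" is a JSON *string*, as in the post
        except (ValueError, KeyError, TypeError) as exc:
            raise WebhookRejected(f"malformed body: {exc}") from None
        if not isinstance(inner, dict):
            raise WebhookRejected("payload is not an object")
        for key in ("signature", "cert_chain"):
            if not isinstance(outer.get(key), str) or not outer[key]:
                raise WebhookRejected(f"missing {key}")
        if inner.get("team_id") != self.team_id:
            raise WebhookRejected("team_id mismatch")
        if inner.get("event") not in ALLOWED_EVENTS:
            raise WebhookRejected(f"unexpected event {inner.get('event')!r}")
        submission_id = inner.get("submission_id")
        if submission_id not in self.pending:
            # Unknown IDs and replays of already-handled IDs both land here.
            raise WebhookRejected("submission_id is not one of ours or was already handled")
        status = self.fetch_status(submission_id)   # the authoritative answer
        self.pending.discard(submission_id)         # mark handled only after a successful lookup
        return {
            "submission_id": submission_id,
            "status": status,
            "completed_time": inner.get("completed_time"),
            # Kept for audit only; not verified, see the lead-in.
            "signature": outer["signature"],
            "cert_chain": outer["cert_chain"],
        }


# Constructed sample callback; placeholder submission id, team id and base64 strings.
SAMPLE_BODY = json.dumps({
    "payload": json.dumps({
        "completed_time": "2024-02-13T17:24:37.911Z",
        "event": "processing-complete",
        "start_time": "2024-02-13T17:24:02.743Z",
        "submission_id": "11111111-2222-4333-8444-555555555555",
        "team_id": "ABCDE12345",
    }),
    "signature": "cGxhY2Vob2xkZXI=",
    "cert_chain": "cGxhY2Vob2xkZXI=",
}).encode()


if __name__ == "__main__":
    handler = NotaryWebhookHandler("ABCDE12345", {"11111111-2222-4333-8444-555555555555"},
                                   fetch_status=lambda sid: "Accepted")
    print(handler.handle(SAMPLE_BODY))
```

Since the post notes that the source addresses are not the documented stapler ranges, an IP allowlist is not a control you can rely on here; serve the endpoint over TLS at a long, unguessable path that only the `--webhook` argument knows, and rate-limit it. If Apple documents the scheme, add real verification in front of everything else: parse cert_chain, chain it to an Apple root you pin, and verify signature over the raw payload string before even parsing it.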
Error "Launch failed." after code signing with entitlements
Hello, I'm running into an issue when code signing my .app file on macOS. After introducing the --entitlements flag, I'm encountering an error that prevents the app from launching:

Error messages:
    App UI: "Cannot open the file"
    Terminal (using open file.app):
    The application cannot be opened for an unexpected reason, error=Error Domain=RBSRequestErrorDomain Code=5 "Launch failed." UserInfo={NSLocalizedFailureReason=Launch failed., NSUnderlyingError=0x60000216d620 {Error Domain=NSPOSIXErrorDomain Code=153 "Unknown error: 153" UserInfo={NSLocalizedDescription=Launchd job spawn failed}}}

Troubleshooting details:
- Without code signing, the app launches and permission pop-ups function correctly (the file tauri generates).
- With code signing (but without --entitlements), the app launches but there are no permission pop-ups.
- All scenarios (without signing, with signing, with signing + --entitlements) have Info.plist in the /Contents of the .app file.
- Notarizing and stapling works fine when I do not include the --entitlements flag when signing.

Code for signing with entitlements:

    codesign --timestamp --sign "Developer ID Application: ()" --options=runtime --entitlements ./src-tauri/Info.plist "${APP_FILE}"

Specifications: MacBook Air, M2, 16GB; macOS Sonoma 14.3.1; Xcode 15.2 (Build version 15C500b)
3 replies, 0 boosts, 2k views, Feb ’24

Notarization status always shows "In Progress" this morning after Apple maintenance completed
After Apple's maintenance completed this morning I am trying to submit an app for notarization - but I continuously get the "In Progress" status. Normally, the result is returned within a minute or two. Is anyone else seeing this problem? Is there a server problem? I am using AppWraper to Notarize and also using the API to verify the results: https://appstoreconnect.apple.com/notary/v2/submissions/{id}
3 replies, 1 boost, 658 views, Feb ’24

Notarization is forever in progress for macOS app
I'm experiencing consistent notarization issues with my macOS app, where my submissions are stuck "in progress". When I check the status after a while, I'm facing 404 errors, and notarytool reports that the "submission Id does not exist." I've attempted to notarize it on different days, but with no success or clarifying error messages. Here are some of my notarization attempts that are still in progress:

    Jan 8, 2024: 25C31477-5893-4CAB-91AE-7900C261A1E4
    Jan 15, 2024:
    Feb 7, 2024: 92B5B694-0952-4AE4-8BA3-2BBF54C96578
    Feb 9, 2024: 3B3E047C-2B83-4499-9AE6-0B4F7922F5C2
    Feb 10, 2024: C98A25BD-5A27-4112-AC99-6420599E30ED

For an unknown reason I was able to notarize the app on 26 January, which was the only time it worked in 2024. As background, I had been notarizing this app without problem in 2023 for many months. I am able to correctly sign the app and export it without the notarization, and use it on my other MacBooks.
2 replies, 0 boosts, 963 views, Feb ’24

Is the Hardened Runtime required for Mac Apps Now?
I just tried submitting an app to be notarized. This app is actually only used by me internally (but I have other apps this question would be relevant to) and I can't submit for notarization. I get the following error: "Hardened Runtime is not enabled." Is the Hardened Runtime now required? I know it used to be optional (I believe the last time I submitted an app update a few months ago outside the Mac App Store I got no such error).
6 replies, 0 boosts, 1k views, Feb ’24

VisionOS Codesigning
VisionOS was just released recently. I am looking for information regarding codesigning and notarization. How will codesigning work for VisionOS apps? What kind of signing tools will be used for VisionOS? Will there be a requirement for provisioning profiles for VisionOS apps? Thanks.
2 replies, 1 boost, 504 views, Feb ’24

Inquiry Regarding Notarization of Apps Without Apple Developer Program Membership
I am seeking clarification on the possibility of notarizing apps without an active Apple Developer Program membership, as I currently possess a 10-year installer signing certificate. However, when attempting to store credentials for notarization, I encounter the following error message:

    Error: HTTP status code: 403. A required agreement is missing or has expired. This request requires an in-effect agreement that has not been signed or has expired. Ensure your team has signed the necessary legal agreements and that they are not expired.
1 reply, 0 boosts, 555 views, Jan ’24

Codesigning and Notarization of Python Application Created via py2app
Hello! I'm relatively new (started a week ago) to creating macOS applications. I had built an application in Python for Windows devices, and now I'm looking to distribute the beta to some friends who use Mac devices. I don't intend to put the app on the App Store, so I think that means I won't need to sandbox it. I've figured out how to adapt all of the functionality of the app to work on macOS. I'm able to get the app to run successfully after using py2app and setting the required permissions in my .plist file. However, I'm trying to sign and notarize the functioning application and I'm hitting some challenges. I've tried a few combinations of things, but to no avail, and I'm hoping someone can help me.

I start by running the following to build my .app bundle:

    python setup.py py2app

setup.py:

    from setuptools import setup
    import os

    APP = ['App Name.py']
    DATA_FILES = [
        ('static', ['path/to/icons', 'path/to/styles']),
        ('static/fonts/Inter', ['path/to/font']),
    ]
    OPTIONS = {
        'argv_emulation': True,
        'iconfile': 'App Name.icns',
        'packages': ['chardet', 'charset_normalizer', 'soundfile', 'sounddevice', '_sounddevice_data'],
        'plist': {
            'CFBundleIdentifier': 'com.companyname.appname',
            'CFBundleName': 'App Name',
            'CFBundleVersion': '1.0.0',
            'CFBundleShortVersionString': '1.0.0',
            'CFBundleExecutable': 'App Name',
            'CFBundleIconFile': 'App Name.icns',
            'NSMicrophoneUsageDescription': 'We need access to your microphone to provide transcripts of what you say.',
            'com.apple.security.cs.allow-unsigned-executable-memory': True,
            'com.apple.security.cs.disable-library-validation': True,
            'com.apple.security.cs.allow-jit': True,
        },
    }

    setup(
        app=APP,
        data_files=DATA_FILES,
        options={'py2app': OPTIONS},
        setup_requires=['py2app'],
    )

    os.system('find "dist/App Name.app" -iname "*.so" -or -iname "*.dylib" | while read libfile; do codesign -s "DEVELOPER CERTIFICATE" --timestamp -o runtime --entitlements Info.plist "${libfile}"; done;')

Note that I have some codesigning happening at the bottom based on what I'd seen in some of the other forum posts. After running this, the standalone app works as expected on my computer. I've tried a few things from here, including:

    1. Creating a .dmg of the .app and submitting that for notarization - the response from the notary service just says "invalid" and I'm not sure how to get more details on why the request was invalid.
    2. Codesigning the .app - in this case, the codesign action appears to work when I run it in the terminal. When I double click on the .app bundle after codesigning, the app encounters a fatal error when launching (no errors are reported when launching this from the terminal and no crash logs are created either).
    3. Creating a .dmg of the .app, codesigning the .dmg, and submitting that for notarization - this resulted in an "invalid" response from the notary service (same as #1), but it wasn't clear why my request had failed.

My codesign script looks like this. I've tried this with and without the entitlements record. I've also tried this with and without the --deep flag, which seems to be a thing that other people have tried. For the Info.plist, I copied over the one that was automatically generated by py2app during the creation of the .app bundle, which looked to have all of the permissions my app needed.

    codesign \
      -vvv \
      --strict \
      --force \
      --timestamp \
      --options runtime \
      --entitlements "Info.plist" \
      --sign "Developer ID Application: MY NAME (LETTERS_AND_NUMBERS)" \
      "dist/App Name.app"

My notarization request looks like this.

    xcrun notarytool --vvv submit --wait --keychain-profile "profilename" "dist/App Name.dmg"
    xcrun stapler staple "dist/App Name.dmg"

I had previously successfully codesigned and notarized a simple "hello world" app, so I'm fairly sure my credentials are correct for both my codesign and notarytool.
2 replies, 0 boosts, 1.1k views, Jan ’24

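An added example that applies to the py2app post above and to the Tauri "Launch failed." post earlier on this page (my code, not either poster's). Both hand a bundle's Info.plist to `codesign --entitlements`, and the py2app setup also puts com.apple.security.cs.* keys into the 'plist' option, which generates Info.plist. Those are two different files: Info.plist is bundle metadata read by Launch Services; the entitlements plist is a dictionary that codesign embeds in the signature and that the kernel and dyld enforce at launch. The helper splits one plist into the two sets, writes a clean entitlements file, and lints it. The prefix lists are my own triage classification, not an Apple list, and SAMPLE_PLIST is constructed from the keys quoted in the py2app post.

```python
"""Split one plist into entitlement and Info.plist keys before signing (added example)."""
from __future__ import annotations

import plistlib
import tempfile
from pathlib import Path

ENTITLEMENT_PREFIXES = ("com.apple.security.", "com.apple.developer.",
                        "com.apple.application-identifier", "application-identifier",
                        "keychain-access-groups")
INFO_PLIST_PREFIXES = ("CFBundle", "NS", "LS", "UI", "DT", "BuildMachineOSBuild", "Py")

# Under the hardened runtime a usage description alone does not grant a device;
# the matching resource-access entitlement must be present as well.
USAGE_TO_ENTITLEMENT = {
    "NSMicrophoneUsageDescription": "com.apple.security.device.audio-input",
    "NSCameraUsageDescription": "com.apple.security.device.camera",
}


def classify(key: str) -> str:
    if key.startswith(ENTITLEMENT_PREFIXES):
        return "entitlement"
    if key.startswith(INFO_PLIST_PREFIXES):
        return "info"
    return "unknown"


def split_plist(data: dict) -> dict[str, dict]:
    parts: dict[str, dict] = {"entitlement": {}, "info": {}, "unknown": {}}
    for key, value in data.items():
        parts[classify(key)][key] = value
    return parts


def lint_entitlements(entitlements: dict, info: dict) -> list[str]:
    """Checks worth making before `codesign --options runtime --entitlements`."""
    problems: list[str] = []
    for key, value in entitlements.items():
        if key.startswith(("com.apple.security.cs.", "com.apple.security.device.")) \
                and not isinstance(value, bool):
            problems.append(f"{key}: must be a boolean, got {type(value).__name__}")
    for usage_key, entitlement in USAGE_TO_ENTITLEMENT.items():
        if usage_key in info and not entitlements.get(entitlement):
            problems.append(f"{usage_key} is set but {entitlement} is missing; "
                            "the hardened runtime will deny access to the device")
    if entitlements.get("com.apple.security.cs.disable-library-validation"):
        problems.append("note: disable-library-validation lets libraries not signed by your "
                        "team load into the process; keep it only if a plugin model needs it")
    return problems


def write_entitlements(src: Path, dst: Path) -> dict:
    """Read any plist, write only its entitlement keys to dst, and report what was dropped."""
    with src.open("rb") as fh:
        parts = split_plist(plistlib.load(fh))
    with dst.open("wb") as fh:
        plistlib.dump(parts["entitlement"], fh)
    return {"written": sorted(parts["entitlement"]),
            "dropped_info_keys": sorted(parts["info"]),
            "unknown_keys": sorted(parts["unknown"]),
            "problems": lint_entitlements(parts["entitlement"], parts["info"])}


# Constructed from the keys quoted in the py2app post; values are placeholders.
SAMPLE_PLIST = {
    "CFBundleIdentifier": "com.companyname.appname",
    "CFBundleName": "App Name",
    "CFBundleVersion": "1.0.0",
    "CFBundleShortVersionString": "1.0.0",
    "CFBundleExecutable": "App Name",
    "CFBundleIconFile": "App Name.icns",
    "NSMicrophoneUsageDescription": "We need access to your microphone to provide transcripts of what you say.",
    "com.apple.security.cs.allow-unsigned-executable-memory": True,
    "com.apple.security.cs.disable-library-validation": True,
    "com.apple.security.cs.allow-jit": True,
}


def demo() -> dict:
    """Write SAMPLE_PLIST as an Info.plist, split it, and read the entitlements file back."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "Info.plist", Path(tmp) / "entitlements.plist"
        with src.open("wb") as fh:
            plistlib.dump(SAMPLE_PLIST, fh)
        report = write_entitlements(src, dst)
        with dst.open("rb") as fh:
            report["roundtrip"] = plistlib.load(fh)
        return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Point write_entitlements at the generated Info.plist, then sign with `--entitlements entitlements.plist` and leave the CFBundle and NS keys where they belong. Entitlements are embedded per code object, so the same file (or a narrower one) goes on the nested .so/.dylib files signed in the find loop above as well.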
Notarization fails on "missing agreement", but there is no missing agreement
After years of working flawlessly, notarization stopped working for me. Yesterday it suddenly gave me "Team is not yet configured for notarization"; I contacted developer support as advised by the eskimo (no answer yet), but upon trying again today I got the following:

    Error: HTTP status code: 403. A required agreement is missing or has expired. This request requires an in-effect agreement that has not been signed or has expired. Ensure your team has signed the necessary legal agreements and that they are not expired.

I signed the agreement, everything looks clean and nice, no notifications about any agreement pending approval, but I still get this error.
2 replies, 1 boost, 2.3k views, Jan ’24

Bash script to notarize Mac apps and create ZIP archive for distribution
Greetings, everyone! In case it proves helpful, I've crafted a Bash script to streamline the notarization process. Here's a breakdown of its features:

- Prompts you to select the app for notarization
- Offers optional codesigning before notarization
- Generates a ZIP file for notarization
- Requests your credentials (Apple ID, Team ID, and app-specific password)
- Submits the ZIP file for notarization
- Cleans up by deleting the ZIP file used for notarization
- Staples the app after notarization
- Creates a new ZIP file for distribution

You can check it out on GitHub: Notarization Assistant
1 reply, 0 boosts, 543 views, Dec ’23

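The sequence the script above describes, written out as a checked pipeline (an added example; it is not the Notarization Assistant script and is not from the post). The order is the point: the archive you submit is only a transport for the notary service, the ticket is stapled to the .app on disk, so the archive you distribute has to be built after stapling, which is why the script above deletes the first ZIP and creates a second one. The commands are Apple's documented ones: `ditto -c -k --keepParent` keeps symlinks and resource forks intact, `notarytool submit --wait --output-format json` blocks until the verdict, `stapler staple` and `stapler validate` attach and check the ticket. Command execution is injected so the sequence can be exercised without macOS; the JSON keys read from notarytool's output (id, status) are what the tool prints today and are an assumption of the example, as is the keychain profile name.

```python
"""zip -> submit -> staple -> re-zip as a checked pipeline (added example; not the poster's script)."""
from __future__ import annotations

import json
import subprocess
from pathlib import Path
from typing import Callable

Runner = Callable[[list[str]], str]   # runs argv, returns stdout, raises on non-zero exit


def run_checked(argv: list[str]) -> str:
    """Default runner: real subprocess, fail loudly on any non-zero exit."""
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


def notarize_app(app_path: str | Path, profile: str, run: Runner = run_checked) -> dict:
    """Returns the submission id, status, the notary log on failure, and the distributable ZIP."""
    app = Path(app_path)
    submit_zip = app.with_suffix(".notarize.zip")
    dist_zip = app.with_suffix(".zip")

    # 1. Archive with ditto so Versions/Current links inside frameworks survive.
    run(["ditto", "-c", "-k", "--keepParent", str(app), str(submit_zip)])

    # 2. Submit and block until the notary service answers.
    out = run(["xcrun", "notarytool", "submit", str(submit_zip),
               "--keychain-profile", profile, "--wait", "--output-format", "json"])
    result = json.loads(out)
    submission_id, status = result["id"], result["status"]
    submit_zip.unlink(missing_ok=True)   # the upload archive is never what ships

    if status != "Accepted":
        # 3a. Pull the per-file reasons before giving up; "Invalid" alone says nothing.
        log = run(["xcrun", "notarytool", "log", submission_id, "--keychain-profile", profile])
        return {"id": submission_id, "status": status, "log": log, "artifact": None}

    # 3b. Staple the ticket to the bundle, then confirm the staple took.
    run(["xcrun", "stapler", "staple", str(app)])
    run(["xcrun", "stapler", "validate", str(app)])

    # 4. Only now build the archive users download.
    run(["ditto", "-c", "-k", "--keepParent", str(app), str(dist_zip)])
    return {"id": submission_id, "status": status, "log": None, "artifact": dist_zip}


if __name__ == "__main__":
    import sys
    print(notarize_app(sys.argv[1], sys.argv[2]))
```

Usage on a Mac: `python3 notarize.py dist/MyApp.app AC_PROFILE` after a one-time `xcrun notarytool store-credentials AC_PROFILE`. If you distribute a .dmg or .pkg instead of a ZIP, the same rule applies: staple the disk image or package itself after its own submission, since a ZIP cannot carry a ticket but those containers can.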
Signed Installer but cannot be notarised
I have created an installer with my own app and some apps in the public domain (such as GIMP). The installer and my own app are all signed without error. But after notarisation, it reported that the public-domain app has an error (The signature of the binary is invalid). My own app has no error. I have checked that the public-domain app is signed as well. What is the possible problem and how can I fix it?
1 reply, 0 boosts, 478 views, Jan ’24

questions about Apple's notarization
I've found that notarization seems to be based on the team ID, with a shared history. Is my understanding correct? If an app named ABC is initially notarized under team A, and then later updates are notarized under team B, will there be any issues? In my tests, notarizing the same app under teams A and B didn't cause any problems, but I'm curious about potential issues if there's a change in team IDs in the future. Is it possible to delete the notarization history or transfer it to a different team ID?
1 reply, 0 boosts, 484 views, Jan ’24
