Notarization error: "The signature algorithm used is too weak"

I wonder if anyone's familiar with this error which only happens when I upload my apps to Apple for notarization:



"AppName.zip/AppName.app/Contents/Resources/EWSMacCompress.tar.gz/EWSMacCompress.tar/EWSMac.framework/Versions/A/EWSMac83886082"

"The signature algorithm used is too weak."



Additional info:


-I've been signing my apps for years with no issues. The error only happens when sending the apps for notarization.


-I submitted a bug back in November 2018, provided Apple with all the info they asked for - but it was never addressed further.


-I recently contacted Apple again and they pointed me to some resource page that was last updated back in 2016, which doesn't provide any solution either.


-A search on this error didn't produce anything useful.


-The tar.gz file in question is an eSellerate licensing framework. As many people may know, it's been a popular licensing platform for Mac software for over a decade. While I switched to a different licensing platform some time ago, I still have thousands of customers with eSellerate licenses (as I'm sure is the situation with many other Mac developers).


As far as I understand, this whole situation has something to do with signing files inside tar.gz archives - on which I couldn't find any info either.


Any help will be appreciated!



Thanks,

Leo

Replies

Why don't you just include the framework in the appropriate location in your app bundle? Then it would get re-signed along with everything else. If it doesn't work when you do that, then that would be an eSellerate problem. You could try downloading the framework and dynamically loading it after the fact.

The notarisation system will look inside various container formats. I wasn't aware that it knew about .tar.gz, but that doesn't surprise me.

It's weird that you have a framework embedded in a .tar.gz. Why is that?

The "The signature algorithm used is too weak" message indicates that the framework was signed with ancient developer tools. You'll need to get a framework with a better signature. The best place to get this would be from your vendor. Have you asked them about this?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Quinn, thanks for your answer.


The tar.gz thing is the way eSellerate distributed their licensing framework as part of their e-commerce system. They've been in business since the early 2000s. The framework location cannot be changed as it's connected to other libraries and classes that enable the licensing process.


eSellerate was a popular - if not the most popular - licensing and e-commerce platform for Mac software up to a few years ago. There must still be hundreds or thousands of apps that contain those frameworks for backwards compatibility, to support the customers who purchased their licenses via eSellerate.


You also mentioned that I need to "get a framework with a better signature". But as far as I understand, what's important is the signature I'm using right now, as it's my responsibility to sign my app anyway; I have several other 3rd-party frameworks that I sign with no issues. I'm using the --force option with codesign, which replaces any existing signatures anyway. Or am I missing something?


I'm on latest versions of Xcode and Mojave.


Thanks,

Leo

Thanks John - please see my reply to eskimo below.

I checked the eSellerate web site and they do mention that tarball. That's crazy. Apparently they say it is to keep the installer file smaller. You can use the EWSMac.framework itself without the tarball wrapper. You should do that.

Thanks John for taking your time and looking into this.


I now vaguely recall that when eSellerate introduced those new frameworks years ago I tried to use them - but it never worked out (for reasons I don't remember by now) - so I switched back to the tar.gz thing.


I downloaded and tried them again. I could compile the app. BUT now every time I got to the Upload stage in Xcode Organizer, Xcode crashed when I clicked the Next button. Relaunched Xcode, restarted the Mac - it still crashes every time. Maybe it has something to do with the reason I never used those frameworks.


Fun.


Anyway, the issue is now solved - thanks to someone's advice on Stack Overflow.


I need to unpack the framework, sign it, then re-package as tar.gz again.


I added this process as a Run Script phase in Xcode. The app was eventually notarized.


Thanks again for looking into this.

Thanks Quinn,


The issue is now solved - I need to sign the framework first, then package as tar.gz (you can see my reply to John below).
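The unpack, sign and repack step Leo describes above (in his reply to John and again in this note to Quinn), written out as an added example. This is not the poster's own Run Script phase and not eSellerate's code. It assumes the framework sits at the top level of the tarball, as the path in the error message suggests, takes the tarball, framework name and signing identity as arguments, and lets CODESIGN be pointed at a stand-in so the script can be exercised off macOS:

```shell
#!/bin/sh
# Added example, not the poster's script or eSellerate's: re-sign a framework
# that ships inside a .tar.gz so the notarization service sees a current
# signature instead of the vendor's old one.
# Assumptions (hypothetical, not from the thread): the framework is at the top
# level of the archive; TARBALL/FRAMEWORK/IDENTITY below are placeholders.
set -eu

CODESIGN="${CODESIGN:-codesign}"   # can point at a stub when not on macOS

# resign_tarball TARBALL FRAMEWORK_NAME IDENTITY
# Rewrites TARBALL in place; returns non-zero if the framework is missing or
# codesign fails.
resign_tarball() {
    tarball="$1"; framework="$2"; identity="$3"
    case "$tarball" in
        /*) abs="$tarball" ;;
        *)  abs="$PWD/$tarball" ;;
    esac

    work="$(mktemp -d)"
    tar -xzf "$tarball" -C "$work"
    if [ ! -d "$work/$framework" ]; then
        echo "resign_tarball: $framework not found at top level of $tarball" >&2
        rm -rf "$work"
        return 1
    fi

    # --force replaces the vendor's existing signature instead of refusing to
    # sign over it; --timestamp and --options runtime (secure timestamp,
    # hardened runtime) are what notarization expects of Developer ID code.
    "$CODESIGN" --force --timestamp --options runtime \
        --sign "$identity" "$work/$framework"
    # Fail the build here rather than at upload time if the signature is bad.
    "$CODESIGN" --verify --strict --verbose=2 "$work/$framework"

    # Repack from inside the work dir so the archive keeps the same layout
    # (framework at top level, symlinks such as Versions/Current preserved).
    tmp_out="$(mktemp)"
    ( cd "$work" && tar -czf "$tmp_out" "$framework" )
    mv "$tmp_out" "$abs"
    rm -rf "$work"
}

# list_archive TARBALL: prints the member paths, to confirm the repack.
list_archive() {
    tar -tzf "$1"
}

# Example invocation (placeholders); in an Xcode Run Script phase the tarball
# would be under "$CODESIGNING_FOLDER_PATH/Contents/Resources" and the identity
# "$EXPANDED_CODE_SIGN_IDENTITY_NAME", and the phase must run before Xcode
# signs the app bundle.
# resign_tarball EWSMacCompress.tar.gz EWSMac.framework \
#     "Developer ID Application: Example Corp (TEAMID1234)"
```

Before re-signing, `codesign -d --verbose=4 EWSMac.framework` on the unpacked vendor copy shows the hash algorithms in its current signature; a signature that offers only sha1 is the kind the service rejects as "too weak", and a re-sign with current tools replaces it.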