My app is notarised, still in quarantine

Hello,


After building my app, I am notarizing it, and even getting a mail from Apple like:

----

Dear Cenk,


Your Mac software has been notarized. You can now export this software and distribute it directly to users.


Bundle Identifier: *****

Request Identifier: *****

----


If I run the command:


spctl -a -v MyApp.app


I am getting:


FluxTool.app: accepted
source=Notarized Developer ID


But when I open my app, I am getting the error as quarantine:


“MyApp” can’t be opened because the identity of the developer cannot be confirmed.


I am stuck at this point. I am doing everything right, but still, my app is quarantined. What can be the reason? Can anyone help?

Replies

I saw the same thing happen yesterday on 10.15 beta 3, but in my case it was a loadable bundle that couldn't be loaded instead of the main application. Also, in my situation, I had not stapled the ticket to the bundle--I was relying on Gatekeeper to pull information about notarization from online.


To "fix" the problem, I re-opened the .dmg file containing my application and loadable bundles, and copied everything in the .dmg to a new location. I then ran the new copy of the application, which loaded the bundle successfully. I then went back to the original version of the application which at first would not load and now it loaded just fine.


Just to be clear, both copies of the application and the loadable bundles were identical. Also, as in your case, spctl claimed that the loadable bundle was notarized, except when I tried to actually load it I got the same error dialog you got.

Are you testing this on 10.14.5? Or 10.15 beta?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I am testing on macOS Mojave 10.14.5

I have confirmed this behavior, can you please use Feedback Assistant to file a… feedback(?). Please include the UUID of your most recent submission in the feedback so it can be directed to the proper team.


Thanks!


FWIW, this occurs when any Mach-Os in an app use @rpath in their linker commands. @rpath is disabled when the hardened runtime is enabled due to security concerns and the launch will fail.


You can track down which file is causing the issue by running the following command in the Terminal after running the app:


log show --info --predicate "process =='XprotectService' and composedMessage contains 'rPathCommand'" --last 10m


Note that it'll only show the first failure, even if @rpath is used in multiple places.

This is the result:


log show --info --predicate "process =='XprotectService' and composedMessage contains 'rPathCommand'" --last 10m



Filtering the log data using "process == "XprotectService" AND composedMessage CONTAINS "rPathCommand""

Skipping debug messages, pass --debug to include.

Timestamp Thread Type Activity PID TTL

--------------------------------------------------------------------------------------------------------------------

Log - Default: 0, Info: 0, Debug: 0, Error: 0, Fault: 0

Activity - Create: 0, Transition: 0, Actions: 0

The command only looks at the last 10 minutes of errors (the --last 10m part) so it'll only catch the rejection if you saw the dialog in the last 10 minutes. Increase the time to search further back. It's meant to be run in the "launch MyApp.app; see the 'unidentified developer' message; run the log command" order.


I limited it to the last 10 minutes because it can take a while for the log command to search the logs and return results.
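
A reply above notes that the log query reports only the first failure even when @rpath is used in several places. As an added example (not part of the thread and not Apple's tooling), this script lists every LC_RPATH entry and every @rpath-relative dylib reference in a bundle by parsing `otool -l` output; the function names and the embedded sample output are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread: list every @rpath use in an app bundle.

# Reads `otool -l` output on stdin. Prints one line per LC_RPATH entry and per
# dylib load command whose install name starts with @rpath/.
rpath_uses() {
    awk '
        function value(line) {
            sub(/^ *[a-z]+ +/, "", line)          # drop the path/name key
            sub(/ \(offset [0-9]+\)$/, "", line)  # drop the trailing offset
            return line
        }
        $1 == "cmd" { cmd = $2; next }
        $1 == "path" && cmd == "LC_RPATH" { print cmd, value($0) }
        $1 == "name" && cmd ~ /^LC_(LOAD|LOAD_WEAK|REEXPORT)_DYLIB$/ {
            v = value($0)
            if (v ~ /^@rpath\//) print cmd, v
        }
    '
}

# Runs otool -l (macOS, Xcode command line tools) on every file in the bundle
# and reports each file with hits; non-Mach-O files yield no load commands.
scan_bundle() {
    find "$1" -type f | while IFS= read -r f; do
        hits=$(otool -l "$f" 2>/dev/null | rpath_uses)
        if [ -n "$hits" ]; then
            printf '%s\n' "$f"
            printf '%s\n' "$hits" | sed 's/^/    /'
        fi
    done
}

# Constructed sample of `otool -l` output, used when no bundle path is given.
sample_otool_output() {
    cat <<'EOF'
Load command 10
          cmd LC_LOAD_DYLIB
         name @rpath/Helper.framework/Versions/A/Helper (offset 24)
Load command 11
          cmd LC_LOAD_DYLIB
         name /usr/lib/libSystem.B.dylib (offset 24)
Load command 12
          cmd LC_RPATH
         path @loader_path/My Libs (offset 12)
EOF
}

if [ "$#" -gt 0 ]; then scan_bundle "$1"; else sample_otool_output | rpath_uses; fi
```

Run it with the path to the .app as the only argument to scan a real bundle; with no argument it parses the constructed sample.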