Hello,
I am the author of xcnotary, an open source tool to help developers automate their notarization workflow. I wanted to clarify the following behavior to make sure I'm providing users with correct instructions.
I can see that the notarization service inspects the content inside .pkg/.dmg submissions. For example, if I attempt to notarize a signed package containing an improperly signed .app bundle, the service correctly fails.
The service does also appear to notarize the enclosed bundle (checked using "spctl -a -t exec -v"). However, the bundle isn't stapled, and so would need a network request on the first run (checked using "stapler validate -v" with the network turned off).
My question is: what is the general "contract" the notarization service expects to provide:
- Will it always notarize enclosed bundles?
- Is it expected that it won't be stapling them?
If so, in the interest of shipping bundles that are already stapled, should the build process always be two-step as follows?
- Notarize and staple the .app bundle.
- Package it into a container (.dmg/.pkg), and then notarize and staple that container.
Thank you,
David
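The two-step build described in the question, as an added example script (not the poster's code and not part of xcnotary). It assumes macOS with the Xcode command-line tools, an .app that is already Developer ID signed, and the placeholder notarytool keychain profile and signing identity named in the script; it submits with notarytool rather than altool.

```shell
#!/bin/sh
# Two-step notarize-and-staple pipeline (added example; not the poster's or xcnotary's code).
# Assumes: macOS with Xcode command-line tools, an already-codesigned .app (Developer ID,
# hardened runtime, secure timestamp), plus the placeholder profile/identity below.
set -eu
PROFILE="${NOTARY_PROFILE:-AC_PROFILE}"                                  # placeholder profile
IDENTITY="${SIGN_IDENTITY:-Developer ID Application: Example (TEAMID)}"  # placeholder identity

# Gatekeeper assessment type matching how each artifact is evaluated on first use.
spctl_type() {
  case "$1" in
    *.app) echo exec ;;
    *.pkg) echo install ;;
    *.dmg) echo open ;;
    *) echo "unsupported artifact: $1" >&2; return 1 ;;
  esac
}

# Submit one artifact, block until Apple returns a verdict, then staple its ticket to it.
notarize_and_staple() {
  artifact="$1"; submit="$1"
  case "$artifact" in
    *.app)  # notarytool accepts .zip/.pkg/.dmg; the ticket is stapled to the .app itself
      submit="${artifact%.app}.zip"
      ditto -c -k --keepParent "$artifact" "$submit" ;;
  esac
  xcrun notarytool submit "$submit" --keychain-profile "$PROFILE" --wait
  xcrun stapler staple "$artifact"
}

# Offline proof: the ticket validates without a network request and Gatekeeper accepts it.
verify_offline() {
  xcrun stapler validate -v "$1"
  case "$1" in
    *.dmg) spctl -a -t open --context context:primary-signature -v "$1" ;;
    *)     spctl -a -t "$(spctl_type "$1")" -v "$1" ;;
  esac
}

# Usage: sh notarize.sh build/MyApp.app build/MyApp.dmg
main() {
  app="$1"; dmg="$2"
  notarize_and_staple "$app"; verify_offline "$app"   # step 1: the bundle carries its own ticket
  hdiutil create -volname "$(basename "$app" .app)" -srcfolder "$app" -ov -format UDZO "$dmg"
  codesign --sign "$IDENTITY" --timestamp "$dmg"      # step 2: package the stapled app ...
  notarize_and_staple "$dmg"; verify_offline "$dmg"   # ... then notarize and staple the container
}
if [ "$#" -ge 2 ]; then main "$@"; fi
```

Run it with the network disabled after it completes to confirm that both `stapler validate` and `spctl` still pass for the .app and for the container.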