Problem with Notarization after pkgbuild breaking signature

Hi,

I have an app bundled with Electron 6.1.12. If I zip the app and upload it for notarization, the notarization works flawlessly, but I have a makefile that takes that app in order to create a .pkg. When I upload the .pkg for notarization, it fails:


{
  "logFormatVersion": 1,
  "jobId": "7927bcb8-fed3-4d52-bdad-1fa80ae3e56a",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "MyApp-2.1.2.pkg",
  "uploadDate": "2020-06-03T12:42:48Z",
  "sha256": "993601e0aa1df69cde348533c4db17ccccada8adca82f6989775f512ec08119b",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "MyApp-2.1.2.pkg/cl.myapp.myapp.pkg Contents/Payload/Applications/MyApp.app/Contents/MacOS/MyApp",
      "message": "The signature of the binary is invalid.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "MyApp-2.1.2.pkg/cl.myapp.myapp.pkg Contents/Payload/Applications/MyApp.app/Contents/Frameworks/Mantle.framework/Versions/A/Mantle",
      "message": "The signature of the binary is invalid.",
      "docUrl": null,
      "architecture": "x86_64"
    }
  ]
}

I work on Catalina 10.15.4
Xcode 11.5
Build version 11E608c

This is my process:

----------------------------
Packaging app for platform darwin x64 using electron v6.1.12
Bundles created:
/Users/alex/repo/work/myapprepo/build/MyApp-darwin-x64

> pkgbuild --analyze --root build/MyApp-darwin-x64 build/MyApp-darwin-x64.tmp/Info.plist
pkgbuild: Inferring bundle components from contents of build/MyApp-darwin-x64
pkgbuild: Writing new component property list to build/MyApp-darwin-x64.tmp/Info.plist

> plutil -replace BundleIsRelocatable -bool NO build/MyApp-darwin-x64.tmp/Info.plist

> pkgbuild \
    --root build/MyApp-darwin-x64 \
    --scripts scripts/pkg-scripts \
    --filter "version" \
    --filter "LICENSE" \
    --filter "LICENSES.chromium.html" \
    --identifier cl.myapp.myapp \
    --version 2.1.2 \
    --install-location /Applications \
    --component-plist build/MyApp-darwin-x64.tmp/Info.plist \
    build/MyApp-darwin-x64.tmp/cl.myapp.myapp.pkg
pkgbuild: Reading components from build/MyApp-darwin-x64.tmp/Info.plist
pkgbuild: Adding component at MyApp.app/Contents/Frameworks/Electron Framework.framework
pkgbuild: Adding component at MyApp.app/Contents/Frameworks/Mantle.framework
pkgbuild: Adding component at MyApp.app/Contents/Frameworks/MyApp Helper (Plugin).app
pkgbuild: Adding component at MyApp.app/Contents/Frameworks/MyApp Helper (Renderer).app
pkgbuild: Adding component at MyApp.app/Contents/Frameworks/MyApp Helper (GPU).app
pkgbuild: Adding component at MyApp.app/Contents/Frameworks/ReactiveCocoa.framework
pkgbuild: Adding component at MyApp.app/Contents/Frameworks/Squirrel.framework
pkgbuild: Adding component at MyApp.app
pkgbuild: Adding component at MyApp.app/Contents/Frameworks/MyApp Helper.app
pkgbuild: Adding top-level preinstall script
pkgbuild: Adding top-level postinstall script
pkgbuild: Wrote package to build/MyApp-darwin-x64.tmp/cl.myapp.myapp.pkg

> codesign -vvvv --force build/MyApp-darwin-x64/MyApp.app
--prepared:/Users/alex/repo/work/myapprepo/build/MyApp-darwin-x64/MyApp.app/Contents/Frameworks/MyApp Helper (Renderer).app
--validated:/Users/alex/repo/work/myapprepo/build/MyApp-darwin-x64/MyApp.app/Contents/Frameworks/MyApp Helper (Renderer).app
--prepared:/Users/alex/repo/work/myapprepo/build/MyApp-darwin-x64/MyApp.app/Contents/Frameworks/Squirrel.framework/Versions/Current/.
--validated:/Users/alex/repo/work/myapprepo/build/MyApp-darwin-x64/MyApp.app/Contents/Frameworks/Squirrel.framework/Versions/Current/.
--prepared:/Users/alex/repo/work/myapprepo/build/MyApp-darwin-x64/MyApp.app/Contents/Frameworks/MyApp Helper.app
--validated:/Users/alex/repo/work/myapprepo/build/MyApp-darwin-x64/MyApp.app/Contents/Frameworks/MyApp Helper.app
--prepared:/Users/alex/repo/work/myapprepo/build/MyApp-darwin-x64/MyApp.app/Contents/Frameworks/MyApp Helper (Plugin).app
--validated:/Users/alex/repo/work/myapprepo/build/MyApp-darwin-x64/MyApp.app/Contents/Frameworks/MyApp Helper (Plugin).app
--prepared:/Users/alex/repo/work/myapprepo/build/MyApp-darwin-x64/MyApp.app/Contents/Frameworks/MyApp Helper (GPU).app
--validated:/Users/alex/repo/work/myapprepo/build/MyApp-darwin-x64/MyApp.app/Contents/Frameworks/MyApp Helper (GPU).app
--prepared:/Users/alex/repo/work/myapprepo/build/MyApp-darwin-x64/MyApp.app/Contents/Frameworks/Electron Framework.framework/Versions/Current/.
--validated:/Users/alex/repo/work/myapprepo/build/MyApp-darwin-x64/MyApp.app/Contents/Frameworks/Electron Framework.framework/Versions/Current/.
--prepared:/Users/alex/repo/work/myapprepo/build/MyApp-darwin-x64/MyApp.app/Contents/Frameworks/Mantle.framework/Versions/Current/.
--validated:/Users/alex/repo/work/myapprepo/build/MyApp-darwin-x64/MyApp.app/Contents/Frameworks/Mantle.framework/Versions/Current/.
--prepared:/Users/alex/repo/work/myapprepo/build/MyApp-darwin-x64/MyApp.app/Contents/Frameworks/ReactiveCocoa.framework/Versions/Current/.
--validated:/Users/alex/repo/work/myapprepo/build/MyApp-darwin-x64/MyApp.app/Contents/Frameworks/ReactiveCocoa.framework/Versions/Current/.
build/MyApp-darwin-x64/MyApp.app: valid on disk
build/MyApp-darwin-x64/MyApp.app: satisfies its Designated Requirement

> productbuild \
    --synthesize \
    --component build/MyApp-darwin-x64/MyApp.app \
    build/MyApp-darwin-x64.tmp/distribution.xml
productbuild: Adding component at /Users/alex/repo/work/myapprepo/build/MyApp-darwin-x64/MyApp.app
productbuild: Inferred install-location of /Users/alex/repo/work/myapprepo/build/MyApp-darwin-x64
productbuild: Wrote synthesized distribution to build/MyApp-darwin-x64.tmp/distribution.xml

> productbuild \
    --package-path build/MyApp-darwin-x64.tmp \
    --distribution build/MyApp-darwin-x64.tmp/distribution.xml \
    dist/MyApp-darwin-x64/MyApp-2.1.2-unsigned.pkg
productbuild: Wrote product to dist/MyApp-darwin-x64/MyApp-2.1.2-unsigned.pkg

> productsign --sign "Developer ID Installer: MyApp Spa" dist/MyApp-darwin-x64/MyApp-2.1.2-unsigned.pkg dist/MyApp-darwin-x64/MyApp-2.1.2.pkg
productsign: using timestamp authority for signature
productsign: signing product with identity "Developer ID Installer: MyApp Spa (82MR2HB5GM)" from keychain /Library/Keychains/System.keychain
productsign: adding certificate "Developer ID Certification Authority"
productsign: adding certificate "Apple Root CA"
productsign: Wrote signed product archive to dist/MyApp-darwin-x64/MyApp-2.1.2.pkg

> ./notarize.sh dist/MyApp-darwin-x64/MyApp-2.1.2.pkg


The last line is my script for notarization.

I would appreciate any help or tips.

Thanks

Replies

The first thing I do in situations like this is unpack the installer and check the signature of the items that the notary service is complaining about (using codesign -v -vvv). If it fails to verify then you know that something about your packaging is broken. In that case, you can diff it against a pre-packaging copy to see what’s actually broken. That should give you a clue as to what’s going wrong.

If the signature does verify then there’s something about your package that’s causing the notary service to unpack it wrongly. I’ve never seen that before but, hey, there’s a first time for everything. If that turns out to be the case then post back here and I’ll think about the next step.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thanks for your reply,


I installed the .pkg and then ran codesign -v -vvv /Applications/MyApp.app, getting this:

--prepared:/Applications/MyApp.app/Contents/Frameworks/Squirrel.framework/Versions/Current/.
--validated:/Applications/MyApp.app/Contents/Frameworks/Squirrel.framework/Versions/Current/.
--prepared:/Applications/MyApp.app/Contents/Frameworks/MyApp Helper (Renderer).app
--validated:/Applications/MyApp.app/Contents/Frameworks/MyApp Helper (Renderer).app
--prepared:/Applications/MyApp.app/Contents/Frameworks/MyApp Helper (GPU).app
--validated:/Applications/MyApp.app/Contents/Frameworks/MyApp Helper (GPU).app
--prepared:/Applications/MyApp.app/Contents/Frameworks/MyApp Helper.app
--validated:/Applications/MyApp.app/Contents/Frameworks/MyApp Helper.app
--prepared:/Applications/MyApp.app/Contents/Frameworks/MyApp Helper (Plugin).app
--validated:/Applications/MyApp.app/Contents/Frameworks/MyApp Helper (Plugin).app
--prepared:/Applications/MyApp.app/Contents/Frameworks/ReactiveCocoa.framework/Versions/Current/.
--validated:/Applications/MyApp.app/Contents/Frameworks/ReactiveCocoa.framework/Versions/Current/.
--prepared:/Applications/MyApp.app/Contents/Frameworks/Mantle.framework/Versions/Current/.
--validated:/Applications/MyApp.app/Contents/Frameworks/Mantle.framework/Versions/Current/.
--prepared:/Applications/MyApp.app/Contents/Frameworks/Electron Framework.framework/Versions/Current/.
--validated:/Applications/MyApp.app/Contents/Frameworks/Electron Framework.framework/Versions/Current/.
/Applications/MyApp.app: a sealed resource is missing or invalid
file missing: /Applications/MyApp.app/Contents/Resources/app/remote/semantic/.versions
file missing: /Applications/MyApp.app/Contents/Resources/app/remote/semantic/LICENSE



I also ran codesign -vvv --deep --strict /Applications/MyApp.app:

--prepared:/Applications/MyApp.app/Contents/Frameworks/MyApp Helper (Renderer).app
--validated:/Applications/MyApp.app/Contents/Frameworks/MyApp Helper (Renderer).app
--prepared:/Applications/MyApp.app/Contents/Frameworks/Squirrel.framework/Versions/Current/.
--prepared:/Applications/MyApp.app/Contents/Frameworks/MyApp Helper (Plugin).app
--validated:/Applications/MyApp.app/Contents/Frameworks/MyApp Helper (Plugin).app
--validated:/Applications/MyApp.app/Contents/Frameworks/Squirrel.framework/Versions/Current/.
--prepared:/Applications/MyApp.app/Contents/Frameworks/Mantle.framework/Versions/Current/.
--prepared:/Applications/MyApp.app/Contents/Frameworks/MyApp Helper (GPU).app
--validated:/Applications/MyApp.app/Contents/Frameworks/MyApp Helper (GPU).app
--prepared:/Applications/MyApp.app/Contents/Frameworks/ReactiveCocoa.framework/Versions/Current/.
--validated:/Applications/MyApp.app/Contents/Frameworks/ReactiveCocoa.framework/Versions/Current/.
--prepared:/Applications/MyApp.app/Contents/Frameworks/Electron Framework.framework/Versions/Current/.
--validated:/Applications/MyApp.app/Contents/Frameworks/Electron Framework.framework/Versions/Current/.
/Applications/MyApp.app: a sealed resource is missing or invalid
In subcomponent: /Applications/MyApp.app/Contents/Frameworks/Mantle.framework
file missing: /Applications/MyApp.app/Contents/Frameworks/Mantle.framework/Versions/Current/Headers/NSValueTransformer+MTLInversionAdditions.h



codesign -v -vvv /Applications/MyApp.app/Contents/Frameworks/Mantle.framework/Versions/A/Mantle

/Applications/MyApp.app/Contents/Frameworks/Mantle.framework/Versions/A/Mantle: a sealed resource is missing or invalid
file missing: /Applications/MyApp.app/Contents/Frameworks/Mantle.framework/Versions/A/Headers/NSValueTransformer+MTLInversionAdditions.h



Thank you. Although I still have the problem, I think this narrows the scope.

With regards to "a sealed resource is missing or invalid", a sealed resource is an item that’s covered by the code signature. When you sign a bundle, the code signing mechanism looks through the bundle to build a list of files that should be covered by that signature. If you get this error it means that one of those files has either gone missing or has been modified since you signed the bundle. As illustrated by the listings you posted, if you apply enough -v flags, codesign will print the path to the problematic item.

There’s really only three possibilities here:

  • These files were missing before you started this process (A).

  • These files were dropped by the tool that’s creating your installer package (B).

  • These files were dropped by the installation process (C).

I suspect that A applies, but that’s just a guess. The best way to investigate this is to list the contents of the installer package. That’ll let you rule out C.

Personally I do this sort of thing with the Pacifist app but, if you don’t have that, you can use pkgutil. For example:
% pkgutil --payload-files PrivilegedTool.pkg 
.
./usr
./usr/local
./usr/local/bin
./usr/local/bin/PrivilegedTool

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
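
Added example (not part of the thread, and not code from either poster): one way to carry out the comparison suggested above, listing paths that are in the pre-packaging bundle but absent from the package payload and showing which pkgbuild --filter expression matches each one. The function names and the sample lists are constructed from paths quoted in the thread; it assumes, as the pkgbuild man page describes, that each --filter value is an extended regular expression and that any path under --root matching it is excluded from the payload.

```shell
#!/bin/sh
# Added example, not from the thread; function names and sample lists are constructed.

# Print paths present in SRC_LIST but absent from PAYLOAD_LIST (one path per line).
#   SRC_LIST:     (cd build/MyApp-darwin-x64 && find .) > src.txt     # before pkgbuild
#   PAYLOAD_LIST: pkgutil --payload-files cl.myapp.myapp.pkg > payload.txt
list_dropped() {
  grep -Fxv -f "$2" "$1" | LC_ALL=C sort
}

# Read dropped paths on stdin; print "<path><TAB><first filter that matches>".
# Assumption: a --filter value is applied as an unanchored, case-sensitive ERE.
explain_dropped() {
  while IFS= read -r ed_path; do
    ed_hit="(none)"
    for ed_f in "$@"; do
      if printf '%s\n' "$ed_path" | grep -Eq -e "$ed_f"; then
        ed_hit=$ed_f
        break
      fi
    done
    printf '%s\t%s\n' "$ed_path" "$ed_hit"
  done
}

# Constructed sample: the source list holds paths quoted in the thread; the payload
# list omits the three files that codesign reported as "file missing".
demo() {
  d=$(mktemp -d) || return 1
  cat > "$d/src.txt" <<'EOF'
./MyApp.app/Contents/MacOS/MyApp
./MyApp.app/Contents/Resources/app/remote/semantic/.versions
./MyApp.app/Contents/Resources/app/remote/semantic/LICENSE
./MyApp.app/Contents/Frameworks/Mantle.framework/Versions/A/Mantle
./MyApp.app/Contents/Frameworks/Mantle.framework/Versions/A/Headers/NSValueTransformer+MTLInversionAdditions.h
EOF
  cat > "$d/payload.txt" <<'EOF'
./MyApp.app/Contents/MacOS/MyApp
./MyApp.app/Contents/Frameworks/Mantle.framework/Versions/A/Mantle
EOF
  # The three --filter values from the pkgbuild invocation in the first post.
  list_dropped "$d/src.txt" "$d/payload.txt" |
    explain_dropped 'version' 'LICENSE' 'LICENSES.chromium.html'
  rm -rf "$d"
}

demo
```

A path reported with "(none)" is not explained by the filters and points back to the other two possibilities listed above.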