How do I remove the malicious software error? Notarization does not work

This question seems like it may have been asked before but I can't find the right answer.

I've bundled my app into a package which is signed and notarized, but when I try to install it I see the error:

can’t be opened because Apple cannot check it for malicious software.


The package has been signed:
sudo pkgutil --check-signature [PKG_PATH]
yields
Status: signed by a developer certificate issued by Apple for distribution
...

After forcing it to install I see that the installed app is also signed:
sudo codesign -d --verbose=4 [APP_PATH]
yields
...
CDHash=4ab0ad946f99b5bc54fe5203e91be9cb596e5b82
Signature size=8970
Authority=Developer ID Application: ______ (XXXXXX)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Jun 22, 2020 at 5:50:07 PM
...

The bundle is also notarized:
sudo spctl -a -vv [APP_PATH]
yields
source=Notarized Developer ID
origin=Developer ID Application: ___ (XXXXX)


What else could I have possibly missed? How do I remove this error so I can install the product?

The above command confirms that the app bundle is notarized, so the next step is to check whether the package was properly notarized. You can do that with the following command, which should also evaluate as properly notarized like the app bundle:

spctl -a -t install -vv [PKG_PATH]

Output from spctl -a -t install -vv [PKG_PATH]:
rejected
source=Unnotarized Developer ID
origin=Developer ID Installer: ____ (XXXXX)

Output from spctl -a -t install -vv [APP_PATH] after force installing:
accepted
source=Notarized Developer ID
origin=Developer ID Application: _____ (XXXXX)


So I take it from this that the package needs to be notarized as well as the app itself?

FYI
I see there are a few threads about this with no solution
https://developer.apple.com/forums/thread/123480 or https://developer.apple.com/forums/thread/130237

Our general advice is that you sign everything from the inside out and then notarise the outermost container. So if you plan to distribute the installer package to your end users, that’s what you should notarise. OTOH, if you plan to put that installer package on a disk image and distribute that to your end users, you should notarise the disk image.

For more specific advice, see Signing a Mac Product For Distribution.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
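
An added example, not part of the thread and not Apple's tooling: a release gate that parses `spctl` assessment text and passes only when the outermost container is itself notarized, which is the case this thread tripped over (notarized app inside an unnotarized package). The sample outputs are the ones quoted in the thread; the function names and the `PKG_PATH` environment variable are assumptions.

```shell
#!/bin/sh
# Added example: classify Gatekeeper assessment text from `spctl -a -vv`.
# Function names and the PKG_PATH variable are assumptions, not Apple tooling.

# Read spctl output on stdin; print notarized | unnotarized | rejected | unknown.
classify_assessment() {
    verdict="" src=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            source=*)                src=${line#source=} ;;
            accepted|*": accepted")  verdict=accepted ;;
            rejected|*": rejected")  verdict=rejected ;;
        esac
    done
    if [ "$verdict" = accepted ] && [ "$src" = "Notarized Developer ID" ]; then
        echo notarized
    elif [ "$src" = "Unnotarized Developer ID" ]; then
        echo unnotarized      # Developer ID signature present, not notarized
    elif [ "$verdict" = rejected ]; then
        echo rejected
    else
        echo unknown
    fi
}

# Succeed only if the assessment text passed as $1 classifies as "notarized".
gate_outermost() {
    [ "$(printf '%s\n' "$1" | classify_assessment)" = notarized ]
}

# Outputs quoted in this thread (identities are redacted there).
SAMPLE_PKG='rejected
source=Unnotarized Developer ID
origin=Developer ID Installer: ____ (XXXXX)'
SAMPLE_APP='accepted
source=Notarized Developer ID
origin=Developer ID Application: _____ (XXXXX)'

printf 'installer package: %s\n' "$(printf '%s\n' "$SAMPLE_PKG" | classify_assessment)"
printf 'nested app:        %s\n' "$(printf '%s\n' "$SAMPLE_APP" | classify_assessment)"

# On a Mac, gate the container that actually ships (PKG_PATH is an assumption).
if command -v spctl >/dev/null 2>&1 && [ -n "${PKG_PATH:-}" ]; then
    out=$(spctl -a -t install -vv "$PKG_PATH" 2>&1 || true)
    if gate_outermost "$out"; then echo "ship"; else echo "do not ship: $out"; fi
fi
```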