New issue with notarization - included 3rd party binary in package

Up until today our notarization process was working fine. Please note this is for an application developed using Xamarin for Mac, so I don't use Xcode-based notarization, rather a command-line process.

Within our application we package 'wkhtmltopdf' to generate PDFs, and now it looks like this is causing an issue. Attempting to notarize now causes an issue, and the pertinent parts of the log file are like so:

"issues": [
  {
    "severity": "error",
    "code": null,
    "path": "OURAPP.zip/OURAPP.app/Contents/Resources/Util/wkhtmltopdf",
    "message": "The binary is not signed.",
    "docUrl": null,
    "architecture": "x86_64"
  },
  {
    "severity": "error",
    "code": null,
    "path": "OURAPP.zip/OURAPP.app/Contents/Resources/Util/wkhtmltopdf",
    "message": "The signature does not include a secure timestamp.",
    "docUrl": null,
    "architecture": "x86_64"
  },
  {
    "severity": "error",
    "code": null,
    "path": "OURAPP.zip/OUR.app/Contents/Resources/Util/wkhtmltopdf",
    "message": "The executable does not have the hardened runtime enabled.",
    "docUrl": null,
    "architecture": "x86_64"
  }
]

Frankly, I'm not sure where to go from here. It looks to me as though I need to build and sign the wkhtmltopdf binary with our Developer ID - ?

Any advice would be appreciated, thanks!

Answered by DTS Engineer in 620125022

It looks to me as though I need to build and sign the wkhtmltopdf binary with our Developer ID?

That’s correct. Well, you don’t need to build it but you do need to sign it. All code in your product must be signed by a valid Developer ID. It must also have a secure timestamp. And main executables, like wkhtmltopdf, must enable the hardened runtime.

For a description of how to do that, see my Signing a Mac Product For Distribution.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
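
The answer's three requirements map directly onto `codesign` options. The sketch below is an added example, not code from the thread or from Apple: it reads a notarization log like the one in the question and builds the `codesign` invocation each flagged binary needs. The signing identity and the sample log are constructed placeholders; `--sign`, `--force`, `--timestamp` and `--options runtime` are existing `codesign` options.

```python
import json
import shlex

# codesign options that address each notary message quoted in the question.
OPTIONS_FOR = {
    "The binary is not signed.": [],  # resolved by signing at all
    "The signature does not include a secure timestamp.": ["--timestamp"],
    "The executable does not have the hardened runtime enabled.": ["--options", "runtime"],
}

def plan_signing(log_text, identity):
    """Return (codesign argv lists, deepest path first; issues with no known fix)."""
    needed, unknown = {}, []
    # A clean log can carry "issues": null, so fall back to an empty list.
    for issue in json.loads(log_text).get("issues") or []:
        # Log paths begin with the uploaded archive name; drop that component.
        path = issue["path"].partition("/")[2] or issue["path"]
        opts = OPTIONS_FOR.get(issue["message"])
        if opts is None:
            unknown.append(issue)  # surface it instead of guessing a fix
            continue
        seen = needed.setdefault(path, [])
        for opt in opts:
            if opt not in seen:
                seen.append(opt)
    # Nested code is signed before whatever contains it.
    ordered = sorted(needed, key=lambda p: p.count("/"), reverse=True)
    commands = [["codesign", "--sign", identity, "--force", *needed[p], p]
                for p in ordered]
    return commands, unknown

# Constructed sample in the shape of the log above; all names are placeholders.
_BIN = "OURAPP.zip/OURAPP.app/Contents/Resources/Util/wkhtmltopdf"
SAMPLE_LOG = json.dumps({"issues": [
    {"severity": "error", "path": _BIN, "message": msg, "architecture": "x86_64"}
    for msg in OPTIONS_FOR
] + [{"severity": "warning", "path": _BIN, "message": "constructed unknown message"}]})

if __name__ == "__main__":
    cmds, rest = plan_signing(SAMPLE_LOG, "Developer ID Application: Example (TEAMID)")
    for argv in cmds:
        print(shlex.join(argv))
    for issue in rest:
        print("unhandled:", issue["message"])
```

After signing the nested binary, re-sign the enclosing app, because the app's signature seals the contents of its bundle.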
Thank you very much, I shall have a crack at things after reading through the contents of your link.

Thanks again, that did the trick, and I've noted that link for future reference if needed again.