Latest version of Xcode for 10.12.6 and notarization question

Hi, I am trying to notarize an installer package on 10.12.6 and I get the message "unable to find utility altool, not a developer tool or in PATH". I currently have Xcode 8 on this system. I have seen conflicting information about which is the earliest OS I can use to notarize, and which version of Xcode I need. Can somebody confirm the correct requirements?

I did try downloading XCode 10 but it won't run "This version of Xcode does not run on this mas OS"


What is this conflicting information? You aren't going to find any notarization tools in Xcode from before notarization existed. Apple isn't going to re-release those old versions. You can notarize existing binaries that are built for 10.9 or later, but you have to have a recent version of Xcode.
Ok... On this page:
https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution

"Notarization requires Xcode 10 or later. Building a new app for notarization requires macOS 10.13.6 or later. Stapling an app requires macOS 10.12 or later."

This would seem to be saying that notarization is possible on 10.12, or maybe it can literally only be stapled on 10.12 but not notarized (not sure if that makes sense).

Anyhow, I have an installer package that has been signed (on OS 10.12.6) and I would like to notarize it now (on OS 10.12.6). I am wondering if this is possible, if so presumably there is a command line tool set or Xcode version that I can download from my developer account. Hence my question.

not sure if that makes sense

I’m not sure it makes sense either )-: I was under the impression that stapler was part of the OS but a quick test indicates that it’s not. I think you can make this work by extracting stapler from a recent Xcode but it’s hard to be sure. Regardless, it doesn’t really matter here because the first hurdle is notarisation.

On that front, the other place you can get altool in is the Transporter app, but it also requires macOS 10.13.

Can you update your Mac to 10.13? If so, that’s seems like the best option. If not, you may be able to run 10.13 in a VM on 10.12 and then do your notarisation from there (although if your Mac is so old it can’t run 10.13 it may not be up for Mac-on-Mac virtualisation).

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
Thank you. I have updated to OS 10.13.6 now. XCode 10 now works, and I can successfully notarize an installer package.

However, I now have a problem stapling. (I have tried recompling and notarizing several times with same result)
When I enter this command after notarizing:

xcrun stapler staple -v "myInstaller.pkg"

I get this:

...
...
...
Downloaded ticket has been stored at file:///var/folders/pd/rf2jcjzj0g1f3hw04l19r1fcsq1r5/T/b65b63be-30e8-4ff6-986f-02682df537bc.ticket.
Attempting to attach a new ticket to myInstaller.pkg. Let’s see how that works out.
Processing: myInstaller.pkg
Properties are {
  NSURLIsDirectoryKey = 0;
  NSURLIsPackageKey = 0;
  NSURLIsSymbolicLinkKey = 0;
  NSURLLocalizedTypeDescriptionKey = “Installer package”;
  NSURLTypeIdentifierKey = “com.apple.installer-package-archive”;
  “
NSURLIsApplicationKey” = 0;
}
We do not know how to deal with trailer version 65055. Exepected 1
Although we wrote the ticket, the written data did not validate. Please restore myInstaller.pkg from backup to try again.
The staple and validate action failed! Error 73.



To add something that may be relevant after further testing...
On another dev computer that our team has (with Mojave), stapler does work.

When I type the following command for myInstaller.pkg (which HAS been successfully notarized) , I get a slightly different result on each machine.

spctl -a -t install -vvvv myInstaller.pkg

On the 10.13 machine:
myInstaller.pkg: accepted
source=Developer ID
origin=Developer ID Installer: myCompany

On the 10.14 machine:
myInstaller.pkg: accepted
source=Notarized Developer ID
origin=Developer ID Installer: myCompany

To add something that may be relevant after further testing...
On another dev computer that our team has (with Mojave), stapler does work. 

I don't see any relevancy. You are talking about doing development on operating systems that are 2 and 3 major versions behind. Don't do that. If you see a problem on Big Sur, that's something you need to worry about. Don't use 10.13 or 10.14 for anything except testing.



I get a slightly different result on each machine.

That’s pretty easy to explain. 10.13 knows nothing about notarisation and thus prints just Developer ID. Later versions of 10.14.x (I presume your machine isn’t running 10.14.0!) do know about notarisation and thus print Notarized Developer ID.

With regards the stapling issue, how are you building myInstaller.pkg? With an Apple tool? Which one?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
`

With regards the stapling issue, how are you building myInstaller.pkg? With an Apple tool? Which one?

pkgbuild was used to compile the pkg, and then it was signed by productsign. So to summarize where I stand:

All steps including notarization are successful on both OS 10.13 and 10.14.
Stapler fails on OS 10.13 with the error 73 message I reported in a previous message.

I don't see any relevancy. You are talking about doing development on operating systems that are 2 and 3 major versions behind. Don't do that.

Well my question WAS specifically about an older OS. At this point, I'm still not sure if stapler is compatible with 10.13. It seems like people expect it to work, but have not tried it.

We can likely upgrade the machine to 10.14, I will find out and report back with my findings.



We can likely upgrade the machine to 10.14

Realistically that’s likely to be your best option. Right now you’re operating at the very edge of the support envelope, so it’s not hard to see why you’re having these problems.

pkgbuild was used to compile the pkg, and then it was signed by
productsign.

Thanks.

In the error 73 case, was the package built and signed on 10.13? Or 10.14?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

In the error 73 case, was the package built and signed on 10.13? Or 10.14?

There was no difference which OS was used to build/sign.

We did upgrade the machine to OS 10.14 and stapling works now. Xcode 10 is still installed.

Apple should perhaps update the requirements on this page:
https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution
"Stapling an app requires macOS 10.12 or later."


There was no difference which OS was used to build/sign.

OK. That confirms that it’s a problem with the OS’s stapling process, not with the way that the package was built.

We did upgrade the machine to OS 10.14 and stapling works now.

Cool.

Apple should perhaps update the requirements on this page

Indeed. The best way to get that feedback to the right folks is to file a bug against the docs. Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
The feedback report number is FB8788850
Latest version of Xcode for 10.12.6 and notarization question
 
 
Q