Is stapling a notarization ticket to a DMG sufficient or do I need to staple to the app within as well?

I'm receiving conflicting info on this. My impression from the docs was that only the DMG would need to be stapled. In a DTS interaction concerning other issues with notarization, the DTS engineer pointed out that my app wasn't stapled and that I should staple that as well.

Problem is that when I staple the app, I need to re-create the DMG package. After doing that, when trying to staple the DMG as well it fails with error 65. My guess is that it fails because the signature changed by stapling the app which leads to a bit of a catch-22 situation.

Do I really need to staple the app contents and if so, what is the correct procedure for re-packaging and stapling the outer DMG?

Replies

In theory, you could fully notarize the app and staple it, then add it to the dmg, notarize that and staple it. But you don't need to do that. I think either the DTS engineer was wrong or misunderstood what you were doing. Everything I have seen in this forum from Apple engineers says to only notarize and staple the outermost container, which would be your DMG.

Is stapling a notarization ticket to a DMG sufficient

Please drop me a line via email (my address is in my signature). Be sure to reference this thread because, as you might imagine, I get a lot of email (-:

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

I had a chat with Mr_Noodle about this offline. It seems that there was a bit of a mixup with the advice he got from DTS here. So, to clarify, Apple’s general recommendation is that you:
  1. Sign all your code from the inside out, up to and including any signable containers.

  2. Then notarise and staple the outermost container.

  3. Ship that stapled container.

So, for example, if you ship an app inside an installer package on a disk image, you’d sign the app, then the installer package, then the disk image, and then notarise and staple the disk image.

The ticket that you staple to the outermost container will cover any nested containers and code. The system ingests this ticket when you open the outermost container for the first time.

There are exceptions to this rule. Most of them are edge cases that most folks can ignore, but there’s one important one. If you ship an app inside a zip archive, you can’t sign your outermost container because zip archives don’t support signing. In that case you should:
  1. Sign the app.

  2. Zip that.

  3. Notarise that.

  4. Take the app from step 1 and staple that.

  5. Zip that.

  6. Ship the zip archive from step 5.

The system will ingest this ticket when the user first launches the app.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
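
The zip-archive workflow from steps 1 to 6 above, as an added example in POSIX shell (not Quinn's or Apple's code). It assumes the Xcode command line tools are installed and that a notarytool keychain profile named AC_PROFILE exists (a placeholder name); with DRY_RUN=1 it prints the commands instead of running them so the step order can be reviewed on any machine.

```shell
#!/bin/sh
# Added example: sign -> zip -> notarize -> staple the app -> re-zip -> ship.
# AC_PROFILE is a placeholder notarytool keychain profile name.
set -eu

# run: execute a command, or only print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# notarize_zip_workflow APP_BUNDLE SIGNING_IDENTITY OUT_ZIP
notarize_zip_workflow() {
  app=$1; identity=$2; out=$3
  tmp=${TMPDIR:-/tmp}/notarize.$$.zip
  # 1. Sign the app; hardened runtime and a secure timestamp are notarization prerequisites.
  run codesign --force --options runtime --timestamp --sign "$identity" "$app"
  # 2. Zip it with ditto so extended attributes survive the round trip.
  run ditto -c -k --keepParent "$app" "$tmp"
  # 3. Notarize that zip; --wait blocks until Apple's service returns a verdict.
  run xcrun notarytool submit "$tmp" --keychain-profile AC_PROFILE --wait
  # 4. Staple the ticket to the app from step 1 (a zip archive itself cannot be stapled).
  run xcrun stapler staple "$app"
  # 5. Zip the stapled app; this archive is what you ship (step 6).
  run ditto -c -k --keepParent "$app" "$out"
  # Check: Gatekeeper's assessment of the stapled app should pass offline.
  run spctl --assess --type execute -vv "$app"
}
```

Note that step 4 changes the bundle on disk, which is why the archive from step 2 is discarded and the app is zipped a second time.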

I’m dropping this link here as a breadcrumb for Future Quinn™.

noodlesoft.com/blog/2021/01/25/codesigning-notarization-woes/

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

I’m dropping this link here as a breadcrumb for Future Quinn™.

I don't know if that is such a good idea. People might infer that you are recommending that link as a source of useful information. It is a step-by-step instruction manual on how to shoot yourself in the foot.