Checking DMG notarization. Rejected, but works fine

Question

wnsoft OP

Created Mar ’21

Replies 7

Boosts 0

Views 5.5k

Participants 2

I have a misterous problem with checking DMG notarization.

It fails:

Code Block bash-3.2$ spctl -a -t open --context context:primary-signature -v MyApp.dmg
MyApp: rejected
source=no usable signature

However this DMG installs fine on Big Sur 11.2.2, macOS allows to run this app, and checking of notarization for installed app was passed:

Code Block bash-3.2$ spctl -a -v '/Applications/MyApp.app'
/Applications/MyApp.app: accepted
source=Notarized Developer ID

I checked other downloaded apps (Intel or Universal). Some DMG files pass DMG notarization (for example, Audacity), and some fails (PerfectTablePlan). Why?

For my app (Universal) I use the following code to codesign and notarize:

Code Block codesign --timestamp --options runtime --force --deep -s "Developer ID Application: MYCOMPANY" "My.app"
// Creating DMG with EULA license
xcrun altool --notarize-app --primary-bundle-id MyApp -u "my@email.com" -p "abc123" --file MyApp.dmg
xcrun stapler staple MyApp.dmg

Answered by DTS Engineer in 665166022

The notary service does not require that your disk image be signed. If the disk image is signed then it’ll include the image itself in the ticket (along with all the image’s content). If not, the ticket is built just from the image’s content.

Having said that, I do recommend that you sign your disk image. See Signing a Mac Product For Distribution for my advice on that front.

I checked other downloaded apps (Intel or Universal). Some DMG files
pass DMG notarization … and some fails

You are not checking notarisation here, you’re checking Gatekeeper compliance. And spctl is a poor way to check for that. See Testing a Notarised Product for my advice on how to do that.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Boost

Answer 1

DTS Engineer OP

Apple

Mar ’21

Accepted Answer

The notary service does not require that your disk image be signed. If the disk image is signed then it’ll include the image itself in the ticket (along with all the image’s content). If not, the ticket is built just from the image’s content.

Having said that, I do recommend that you sign your disk image. See Signing a Mac Product For Distribution for my advice on that front.

I checked other downloaded apps (Intel or Universal). Some DMG files
pass DMG notarization … and some fails

You are not checking notarisation here, you’re checking Gatekeeper compliance. And spctl is a poor way to check for that. See Testing a Notarised Product for my advice on how to do that.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

1

Answer 2

wnsoft OP

Mar ’21

Quinn,

Thanks for your reply and advices!

I added codesign for a DMG image. And then spctl shows that DMG is correct:

Code Block MyApp.dmg: accepted
source=Notarized Developer ID

It seems that many Mac developers (including me) were not aware that it also necessary to codesign DMG in addition to codesigning of APP bundle and notarization.

2. Probably I found a typo in your article "Testing a Notarised Product". It says:

Code Block # Disk image
spctl -a -t open -vvv --context context:primary-signature WaffleVarnish.dmg

However this command shows nothing for any correctly notarized app (including my app, Chrome, Audacity, etc).

If I add "-v" to your command:

Code Block spctl -a -t open -vvv --context context:primary-signature WaffleVarnish.dmg -v

It shows a result for Chrome:

Code Block googlechrome.dmg: accepted
source=Notarized Developer ID

0

Answer 3

wnsoft OP

Mar ’21

Another question. I build a special ZIP with APP bundle for Auto Update feature. This ZIP is being notarized.

How I can check that APP bundle is notarized and a difference with only codesigned APP bundle?

Code Block spctl -a -t exec -vvv MyApp.app

always shows the same result for codesigned APP, regardless notarization:

Code Block MyApp.app/: accepted
source=Notarized Developer ID
origin=Developer ID Application: COMPANY (RDPXXXXXX)

0

Answer 4

wnsoft OP

Mar ’21

Sometimes codesign for a DMG doesn't work correctly:

Code Block codesign -s "Developer ID Application: COMPANY" --timestamp -i MyApp MyApp.dmg

I got an error:

Code Block "The timestamp service is not available."

and DMG was not completely signed. APP bundle was signed correctly (a minute earlier) and notarized (several minutes later).

I re-launched the script again and next time DMG was signed rightly.

0

Answer 5

DTS Engineer OP

Apple

Mar ’21

it also necessary to codesign DMG in addition to codesigning of APP
bundle and notarization.

It isn’t necessary to sign disk images. As I mentioned above, the notary service will accept an unsigned disk image and the resulting ticket will then cover just the disk image’s content.

Probably I found a typo in your article "Testing a Notarised Product".

The command works on my machine. Specifically, I just downloaded the latest Chrome disk image and here’s what I see:

Code Block  % sw_vers
ProductName:	macOS
ProductVersion:	11.2.1
BuildVersion:	20D74
% spctl -a -t open -vvv --context context:primary-signature googlechrome.dmg 
googlechrome.dmg: accepted
source=Notarized Developer ID
origin=Developer ID Application: Google, Inc. (EQHXZ8M8AV)

always shows the same result for codesigned APP, regardless notarization

Can you post more details about the exact workflow you’re using here?

Keep in mind that notarised tickets identify code via the cdhash. So, imagine a sequence like this:

Build your app.
Create a disk from the app in step 1.
Notarise that disk image.
Check its notarisation.
Create a ‘software update’ zip archive from the app in step 1.
Check its notarisation with spctl.

The check in step 6 will always succeed because the check in step 4 has caused your system to ingest a ticket that covers the app’s cdhash.

This is exactly the sort of thing that taught me to always test this stuff in a VM, where I can roll back the VM to a snapshot that’s never seen my software before.

The timestamp service is not available.

This means that codesign is unable to access the Apple timestamp service (timestamp.apple.com). I’ve seen two causes of this:

Network problems on the client side.
The timestamp service being down )-:

My experience is that the first one is the most common. You should use a packet trace to see what’s going on.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 6

DTS Engineer OP

Apple

Mar ’21

Then again, it’s possible that the timestamp service is having problems at the moment.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 7

wnsoft OP

Mar ’21

Quinn,

Thanks for your replies!

My workflow is the following:

Build my APP
Codesign my APP
Create a DMG from my APP
Notarize DMG...
Staple notarization to DMG
Create ZIP from APP (from step 1) for Auto-Update
Notarize ZIP...
Staple notarization to original APP (from step 1)
Delete ZIP
Create a new ZIP from APP.

Is it correct?

I've understood about timestamp servers.

I tried again a command from your article:

Code Block spctl -a -t open -vvv --context context:primary-signature googlechrome.dmg

and now it works on iMac (Intel) Big Sur 11.2.3. Earlier it didn't work on DTK with Big Sur 11.1.0

0