notarization error : The signature of the binary is invalid

Question

PastCoder OP

Created Apr ’21

Replies 2

Boosts 0

Views 1.5k

Participants 2

I use below command to notarize my xxxx_setup.pkg

sudo xcrun altool --notarize-app --primary-bundle-id "net.xxxx.xxxx" --username "xxxx@gmail.com" --password "xxxxxxxxxx" --file ./xxxx_setup.pkg -itc_provider "XXXXXXXX"

Uploading is performed normally. And from the logFile of notarization-info command, I got the error message of my main executable file (yyyy) under xxxx.app/Contents/MacOS as below:

Code Block {
  "logFormatVersion": 1,
  "jobId": "34e7712f-8ebe-49a7-b10a-9863eba7c666",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "xxxx_setup.pkg",
  "uploadDate": "2021-04-06T14:07:55Z",
  "sha256": "944b56a56cb91c06b937b548fe9fbb6a2d039e4d4fe949819cac93d3821dff42",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "xxxx_setup.pkg/xxxx.pkg Contents/Payload/Applications/xxxx.app/Contents/MacOS/yyyy",
      "message": "The signature of the binary is invalid.",
      "docUrl": null,
      "architecture": "x86_64"
    }
  ]
}

I have used command below to check the binary yyyy

codesign -vvv --deep --strict /path/to/binary

and I get info below :

yyyy : valid on disk
yyyy : satisfies its designated requirement.

I use codesign -dvvv to validate the signature of the execuable file. All the timestamp and signed are there.

So who can help me to dig out these bugs.

Boost

Answer 1

PastCoder OP

Apr ’21

Anyone can give me some help to pass the notarization service?

Below is my codesign command for the bundle, and the --deep parameter affects the signature of the main executable file.

sudo codesign --force --deep --timestamp --options=runtime -s "Developer ID Application: Some Company (XXXXXX)" ./XXXX.app

And I also tried to codesign the single executable file yyyy directly, but the error remained. I need more info to move forward.

Or somebody can tell me how to connect with Apple Notarization Service Team. Their notarization response cannot point out what blocks my executable file.

0

Answer 2

DTS Engineer OP

Apple

Apr ’21

Or somebody can tell me how to connect with Apple Notarization Service
Team.

My organisation, DTS, supports the notary service. If you want formal support here, open a DTS tech support incident. I try to help out on DevForums as much as time allows but a TSI lets me allocate the time to help you out one-on-one.

the --deep parameter affects the signature of the main executable
file

I recommend against using --deep, for the reasons I outlined in --deep Considered Harmful. Rather, sign each code item separately, from the inside out. See Signing a Mac Product For Distribution for all the details.

If you still have problems you should unpack the installer package that you submitted to the notary service (it should have the SHA-256 checksum shown in your notarisation log) and check the code signature of the resulting app. Do this using codesign -vvv --deep --strict /path/to/your.app, that is, passing in the path to the app’s bundle not the app’s main executable.

See Unpacking Apple Archives for info on how to manually unpack an installer package.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0