Codesign for Notarization Errors (test-requirement:)

Question

Created Apr ’21

Replies 5

Boosts 0

Views 1.6k

Participants 2

Hello,

I'm trying to Notarize my pkg which contains many binaries. Luckly all them seem to be suffering from the same errors. I I'm trying to fix just one so that I know all of which to fix.

The last one I'm having issues with is --

"message": "The binary is not signed with a valid Developer ID certificate.",

When I run the following, everything looks good.

Code Block codesign -dv --verbose=4

But when I run the following

Code Block codesign -vvvv -R="notarized" --check-notarization /path/to/MyBinar

I get the error

test-requirement: code failed to satisfy specified code requirement(s)

Honestly Apple has made this so confusing and complicated, I'm really losing patience.

Boost

Answer 1

DTS Engineer OP

Apple

Apr ’21

When I run the following, everything looks good.

What does that actually print? The message you’re seeing (The binary is not signed with a valid Developer ID certificate.) means that your binary is signed with something that’s not a Developer ID signing identity. When you dump the code signature you should see something like this:

Code Block  % codesign -d -vv /Applications/QProcessDock.app
…
Authority=Developer ID Application: Quinn Quinn (SKMME9E2Y8)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
…

But when I run the following

Right, because that command checks whether the item is properly notarised and clearly that’s not the case here.

What sort of product are you shipping? Something built in Xcode? Or something using a third-party build system?

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 2

ceh329 OP

Apr ’21

Hi Quinn,
Thanks for the reply. But it is signed, thats whats killing me. My project is a Xcode project and I compile it via xcodebuild.

Code Block bash-3.2# codesign -d -vv /private/var/tmp/MPUpdater 
Executable=/private/var/tmp/MPUpdater
Identifier=com.mp.updater
Format=Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=11103 flags=0x10000(runtime) hashes=338+5 location=embedded
Signature size=9048
Authority=Apple Development: Charles Heizer (W42PNHC2DS)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Timestamp=Apr 8, 2021 at 3:02:23 PM
Info.plist entries=7
TeamIdentifier=BLZUAP2L36
Runtime Version=11.1.0
Sealed Resources=none
Internal requirements count=1 size=184

0

Answer 3

DTS Engineer OP

Apple

Apr ’21

But it is signed

Right, but check out the identity used in that signature:

Authority=Apple Development: Charles Heizer (W42PNHC2DS)

This is a Apple Development identity, and to notarise a product you need to use an Developer ID Application identity.

My project is a Xcode project and I compile it via xcodebuild.

How you proceed from there depends on sort of product this is. Earlier you wrote:

I'm trying to notarize my pkg which contains many binaries.

Are these all command-line tools? And does each tool have its own target in your Xcode project?

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 4

ceh329 OP

Apr ’21

Oh wow, thanks cant believe I have been doing it wrong all this time - SMH. Yes, my project has multiple command-line tools and a couple of .app applications. All of the project is compiled via a bash script. Each of them has it's own target and Xcode project which are all tied to a Xcode workspace.

0

Answer 5

DTS Engineer OP

Apple

Apr ’21

Yes, my project has multiple command-line tools and a couple of .app
applications.

OK. I’m going to outline my normal recommendation for folks using Xcode, then explain why that won’t work for you, and then offer a suggestion that should work.

If you’re building your product with Xcode then I generally recommend that you use Xcode’s code signing support. For example, if you’re building a standard app you can do this using xcodebuild:

Use the archive action to create an Xcode archive for your app.
Use the the -exportArchive option to export that archive with Developer ID signing.

This uses exactly the same machinery as the Xcode Organizer. Specifically, step 1 is equivalent to Product > Archive and step 2 is equivalent to Distribute App > Developer ID > Export.

Unfortunately this won’t work for you. The problem is with step 2, which only works for apps. You can see this in the Organizer. If you do a Product > Archive on a command-line tool target you’ll see that the button in the Organizer says Distribute Content and clicking it doesn’t offer you the Developer ID > Export path.

So, here’s what you need to do:

For your app targets, use the workflow described above.
For your command-line tool targets, use step 1 of the workflow but replace step 2 with your own script that exports and re-signs the tool from the archive.
Finally, use your existing script to combine everything up into an installer package and then sign and notarise that package.

For help with this signing, see Signing a Mac Product For Distribution.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0