What is meaning of notarization warnings

I am notarizing SEPRemote.pkg, built following instructions here: https://knowledge.broadcom.com/external/article/181587

Notarization succeeds, but there are two warnings in the log:

{
      "severity": "warning",
	  
      "code": null,
      "path": "SEPRemote.pkg/SEPRemote.pkg Contents/Payload/private/tmp/Norton for Mac SKU.mpkg/SEPEG_SKU.UniversalESD.pkg Contents/Payload/Library/Application Support/Symantec/Silo/MES/SymUIAgent/Symantec.app/Contents/Resources/Norton.app",
      "message": "Unable to notarize SEPRemote.pkg/SEPRemote.pkg Contents/Payload/private/tmp/Norton for Mac SKU.mpkg/SEPEG_SKU.UniversalESD.pkg Contents/Payload/Library/Application Support/Symantec/Silo/MES/SymUIAgent/Symantec.app/Contents/Resources/Norton.app",
      "docUrl": null,
      "architecture": null
}

and

{
      "severity": "warning",
      "code": null,
      "path": SEPRemote.pkg/SEPRemote.pkg Contents/Payload/private/tmp/Norton for Mac SKU.mpkg/SEPEG_SKU.UniversalESD.pkg Contents/Payload/Applications/Symantec Endpoint Protection.app/Contents/Resources/ApplicationNorton.app",
      "message": "Unable to notarize SEPRemote.pkg/SEPRemote.pkg Contents/Payload/private/tmp/Norton for Mac SKU.mpkg/SEPEG_SKU.UniversalESD.pkg Contents/Payload/Applications/Symantec Endpoint Protection.app/Contents/Resources/ApplicationNorton.app",
      "docUrl": null,
      "architecture": null
 }

What are the consequences of these warnings? Will they cause problems with SEPRemote.pkg even though it reports notarization is successful?

Up vote post of gdeff Down vote post of gdeff
448 views
Posted by
gdeff
Reply
Add a Comment

Replies

Will they cause problems … ?

Very likely. The goal of notarisation is to create a notarised ticket. This ticket is a blob of data, signed by Apple, that tells a user’s Mac that the notary service has checked this software. The contents of this blob is a list of cdhash (code directory hash) values. So, when you notarise a product you want to make sure that the cdhash value for all native code within your product is covered by the ticket.

In this case it looks like /Applications/Symantec Endpoint Protection.app/Contents/Resources/ApplicationNorton.app is native code in which case this warning is bad, because it means that ticket does not include the cdhash for ApplicationNorton.app.

Is SEPRemote.pkg a product that you developed? Or are you using the installer to repackage a product from some other third party?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo

  • Thanks for your time. I'm not the developer but I support it and I don't know whether I can safely tell customers to ignore this warning. I will take this up with our developers, but why wouldn't the notarization fail if these problems are critical?

    gdeff
Add a Comment

why wouldn't the notarization fail if these problems are critical?

I’d have to look at the bundle to be sure, but I suspect that the ApplicationNorton.app directory looks enough like an app to convince the notary service that it should be notarising it, but then is ‘broken’ in some way that prevents notarisation. So it’s issuing a warning because it’s not sure whether this directory was intended to be treated as a bundle containing code.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment