I have an Avalonia application I want to distribute in-house. (Avalonia is a cross-platform GUI based on dotnet.)
I followed the guide here: https://docs.avaloniaui.net/docs/distribution-publishing/macos
My notarization succeeds, and I can get the notarization info using
xcrun altool --notarization-info UUID -u myappleid
No errors getting notarization info.
Date: 2021-08-18 07:29:13 +0000
Hash: d1e8825c6571fff0bbcd11c5496b2a84ac1ad8b8a62b77771cde7a0eca286de9
LogFileURL: <Log URL>
RequestUUID: <UUID>
Status: success
Status Code: 0
Status Message: Package Approved
If I run codesign -dvvv "/Path/to/my app.app"
I can see
Executable=/Path/to/my app.app/Contents/MacOS/my app
Identifier=com.my.app
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=1126 flags=0x10000(runtime) hashes=24+7 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=3e5d21fdc6948b0d6cff4c94cd89fa441197182c
CandidateCDHashFull sha256=3e5d21fdc6948b0d6cff4c94cd89fa441197182c72119f76a8407aa2c2ce2f0e
Hash choices=sha256
CMSDigest=3e5d21fdc6948b0d6cff4c94cd89fa441197182c72119f76a8407aa2c2ce2f0e
CMSDigestType=2
CDHash=3e5d21fdc6948b0d6cff4c94cd89fa441197182c
Signature size=8980
Authority=Developer ID Application: company name (<TEAM ID>)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=18 Aug 2021 at 5:26:47 pm
Info.plist entries=11
TeamIdentifier=<TEAM ID>
Runtime Version=10.15.0
Sealed Resources version=2 rules=13 files=413
Internal requirements count=1 size=188
The cdhash 3e5d21fdc6948b0d6cff4c94cd89fa441197182c
is present in the developer log of notarization twice:
{
  "path": "my_app.zip/my app.app/Contents/MacOS/my app",
  "digestAlgorithm": "SHA-256",
  "cdhash": "3e5d21fdc6948b0d6cff4c94cd89fa441197182c",
  "arch": "x86_64"
},
{
  "path": "my_app.zip/my app.app",
  "digestAlgorithm": "SHA-256",
  "cdhash": "3e5d21fdc6948b0d6cff4c94cd89fa441197182c",
  "arch": "x86_64"
}
When I run spctl:
/usr/sbin/spctl --assess --type exec -vv "/Path/to/my app.app"
I get
/Path/to/my app.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: company name (<TEAM ID>)
My codesign was run using Avalonia's bash script with --deep added:
#!/bin/bash
APP_NAME="/Path/to/my app.app"
ENTITLEMENTS="/Path/to/entitlements/my_app.entitlements"
SIGNING_IDENTITY="Developer ID Application: company name (<TEAM ID>)"

# Sign every regular file under Contents/MacOS first.
# IFS= and -r keep paths with spaces or backslashes intact.
find "$APP_NAME/Contents/MacOS/" | while IFS= read -r fname; do
    if [[ -f "$fname" ]]; then
        echo "[INFO] Signing $fname"
        codesign --deep --force --timestamp --options=runtime --entitlements "$ENTITLEMENTS" --sign "$SIGNING_IDENTITY" "$fname"
    fi
done

# Then sign the bundle itself (--deep was added to Avalonia's original script).
echo "[INFO] Signing app file"
codesign --deep --force --timestamp --options=runtime --entitlements "$ENTITLEMENTS" --sign "$SIGNING_IDENTITY" "$APP_NAME"
After notarization I receive an e-mail from Apple that my software was 'successfully notarized'.
However, when I run
xcrun stapler staple "/Path/to/my app.app"
I get
Processing: /Path/to/my app.app
Could not validate ticket for /Path/to/my app.app
The staple and validate action failed! Error 65.
If I run stapler with -v
I can see that the ticket is successfully downloaded.
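
The manual comparison made in the post (the CDHash from codesign -dvvv against the cdhash entries in the notarization log) can be scripted. This is an added example, not part of the original post or of Avalonia's tooling; the sample inputs are constructed from the values quoted above, and the "ticketContents" key wrapping the two log entries, like the function names, is an assumption.

```python
import json
import re

# Constructed sample: selected lines of the `codesign -dvvv` output quoted in the post.
CODESIGN_OUTPUT = """\
CodeDirectory v=20500 size=1126 flags=0x10000(runtime) hashes=24+7 location=embedded
CandidateCDHash sha256=3e5d21fdc6948b0d6cff4c94cd89fa441197182c
CandidateCDHashFull sha256=3e5d21fdc6948b0d6cff4c94cd89fa441197182c72119f76a8407aa2c2ce2f0e
CDHash=3e5d21fdc6948b0d6cff4c94cd89fa441197182c
"""

# Constructed sample: the post's two log entries; the "ticketContents" key is an assumption.
CDHASH = "3e5d21fdc6948b0d6cff4c94cd89fa441197182c"
NOTARY_LOG = json.dumps({"ticketContents": [
    {"path": "my_app.zip/my app.app/Contents/MacOS/my app",
     "digestAlgorithm": "SHA-256", "cdhash": CDHASH, "arch": "x86_64"},
    {"path": "my_app.zip/my app.app",
     "digestAlgorithm": "SHA-256", "cdhash": CDHASH, "arch": "x86_64"},
]})

CS_RUNTIME = 0x10000  # hardened-runtime bit, printed as flags=0x10000(runtime)


def parse_codesign(text):
    """Extract the CDHash, the full digest and the runtime flag."""
    cdhash = re.search(r"^CDHash=([0-9a-f]+)$", text, re.M)
    full = re.search(r"^CandidateCDHashFull \w+=([0-9a-f]+)$", text, re.M)
    flags = re.search(r"flags=0x([0-9a-fA-F]+)", text)
    return {
        "cdhash": cdhash.group(1) if cdhash else None,
        "full": full.group(1) if full else None,
        "hardened_runtime": bool(flags and int(flags.group(1), 16) & CS_RUNTIME),
    }


def check_ticket(codesign_text, log_json, bundle_name):
    """Compare the local signature with the log entry for the bundle itself."""
    sig = parse_codesign(codesign_text)
    entries = json.loads(log_json).get("ticketContents", [])
    bundle = [e for e in entries if e["path"].endswith("/" + bundle_name)]
    return {
        # CDHash is the full CodeDirectory digest truncated to 20 bytes (40 hex chars).
        "cdhash_is_truncated_full": bool(sig["cdhash"] and sig["full"]
                                         and sig["full"][:40] == sig["cdhash"]),
        "hardened_runtime": sig["hardened_runtime"],
        "bundle_in_log": bool(bundle),
        "ticket_covers_signature": any(e["cdhash"] == sig["cdhash"] for e in bundle),
    }


if __name__ == "__main__":
    print(check_ticket(CODESIGN_OUTPUT, NOTARY_LOG, "my app.app"))
```

For the values in the post every check is true, so the ticket on record covers the signature that is on disk; a bundle re-signed after submission would show ticket_covers_signature as False.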