notary tool fails on same file that altool notarizes successfully

Just got my brand new M1 Max laptop and am excited to get with the times and use notary tool instead of altool as recommended by the mothership but when I try to notarize the same file that altool notarizes successfully it fails.

Here is is my sucessful altool command:

xcrun altool --notarize-app --primary-bundle-id "My Kool Tool" --username "***@***.com" -p "@keychain:ac_notary" --asc-provider XXXXXXXXXXXX --file *.zip && rm *.zip

and this is the notary tool command that fails on the same file:

xcrun notarytool submit *.zip --keychain-profile "XXXXXX Apple Developer" --wait && rm *.zip

Here is the output:

Conducting pre-submission checks for archive.zip and initiating connection to the Apple notary service...
Submission ID received
 id: e20c0438-5576-4361-a11a-2efeb8exxxxx
Successfully uploaded file
 id: e20c0438-5576-4361-a11a-2efeb8exxxxx
 path: /Users/***/Documents/archive.zip
Waiting for processing to complete.
Current status: Invalid..........
Processing complete
 id: e20c0438-5576-4361-a11a-2efeb8exxxxx
 status: Invalid

and the log:

xcrun notarytool log e20c0438-5576-4361-a11a-2efeb8exxxxx --keychain-profile "XXXXXX Apple Developer"
{
 "logFormatVersion": 1,
 "jobId": "e20c0438-5576-4361-a11a-2efeb8exxxxx",
 "status": "Invalid",
 "statusSummary": "Archive contains critical validation errors",
 "statusCode": 4000,
 "archiveFilename": "archive.zip",
 "uploadDate": "2021-12-07T18:57:23.193Z",
 "sha256": "505d76b420d46bfd01d56c724de1c8d20121d75b0ca6cee96a51549708ec46ee",
 "ticketContents": null,
 "issues": [
  {
   "severity": "error",
   "code": null,
   "path": "archive.zip",
   "message": "Package archive.zip has no signed executables or bundles. No tickets can be generated.",
   "docUrl": null,
   "architecture": null
  }
 ]
}

again, the same file notarizes with altool so it is properly signed

It is worth noting that if I don't include the --asc-provider in the altool command it fails so maybe I just need to do the same with the notary tool but can't find any documentation on how to do that.

Help Obi Wan

Well, that’s weird. Both altool and notarytool connect to the same notary service back end, and it shouldn’t matter how you transport your file to that back end. Moreover, the fact that you get a log response from notarytool indicates that your file made it to that back end.

Try this:

  1. Find the UUID of the request that you submitted via altool.

  2. Use the --notarization-info subcommand of altool to get the log file URL.

  3. Download that.

  4. Verify that the SHA-56 checksum (in the sha256 property) matches the one you posted in the notarytool log.

It is worth noting that if I don't include the --asc-provider in the altool command it fails so maybe I just need to do the same with the notarytool

No. The whole --asc-provider thing is a historical quirk and is not necessary for notarytool.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I'm posting this here because I believe it falls within the same use case. But what do I know!

Using terminal Xcode I am able to harden, notarize, pkg and validate my app for the distribution via the App Store, although I have not yet uploaded to the App Store.

Process #1:

  1. Harden myApp using ID: Developer ID Application
  2. Zip myApp
  3. Notarize myApp using altool
  4. Pkg myApp using productbuild ID: 3rd Party Mac Developer Installer
  5. Validate myApp for compatibility with App Store using altool.
  6. Test installing myApp using the pkg.

Success.

Attempting to notarize and pkg myApp using Xcode notarytool produces (two) different results depending on the ID used.

Process #2:

  1. Harden myApp using ID: Developer ID Application
  2. Pkg myApp using productbuild ID: 3rd Party Mac Developer Installer
  3. Notarize pkg generates a validation error:

    {       "severity": "error",       "code": null,       "path": "myApp.pkg",       "message": "The binary is not signed with a valid Developer ID certificate.",       "docUrl": null,       "architecture": null     }

Process #3:

  1. Harden myApp using ID: Developer ID Application
  2. Pkg myApp using productbuild ID: Developer ID Installer
  3. Notarize pkg. Successfully {

Conducting pre-submission checks for myApp.pkg and initiating connection to the Apple notary service... Submission ID received   id: 610ca3ff-e587-4434-xxxx Successfully uploaded file153 MB of 153 MB)       id: 610ca3ff-e587-4434-xxxx   path: myApp Waiting for processing to complete. Current status: Accepted..................... Processing complete   id: 610ca3ff-e587-4434-xxxx   status: Accepted }

  1. Validate myApp.pkg using altool --validate-app errors for it requires the pkg to be signed with 3rd Party Mac Developer Installer.

I need to be able to notarize and pkg myApp for the App Store.  

Thanks for being here: Be well

I need to be able to notarize and pkg myApp for the App Store.

That goal doesn’t make sense. There are two distribution channels for Mac software:

  • Mac App Store

  • Independent distribution

The latter requires notarisation; the former does not.

If your goal is to distribute via the Mac App Store:

  1. Sign with App Store distribution signing identities, not Developer ID ones.

  2. Optionally validate it with the --validate-app in altool.

  3. Don’t notarise.

  4. Submit to the Mac App Store using --upload-app.

For specific advice on the first step, see Creating Distribution-Signed Code for Mac and Packaging Mac Software for Distribution.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hello, I have same issue, the altool works and notarytool don't on the same IPA:

Conducting pre-submission checks for trader_view_app.ipa and initiating connection to the Apple notary service...
Submission ID received
  id: e5970fee-b91a-4d70-ad98-d24ba117b733
Successfully uploaded file47.9 MB of 47.9 MB)
  id: e5970fee-b91a-4d70-ad98-d24ba117b733
  path: /Users/michal/Development/!TRADER_VIEW/trader_view_app/build/ios/ipa/trader_view_app.ipa
Waiting for processing to complete.
Current status: Invalid..........
Processing complete
  id: zzzzzzzzzzzzzzzzzz
  status: Invalid
michal@Michals-MacBook-Pro~/Development/!TRADER_VIEW/trader_view_app $ xcrun notarytool log  e5970fee-b91a-4d70-ad98-d24ba117b733 --keychain-profile "NotaryKeyApi"
{
  "logFormatVersion": 1,
  "jobId": "e5970fee-b91a-4d70-ad98-d24ba117b733",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "trader_view_app.ipa",
  "uploadDate": "2022-10-01T16:20:20.465Z",
  "sha256": "??????????",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "trader_view_app.ipa",
      "message": "Package trader_view_app.ipa has no signed executables or bundles. No tickets can be generated.",
      "docUrl": null,
      "architecture": null
    }
  ]
}

and then with altool:

michal@Michals-MacBook-Pro~/Development/!TRADER_VIEW/trader_view_app $ xcrun altool --upload-app --type ios -f build/ios/ipa/*.ipa --apiKey yyyyyyyy --apiIssuer xxxxxxxxxxx
No errors uploading 'build/ios/ipa/trader_view_app.ipa'

and app is processing just fine ? Exactly same IPA, no changes.

Exactly same IPA, no changes.

Ah, um, that’s not right. AFAIK there are no circumstances where it makes sense to notarise a .ipa file. Such files are used when you upload an iOS app to the App Store, but why would you want to notarise that?

Note that the two commands you’re using are not equivalent. notarytool targets the notary service, but altool --upload-app targets App Store Connect.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hello @eskimo , thank you for the last answer! Could we please continue this discussion if you have some time? The results of this discussion are still not clear for me, unfortunately.

I noticed in my altool that it throws "altool has been deprecated for notarization and starting in late 2023 will no lo\U2026". I suppose that this is the main reason of why guys want to use notarytool instead of the altool.

So, the last thing you said is: "Note that the two commands you’re using are not equivalent. notarytool targets the notary service, but altool --upload-app targets App Store Connect."

Could you please give us a hint, what can we do to make the notarytool targets App Store Connect and behaves the same as altool (altool was uploading .ipa directly to the testflight)? Unfortunately, I have no opportunity to upload builds with help of XCode, since I use a non-common approach of making iOS builds.

Thank you!

Hello again @eskimo After some investigation I found out that the next message:

"Notarization":{"Message":"altool has been deprecated for notarization and starting in late 2023 will no longer be supported by the Apple notary service. You should start using notarytool to notarize your software.","Status":"DEPRECATED"}

is just a warning about notarization that is related only to macOS software (https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution).

But the warning doesn't mean that the altool itself will be deprecated. It seems like altool is still valid for uploading .ipa files to TestFlight and notarytool is needed for macOS .pkg files.

Please correct me if I'm wrong. Thank you!

But the warning doesn't mean that the altool itself will be deprecated. It seems like altool is still valid for uploading .ipa files to TestFlight

Correct. And not just TestFlight, but the App Store in general.

The message says “altool has been deprecated for notarization” and that’s exactly what it means. The tool has a bunch of subcommands, and the ones related to notarisation — so --notarize-app, --notarization-info, and --notarization-history — are deprecated and will stop work later this year. All the other subcommands, like --upload-package, are related to the App Store and will continue working.

If you’re looking to move from altool to notarytool, see TN3147 Migrating to the latest notarization tool.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

@eskimo To make thing more clear, do you mean that the notarytool can not be used for uploading ipa to appstore? cause i have the same issue as others currently.

`{ "logFormatVersion": 1, "jobId": "538b39b5-181d-4519-acb6-b9e272a5041b", "status": "Invalid", "statusSummary": "Archive contains critical validation errors", "statusCode": 4000, "archiveFilename": "demo.ipa", "uploadDate": "2024-01-12T06:21:52.276Z", "sha256": "2b0dfcc260068bb1b8d39444f7f8a93d7dc8e218d5feb87589450014a518c7a9", "ticketContents": null, "issues": [ { "severity": "error", "code": null, "path": "Seismic.ipa", "message": "Package demo.ipa has no signed executables or bundles. No tickets can be generated.", "docUrl": null, "architecture": null } ] }

@eskimo To make thing more clear, do you mean that the notarytool can not be used for uploading ipa to appstore? cause i have the same issue as others currently.

{
  "logFormatVersion": 1,
  "jobId": "538b39b5-181d-4519-acb6-b9e272a5041b",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "Seismic.ipa",
  "uploadDate": "2024-01-12T06:21:52.276Z",
  "sha256": "2b0dfcc260068bb1b8d39444f7f8a93d7dc8e218d5feb87589450014a518c7a9",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "Seismic.ipa",
      "message": "Package Seismic.ipa has no signed executables or bundles. No tickets can be generated.",
      "docUrl": null,
      "architecture": null
    }
  ]
}
notary tool fails on same file that altool notarizes successfully
 
 
Q