Failing in Notarization a pkg file

I have a flattened pkg file to notarize.

It is signed at the build time by the Developer ID installer. Here is the output of a series of commands.

  1. check notarization status
  2. submit notarization and status
  3. check status of notarization after notarization completes.

    mtnview@C02YC2G0JGH5 ~/D/s/d/h/c/pkgs>spctl -a -vvv -t install ./foo.mac11.x86_64.pkg
    ./foo.mac11.x86_64.pkg: rejected
    source=Unnotarized Developer ID
    origin=Developer ID Installer: foo, Inc. (69Q4FM6AL9)

    mtnview@C02YC2G0JGH5 ~/D/s/d/h/c/pkgs> xcrun notarytool submit ./foo.mac11.x86_64.pkg --keychain-profile "AC_PASSWORD" --wait
    Conducting pre-submission checks for foo.mac11.x86_64.pkg and initiating connection to the Apple notary service...
    Submission ID received
      id: cc2d06be-fb07-4794-a92a-996ac07985fd
    Successfully uploaded file
      id: cc2d06be-fb07-4794-a92a-996ac07985fd
      path: /Users/mtnview/Documents/shared_vm/dev/hawkeye/cmake-macos/pkgs/foo.mac11.x86_64.pkg
    Waiting for processing to complete.
    Current status: Accepted..........
    Processing complete
      id: cc2d06be-fb07-4794-a92a-996ac07985fd
      status: Accepted

    mtnview@C02YC2G0JGH5 ~/D/s/d/h/c/pkgs> spctl -a -vvv -t install ./foo.mac11.x86_64.pkg
    ./foo.mac11.x86_64.pkg: rejected
    source=Unnotarized Developer ID
    origin=Developer ID Installer: foo, Inc. (69Q4FM6AL9)

Apple says it is accepted, but the status still says Unnotarized Developer ID and rejected? Here is the log:

  "logFormatVersion": 1,
  "jobId": "cc2d06be-fb07-4794-a92a-996ac07985fd",
  "status": "Accepted",
  "statusSummary": "Ready for distribution",
  "statusCode": 0,
  "archiveFilename": "foo.mac11.x86_64.pkg",
  "uploadDate": "2022-03-17T13:35:11.753Z",
  "sha256": "d5fa4e165df10b548f111a193fbbddceadcdc6a68307884dd5ae5f57a6bbe73a",

A few follow-up questions here to get some more insight on what could be going wrong:

  1. What is inside of your foo.mac11.x86_64.pkg? If it is a single app? Is it Developer ID signed?

  2. What does the code signature on your pkg archive look like?

    pkgutil --check-signature foo.mac11.x86_64.pkg

  3. When you install the pkg file, do you have an internet connection for the machine to reach out to the Notary service to get the Notary ticket? If not, do you have the ticket stapled to the pkg?

    xcrun stapler staple foo.mac11.x86_64.pkg

    You can validate that you have a stapled ticket with:

    xcrun stapler validate foo.mac11.x86_64.pkg

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Apple says it is accepted, but the status still says Unnotarized Developer ID and rejected ? [my emphasis]

But was it actually rejected by Gatekeeper? spctl isn’t a great test for that. Rather, I recommend that you test this as a user would. See my Testing a Notarised Product post for the details.

ps If you do step 3, that is, disconnect the Mac from the network, you must staple your notarised ticket on to your installer package per Matt’s instructions.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thank you, Matt. I figured out something funny. After notarization succeeded with status: Accepted, it looks like there is a delay until the whole information is propagated.

After I wait a couple of mins, check the status again, now it says notarized.

Funny.

I wait a couple of mins, check the status again, now it says notarized.

Okay, and everything is running and working as it should?

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Yes. Just the information update isn't real-time or as quick as I expected.
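
The sequence discussed in this thread as one script, with a retry around the assessment to absorb the propagation delay reported above. This is an added example, not code posted by anyone in the thread; the function names, the retry count and the 30-second delay are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. macOS tools used: pkgutil, xcrun, spctl.

# Classify `spctl -a -vvv -t install` output read on stdin.
classify_spctl() {
  case "$(cat)" in
    *"source=Notarized Developer ID"*)   echo notarized ;;
    *"source=Unnotarized Developer ID"*) echo unnotarized ;;
    *)                                   echo unknown ;;
  esac
}

# Re-run an assessment command until it reports a notarized source.
# $1 = max attempts, $2 = seconds between attempts, remaining args = command.
# (Variables are global; POSIX sh has no `local`.)
wait_for_notarized() {
  tries=$1; delay=$2; shift 2
  i=1; state=unknown
  while [ "$i" -le "$tries" ]; do
    # The command's exit status is ignored; the decision comes from its output.
    state=$("$@" 2>&1 | classify_spctl)
    if [ "$state" = notarized ]; then return 0; fi
    if [ "$i" -lt "$tries" ]; then sleep "$delay"; fi
    i=$((i + 1))
  done
  echo "assessment still '$state' after $tries attempts" >&2
  return 1
}

# Signature check, submit, staple, validate, then poll the assessment.
notarize_pkg() {
  pkg=$1; profile=$2
  pkgutil --check-signature "$pkg" || return 1
  xcrun notarytool submit "$pkg" --keychain-profile "$profile" --wait || return 1
  # Stapling embeds the ticket so a Mac without network access can still use it.
  xcrun stapler staple "$pkg" || return 1
  xcrun stapler validate "$pkg" || return 1
  # Attempt count and delay are assumed values, sized for a delay of minutes.
  wait_for_notarized 10 30 spctl -a -vvv -t install "$pkg"
}

# Runs only when called as: notarize.sh <pkg> <keychain-profile>
if [ "$#" -eq 2 ]; then notarize_pkg "$1" "$2"; fi
```

It polls the same spctl assessment the original poster ran; testing the install as a user would, as recommended in the reply above, is still the real Gatekeeper check.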
