Notarization Failed for "The binary is not signed"

Hi,

The notarization worked last month, but now it fails with the information below.

--------------------------------------------------
  createdDate: 2022-05-31T02:01:10.082Z
  id: 780d608d-a183-4caf-aa71-ee93db254e1f
  name: SonicWall Capture Client.4.0.1.Beta.pkg
  status: Accepted

And the submission log shows the error below.

I am not sure why it complains about "The binary is not signed".

{
 "logFormatVersion": 1,
 "jobId": "0b893061-763a-4098-8a0b-a3cb003fa756",
 "status": "Invalid",
 "statusSummary": "Archive contains critical validation errors",
 "statusCode": 4000,
 "archiveFilename": "SonicWall Capture Client.4.0.3.Beta.pkg",
 "uploadDate": "2022-06-10T07:45:06.781Z",
 "sha256": "e8423747eb762a89b134f5ac4dd9f14b1b88f354dde9d3c24959b5cd829458a6",
 "ticketContents": null,
 "issues": [
  {
   "severity": "error",
   "code": null,
   "path": "SonicWall Capture Client.4.0.3.Beta.pkg/SESFiles.pkg Contents/Payload/Library/SonicWall/CaptureClient/SonicWall Capture Client.app/Contents/MacOS/SonicWall Capture Client",
   "message": "The binary is not signed.",
   "docUrl": null,
   "architecture": "x86_64"
  },
  {
   "severity": "error",
   "code": null,
   "path": "SonicWall Capture Client.4.0.3.Beta.pkg/SESFiles.pkg Contents/Payload/Library/SonicWall/CaptureClient/SonicWall Capture Client.app/Contents/MacOS/SonicWall Capture Client",
   "message": "The signature does not include a secure timestamp.",
   "docUrl": null,
   "architecture": "x86_64"
  },
  {
   "severity": "error",
   "code": null,
   "path": "SonicWall Capture Client.4.0.3.Beta.pkg/SESFiles.pkg Contents/Payload/Library/SonicWall/CaptureClient/SonicWall Capture Client.app/Contents/MacOS/SonicWall Capture Client",
   "message": "The executable does not have the hardened runtime enabled.",
   "docUrl": null,
   "architecture": "x86_64"
  },
  {
   "severity": "error",
   "code": null,
   "path": "SonicWall Capture Client.4.0.3.Beta.pkg/SESFiles.pkg Contents/Payload/Library/SonicWall/CaptureClient/SonicWall Capture Client.app/Contents/MacOS/SonicWall Capture Client",
   "message": "The binary is not signed.",
   "docUrl": null,
   "architecture": "arm64"
  },
  {
   "severity": "error",
   "code": null,
   "path": "SonicWall Capture Client.4.0.3.Beta.pkg/SESFiles.pkg Contents/Payload/Library/SonicWall/CaptureClient/SonicWall Capture Client.app/Contents/MacOS/SonicWall Capture Client",
   "message": "The signature does not include a secure timestamp.",
   "docUrl": null,
   "architecture": "arm64"
  },
  {
   "severity": "error",
   "code": null,
   "path": "SonicWall Capture Client.4.0.3.Beta.pkg/SESFiles.pkg Contents/Payload/Library/SonicWall/CaptureClient/SonicWall Capture Client.app/Contents/MacOS/SonicWall Capture Client",
   "message": "The executable does not have the hardened runtime enabled.",
   "docUrl": null,
   "architecture": "arm64"
  }
 ]
}

Basically, what I did was use notarytool to submit:

xcrun notarytool submit ./Installer/Build/4.0.1/SonicWall\ Capture\ Client.4.0.1.Beta.pkg --keychain-profile **** --wait --webhook "https://example.com/notarization"

And I actually think I have set the necessary options:

export OTHER_CODE_SIGN_FLAGS="--timestamp --options=runtime"
export CODE_SIGN_INJECT_BASE_ENTITLEMENTS=NO

Any suggestions?

Thanks in advance

Answered by DTS Engineer in 716733022

Most of the time when the notary service complains that the binary is not signed, that’s because… the binary is not signed. My advice here is:

  1. Find the archive that you submitted to notary. You can do this by matching the SHA-256 checksum in the sha256 property of the notary log:

    % shasum -a 256 "SonicWall Capture Client.4.0.3.Beta.pkg"
    
  2. Unpack it. For an installer I usually do that with Pacifist, but you can do that manually if you’re feeling particularly ‘caveman’.

  3. Check the signature of the binary. Specifically, what does this report:

    % codesign -v -vvv --strict --deep "SonicWall Capture Client.app"
    

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi @eskimo,

Thank you for sharing the debugging process with me. And you are right, this file is indeed not signed.

With this lead, I found that this file is used to make the installer package before it is signed. This explains the issue.

So my next question: here we have two schemes, one for the app and the other for the installer package.

During the execution of the installer package scheme, we were trying to copy the product of the app scheme.

We have a dependency within the installer package scheme, and the app scheme is in that dependency.

But it looks like this cannot guarantee that the app is signed before it is used.

Do you know if there is any way to make sure that the product of the app scheme is signed before it is used/copied?

So my next question: here we have two schemes, one for the app and the other for the installer package.

That’s an unusual approach. The approach I recommend is based on Xcode archives. That is, you create an Xcode archive and then export from that archive. For the first step, use either Product > Archive or xcodebuild, and for the second use either the Xcode organiser or xcodebuild.

This approach has a bunch of advantages:

  • Xcode takes care of re-signing your app for the appropriate export destination.

  • And in the case of the Mac App Store it also creates your installer package.

  • You can fully automate it with xcodebuild.

  • You are left with an Xcode archive containing your build product, which is important for symbolication.

For more on this, see Packaging Mac Software for Distribution.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
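The archive/export pipeline described above, automated with xcodebuild and carried through to notarization and stapling, as an added example; it is not code from the thread or from Apple's documentation. The scheme name `CaptureClient`, team ID `ABCDE12345`, the signing identity `Developer ID Installer: Example Corp (ABCDE12345)` and the keychain profile name `notary` are placeholders. The two small parsing helpers run anywhere; the build itself needs Xcode on macOS.

```shell
#!/bin/sh
# Added example, not from the thread: archive, export, package, notarize, staple.
# Placeholder names: scheme CaptureClient, team ABCDE12345, keychain profile
# "notary" (created beforehand with `xcrun notarytool store-credentials notary`).
set -eu

# ExportOptions.plist for a Developer ID export. With method "developer-id",
# Xcode re-signs the app from the archive with the Developer ID Application
# certificate, hardened runtime and secure timestamp, so the installer never
# sees an unsigned intermediate build product.
export_options_plist() {   # export_options_plist TEAMID
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>method</key><string>developer-id</string>
  <key>teamID</key><string>$1</string>
  <key>signingStyle</key><string>automatic</string>
</dict>
</plist>
EOF
}

# Submission id from `notarytool submit` output on stdin (the "  id: <uuid>"
# line seen in the post), needed to fetch the log when the job is rejected.
submission_id() {
  sed -n 's/^[[:space:]]*id:[[:space:]]*\([0-9a-fA-F-]\{36\}\).*/\1/p' | head -n 1
}

# True when `notarytool submit --wait` output on stdin reports "status: Accepted".
submission_accepted() {
  grep -q '^[[:space:]]*status:[[:space:]]*Accepted'
}

build_and_notarize() {   # build_and_notarize SCHEME TEAMID PROFILE OUTDIR
  scheme=$1; team=$2; profile=$3; out=$4
  mkdir -p "$out"
  export_options_plist "$team" > "$out/ExportOptions.plist"

  # 1. Archive (Product > Archive): the build product and its dSYMs land in the
  #    .xcarchive, which is what you keep for symbolication later.
  xcodebuild -scheme "$scheme" -configuration Release archive \
    -archivePath "$out/$scheme.xcarchive"

  # 2. Export from the archive: Xcode re-signs for the Developer ID destination.
  xcodebuild -exportArchive -archivePath "$out/$scheme.xcarchive" \
    -exportOptionsPlist "$out/ExportOptions.plist" -exportPath "$out/export"
  app=$(find "$out/export" -maxdepth 1 -name '*.app' | head -n 1)

  # 3. Wrap the exported, already-signed app in an installer package and sign
  #    the package with the Developer ID Installer identity (placeholder name).
  productbuild --component "$app" /Applications \
    --sign "Developer ID Installer: Example Corp ($team)" "$out/$scheme.pkg"

  # 4. Notarize; if rejected, pull the per-file issue list like the one in the post.
  result=$(xcrun notarytool submit "$out/$scheme.pkg" --keychain-profile "$profile" --wait 2>&1)
  printf '%s\n' "$result"
  if ! printf '%s\n' "$result" | submission_accepted; then
    id=$(printf '%s\n' "$result" | submission_id)
    xcrun notarytool log "$id" --keychain-profile "$profile" "$out/notary-log.json"
    echo "notarization rejected; issues are in $out/notary-log.json" >&2
    return 1
  fi

  # 5. Staple the ticket and confirm Gatekeeper accepts the package offline.
  xcrun stapler staple "$out/$scheme.pkg"
  spctl --assess --type install -vv "$out/$scheme.pkg"
}

case "${1:-}" in
  "") ;;                          # no arguments: define functions only
  *) build_and_notarize "$@" ;;   # e.g. sh release.sh CaptureClient ABCDE12345 notary build
esac
```

Note that `xcodebuild ... archive` is run without `-project` or `-workspace`, so it must be invoked from a directory containing exactly one project or workspace; add the flag otherwise.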

Hmm, it sounds reasonable, and I will try to figure out the approach you suggested for notarization.

Thanks again for all the detailed info, @eskimo
