Notarization failures with DMG wrapped app

Checking the app on the DMG I get this:

% codesign -d -vv /Volumes/emWave\ Pro/emWave\ Pro.app 

Executable=/Volumes/emWave Pro/emWave Pro.app/Contents/MacOS/emWaveMac
Identifier=com.heartmath.emwave
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=112672 flags=0x10000(runtime) hashes=3510+7 location=embedded
Signature size=8997
Authority=Developer ID Application: NNNNNNNN (GMxxxxxxxx) => obscured
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Jul 28, 2022 at 5:48:25 PM

Info.plist entries=30

TeamIdentifier=GMZxxxxxxxx

Runtime Version=12.3.0

Sealed Resources version=2 rules=13 files=1241

Internal requirements count=1 size=180

For the DMG I get:

% spctl -a -t open -vvv --context context:primary-signature *.dmg

emWave Pro.dmg: rejected
source=Unnotarized Developer ID
origin=Developer ID Application: HeartMath LLC (GMZxxxxx)
code-block

What exactly does this mean, since the same Developer ID: Installer and : Application works in all other combos?

source=Unnotarized Developer ID

Here is my validation for the app:

emWave Pro.app: accepted
source=Developer ID
origin=Developer ID Application: HeartMath LLC (GMZ3FT78RD)

Validation for the DMG shows Unnotarized:

spctl verification:
emWavePro.dmg: rejected
source=Unnotarized Developer ID
origin=Developer ID Application: HeartMath LLC (GMZ3FT78RD)

Here is what I get back from the portal:

{
  "logFormatVersion": 1,
  "jobId": "5b0c0eed-7a61-45ed-8a85-94fe16ec296e",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "emWavePro.dmg",
  "uploadDate": "2022-07-29T14:46:14Z",
  "sha256": "1bb8d490311e237280b29c28831c5078ae628ad1d54e5e70c0ffe8538ad23c42",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "emWavePro.dmg/emWave Pro.app/Contents/MacOS/emWaveMac",
      "message": "The signature of the binary is invalid.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "emWavePro.dmg/emWave Pro.app/Contents/MacOS/emWaveMac",
      "message": "The signature of the binary is invalid.",
      "docUrl": null,
      "architecture": "arm64"
    }
  ]
}

Here is what I get back from the portal

Well, the notary service is definitely grumpy about the copy of your app on the disk image. Try this:

1. Find the emWavePro.dmg that matches this notary log (it should have a SHA-256 checksum of 1bb8d490311e237280b29c28831c5078ae628ad1d54e5e70c0ffe8538ad23c42).

2. Mount it.

3. Use codesign to check the app on the mounted disk image volume:

   % codesign -v -vvv --strict --deep /Volumes/emWave\ Pro/emWave\ Pro.app
   

What do you get back?

You didn’t give any info about how you created this disk image. One common gotcha I’ve seen here is folks using cp -r to copy their app on to their disk image. That doesn’t do the right thing with symlinks, and macOS frameworks rely on symlinks, and so a copy like that will break the app if it contains frameworks.

If you’re copying your app around, use ditto.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Quinn Quinn,

Thanks for your help.

I tried two methods. Both work with our Installer PKG:

1. Script excerpt - we set up a folder and:

hdiutil create -srcfolder "$SRC_DIR" -volname "$VOLNAME" -fs HFS+ \
               -fsargs "-c c=64,a=16,e=16" -format UDRW "$TMP_DMG"

1. The other uses dropDMG from that folder.

All my build scripts use a form of 'ditto' to move or copy stuff.

All my build scripts use a form of ditto to move or copy stuff.

Cool.

What was the result of the test I proposed in the first half of my previous reply?

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Oops. Sorry. I hate that when people only answer part of a question and here I am doing that. But that ****** is gone - so many attempts, to few moments in life.

Here is a fresh one:

• In target folder prior DropDMG (used for quick experimentation, I later bash a script for the QA builds):

% spctl -a -vvv emWave\ Pro.app
emWave Pro.app: accepted
source=Developer ID
origin=Developer ID Application: HeartMath LLC (GMZ3FT78RD)

• Build DMG and sign, mount, and check signature on it:

% spctl -a -vvv emWave\ Pro.app
emWave Pro.app: accepted
source=Developer ID
origin=Developer ID Application: HeartMath LLC (GMZ3FT78RD)```

• Send off to notarization:

https://osxapps-ssl.itunes.apple.com/itunes-assets/Enigma112/v4/68/cd/cc/68cdcc9c-0579-6c35-0d12-e39db9a94e5c/developer_log.json?accessKey=1659643471_4931801388376640712_m64RSh33h2i77lk0c2I0Gnoo%2BBssMltizD7ye7Qdh4BL9n4k6%2BtNEjergyK7I5c5jD%2FSd%2FZzpRxhXhuWv9d11bHUFwSMNuYBijbhQUeqOywgbJkVehljacihBej%2Bc6D6qe0iQgGO877nzBVDx6tuetRH9y8XeJpJV0Kr9y6ZFdE%3D

   RequestUUID: 256cc0c2-7eb2-4b8d-b54f-94b52b2a05f6

{
  "logFormatVersion": 1,
  "jobId": "256cc0c2-7eb2-4b8d-b54f-94b52b2a05f6",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "emWave+Pro.dmg",
  "uploadDate": "2022-08-02T13:59:15Z",
  "sha256": "d0240c577486929536bb8c4f72b0749023d4c2978fdca525ab03214c85ce9a08",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "emWave+Pro.dmg/emWave Pro.app/Contents/MacOS/emWaveMac",
      "message": "The signature of the binary is invalid.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "emWave+Pro.dmg/emWave Pro.app/Contents/MacOS/emWaveMac",
      "message": "The signature of the binary is invalid.",
      "docUrl": null,
      "architecture": "arm64"
    }
  ]
}

• Remount DMG and check, because ... superstition:

% spctl -a -vvv emWave\ Pro.app
emWave Pro.app: accepted
source=Developer ID
origin=Developer ID Application: HeartMath LLC (GMZ3FT78RD)

• Notarize the app by itself from the source folder, since the DMG is RO. My script returns:

[...] Downloaded ticket has been stored at file:///var/folders/1z/zdzqgk4s22s2wjy7ds9d21qm0000gn/T/93dc7955-57cf-4749-ae1c-14662a4fd3dd.ticket.
The validate action worked!

As I wrote, if I drop a signed installer into the same folder, it works. All this is using altool. I am converting scripts to notarize, but that should not make a difference.

Hmmmm, you seem to have not run the command I was looking for. To reiterate:

1. Find the emWavePro.dmg that matches this notary log (it should have a SHA-256 checksum of 1bb8d490311e237280b29c28831c5078ae628ad1d54e5e70c0ffe8538ad23c42).

2. Mount it.

3. Use codesign to check the app on the mounted disk image volume:

   % codesign -v -vvv --strict --deep /Volumes/emWave\ Pro/emWave\ Pro.app
   

What do you get back?

You’re running spctl, and in my experience it’s not a particularly useful tool [1].

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Something I call out in Testing a Notarised Product.

Oops. Thanks. That's what I used to use until reading some Apple docs. Everything's valid. I had to snip some stuff due to forum character limits.

% codesign -v -vvv --strict --deep /Volumes/emWave\ Pro/emWave\ Pro.app
--prepared:/Volumes/emWave Pro/emWave Pro.app/Contents/Frameworks/QtCore.framework/Versions/Current/.
--validated:/Volumes/emWave Pro/emWave Pro.app/Contents/Frameworks/QtCore.framework/Versions/Current/.
--prepared:/Volumes/emWave Pro/emWave Pro.app/Contents/Frameworks/QtDBus.framework/Versions/Current/.
--validated:/Volumes/emWave Pro/emWave Pro.app/Contents/Frameworks/QtDBus.framework/Versions/Current/.
--prepared:/Volumes/emWave Pro/emWave Pro.app/Contents/Frameworks/QtGui.framework/Versions/Current/.
--validated:/Volumes/emWave Pro/emWave Pro.app/Contents/Frameworks/QtGui.framework/Versions/Current/.
--prepared:/Volumes/emWave Pro/emWave Pro.app/Contents/Frameworks/QtMultimedia.framework/Versions/Current/.
--validated:/Volumes/emWave Pro/emWave Pro.app/Contents/Frameworks/QtMultimedia.framework/Versions/Current/.
--prepared:/Volumes/emWave Pro/emWave Pro.app/Contents/Frameworks/QtMultimediaQuick.framework/Versions/Current/.
--validated:/Volumes/emWave Pro/emWave Pro.app/Contents/Frameworks/QtMultimediaQuick.framework/Versions/Current/.
--prepared:/Volumes/emWave Pro/emWave Pro.app/Contents/Frameworks/QtMultimediaWidgets.framework/Versions/Current/.
--validated:/Volumes/emWave Pro/emWave Pro.app/Contents/Frameworks/QtMultimediaWidgets.framework/Versions/Current/.
--prepared:/Volumes/emWave Pro/emWave Pro.app/Contents/Frameworks/QtNetwork.framework/Versions/Current/.
--validated:/Volumes/emWave Pro/emWave Pro.app/Contents/Frameworks/QtNetwork.framework/Versions/Current/.
--prepared:/Volumes/emWave Pro/emWave Pro.app/Contents/Frameworks/QtOpenGL.framework/Versions/Current/.
--validated:/Volumes/emWave Pro/emWave Pro.app/Contents/Frameworks/QtOpenGL.framework/Versions/Current/.
--prepared:/Volumes/emWave Pro/emWave Pro.app/Contents/Frameworks/QtPdf.framework/Versions/Current/.
--validated:/Volumes/emWave Pro/emWave Pro.app/Contents/Frameworks/QtPdf.framework/Versions/Current/.
--prepared:/Volumes/emWave Pro/emWave Pro.app/Contents/Frameworks/QtPositioning.framework/Versions/Current/.
--validated:/Volumes/emWave Pro/emWave Pro.app/Contents/Frameworks/QtPositioning.framework/Versions/Current/.
--prepared:/Volumes/emWave Pro/emWave Pro.app/Contents/Frameworks/QtPrintSupport.framework/Versions/Current/.
--validated:/Volumes/emWave Pro/emWave Pro.app/Contents/Frameworks/QtPrintSupport.framework/Versions/Current/.
--prepared:/Volumes/emWave Pro/emWave Pro.app/Contents/Frameworks/QtQml.framework/Versions/Current/.
--validated:/Volumes/emWave Pro/emWave Pro.app/Contents/Frameworks/QtQml.framework/Versions/Current/.
--prepared:/Volumes/emWave Pro/emWave Pro.app/Contents/Frameworks/QtQmlModels.framework/Versions/Current/.
--validated:/Volumes/emWave Pro/emWave Pro.app/Contents/Frameworks/QtQmlModels.framework/Versions/Current/.
--prepared:/Volumes/emWave Pro/emWave Pro.app/Contents/Frameworks/QtQuick.framework/Versions/Current/.
--validated:/Volumes/emWave Pro/emWave Pro.app/Contents/Frameworks/QtQuick.framework/Versions/Current/.
--prepared:/Volumes/emWave Pro/emWave Pro.app/Contents/Frameworks/QtQuickWidgets.framework/Versions/Current/.
--validated:/Volumes/emWave Pro/emWave Pro.app/Contents/Frameworks/QtQuickWidgets.framework/Versions/Current/.
--prepared:/Volumes/emWave Pro/emWave Pro.app/Contents/Frameworks/QtSerialPort.framework/Versions/Current/.
--validated:/Volumes/emWave Pro/emWave Pro.app/Contents/Frameworks/QtSerialPort.framework/Versions/Current/.
--prepared:/Volumes/emWave Pro/emWave Pro.app/Contents/Frameworks/QtSql.framework/Versions/Current/.
--validated:/Volumes/emWave Pro/emWave Pro.app/Contents/Frameworks/QtSql.framework/Versions/Current/.
--prepared:/Volumes/emWave Pro/emWave Pro.app/Contents/Frameworks/QtSvg.framework/Versions/Current/.
--validated:/Volumes/emWave Pro/emWave Pro.app/Contents/Frameworks/QtSvg.framework/Versions/Current/.
--prepared:/Volumes/emWave Pro/emWave Pro.app/Contents/Frameworks/QtVirtualkeyboard.framework/Versions/Current/.
[...] SNIPP!!!!
--prepared:/Volumes/emWave Pro/emWave Pro.app/Contents/Frameworks/QtWebEngineWidgets.framework/Versions/Current/.
--validated:/Volumes/emWave Pro/emWave Pro.app/Contents/Frameworks/QtWebEngineWidgets.framework/Versions/Current/.
--prepared:/Volumes/emWave Pro/emWave Pro.app/Contents/Frameworks/QtWebView.framework/Versions/Current/.
--validated:/Volumes/emWave Pro/emWave Pro.app/Contents/Frameworks/QtWebView.framework/Versions/Current/.
--prepared:/Volumes/emWave Pro/emWave Pro.app/Contents/Frameworks/QtWidgets.framework/Versions/Current/.
--validated:/Volumes/emWave Pro/emWave Pro.app/Contents/Frameworks/QtWidgets.framework/Versions/Current/.
--prepared:/Volumes/emWave Pro/emWave Pro.app/Contents/Frameworks/QtXml.framework/Versions/Current/.
--validated:/Volumes/emWave Pro/emWave Pro.app/Contents/Frameworks/QtXml.framework/Versions/Current/.
--prepared:/Volumes/emWave Pro/emWave Pro.app/Contents/Frameworks/Sparkle.framework/Versions/Current/.
--prepared:/Volumes/emWave Pro/emWave Pro.app/Contents/Frameworks/Sparkle.framework/Versions/Current/Autoupdate
--validated:/Volumes/emWave Pro/emWave Pro.app/Contents/Frameworks/Sparkle.framework/Versions/Current/Autoupdate
--prepared:/Volumes/emWave Pro/emWave Pro.app/Contents/Frameworks/Sparkle.framework/Versions/Current/Updater.app
--validated:/Volumes/emWave Pro/emWave Pro.app/Contents/Frameworks/Sparkle.framework/Versions/Current/Updater.app
--prepared:/Volumes/emWave Pro/emWave Pro.app/Contents/Frameworks/Sparkle.framework/Versions/Current/XPCServices/org.sparkle-project.Downloader.xpc
--validated:/Volumes/emWave Pro/emWave Pro.app/Contents/Frameworks/Sparkle.framework/Versions/Current/XPCServices/org.sparkle-project.Downloader.xpc
--prepared:/Volumes/emWave Pro/emWave Pro.app/Contents/Frameworks/Sparkle.framework/Versions/Current/XPCServices/org.sparkle-project.InstallerLauncher.xpc
--validated:/Volumes/emWave Pro/emWave Pro.app/Contents/Frameworks/Sparkle.framework/Versions/Current/XPCServices/org.sparkle-project.InstallerLauncher.xpc
--validated:/Volumes/emWave Pro/emWave Pro.app/Contents/Frameworks/Sparkle.framework/Versions/Current/.
/Volumes/emWave Pro/emWave Pro.app: valid on disk
/Volumes/emWave Pro/emWave Pro.app: satisfies its Designated Requirement

Thanks for that. And, yeah, everything looks good there.

At this point I’m out of ideas. I need to take a proper look at your submission, and I don’t have time to do that here on DevForums. Please open a DTS tech support incident and we can pick this up in that context.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thanks. Will try that in a bit under my corporate account harald + @ + heartmath + .com Need to first recover from a little hospital stay after a "cardiac episode."