Notarization step fails due to not signed inner binary

I created a .pkg installer from my Node.js project which I later signed using the productsign tool. Then during the notarization step I got the following error:

{
    "logFormatVersion": 1,
    "jobId": "...",
    "status": "Invalid",
    "statusSummary": "Archive contains critical validation errors",
    "statusCode": 4000,
    "archiveFilename": "....pkg",
    "uploadDate": "...",
    "sha256": "...",
    "ticketContents": null,
    "issues": [
        {
            "severity": "error",
            "code": null,
            "path": ".../keytar.node",
            "message": "The binary is not signed.",
            "docUrl": null,
            "architecture": "x86_64"
        },
        {
            "severity": "error",
            "code": null,
            "path": ".../keytar.node",
            "message": "The signature does not include a secure timestamp.",
            "docUrl": null,
            "architecture": "x86_64"
        }
    ]
}

Is there any way I can solve this problem?

Should I first sign this library using my "Developer ID Application" certificate?

Replies

Signing an installer package does not sign the contents of the package, and the notary service requires that all code be signed. You have two options to fix this:

  • Contact the vendor of the package and ask them to sign the code within it. The notary service will accept this. It requires that all code be signed with a valid Developer ID signing identity, but it doesn’t require that it all be signed with the same one.

  • Unpack the package, sign the code it contains, and then repack it.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
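The second option above (unpack, sign the inner code, repack) as an added shell example; this is not code from the thread or from Apple. It assumes placeholder Developer ID identity names, loose Mach-O files such as Node native modules inside the package, and a DRY_RUN=1 mode that only prints the macOS commands.

```shell
#!/bin/sh
# Added example, not from the original thread: re-sign the native code inside
# a flat .pkg so the notary service stops reporting "The binary is not signed"
# and "The signature does not include a secure timestamp".
# Assumptions: the identity names below are placeholders, and DRY_RUN=1 only
# prints the macOS commands instead of running them.
set -eu

APP_IDENTITY="${APP_IDENTITY:-Developer ID Application: Example Corp (TEAMID)}"  # placeholder
PKG_IDENTITY="${PKG_IDENTITY:-Developer ID Installer: Example Corp (TEAMID)}"    # placeholder
DRY_RUN="${DRY_RUN:-0}"

run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Native modules such as keytar.node are Mach-O files behind an unusual
# extension, so detect code by magic number rather than by file name.
is_macho() {
  magic=$(od -A n -t x1 -N 4 "$1" | tr -d ' \n')
  case "$magic" in
    feedface|cefaedfe|feedfacf|cffaedfe|cafebabe|bebafeca) return 0 ;;
    *) return 1 ;;
  esac
}

# List every Mach-O file below a directory, one path per line.
find_macho() {
  find "$1" -type f | while IFS= read -r f; do
    if is_macho "$f"; then printf '%s\n' "$f"; fi
  done
}

# Sign each Mach-O with the application identity, the hardened runtime and a
# secure timestamp; --force replaces any existing (e.g. ad-hoc) signature.
sign_payload() {
  find_macho "$1" | while IFS= read -r f; do
    run codesign --force --options runtime --timestamp --sign "$APP_IDENTITY" "$f"
  done
}

# Expand the flat package, sign its contents, flatten it again, then sign the
# installer itself with the Installer identity and check the result.
resign_pkg() {  # usage: resign_pkg input.pkg signed-output.pkg
  work=$(mktemp -d)
  run pkgutil --expand-full "$1" "$work/expanded"
  sign_payload "$work/expanded"
  run pkgutil --flatten "$work/expanded" "$work/resigned.pkg"
  run productsign --sign "$PKG_IDENTITY" "$work/resigned.pkg" "$2"
  run pkgutil --check-signature "$2"
  rm -rf "$work"
}
```

Nested bundles (.app, .framework) must be signed inside-out, which this example does not attempt; it covers loose Mach-O files such as Node native modules.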