How to correctly check notarization

Hi,

How to correctly check notarization for my product for DMG and APP bundle?

For APP, if I use this command:

spctl -a -v 'MyProduct.app'

It shows OK for my Mac where I compiled and signed this APP, even if this APP was NOT notarized.

And this command correctly detects missing or failed notarization:

spctl -a -vvv -t install 'MyProduct.app'

For DMG I used this command:

spctl -a -t open --context context:primary-signature MyProduct.dmg -v

However, I'm not sure that all these commands 100% validate successful/absent/failed notarization.
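
An added example, not part of the original post: a shell wrapper around the commands above that reads the `source=` line spctl prints at `-vvv` and turns it into one verdict per artifact. It assumes the `Notarized Developer ID` / `Unnotarized Developer ID` strings in that line, uses `-vvv` for the DMG as well, and reports only the local Gatekeeper assessment on the machine where it runs.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Read `spctl -a -vvv ...` output on stdin and print one verdict:
#   notarized | accepted-other | unnotarized | rejected
classify_spctl() {
    out=$(cat)
    accepted=no
    printf '%s\n' "$out" | grep -q ': accepted$' && accepted=yes
    # Assumption: the assessment source is reported on a "source=" line.
    src=$(printf '%s\n' "$out" | sed -n 's/^source=//p' | head -n 1)
    if [ "$accepted" = yes ] && [ "$src" = "Notarized Developer ID" ]; then
        echo notarized
    elif [ "$accepted" = yes ]; then
        # Accepted for another reason, e.g. a local rule on the build Mac.
        echo accepted-other
    elif [ "$src" = "Unnotarized Developer ID" ]; then
        echo unnotarized
    else
        echo rejected
    fi
}

# Run the question's command for the artifact type and classify the result.
# spctl output is captured from both stdout and stderr.
check_artifact() {
    case "$1" in
        *.app) spctl -a -vvv -t install "$1" 2>&1 | classify_spctl ;;
        *.dmg) spctl -a -vvv -t open --context context:primary-signature "$1" 2>&1 | classify_spctl ;;
        *) echo "unsupported: $1" >&2; return 2 ;;
    esac
}

# Usage on macOS: sh check.sh MyProduct.app MyProduct.dmg
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(check_artifact "$f")"
done
```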

Answered by DTS Engineer in 745653022

The goal of notarisation is to pass Gatekeeper. My advice is that you not test notarisation per se, but rather that you test whether you pass Gatekeeper or not. I describe my preferred way to do that in Testing a Notarised Product.

This is important because passing notarisation does not guarantee that you pass Gatekeeper. Notably, the problem described in Resolving Gatekeeper Problems Caused by Dangling Load Command Paths is one of my biggest ‘call drivers’.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi Quinn,

Thanks for your fast reply and suggested solution.

I will keep using the spctl command, because using a clean VM is very complicated.

Why can't Apple simply modify Gatekeeper to add a special mode for developers for testing apps? In this special mode, caching would not be used.

I believe that building a software package should be fully automated to save developers' time.

Why can't Apple simply modify Gatekeeper to add a special mode for developers for testing apps?

I can’t answer ‘why’ questions but:

  • In general, if you’d like to see Apple improve things then your first step should be to file an enhancement request describing your requirements.

  • However, that’s not necessary in this case. The folks involved already understand the need for better developer insight into its behaviour (r. 60626159).

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
