notarytool rejects bundle with non-ascii filename

My company is used to sign and notarize our software using altool and more recently notarytool. Our application is built as an .app bundle which is then distributed as a .dmg file.

A few days ago the notary step started failing with this error : "The signature of the binary is invalid.". This referred to the main binary of our application.

Of course, the bundle had just been signed with codesign which reported that everything was in order.

Nothing had changed in this binary so we started investigating the code signing toolchain, our dev cerficate, changes in the Apple notarization policy, etc ... all this cost us a lot of time for nothing.

Finally the tracked down the issue : a file with non-ascii filename had been introduced in the bundle. I can reproduce the issue simply by putting an empty file named "é.txt" in the bundle.

So this either a bug in notarytool (.app and .dmg are supposed to support non-ascii characters, aren't they ?) or a known limitation but in that case the error message should be changed.

So please, I kindly ask that Apple :

  • investigates the issue and fixes it if utf-8 support is expected (or at least latin-1).
  • improves the errors messages ; a binary signing issue has nothing to do with filename encoding issue. It is totally misleading.
  • puts in place regression tests so that this does not happen again ; I believe that most apple users use a non-ascii language. Unicode filenames have been around since the 90's. This should be tested.

Best regards

I have an app which main binary has no latin characters whatsoever and it just got notarized correctly with notarytool (macOS 13.2.1, XCode 14.2), I don't think it's an encoding issue.

This is not the place to ask Apple to fix a bug. Use Feedback Assistant.

The underlying issue here is Apple’s code signing infrastructure. The notary service is just an innocent bystander (-: For more background on this problem, see this post.

You should feel free to file a bug against notary service for it to give you a better error message but, as JWWalker says, you need to use Feedback Assistant for that. See my Bug Reporting: How and Why? post for more.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

notarytool rejects bundle with non-ascii filename
 
 
Q