Persistent Notarization Issues with Electron App

I am running into persistent notarization issues with my macOS Electron application.

Despite multiple attempts to resolve these issues, the notarization status remains "Invalid," and the errors in the report are consistent.

What I'm doing

  1. Sign the code like this

codesign --sign "Apple Distribution: Name Lastname (123456)" --deep --force --timestamp=auto path/to/Application.app

I then get: Application.app: replacing existing signature

  2. I then verify the signing with:

codesign --verify --deep --strict --verbose=4 path/to/Application.app

I then get:

--prepared:/path/to/Application.app/Contents/Frameworks/SomeFramework.framework
--validated:/path/to/Application.app/Contents/Frameworks/SomeFramework.framework
--prepared:/path/to/Application.app/Contents/Frameworks/AnotherFramework.framework
--validated:/path/to/Application.app/Contents/Frameworks/AnotherFramework.framework
Application.app: valid on disk
Application.app: satisfies its Designated Requirement

  3. I then build:

npm build

  4. I then package:

zip -r Application.zip Application.app

  5. I then upload:

xcrun notarytool submit Application.zip --apple-id your-apple-id --team-id your-team-id --password your-app-specific-password

  6. Then I check for status and I get:

Successfully received submission info
  createdDate: 2024-08-15T18:21:31.520Z
  id: 55daf39a-4be9-4dd6-a490-1890d33f9e75
  name: Application.zip
  status: Invalid

In the report generated I get issues like:

"path": "path/to/Application.app/Contents/Frameworks/SomeFramework.framework/SomeFramework", "message": "The signature of the binary is invalid.", "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087735", "architecture": "arm64"

and

"path": "path/to/Application.app/Contents/Frameworks/SomeFramework.framework/Versions/Current/Helpers/chrome_crashpad_handler", "message": "The signature does not include a secure timestamp.", "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733", "architecture": "arm64"

What am I doing wrong? I tried signing each issue separately and reran the entire process; it's not working.

Answered by DTS Engineer in 801664022

You are currently signing your code using --deep, which is something I specifically recommend against. See --deep Considered Harmful.

Apple has general advice on how to sign a Mac app correctly:

In this case, however, I recommend that you consult the support resources for your third-party tools, because this is a path that many other folks have walked down previously.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
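
One way to sign without --deep, as an added example (not code from the original post, from Apple, or from any Electron tool): each nested item is signed separately, innermost first, with a secure timestamp and the hardened runtime, which addresses the two report messages quoted in the question. The function names, the file-matching rule (frameworks, helper apps, dylibs and executable files under Contents/Frameworks) and the identity string are assumptions; entitlements are left out.

```shell
#!/bin/bash
# Added example: sign nested code inside out instead of using --deep.
# The Contents/Frameworks layout and the identity string are assumptions.

# List every signable item under Contents/Frameworks, children before the
# bundle that contains them, then the app itself. find does not follow
# symlinks, so Versions/Current is skipped and each binary appears once.
signing_order() {
  app="$1"
  [ -d "$app/Contents/Frameworks" ] && find "$app/Contents/Frameworks" -depth \
    \( -type d \( -name '*.framework' -o -name '*.app' \) \
    -o -type f \( -name '*.dylib' -o -perm -100 \) \) -print
  printf '%s\n' "$app"
}

# Sign each item on its own. --timestamp requests the secure timestamp and
# --options runtime enables the hardened runtime. Entitlements are omitted.
# Set DRY_RUN=1 to print the commands instead of running them.
sign_inside_out() {
  app="$1"
  identity="$2"
  signing_order "$app" | while IFS= read -r item; do
    ${DRY_RUN:+echo} codesign --force --timestamp --options runtime \
      --sign "$identity" "$item" || return 1
  done
}

# Usage (identity is a placeholder):
#   sign_inside_out path/to/Application.app "YOUR SIGNING IDENTITY"
#   codesign --verify --strict --verbose=4 path/to/Application.app
```

Run it on the final build output, after every step that modifies the bundle, and create the zip from the signed bundle.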
