We're having failures reported back to us from the notarization service as of the 4th of September. It's complaining about binaries inside .jar files, saying some aren't signed and others aren't signed with a valid developer certificate. These are third party jars; we unzip the unsigned binaries from these jars, sign them then put them back in using "jar -ufv". Notarizing is only complaining about binaries inside jars and not anything else, which implies our certificates are valid.
Nothing has changed regarding these jars between the notarizing service accepting and rejecting our app. To confirm our suspicions that the notarizing service may be behaving differently, we sent it an app package that previously had succeeded in notarizing. Now the notarizing service fails, citing issues with the same jars as described above.
Are you able to confirm whether anything has changed? Any ideas on what we could look at?
Sorry about not replying sooner; DevForums has an ongoing problem where it fails to notify me of thread updates (r. 131905835)-:
Hmmm, lemme start with an explanation of what you should do, and then come back to the history.
All native code [1] included in a Developer ID product must be signed and notarised. If the code isn’t included in the ticket issued by the notary service, the system won’t run it. Notarisation Fundamentals explains the how and why of this in more detail.
If the native code is embedded in an archive:
-
You must use an archive format that the notary service understands.
-
The code must be signed appropriately.
I discuss this in detail in the Executable Code Inside Archives section of Notarisation Fundamentals.
If the notary service is complaining about the native code within an archive, you have two options:
-
Unpack the archive, sign the code, and repack it.
-
Remove the code from the archive.
Note Don’t discount that last point. If this native code wasn’t previously being covered by your notarised ticket, meaning it could never be executed, and your product actually worked, it’s quite possible that you don’t need that code at all.
Coming back to the history of this, it’s clear that something changed with the notary service recently. The weird thing is that I remember the notary service previously rejecting JAR archives containing code that wasn’t correctly signed. That’s why I included a discussion of this in Notarisation Fundamentals, which dates from 2022. Indeed, I looked through my records and found this post, where I explained this process all the way back in 2020.
So it’s possible we’re in a “gone back to metric” situation [2], where the notary service was previously enforcing this, then stopped, and is now enforcing it again. Regardless of that, the path forward here is the same: Sign and notarise your native code.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
[1] In this context I’m using the term native code to refer to a Mach-O image. This is a binary containing code that the system can load and run directly. See An Apple Library Primer for an explicit definition of that term.
[2] https://www.youtube.com/watch?v=JB6k-fatJmI