The staple and validate action failed! Error 65.

Error 65 means that there is no ticket for the thing you’re trying to staple. The usually means that your notarisation failed but, as you’ve shown here, the notarisation actually succeeded. So either you’re stapling something that you didn’t notarise or the notary service didn’t recognise all of your code, and thus failed to include the relevant value in your ticket.

Before you start debugging this specific problems, there are two parts to your process that you need to fix. The first is this:

codesign --deep --force --options runtime …

Don’t sign code with --deep. See --deep Considered Harmful for an explanation as to why that’s bad. For advice on how to sign and package your code, see:

• Creating distribution-signed code for macOS

• Packaging Mac software for distribution

The second fix relates to this:

ditto -c -k --sequesterRsrc --keepParent dist/mac-arm64/Modelist.app dist/mac-arm64/Modelist.zip

The --sequesterRsrc option is wrong. I talk about what that attribute does in Extended Attributes and Zip Archives. It’s wrong here because:

• Apps shouldn’t rely on extended attributes. In some cases that’s unavoidable, but in the vast majority of cases there shouldn’t be any extended attributes to sequester.

• The notary service doesn’t recognised sequestered extended attributes, so if there are any important attributes in there then things are going to end badly.

I recommend that you start by investigating what extended attributes your app has. There are two that particularly problematic:

• Quarantine attribute — That is, com.apple.quarantine.

• Code signature attributes — That is, com.apple.cs.*. See TN3126 Inside Code Signing: Hashes for more on that.

If you have the quarantine attribute, you should remove it. Don’t just strip it from the app you submit, but track down how your build system added it and then remove it from the source.

If you have any code signature attributes then lemme know, because those are more subtle.

Once you’ve dealt with the above, you can retry this process. If you continue to have problems, check that the following cdhash values line up:

• The value for the app you’re trying to stapler. Dump this using codesign --display -vvv.

• The value that stapler is looking for. Add a -v option to the command to get it to show you the value.

• The values in the notarised ticket. You’ll see these in the notary log. See Fetching the Notary Log for info on how to get that.

I have a lot more info about this stuff in Notarisation Resources. Specifically, check out Notarisation Fundamentals.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thanks Quinn! I appreciate your detailed response and all the links. I followed your advice and I dropped the --deep and the --sequesterRsrc attributes and tried again. As well checked everything recommended. Unfortunately, no difference to end result.

Further on exploring, I did a few more small steps. As I believe it's something with the setup on my machine. I removed every single certificate that even remotely resembles app building/signing from KeyChain and added them back in from XCode (double-checked again its latest version). I did also what I would do on Windows - restarted the machine. Re-set the keychain, env variables, etc...

Still, stuck at the same error.

I've attached a log of my process and outputs if anyone can spot something I missed and I'm doing it wrong. Much appreciated!

The steps

• build a fresh app
• sign all the components first, then the app
• make sure everything is signed
• delete the old one and create a new zip package
• send for notarization
• stapling... Error 65

All the IDs I've checked, match. All the timestamps are there. Even used --preserve-metadata with signing...

Funny thing is, even though my build script is not entirely correct, on GitHub Actions with the same vars and certs (copy&paste), and it staples the damn thing. Not the flow I prefer, but I guess I'll have to make that one work.