Hi Everyone,
Just a quick, and what is probably a really simple question.
Do I require a 'Paid' Apple Developer account if I just wish to notarise my application for use on my local network. I don't see myself needing to use the App Store in the near future.
I know I can manually add the app and authorise it, but I'd like to avoid this.
Kindly
Ryn
Notarization
RSS for tagNotarization is the process of scanning Developer ID-signed software for malicious components before distribution outside of the Mac App Store.
Post
Replies
Boosts
Views
Activity
When I submit my app for notarization, it takes more than 24 hours but still shows "In progress". Does anyone else experience the same issue?
Here is the history records:
Successfully received submission history.
history
--------------------------------------------------
createdDate: 2024-12-22T07:32:20.998Z
id: 81f36df5-21a2-4101-a264-9ac62e7b85a5
name: Gatsbi.zip
status: In Progress
--------------------------------------------------
createdDate: 2024-12-22T04:00:29.496Z
id: 6d99632c-7aef-4e46-bdef-d70845cd39b5
name: Gatsbi.zip
status: In Progress
--------------------------------------------------
createdDate: 2024-12-21T10:54:48.433Z
id: 1fdcd6c6-d707-4521-9b4d-4a5f3e03959a
name: Gatsbi.zip
status: In Progress
--------------------------------------------------
createdDate: 2024-12-21T10:05:02.700Z
id: 4237e15e-00e3-4884-9bdd-f7f900af2dc1
name: Gatsbi.zip
status: In Progress
--------------------------------------------------
createdDate: 2024-12-21T08:40:19.404Z
id: 102039b9-4a16-4fbb-8371-f9b6cb0e1a80
name: Gatsbi.zip
status: In Progress
--------------------------------------------------
createdDate: 2024-12-21T07:31:01.588Z
id: b6f82941-1ac2-4f5d-99ed-c44141934a0d
name: Gatsbi.zip
status: Accepted
I want to distribute a macOS application created with Electron to third parties, but I am currently unable to do so because the code signing is not working correctly.
From the following response, it appears that the code signing itself was successful:
$ codesign -dvvv dist/mac-arm64/AnySticky.app
Executable=/Users/myname/dev/electron-tutorial/dist/mac-arm64/AnySticky.app/Contents/MacOS/AnySticky
Identifier=com.electron.electron-tutorial
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20500 size=778 flags=0x10000(runtime) hashes=13+7 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=e105ecd3c2051554239df404c185f00fca5900de
CandidateCDHashFull sha256=e105ecd3c2051554239df404c185f00fca5900de742e572c154aa889e9929186
Hash choices=sha256
CMSDigest=e105ecd3c2051554239df404c185f00fca5900de742e572c154aa889e9929186
CMSDigestType=2
CDHash=e105ecd3c2051554239df404c185f00fca5900de
Signature size=9083
Authority=Apple Development: MY NAME (66MDM239Z8)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Timestamp=Dec 18, 2024 at 20:26:03
Info.plist entries=30
TeamIdentifier=9C8S7XP2UN
Runtime Version=14.0.0
Sealed Resources version=2 rules=13 files=11
Internal requirements count=1 size=192
However, when I attempt to notarize the app, I receive an error stating that the app is not signed with a valid Developer ID certificate:
$ xcrun notarytool submit dist/mac-arm64/AnySticky.zip --keychain-profile "AnySticky" --wait
Excerpt from the error message:
{
"severity": "error",
"code": null,
"path": "AnySticky.zip/AnySticky.app/Contents/MacOS/AnySticky",
"message": "The binary is not signed with a valid Developer ID certificate.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "AnySticky.zip/AnySticky.app/Contents/Frameworks/AnySticky Helper (Renderer).app/Contents/MacOS/AnySticky Helper (Renderer)",
"message": "The binary is not signed with a valid Developer ID certificate.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
"architecture": "arm64"
},
...
I would greatly appreciate any guidance on how to resolve this issue.
Thanks.
I am reaching out regarding a persistent issue I have been facing with code signing. Despite extensive troubleshooting, I am unable to resolve the problem, and I would greatly appreciate your assistance.
When attempting to sign my electron application with codesign with the following command:
codesign --keychain ~/Library/Keychains/login.keychain --sign “Developer ID Application: MYNAME (DEV-ID)” --force --timestamp --options runtime --verbose=4 dist/mac-arm64/my.app
I receive the following error message:
“Warning: unable to build chain to self-signed root for signer ‘Developer ID Application: MYNAME (DEV-ID)‘“.
This prevents me from successfully completing the code signing and notarization process.
To resolve this, I have meticulously tried to troubleshoot the problem. Here are the steps taken so far:
Imported Certificates into Keychains:
I imported all necessary certificates (including Developer ID Application, Developer ID Certification Authority, Apple Root CA and Apple Root CA - G2) into the keychain.
I tested with both the System and Login keychains (one at a time to avoid errors due to duplicates)
Checked Trust Settings:
I confirmed that the trust settings for the certificates are properly configured to “Always Trust.”
I verified the private key is present in Keychain Access and is properly linked to the public certificate.
Ensured valid identity:
I ensured that the correct Developer ID identity is valid and the associated private key is available (security find-identity -v -p codesigning and security find-key -t private | grep “MY NAME”)
Ensured keychain access permissions:
I ensured that the respective keychain has access permissions (security set-key-partition-list -S apple-tool:,apple: -s -k ~/Library/Keychains/login.keychain)
Verified matching Issuer and Subject to build certificate chain:
I verified that the Issuer and Subject fields in the certificates show the correct references to build the certificate chain.
Deleted and Re-imported Certificates:
I deleted and re-imported the certificates multiple times to ensure there were no import issues or corruption in the certificates.
Tested simplified setup:
I attempted to sign simple files, such as a plain .txt file, using the Developer ID Application certificate
I also attempted signing with minimal flags to rule out any issues with the app structure or build configuration
Updated Xcode Command Line Tools
One potential factor is that I am signing the application on a different machine from the one where the certificates were originally generated. I included the private key when exporting the certificate as a .p12 file from the original computer and imported it into the second computer’s keychain. This second computer is not connected to iCloud, and I suspect this could potentially affect the signing process.
Despite all these efforts, the issue persists, and I am unable to identify the root cause. I would greatly appreciate your guidance on resolving this matter so I can successfully complete the code signing and notarization process.
Thank you for your time and support.
I built Mac app with Electron-forge and sign and notarize my app with Developer ID Application Certification and @electron/osx-sign, @electron/notarize module.
I built my app on macOS Sonoma 14.7.
Then I ran the built app on other mac with "App Store and identified developers" Gatekeeper of macOS version 12.7.3 And it worked well.
But when I ran it on another mac PC of macOS Sonoma 14.4.1, it said my app is damaged.
Why does it happen and How can I solve this issue?
After sending the app archive to apple notarization services, I received the following error: "The signature of the binary is invalid". This error is shown for both the arm64 and x86_64 builds of the app.
Some details about the project:
I have been able to notarize the app in the past, with the latest successful notarization at the start of October.
The organization does have a valid developer membership.
The app has no new dependencies since the last successful notarization.
The project uses automatic managed signing (no visible errors in xcode).
What has changed in app and development environment since the last notarization:
Updated macOS to macOS 15.
Updated to use new Xcode version (16)
The organizations membership did expire for a bit, but is now valid.
Changed apps target macOS version from 12.3 -> 13.5.
What I've tried to debug / resolve this issue:
Clean build folder and re-create archive.
Waiting a period of time and retrying the notarization.
Toggling 'automatic managed signing' off and on.
Tried to look through profiles, provisions, certs to see any issues.
Debug the issue with 'codesign -vvv --deep --strict /path/to/binary/or/bundle' CLI command (output said binary was valid). (https://developer.apple.com/documentation/security/resolving-common-notarization-issues)
Going back to last successful notarized commit and re-notarizing from that point, but that failed as well (changed version number).
Reverted a change of increasing the target macOS version (12.3 -> 13.5).
Compare failed notarization app's info.plist to previous info.plist for any obvious errors.
I tried to install the previous Xcode version, but it seems to be incompatible with macOS 15.
Tried looking online for any other options, but only found a couple similar issues and the suggestions I already tried.
I can provide further information if needed.
Trying to notarise a small VST3 application, but get the "invalid" status. Chrcked the logfile, and there are a few issues there. How should I resolve this?
{
"logFormatVersion": 1,
"jobId": "4438fc34-4900-4302-bf2f-dd2336f44b89",
"status": "Invalid",
"statusSummary": "Archive contains critical validation errors",
"statusCode": 4000,
"archiveFilename": "Abandoned Beta 4.vst3.zip",
"uploadDate": "2024-12-07T10:22:59.950Z",
"sha256": "25457e4fd6e7eae72e8a892e468cef916d173f2fb30d2156d8ff72e33d0f4fe3",
"ticketContents": null,
"issues": [
{
"severity": "error",
"code": null,
"path": "Abandoned Beta 4.vst3.zip/Abandoned Beta 4.vst3/Contents/MacOS/Abandoned Beta 4",
"message": "The binary is not signed.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "Abandoned Beta 4.vst3.zip/Abandoned Beta 4.vst3/Contents/MacOS/Abandoned Beta 4",
"message": "The signature does not include a secure timestamp.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "Abandoned Beta 4.vst3.zip/Abandoned Beta 4.vst3/Contents/MacOS/Abandoned Beta 4",
"message": "The signature of the binary is invalid.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087735",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "Abandoned Beta 4.vst3.zip/Abandoned Beta 4.vst3/Contents/MacOS/Abandoned Beta 4",
"message": "The signature does not include a secure timestamp.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
"architecture": "arm64"
}
]
}
I am developling a electron app, failed when notarize.
I filled in 3 fields:
appleId: my apple account email
apple id password: I generated it from https://account.apple.com/account/manage/section/security, the "app-specific password"
team id: I get it from https://developer.apple.com/account
How can I fix it?
Log:
{
"logFormatVersion": 1,
"jobId": "7bedcb38-5ca7-4d69-be96-1bd660b67942",
"status": "Rejected",
"statusSummary": "Team is not yet configured for notarization. Please contact Developer Programs Support at developer.apple.com under the topic Development and Technical / Other Development or Technical Questions.",
"statusCode": 7000,
"archiveFilename": "Samira.zip",
"uploadDate": "2024-12-04T11:34:01.999Z",
"sha256": "e9cea98493836dfd4c238a25e6d8dae31ed529ed353d4f8463313ee3d431c741",
"ticketContents": null,
"issues": null
}
I just paid for 99$ a year and it's already 48hrs ago since I've paid. But when I click on my name it still says "Pending" and on the main landingpage on https://developer.apple.com/account it still says this
"Purchase your membership.
To continue your enrollment, complete your purchase now
Your purchase may take up to 48 hours to process."
Do I need a membership to codesign and notarising my VST plugins? Cause that'a what I bought it for.
It has been 3 days and it is still in progress. As you can see in the history, I retried a few hours after the initial attempt, both are stuck.
For what it's worth, this is my first notary attempt on this Apple Developer Account, I am aware that first-time submission can take longer.
What should I do at this point? Wait another few days? Is there a human in the loop that needs to manually allow my submission?
I have seen posts about this for the last 2 years. Seems like Apple is not going to do anything about it,
xcrun notarytool history --keychain-profile '[redacted]'
Successfully received submission history.
history
--------------------------------------------------
createdDate: 2024-11-30T01:59:08.408Z
id: 3de4f35a-a950-4b34-8a74-21252b3e49a4
name: Notes.ai.zip
status: In Progress
--------------------------------------------------
createdDate: 2024-11-29T20:49:53.437Z
id: 268e5416-640c-419f-b22a-efe55212b50a
name: Notes.ai.zip
status: In Progress
Hello,
I've notarised my app like this:
`
codesign
codesign --force --deep --entitlements "/Users/username/myapp/myapp.app/Contents/app.entitlements" --sign "Developer ID Application: Username (my team id)" "/Users/username/myapp/myapp.app"
codesign -v /Users/username/myapp/myapp.app
`
`
create .zip file
ditto -c -k --keepParent "myapp.app" "myapp.zip"
`
`
submit binary to Apple
xcrun notarytool submit Shalloville.zip --apple-id "my icloud" --password "xxxx-xxxx-xxxx-xxxx" --team-id "my team id"
`
Is there anything wrong?
I submitted the .zip file on 27/11 and it's still "In Progress".
Successfully received submission history.
history
--------------------------------------------------
createdDate: 2024-11-29T16:05:44.609Z
id: eccf6248-4f2f-4cc1-bb90-88cf13aa08a0
name: Shalloville.zip
status: In Progress
--------------------------------------------------
createdDate: 2024-11-27T08:57:56.373Z
id: 7d9887dc-6bf8-4e39-bcbe-0f22d02dce4f
name: Shalloville.zip
status: In Progress
--------------------------------------------------
createdDate: 2024-11-27T07:05:05.544Z
id: 84c08d62-189d-48b2-80d9-170ddc3edb67
name: Shalloville.zip
status: In Progress
We've recently updated our build server to macOS 15.1.1 and ever since notarization sporadically fails. Notarytool says No Keychain password item found for profile: foo, even though that item is present.
I found out it works when I either log in using Remote Desktop (don't need to do anything else, just login and wait) or when running security unlock-keychain via SSH (but that one's not persistent, either).
We're using GitLab (via gitlab-runner on the build server) and so far notarization hasn't had much problems with the keychain. That started with macOS 15.1.
Are there any changes in 15.1 that we need to be aware of to make this stable?
Hello,
After my developer Id had expired after 5 years, I created a new one, codesigned the app successfully, but could not notarize:
xcrun notarytool submit mac_release/flow5.zip --keychain-profile "XFLR5" --wait
Conducting pre-submission checks for flow5.zip and initiating connection to the Apple notary service...
Error: HTTP status code: 401. Invalid credentials. Username or password is incorrect. Use the app-specific password generated at appleid.apple.com. Ensure that all authentication arguments are correct
I don't think I was using an app specific password before, but the last time I went through this process was 5 years ago.
Thanks in advance for any help.
Hello.
I am developing an electron app with vscode.
And I have some problems while signing and notarizing.
I signed it with electron-osx-sign command.
Then I tried notarize using xcrun notarytool submit .zip --keychian-profile "NotaryCredential" --wait.
but the result says it is invalid.
so I show the notarize log.
Below is the log file.
It says some framework bundles are not signatured.
Please check it and let me know what is the problem.
Thank you.
notarize log.txt
I try to notarize my package, everything works except one signature of a binary. But the output of codesign seems fine.
Notary log:
"logFormatVersion": 1,
"jobId": "350315e0-38ae-4224-a13b-1c4dc20c1cb7",
"status": "Invalid",
"statusSummary": "Archive contains critical validation errors",
"statusCode": 4000,
"archiveFilename": "VocalNet_Installer.pkg",
"uploadDate": "2024-11-26T18:07:57.042Z",
"sha256": "fc59a3c2c3669f641a18d6e6df9b91e9369f8cf9cd827d5a75762beb99dfbcfe",
"ticketContents": null,
"issues": [
{
"severity": "error",
"code": null,
"path": "VocalNet_Installer.pkg/SLink.pkg Contents/Payload/Applications/SLink.app/Contents/MacOS/SLink",
"message": "The signature of the binary is invalid.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087735",
"architecture": "arm64"
}
]
}
Codesign output:
Executable=/Users/200gaga/Main/VocalNet/SLink.app/Contents/MacOS/SLink
Identifier=SLink
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20500 size=319089 flags=0x10000(runtime) hashes=9965+3 location=embedded
VersionPlatform=1
VersionMin=720896
VersionSDK=720896
Hash type=sha256 size=32
CandidateCDHash sha256=26dc42451d203f54e29de37a5f74b8d9f9ab30c2
CandidateCDHashFull sha256=26dc42451d203f54e29de37a5f74b8d9f9ab30c26bb1dcde85d3db13fcb9ab4f
Hash choices=sha256
CMSDigest=26dc42451d203f54e29de37a5f74b8d9f9ab30c26bb1dcde85d3db13fcb9ab4f
CMSDigestType=2
Executable Segment base=0
Executable Segment limit=81920
Executable Segment flags=0x1
Page size=4096
CDHash=26dc42451d203f54e29de37a5f74b8d9f9ab30c2
Signature size=9058
Authority=Developer ID Application: SESSION LOOPS, INC. (29DGL5KQ37)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Nov 26, 2024 at 13:04:23
Info.plist entries=9
TeamIdentifier=29DGL5KQ37
Runtime Version=11.0.0
Sealed Resources version=2 rules=13 files=5060
Internal requirements count=1 size=168
Hi, I have been notarizing my code for several years with the same procedure, but today I have the following message :
Conducting pre-submission checks for FencingFox.zip and initiating connection to the Apple notary service...
Error: HTTP status code: 401. Invalid credentials. Username or password is incorrect. Use the app-specific password generated at appleid.apple.com. Ensure that all authentication arguments are correct.
CloudKit query for FencingFox.pkg (1/00a276f170785e1dcbfbd6873a00b9309672338b) failed due to "Record not found".
Could not find base64 encoded ticket in response for 1/00a276f170785e1dcbfbd6873a00b9309672338b
The staple and validate action failed! Error 65.
I have changed my apple password and migrated to Sequoia.
How should I investigate the issue ?
Hi,
I have built a MacOS application that I intend to distribute directly. I have created a disk image and code-signed successfully with the following response.
xcrun notarytool info --apple-id "" --password
"" --team-id ""
I have also submitted the app for notarisation which says it's accepted.
equipp@equipps-MacBook-Pro dist % xcrun notarytool submit SendFiles.dmg --keychain-profile "Sendfiles-Notarisation" --wait
Conducting pre-submission checks for SendFiles.dmg and initiating connection to the Apple notary service...
Submission ID received
id: a2941225-b036-47b3-a010-547b0dce6a1a
Upload progress: 100.00% (79.0 MB of 79.0 MB)
Successfully uploaded file
id: a2941225-b036-47b3-a010-547b0dce6a1a
path: /Users/equipp/Documents/GitHub/sendfiles/dist/SendFiles.dmg
Waiting for processing to complete.
Current status: Accepted................
Processing complete
id: a2941225-b036-47b3-a010-547b0dce6a1a
status: Accepted
When I run the application on a clean mac, I am still getting the error that this application is from an unidentified developer and might contain malware.(There's internet connection)
However, when I try to staple the application, I am getting an error 65. Unsure what's
going wrong with the notarisation.
equipp@equipps-MacBook-Pro dist % xcrun stapler staple SendFiles.dmg
Processing: /Users/equipp/Documents/GitHub/sendfiles/dist/SendFiles.dmg
Could not validate ticket for /Users/equipp/Documents/GitHub/sendfiles/dist/SendFiles.dmg
The staple and validate action failed! Error 65.
equipp@equipps-MacBook-Pro dist %
Can you please help?
Iam trying to notarize with notarytool command with app-specific password.
xcrun notarytool submit <Path> --apple-id <APPLE_ID> --password <APP_SPECIFIC_PASSWORD> --team-id <Team-ID>
But it fails with error Error: HTTP status code: 401. Unable to authenticate. Invalid session. Ensure that all authentication arguments are correct.
Tried generating new app-specific password, still failing.
Tried storing password in keychain with store-credentials option, again failing.
--verbose option with store-credentials showing below error
This process stores your credentials securely in the Keychain. You reference these credentials later using a profile name.
Validating your credentials...
[06:05:28.854Z] Info [API] Initialized Notary API with base URL: https://appstoreconnect.apple.com/notary/v2/\
[06:05:28.854Z] Info [API] Preparing GET request to URL: https://appstoreconnect.apple.com/notary/v2/test?, Parameters: [:], Custom Headers: private<Dictionary<String, String>>
[06:05:28.855Z] Debug [AUTHENTICATION] Delaying current request to refresh app-specific password token.
[06:05:28.855Z] Info [API] Preparing GET request to URL: https://appstoreconnect.apple.com/notary/v2/asp?, Parameters: [:], Custom Headers: private<Dictionary<String, String>>
[06:05:28.855Z] Debug [AUTHENTICATION] Authenticating request to '/notary/v2/asp' with Basic Auth. Username: , Password: private, Team ID:
[06:05:28.856Z] Debug [TASKMANAGER] Starting Task Manager loop to wait for asynchronous HTTP calls.
[06:05:30.194Z] Debug [API] Received response status code: 401, message: unauthorized, URL: https://appstoreconnect.apple.com/notary/v2/asp?, Correlation Key:
[06:05:30.195Z] Error [TASKMANAGER] Completed Task with ID 2 has encountered an error.
[06:05:30.195Z] Debug [TASKMANAGER]Ending Task Manager loop.
Error: HTTP status code: 401. Unable to authenticate. Invalid session. Ensure that all authentication arguments are correct.
I'm trying to store credentials on my keychange by doing this: xcrun notarytool store-credentials --apple-id APPLE-ID --team-id TEAM-ID I then I'm asked for a profile name, and the the App-specific password for my apple-id. This is when I'm getting an error: "Invalid credentials. Username or password is incorrect. Use the app-specific password generated at appleid.apple.com. Ensure that all authentication arguments are correct.".
Now, I've generated the app specific pw by logging in here: https://account.apple.com/ but when I login to my Developers account, I do it here: https://developer.apple.com/account/
I've signed up for the "$99 a year"-program. Is there a problem that I've created the pw on what looks like my "private" page and not my "developer" page?
I'm trying to distribute my macOS application (a .dmg file) to customers, and I've followed all the steps to sign and notarize the application. However, when I try to install the .dmg containing the app, Gatekeeper rejects it with the error "AppName cannot be opened because developer is not verified". Even though I’ve signed the app with my Developer ID, notarized it, and verified the signature using codesign, I am still encountering issues when attempting to install or open the app on a clean macOS environment. Here’s the error I see when using spctl to check the .dmg:
spctl --assess --type open --verbose=4 output/App.dmg
output/App.dmg: rejected
source=Insufficient Context
When trying:
spctl -a -t open -vvv --context context:primary-signature output/App.dmg
output/Unbounded.dmg: accepted
source=Notarized Developer ID
origin=Developer ID Application:
My .app is signed and notarised by electron builder and I explicitly signed and notarised dmg too but still not working