I have signed and notarized a single-file executable command-line tool, developed outside Xcode and distributed outside the App Store as a download from a website, as follows below, but Gatekeeper nevertheless blocks running the tool with the usual message, just as if it had not been signed or notarized.
If I remove the com.apple.quarantine xattr, the tool runs as it should without Gatekeeper interference, as expected.
I have browsed countless posts here with similar issues, but in the end I can't find what's wrong with the process.
From what I gather, as long as the target Mac is connected to the Internet, stapling should not be required (I do understand I can't staple a single-file executable command-line tool), although Gatekeeper would be expected to complain if the first run is done without an Internet connection.
The certificate is a "Developer ID Application" certificate, installed and valid on the machine doing the signing.
It is unclear to me what the distinction is between "Developer ID Application" and "Developer ID Installer" certificates, but it's confusing that using -t install with spctl will actually accept the app.
The app is open source and available on GitHub (although the full distribution packaging is done in a separate build environment with some additional logic). The app used below as the target for signing and notarization is available to download from https://www.axantum.com/ in a .tar.gz archive.
Here follows a log of commands and output:
XecretsCli.plist: (This was necessary to add to the signing to avoid corruption of the executable by the code signing)
codesign -s GCXRMT5SQC -f --timestamp -s 0CF6800E595AA6DE9EBB905066619A9BFDD17A77 --entitlements XecretsCli.plist -o runtime XecretsCli
codesign -d -vvv --entitlements :- XecretsCli
Executable=/Users/svante/Downloads/XecretsCli-Osx-2.3.567 3/XecretsCli
Identifier=XecretsCli
Format=Mach-O thin (x86_64)
CodeDirectory v=20500 size=271478 flags=0x10000(runtime) hashes=8473+7 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=d3a8216fcb22b4a4af7bd0157ecc3d2b6be9f9b2
CandidateCDHashFull sha256=d3a8216fcb22b4a4af7bd0157ecc3d2b6be9f9b20c9e3c17e107f08c7ae75c5a
Hash choices=sha256
CMSDigest=d3a8216fcb22b4a4af7bd0157ecc3d2b6be9f9b20c9e3c17e107f08c7ae75c5a
CMSDigestType=2
CDHash=d3a8216fcb22b4a4af7bd0157ecc3d2b6be9f9b2
Signature size=8987
Authority=Developer ID Application: Axantum Software AB (GCXRMT5SQC)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Jun 20, 2024 at 13:26:05
Info.plist=not bound
TeamIdentifier=GCXRMT5SQC
Runtime Version=13.1.0
Sealed Resources=none
Internal requirements count=1 size=172
Warning: Specifying ':' in the path is deprecated and will not work in a future release
codesign -v -vvv --strict --deep XecretsCli
XecretsCli: valid on disk
XecretsCli: satisfies its Designated Requirement
zip XecretsCli.zip XecretsCli
adding: XecretsCli (deflated 63%)
xcrun notarytool submit "XecretsCli.zip" --keychain-profile "Notarize" --wait
Conducting pre-submission checks for XecretsCli.zip and initiating connection to the Apple notary service...
Submission ID received
id: e5990902-3101-42de-a1a6-b9ea40b944b8
Upload progress: 100.00% (12.4 MB of 12.4 MB)
Successfully uploaded file
id: e5990902-3101-42de-a1a6-b9ea40b944b8
path: /Users/svante/Downloads/XecretsCli-Osx-2.3.567 3/XecretsCli.zip
Waiting for processing to complete.
Current status: Accepted........
Processing complete
id: e5990902-3101-42de-a1a6-b9ea40b944b8
status: Accepted
spctl -a -vvv XecretsCli
XecretsCli: rejected (the code is valid but does not seem to be an app)
origin=Developer ID Application: Axantum Software AB (GCXRMT5SQC)
spctl -a -vvv -t install XecretsCli
XecretsCli: accepted
source=Notarized Developer ID
origin=Developer ID Application: Axantum Software AB (GCXRMT5SQC)
Trying to run the executable shows this dialog:
"XecretsCli" can't be opened because the identity of the developer cannot be confirmed. Your security preferences allow installation of only apps from the App Store and identified developers. Chrome downloaded this file today at 10:37. [OK]
Notarization is the process of scanning Developer ID-signed software for malicious components before distribution outside of the Mac App Store.
Error code 1
"bundle format unrecognized, invalid, or unsuitable"
Yeah, I'm trying to codesign a Python app which has been bundled with py2app, but without success.
The codesign process logs a whole bunch of files with the above error.
import subprocess

def run_command(cmd):
    # Run a command and return (success, combined stdout/stderr); this helper
    # was referenced but not shown in the original post.
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.returncode == 0, (proc.stdout + proc.stderr).strip()

def sign_file(file_path, certificate_common_name, hardened_runtime=False):
    sign_command = ["codesign", "-s", certificate_common_name, "--force", "--timestamp", "-v"]
    if hardened_runtime:
        sign_command.append("--options=runtime")  # options before the target path
    sign_command.append(file_path)
    success, message = run_command(sign_command)
    return success, message
There are literally hundreds of files that fail, and the path may look something like this:
code/dist/Impulse.app/Contents/Resources/lib/python3.10/plotly/validators/splom/marker:
Needless to say, notarization returns "failed".
Any help would be greatly appreciated.
Steven
Error:
{
  "logFormatVersion": 1,
  "jobId": "1654af2a-ff0e-46ff-8839-5c374e63228b",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "LocalApp-macosx.zip",
  "uploadDate": "2024-06-12T05:33:53.719Z",
  "sha256": "28ffff0e2c33b2f57a9f1c25677e84232bfa04b1ef5341130afbbf18093ba0ab",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "LocalApp-macosx.zip/LocalApp-macosx.app/Contents/Resources/Java/Disk1/InstData/Resource1.zip/$BUILD_ROOT$/Desktop/collaborator.app_zg_ia_sf.jar/Contents/MacOS/applet",
      "message": "The signature of the binary is invalid.",
      "docUrl": "Resolving common notarization issues | Apple Developer Documentation",
      "architecture": "i386"
    },
    {
      "severity": "error",
      "code": null,
      "path": "LocalApp-macosx.zip/LocalApp-macosx.app/Contents/Resources/Java/Disk1/InstData/Resource1.zip/$BUILD_ROOT$/Desktop/collaborator.app_zg_ia_sf.jar/Contents/MacOS/applet",
      "message": "The signature of the binary is invalid.",
      "docUrl": "Resolving common notarization issues | Apple Developer Documentation",
      "architecture": "x86_64"
    }
  ]
}
Why is the binary regarded as invalid and what remedy is recommended?
Hello, I've developed an application using ElectronNET with C# and Blazor Server. I have managed to deploy to both Windows and the web, but I'm having trouble deploying the application to my Mac users.
It's my first time deploying an application for Mac, but I feel like I'm stuck at the last hurdle and out of ideas, so I'm reaching out for help.
My application is successfully signing, but during the build, when my Notarize.js runs, it seems to get stuck indefinitely.
I can check and see the status of the notarize attempts, but they seem to be stuck "In Progress". Here are the logs.
Successfully received submission history.
history
--------------------------------------------------
createdDate: 2024-06-12T22:16:35.362Z
id: 26192605-001b-46ae-b622-9a79c20e1e93
name: CustomerSupportDashboard.zip
status: In Progress
--------------------------------------------------
createdDate: 2024-06-12T18:51:21.772Z
id: 6a34501c-8f48-4986-ae5e-82a99320dcbc
name: CustomerSupportDashboard.zip
status: In Progress
--------------------------------------------------
createdDate: 2024-06-12T15:13:44.722Z
id: ea5cd928-8207-4d25-b74a-45b04960dbe0
name: CustomerSupportDashboard.zip
status: In Progress
--------------------------------------------------
createdDate: 2024-06-12T14:24:48.776Z
id: 00ccd1f9-daa4-4bba-9a86-9f577c51f26b
name: CustomerSupportDashboard.zip
status: In Progress
--------------------------------------------------
createdDate: 2024-06-12T14:07:43.116Z
id: bf5dfa9c-9702-413b-8fbb-94017e930bcf
name: CustomerSupportDashboard.zip
status: In Progress
These have been running for over 6 hours now, and it's my understanding it should take minutes; correct me if I'm wrong.
Here is my Notarize script if it helps diagnose what might be happening, although the requests seem to be going through OK, so it doesn't seem likely.
const { execFile } = require('child_process'); // was missing in the original: execFile is used below

exports.default = async function notarizing(context) {
  const { electronPlatformName, appOutDir } = context;
  if (electronPlatformName !== 'darwin') {
    console.log('Not a macOS platform, skipping notarization.');
    return;
  }
  const appName = context.packager.appInfo.productFilename;
  const appPath = `${appOutDir}/${appName}.app`;
  const zipPath = `${appOutDir}/${appName}.zip`;
  console.log(`Zipping the app at path: ${appPath} to: ${zipPath}`);

  // Archive the app with ditto, the tool Apple documents for notarization uploads.
  // (`zip -r` on an absolute path stores the whole directory prefix in the archive.)
  await new Promise((resolve, reject) => {
    execFile('ditto', ['-c', '-k', '--keepParent', appPath, zipPath], (error, stdout, stderr) => {
      if (error) {
        console.error(`Failed to zip app: ${stderr || stdout}`);
        reject(new Error(`Failed to zip app: ${stderr || stdout}`));
      } else {
        console.log(`Successfully zipped app: ${stdout}`);
        resolve();
      }
    });
  });

  console.log('Notarizing the app with Apple ID: *************.*****@*******.****');
  await new Promise((resolve, reject) => {
    execFile('xcrun', [
      'notarytool',
      'submit',
      zipPath,
      '--apple-id', '*************.*****@*******.****',
      '--password', '****-****-****-****',
      '--team-id', '**********',
      '--wait',
      '--output-format', 'json'
    ], (error, stdout, stderr) => {
      if (error) {
        console.error(`Notarization failed: ${stderr || stdout}`);
        reject(new Error(`Notarization failed: ${stderr || stdout}`));
      } else {
        console.log(`Successfully notarized: ${stdout}`);
        resolve();
      }
    });
  });
};
Hi there,
My app detects connected BlackMagic devices on a user's machine, and this is done using the DeckLink SDK, which first tries to load /Library/Frameworks/DeckLinkAPI.framework using CFBundleCreate. I have not been able to create a notarized app which successfully detects the devices. Either the DeckLinkAPI works, or the app starts up without showing "the developer cannot be verified" on my test computer, but never both.
This is what I've tried so far:
signed app: DeckLinkAPI available
hardened runtime: DeckLinkAPI not available
hardened runtime + com.apple.security.cs.disable-library-validation: DeckLinkAPI available, notarization succeeds, yet I still get "the developer cannot be verified"
I've also tried to use weak linking to DeckLinkAPI.framework instead of including the SDK's CFBundleCreate code, but that made no difference: I still needed the com.apple.security.cs.disable-library-validation entitlement for that to work, which caused "the developer cannot be verified".
DeckLinkAPI.framework is notarized:
> codesign --test-requirement="=notarized" --verify --verbose /Library/Frameworks/DeckLinkAPI.framework
/Library/Frameworks/DeckLinkAPI.framework: valid on disk
/Library/Frameworks/DeckLinkAPI.framework: satisfies its Designated Requirement
/Library/Frameworks/DeckLinkAPI.framework: explicit requirement satisfied
Is there any way to successfully notarize an app that uses the DeckLink SDK, or any other third-party notarized framework that is distributed separately?
Hello there.
I'm having trouble with notarization in Xcode.
I'm developing a Swift Mac app with Xcode 14, but even when I enable Hardened Runtime and perform notarization, it displays the message "Hardened Runtime is not enabled" and I can't proceed.
The steps for notarization are [Window] -> [Organizer] -> [Distribute App] -> [Developer ID] [Next] -> [Upload].
Could you please tell me what I should check, or any other information?
I've attached screenshots.
Thank you.
Hi!
I am fairly new to Mac/Python development. I have written a Python script that includes the lovely customtkinter library. The app works, I have checked it extensively, but after creating an executable with both PyInstaller and py2app, my app keeps failing notarization. I have the developer account, I have the Developer ID Application: Name (xxxxxxxxxx).
In my last attempt with py2app, I try to codesign the .app bundle with:
codesign --deep --force --verbose --options=runtime --timestamp --sign "Developer ID Application: Lennert Esser (5823RMSZ52)" XYZ\ 2\ OSC.app
If I do that, I receive a clean message: XYZ 2 OSC.app: signed app bundle with Mach-O universal (x86_64 arm64) [com.myname.appname.app]
the verify of the code signature gives nice messages as well:
--prepared:/Users/lennert/Documents/SoftwareDevelopment/PythonLocal/Pozyx/dist/XYZ 2 OSC.app/Contents/MacOS/python
--validated:/Users/lennert/Documents/SoftwareDevelopment/PythonLocal/Pozyx/dist/XYZ 2 OSC.app/Contents/MacOS/python
....
XYZ 2 OSC.app: valid on disk
XYZ 2 OSC.app: satisfies its Designated Requirement
So I would say, so far so good...?
BUT.... if I try to notarize my archived .app bundle, the notarization fails, with loads of errors, with both:
"The signature does not include a secure timestamp."
and
"The binary is not signed with a valid Developer ID certificate."
I am completely stuck. Believe me, I have tried everything: Google, ChatGPT, multiple tries to codesign everything separately with:
find /path/to/my/app/contents -type f -exec codesign -s "Developer ID Application: Name (xxxxxxxxxx)" {} \;
please, please someone help me explain what I am doing wrong....
I am pretty much at a loss here...
In the past I used altool, which worked. Not sure if related though; it's been a while since. But it's the same build script I use, just with altool replaced by notarytool.
I first codesign:
MYNAME@MYMACNAME ~ % codesign --verbose --force --options runtime --timestamp --sign "COMPANYSIGN" "/Volumes/DiskW/projects-cool-MYNAME/MYPRODPATH/osx/final_MYPRODNAME-dist/mac-MYPRODNAME-files/MYPRODNAME.app"
/Volumes/DiskW/projects-cool-MYNAME/MYPRODPATH/osx/final_MYPRODNAME-dist/mac-MYPRODNAME-files/MYPRODNAME.app: replacing existing signature
/Volumes/DiskW/projects-cool-MYNAME/MYPRODPATH/osx/final_MYPRODNAME-dist/mac-MYPRODNAME-files/MYPRODNAME.app: signed app bundle with Mach-O thin (x86_64) [com.MYCOMPANY.MYPRODNAME]
MYNAME@MYMACNAME ~ %
Then display entitlements:
MYNAME@MYMACNAME ~ % codesign --verbose --display --entitlements :- "/Volumes/DiskW/projects-cool-MYNAME/MYPRODPATH/osx/final_MYPRODNAME-dist/mac-MYPRODNAME-files/MYPRODNAME.app"
Executable=/Volumes/DiskW/projects-cool-MYNAME/MYPRODPATH/osx/final_MYPRODNAME-dist/mac-MYPRODNAME-files/MYPRODNAME.app/Contents/MacOS/MYPRODNAME
Identifier=com.MYCOMPANY.MYPRODNAME
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=127176 flags=0x10000(runtime) hashes=3967+3 location=embedded
Signature size=9057
Timestamp=16 May 2024 at 11.49.11
Info.plist entries=17
TeamIdentifier=MYTEAMID
Runtime Version=10.16.0
Sealed Resources version=2 rules=13 files=279
Internal requirements count=1 size=188
MYNAME@MYMACNAME ~ %
Then I try do notarization (see next post)
Hello,
I've been trying to update my application for days and have tried everything. My whole environment is unchanged except for an update to the latest Xcode version; I only fixed a bug in my code and renewed my expired certificates with the same IDs.
I've also been able to test the app with TestFlight.
The app is built successfully, validated, uploaded to App Store Connect, submitted for review, accepted and published online on the Mac App Store.
I've been able to update the application from the Mac App Store.
Now here is the problem: if I delete the application and try to reinstall it from the App Store, it says "unable to install, try again later"; then the Mac App Store is stuck, and I need to quit/restart it to be able to try a new install.
I also distribute my application outside of the Mac App Store. I've also signed and notarized my app successfully with my Developer ID certificate; I tried with Organizer and also with xcrun notarytool on the command line, and all is OK, but when I run the exported application, it says that the application is damaged (right-click/Open works, and the app then works well).
The only thing that I can see is this (compared with my previous version):
spctl -a -vvv -t install myapp.app:
myapp.app: rejected (invalid destination for symbolic link in bundle)
I don't have the error on my previous version.
I've checked all the links inside the package; I don't see any problem or invalid link (and the app can run perfectly...).
I've also checked the logs.json file after the notary result; no problem appears.
The whole structure of the application and the files inside the .app is exactly the same between the previous version and the new one with this problem.
I hope that someone could help me to solve this problem :)
Hello, we have a pkg file which used to be easily notarized using a particular Apple ID, but after we shifted to another account it is taking forever.
We have created an app-specific password and made use of it. Is there anything we have done incorrectly?
Current status: In Progress........................................................
[12:12:27.335Z] Info [API] Waiting 20 seconds before next poll...
[12:12:47.337Z] Info [API] Preparing GET request to URL: https://appstoreconnect.apple.com/notary/v2/submissions/***-xxxxxx?, Parameters: [:], Custom Headers: private<Dictionary<String, String>>
[12:12:47.338Z] Debug [AUTHENTICATION] Using cached token value for app-specific password request: xxxxx:xxxxx@***
[12:12:47.338Z] Debug [AUTHENTICATION] Authenticating request to '/notary/v2/submissions/***-xxxxxx' with WebServices Token. AppleID: xxxx@***, Team ID: xxxxxxxxxx, Token: private<String>
[12:12:47.339Z] Debug [TASKMANAGER] Starting Task Manager loop to wait for asynchronous HTTP calls.
[12:12:47.886Z] Debug [API] Received response status code: 200, message: no error, URL: https://appstoreconnect.apple.com/notary/v2/submissions/***-xxxxxx?, Correlation Key: GBCZEFTI5NQ3263GKRANCEPD4I
[12:12:47.887Z] Debug [TASKMANAGER] Completed Task with ID 58 has received a parsable response.
[12:12:47.887Z] Debug [TASKMANAGER] Ending Task Manager loop.
[12:12:47.888Z] Info [API] Received new status: In Progress
Up until about 6 months ago, I was receiving the Apple success or failed email notifications. I no longer get them and can't figure out why. I checked my email rules and even the quarantine in Exchange. What can cause this and what else can I check? I am an Admin on the account but not the Account holder though.
codesign --sign "Apple Development: deok cheul kim (DK46XUS3ZB)" --deep --force --options=runtime --entitlements ./entitlements.plist --timestamp ./mediasend_PC_module_mac_V1.app
codesign -vvv --deep --strict mediasend_PC_module_mac_V1.app
mediasend_PC_module_mac_V1.app: valid on disk
mediasend_PC_module_mac_V1.app: satisfies its Designated Requirement
spctl --assess --type execute --verbose mediasend_PC_module_mac_V1.app
mediasend_PC_module_mac_V1.app: rejected
xcrun notarytool store-credentials "kdcProfile" --apple-id "kdc07..." --password "emfc-lmhz-kynx-xqyy"
ditto -c -k --sequesterRsrc --keepParent mediasend_PC_module_mac_V1.app mediasend_PC_module_mac_V1.zip
xcrun notarytool submit "mediasend_PC_module_mac_V1.zip" --keychain-profile "kdcProfile" --wait
Conducting pre-submission checks for mediasend_PC_module_mac_V1.zip and initiating connection to the Apple notary service...
Submission ID received
id: 431e50cc-131a-48eb-be1e-6e1139dea347
Upload progress: 100.00% (15.7 MB of 15.7 MB)
Successfully uploaded file
id: 431e50cc-131a-48eb-be1e-6e1139dea347
path: /Users/sinaburo7/Desktop/appleCert/mediasend_PC_module_mac_V1.zip
Waiting for processing to complete.
Current status: Invalid............
Processing complete
id: 431e50cc-131a-48eb-be1e-6e1139dea347
status: Invalid
xcrun notarytool log 431e50cc-131a-48eb-be1e-6e1139dea347 --keychain-profile "kdcProfile"
{
  "logFormatVersion": 1,
  "jobId": "431e50cc-131a-48eb-be1e-6e1139dea347",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "mediasend_PC_module_mac_V1.zip",
  "uploadDate": "2024-04-30T04:19:29.294Z",
  "sha256": "0661974c3a2e073ab21b15bd0c65a8647bfe756fa42e07d2bb0522a20850de32",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "mediasend_PC_module_mac_V1.zip/mediasend_PC_module_mac_V1.app/Contents/MacOS/mediasend_PC_module_mac_V1",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
      "architecture": "arm64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "mediasend_PC_module_mac_V1.zip/mediasend_PC_module_mac_V1.app/Contents/Frameworks/libtcl8.6.dylib",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
      "architecture": "arm64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "mediasend_PC_module_mac_V1.zip/mediasend_PC_module_mac_V1.app/Contents/Frameworks/libssl.3.dylib",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
      "architecture": "arm64"
    },
    ...
This is how it went.
I don't know why the error occurs.
For reference, the python app was installed using the script below.
pyinstaller --onedir --hidden-import=PIL --hidden-import=flask --hidden-import=psutil --hidden-import=requests --name mediasend_PC_module_mac_V1 --icon=logo3_iMf_icon.icns --noconsole --add-data="logo3_iMf_icon.icns:." --add-data="logo.png:." --add-data="wifi.gif:." --add-data="sleep.gif:." -d all album_mac.py
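The first post on this page, the customtkinter post and the PyInstaller post above all run into the same three notary rejections: a leaf certificate that is not "Developer ID Application" (an "Apple Development" identity, as in the codesign command just above), a signature without a secure timestamp, and a binary without the hardened-runtime flag. What follows is an added example, not code from any of the posters or from Apple: a Python pre-flight that parses `codesign -d -vvv` output and reports those three problems before you upload, and also pulls out the CDHash, the value a notarization ticket is keyed on, so you can compare the hash of the copy you notarized with the copy users actually download (if the downloaded bytes differ, no ticket will match). The first sample is the codesign output quoted in the first post; the second is constructed to look like a bundle signed with an Apple Development identity and without --timestamp or --options runtime, and its names and hashes are made up. The field names are the ones codesign prints.

```python
import re
import shutil
import subprocess
import sys

# Sample 1: the `codesign -d -vvv` output quoted in the first post on this page
# (Developer ID leaf certificate, secure timestamp, hardened runtime enabled).
GOOD_OUTPUT = """\
Executable=/Users/svante/Downloads/XecretsCli-Osx-2.3.567 3/XecretsCli
Identifier=XecretsCli
Format=Mach-O thin (x86_64)
CodeDirectory v=20500 size=271478 flags=0x10000(runtime) hashes=8473+7 location=embedded
Hash type=sha256 size=32
CDHash=d3a8216fcb22b4a4af7bd0157ecc3d2b6be9f9b2
Signature size=8987
Authority=Developer ID Application: Axantum Software AB (GCXRMT5SQC)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Jun 20, 2024 at 13:26:05
TeamIdentifier=GCXRMT5SQC
Runtime Version=13.1.0
"""

# Sample 2: constructed output for a binary signed the way several posts above
# did it: an "Apple Development" identity, no --timestamp, no --options runtime.
# Names and hashes here are made up.
BAD_OUTPUT = """\
Executable=/Users/demo/dist/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=1234 flags=0x0(none) hashes=30+3 location=embedded
Hash type=sha256 size=32
CDHash=0000000000000000000000000000000000000000
Signature size=4700
Authority=Apple Development: Example Dev (ABCDE12345)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
"""

FLAGS_RE = re.compile(r"flags=0x[0-9a-fA-F]+\(([^)]*)\)")


def parse_codesign_display(text):
    """Reduce `codesign -d -vvv` output to the fields that matter for notarization."""
    info = {"identifier": None, "cdhash": None, "timestamp": None,
            "authorities": [], "flags": set()}
    for line in text.splitlines():
        if line.startswith("CodeDirectory"):
            m = FLAGS_RE.search(line)
            if m:
                info["flags"] = {f.strip() for f in m.group(1).split(",")}
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key == "Authority":
            info["authorities"].append(value)   # leaf certificate is listed first
        elif key == "Identifier":
            info["identifier"] = value
        elif key == "CDHash":
            info["cdhash"] = value              # the value a notarization ticket is keyed on
        elif key == "Timestamp":
            info["timestamp"] = value           # line is absent when signed without --timestamp
    return info


def notarization_problems(info):
    """Return the reasons the notary service would reject this signature (empty = clean)."""
    problems = []
    leaf = info["authorities"][0] if info["authorities"] else "(unsigned)"
    if not leaf.startswith("Developer ID Application:"):
        problems.append(f"not signed with a Developer ID Application certificate (leaf: {leaf})")
    if info["timestamp"] is None:
        problems.append("no secure timestamp (re-sign with --timestamp)")
    if "runtime" not in info["flags"]:
        problems.append("hardened runtime not enabled (re-sign with --options runtime)")
    return problems


def preflight(path):
    """Run codesign against a real file (macOS only); returns (cdhash, problems)."""
    if shutil.which("codesign") is None:
        raise RuntimeError("codesign not found; this check needs macOS")
    proc = subprocess.run(["codesign", "-d", "-vvv", path], capture_output=True, text=True)
    info = parse_codesign_display(proc.stderr + proc.stdout)   # codesign -d writes to stderr
    return info["cdhash"], notarization_problems(info)


if __name__ == "__main__":
    for target in sys.argv[1:]:
        cdhash, problems = preflight(target)
        print(f"{target}: cdhash={cdhash} " + ("OK" if not problems else "; ".join(problems)))
```

Run it over every Mach-O in a bundle (for example `find App.app -type f -perm -u+x`) before `notarytool submit`; the notary log lists exactly these files one by one, so catching them locally saves a round trip. On the user side, the CDHash printed for the downloaded file must match the one from the build you notarized.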
Previously, we did notarization with the help of altool, but it has now been decommissioned by Apple. We need to use notarytool for notarization.
My application is not on the App Store, so I tried storing credentials in the keychain, but encountered an error after providing all the details, including Apple ID, app-specific password and Team ID. It shows the error below.
Error: HTTP status code: 401. Unable to authenticate. The application is not allowed for primary authentication. Ensure that all authentication arguments are correct.
We created the app-specific password using the same Apple ID account which also has the certificates with which we are trying to notarize our application.
Initially, we were not able to access this Apple ID account because the employee that created this account has now left the organisation and we did not have enough information for access.
We contacted Apple and got an alias to the original Apple ID account; after that we were able to create an app-specific password.
We are not sure if this alias account access is affecting our issue, or maybe there is some particular setting that could affect the authorisation.
Below is the complete info regarding the issue.
mohd.faizan@KELLGGNLPTP1659 ~ % xcrun notarytool store-credentials --verbose --apple-id "XXXX" --password "YYYY" --team-id "ZZZZ"
[11:32:40.047Z] Debug [MAIN] Running notarytool version: unknown (0), date: 2024-04-23T11:32:40Z, command: /Applications/Xcode.app/Contents/Developer/usr/bin/notarytool store-credentials --verbose --apple-id XXXX --password private --team-id ZZZZ
This process stores your credentials securely in the Keychain. You reference these credentials later using a profile name.
Profile name:
NotaryProfile
Validating your credentials...
[11:32:48.390Z] Info [API] Initialized Notary API with base URL: https://appstoreconnect.apple.com/notary/v2/
[11:32:48.392Z] Info [API] Preparing GET request to URL: https://appstoreconnect.apple.com/notary/v2/test?, Parameters: [:], Custom Headers: private<Dictionary<String, String>>
[11:32:48.393Z] Debug [AUTHENTICATION] Delaying current request to refresh app-specific password token.
[11:32:48.393Z] Info [API] Preparing GET request to URL: https://appstoreconnect.apple.com/notary/v2/asp?, Parameters: [:], Custom Headers: private<Dictionary<String, String>>
[11:32:48.394Z] Debug [AUTHENTICATION] Authenticating request to '/notary/v2/asp' with Basic Auth. Username: XXXX, Password: private, Team ID: ZZZZ
[11:32:48.396Z] Debug [TASKMANAGER] Starting Task Manager loop to wait for asynchronous HTTP calls.
[11:32:50.102Z] Debug [API] Received response status code: 401, message: unauthorized, URL: https://appstoreconnect.apple.com/notary/v2/asp?, Correlation Key: 5WDGB4XPJJAUCMTFMR6TUYYRPI
[11:32:50.103Z] Error [TASKMANAGER] Completed Task with ID 2 has encountered an error.
[11:32:50.103Z] Debug [TASKMANAGER] Ending Task Manager loop.
Error: HTTP status code: 401. Unable to authenticate. The application is not allowed for primary authentication. Ensure that all authentication arguments are correct.
Can anyone help me in resolving this issue?
What steps do I need to take to fix this?
Thanks in advance for the help.
I'm encountering a peculiar issue with my macOS installer application when hardened runtime is enabled (--options runtime) during code signing, and I'm hoping to get some guidance on how to resolve it.
Issue Description:
My installer application is designed to prompt users for system credentials upon launch. After entering the correct credentials and clicking "OK", users should see the next screen to proceed with the installation process. However, with hardened runtime enabled, the application stops responding after the credential entry step. The next screen, where users should proceed with installation, does not appear. If I codesign without using hardened runtime, my installer works fine. However it fails during notarization.
What I've Tried:
I have reviewed Apple's documentation on hardened runtime and notarization to ensure I'm following best practices.
I've checked the Console logs for any relevant error messages or warnings, but haven't found any conclusive information.
Additional Information:
The application is an installer built using bitrock installbuilder.
It relies on prompting users for system credentials using standard macOS authentication mechanisms.
Initially the installer is in tar.gz format which I extract to get .app file. This file is codesigned. Next I create a .DMG of the codesigned .app file and codesign the DMG before sending it for notarization.
Request for Assistance:
I'm seeking guidance on how to address this issue with my installer application not proceeding after credential entry when hardened runtime is enabled. Are there any specific configurations, entitlements, or best practices that I might be missing? Or are there alternative approaches I should consider to ensure compatibility while still meeting Apple's security requirements for notarization?
Any insights or advice from your experiences would be greatly appreciated. Thank you in advance for your help!
I am building plug-ins for audio software.
I am using the JUCE framework and I am building with VScode / CMake / Ninja / LLVM
I want to package the output, which are two bundles "Sinensis.component" (the AU plugin) and "Sinensis.vst3" (the vst3 plugin)
I am using this script :
codesign -s "Developer ID Application: $DEVELOPER_ID" --timestamp --force -o runtime -i "$PLUGIN_NAME".component "$PLUGIN_NAME".component/Contents/MacOs/"$PLUGIN_NAME" #--options=runtime
pkgbuild --install-location /Library/Audio/Plug-Ins/Components --sign "Developer ID Installer: $DEVELOPER_ID" --timestamp --identifier "$IDENTIFIER"au --version "$VERSION" --root "$PLUGIN_NAME".component "$PLUGIN_NAME"_au.pkg
codesign -s "Developer ID Application: $DEVELOPER_ID" --timestamp --force -o runtime -i "$PLUGIN_NAME".vst3 "$PLUGIN_NAME".vst3/Contents/MacOs/"$PLUGIN_NAME" #--options=runtime
pkgbuild --install-location /Library/Audio/Plug-Ins/VST3 --sign "Developer ID Installer: $DEVELOPER_ID" --timestamp --identifier "$IDENTIFIER"vst3 --version "$VERSION" --root "$PLUGIN_NAME".vst3 "$PLUGIN_NAME"_vst3.pkg
productbuild --synthesize --package "$PLUGIN_NAME"_au.pkg --package "$PLUGIN_NAME"_vst3.pkg distribution.xml
productbuild --distribution distribution.xml --resources Resources/ "$PLUGIN_NAME".pkg
productsign --sign "Developer ID Installer: $DEVELOPER_ID" "$PLUGIN_NAME".pkg "$PLUGIN_NAME"_installer.pkg --timestamp
xcrun notarytool submit --keychain-profile "thomas" "$PLUGIN_NAME"_installer.pkg --wait
xcrun stapler staple "$PLUGIN_NAME"_installer.pkg
invoked as: distribute.sh Sinensis "Thomas Xxxxxx (<personal identifier>)" <identifier for the package> 101
I am using --force because of a post on the JUCE forum that I strangely cannot link to here. tl;dr: the binary is signed at the build stage and needs --force to overwrite that with my signature.
But it ends up with error 65:
Conducting pre-submission checks for Sinensis_installer.pkg and initiating connection to the Apple notary service...
Submission ID received
id: 38ba301b-f857-4408-b665-9e11e8647ca1
Upload progress: 100,00 % (6,10 MB of 6,10 MB)
Successfully uploaded file
id: 38ba301b-f857-4408-b665-9e11e8647ca1
path: /Users/thomas/Desktop/Sinensis_installer.pkg
Waiting for processing to complete.
Current status: Invalid............
Processing complete
id: 38ba301b-f857-4408-b665-9e11e8647ca1
status: Invalid
Processing: /Users/thomas/Desktop/Sinensis_installer.pkg
CloudKit query for Sinensis_installer.pkg (1/dc8136b4b82a4e9c9f7b5e6064238488e97f04ad) failed due to "Record not found".
Could not find base64 encoded ticket in response for 1/dc8136b4b82a4e9c9f7b5e6064238488e97f04ad
The staple and validate action failed! Error 65.
Looking at the log via xcrun notarytool log return
{
  "logFormatVersion": 1,
  "jobId": "75fa5853-d19d-42a5-9069-4ed0d8f735be",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "Sinensis_installer.pkg",
  "uploadDate": "2024-04-19T10:11:07.372Z",
  "sha256": "da6457f73d1b93995392f844a25f4b9bc9750eac0555ae72854b14e270e32685",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "Sinensis_installer.pkg/Sinensis_au.pkg Contents/Payload/Library/Audio/Plug-Ins/Components/Contents/MacOS/Sinensis",
      "message": "The signature of the binary is invalid.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087735",
      "architecture": "arm64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "Sinensis_installer.pkg/Sinensis_vst3.pkg Contents/Payload/Library/Audio/Plug-Ins/VST3/Contents/MacOS/Sinensis",
      "message": "The signature of the binary is invalid.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087735",
      "architecture": "arm64"
    }
  ]
}
codesign -vvv --deep --strict Sinensis.vst3 returns
Sinensis.vst3: valid on disk
Sinensis.vst3: satisfies its Designated Requirement
pkgutil --check-signature Sinensis_installer.pkg returns
Package "Sinensis_installer.pkg":
Status: signed by a developer certificate issued by Apple for distribution
Signed with a trusted timestamp on: 2024-04-19 10:21:59 +0000
Certificate Chain:
1. Developer ID Installer: Thomas Guillory (53B2GD4XYM)
Expires: 2027-02-01 22:12:15 +0000
SHA256 Fingerprint:
E8 D7 4A 6D CD 19 56 A2 39 C9 15 00 09 06 EA 98 01 B0 AF 85 59 AA
AE 26 71 89 56 9B 54 EF 48 B3
------------------------------------------------------------------------
2. Developer ID Certification Authority
Expires: 2027-02-01 22:12:15 +0000
SHA256 Fingerprint:
7A FC 9D 01 A6 2F 03 A2 DE 96 37 93 6D 4A FE 68 09 0D 2D E1 8D 03
F2 9C 88 CF B0 B1 BA 63 58 7F
------------------------------------------------------------------------
3. Apple Root CA
Expires: 2035-02-09 21:40:36 +0000
SHA256 Fingerprint:
B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C
68 C5 BE 91 B5 A1 10 01 F0 24
I tried to unpack the .pkg using Pacifist as recommended in multiple threads, but the bundle wasn't recognized as such; I may not have followed the correct procedure.
I've read the man pages for productbuild, codesign and productsign.
I've also read the macOS code signing technical note, although I didn't understand everything clearly (especially the part on nested code, which seems relevant).
The closest thing I could find was this forum post, but the bundles seem to be correctly seen by macOS as bundles and not as folders.
I'm really lost at this point.
May Eskimo come shed some enlightenment on my poor newbie soul 🙏
Have a nice day!
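Reading the notarytool log quoted above by hand gets tedious once a nested installer repeats the same error for every payload binary and architecture. The following is an added example, not code from the original post: it parses the JSON that `xcrun notarytool log <id>` returns, groups issues by root cause, and separates blocking errors from warnings. The sample log, its paths and the warning's docUrl are constructed; only the "#3087735" anchor comes from the thread.

```python
"""Summarise a notarytool developer log (JSON from `xcrun notarytool log <id>`).
Added example; SAMPLE_LOG is constructed to mirror the thread's entries."""
import json
from collections import defaultdict

DOC = ("https://developer.apple.com/documentation/security/notarizing_macos_"
       "software_before_distribution/resolving_common_notarization_issues")
# Hypothetical payload path inside a nested component package.
AU = ("Ex_installer.pkg/Ex_au.pkg Contents/Payload/Library/Audio/Plug-Ins/"
      "Components/Ex.component/Contents/MacOS/Ex")
SAMPLE_LOG = json.dumps({"status": "Invalid", "issues": [
    {"severity": "error", "code": None, "path": AU, "architecture": "arm64",
     "message": "The signature of the binary is invalid.", "docUrl": DOC + "#3087735"},
    {"severity": "error", "code": None, "path": AU, "architecture": "x86_64",
     "message": "The signature of the binary is invalid.", "docUrl": DOC + "#3087735"},
    {"severity": "warning", "code": None, "path": AU, "architecture": "arm64",
     "message": "The signature does not include a secure timestamp.", "docUrl": DOC},
]})

def parse_log(text):
    """Return (status, issues); an Accepted log may have no issues key at all."""
    data = json.loads(text)
    return data.get("status"), data.get("issues") or []

def summarise(issues):
    """Group by (severity, message, docUrl) so one root cause that hits many
    payload binaries or both slices of a universal binary is listed once."""
    groups = defaultdict(list)
    for issue in issues:
        key = (issue["severity"], issue["message"], issue.get("docUrl"))
        groups[key].append((issue["path"], issue.get("architecture")))
    return dict(groups)

def blocking_paths(issues):
    """Paths carrying an 'error'; warnings alone do not make a submission Invalid."""
    return sorted({i["path"] for i in issues if i["severity"] == "error"})

def report(text):
    """Human-readable summary with errors listed before warnings."""
    status, issues = parse_log(text)
    lines = [f"status: {status}"]
    groups = sorted(summarise(issues).items(),
                    key=lambda kv: (kv[0][0] != "error", kv[0][1]))
    for (severity, message, url), hits in groups:
        lines.append(f"[{severity}] {message} ({len(hits)} hit(s)) -> {url}")
        lines.extend(f"    {arch or '?'}: {path}" for path, arch in hits)
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Feed it a real log with `xcrun notarytool log <id> --keychain-profile <profile> log.json` and pass the file's contents to `report`.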
Hello, I apologize for my poor English.
Due to the discontinuation of the altool command line tool for notarizing client applications on Mac, we are transitioning from the altool command line to the notarytool command line.
However, when attempting to add a profile to Keychain, the following command returns an error if the userID or password is incorrect:
xcrun notarytool store-credentials "AC_PASSWORD" --apple-id "mailadress" --team-id "TEAMID" --password xxxx-xxxx-xxxx-xxxx
Although the password and other credentials have been entered correctly multiple times, it is possible that a step is being missed.
The current process is as follows:
Belonging to the Apple Developer Program of the client.
Generating an app-specific password from the Apple ID account page with the TEAMID.
Adding a profile to Keychain with the above information using the notarytool command line, where the error occurs.
If anyone has experience using the notarytool or has notarized Mac applications using an alternative method, any advice on the steps would be greatly appreciated.
Thank you in advance.
I’m new to Mac packaging and am confused by the multi-part signing and packaging process.
I have built an app, using third party software, that I would like to upload to the Mac store for trial/testing purposes.
I have joined the Apple Developers Programme, but am unsure whether I need to invest in third-party certification (e.g. Verisign) or can self-certify my app package.
I would be obliged if someone would outline the sequence of steps that I need to follow to create a package that can be offered to users, and confirm whether my AD License is sufficient for me to follow same.
Thanks in advance for any advice.
Regards,
L
We submit for notarization using:
xcrun notarytool submit --apple-id ACCOUNT --team-id XXXXXX --password NNNNNN application.zip
I have occasionally had success uploading one of the applications, but I have never been successful uploading the bigger one.
What is the reason for this? The files are not very large. The small file is only 6.0GB and the big file is only 17.5GB.
Of the past 100 failures:
72: error: HTTPClientError.deadlineExceeded
28: error: The operation couldn’t be completed. (Network.NWError error 54 - Connection reset by peer))
On average it takes me around 50 attempts (2 days of uploading) to get past the S3 client configuration.
I have tried 5 different internet providers for these uploads. None of them work any better, even ones that have great latency and connections to AWS.
I only have a limited number of Mac OS X machines, so I have tried on all of the ones I can afford, but none of them work better or worse than my new MacBook Pro (2021).
I have tried every single option and combination of options from man notarytool, including disabling S3 acceleration, setting timeouts, and trying to use wait. I have tried them all.
Can someone please help me figure this out? I'm getting desperate and this is making me look really ****** for pushing to have a Mac OS X port because Mac users are stuck waiting for the notarization service which lags the Mac updates by many days.
The error messages make it clear that notarytool is using Soto S3. The developer has indicated in multiple threads that the error HTTPClientError.deadlineExceeded is fixed by increasing the client timeout. Is there a way I can modify notarytool to apply this patch?
https://github.com/soto-project/soto/discussions/622
Is it possible to write our own S3 upload tool that bypasses Soto S3 and uses something more reliable?
Again, the files I am uploading are not very big; none of them are bigger than 25GB. I don't understand why it doesn't work.
I've been getting a notarization error for about a month and it's not resolved. (Case ID: 102252824962)
The error message I received is as I wrote in the title: "Team is not yet configured for notarization". When I contact the support team by phone, they say that this error message is not correct and that there is no problem with my individual account.
When I contacted the support team by phone, their only answer was that "Your case has been escalated to the engineers, and they’re working on it."
By the way, the support team never even responds to my email support requests.
The application I wrote is very very small and simple, I don't understand why it is taking so long to be analyzed and why the support team can't give any explanation?
I started the notarization process last night with the following command
xcrun notarytool submit --wait --keychain-profile "Developer ID Application: ..." --verbose Open\ Interface.zip
When I check its status, it still shows as in progress over 16 hours later:
xcrun notarytool history --keychain-profile "Developer ID Application: ..."
Successfully received submission history.
history
--------------------------------------------------
createdDate: 2024-04-09T03:49:07.620Z
id: 8fcf8111-c18c-4941-acb6-f447d86735a2
name: Open Interface.zip
status: In Progress
--------------------------------------------------
createdDate: 2024-04-09T03:23:58.816Z
id: 93461030-f230-4225-b9f2-5d9472904858
name: Open Interface.zip
status: In Progress
Does anyone know what might be going wrong?
My .zip file is available here: https://github.com/AmberSahdev/Open-Interface/releases/download/0.5.0/Open-Interface-v0.5.0-MacOS.zip
Thanks!
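A small checker for the `notarytool history` output shown above, as an added example that is not part of the original post: it parses the text records, computes how long each submission has been "In Progress", and flags the ones older than a threshold so a stuck submission stands out among the normal ones. The sample records and ids are constructed, and the one-hour threshold is an assumption, not an Apple-stated limit.

```python
"""Flag `xcrun notarytool history` submissions stuck 'In Progress'.
Added example; SAMPLE_HISTORY is constructed in the format quoted above."""
from datetime import datetime, timedelta, timezone

# Constructed sample (made-up ids); mirrors the layout notarytool prints.
SAMPLE_HISTORY = """Successfully received submission history.
  history
    --------------------------------------------------
    createdDate: 2024-04-09T03:49:07.620Z
    id: 00000000-0000-0000-0000-000000000001
    name: Example.zip
    status: In Progress
    --------------------------------------------------
    createdDate: 2024-04-08T20:00:00.000Z
    id: 00000000-0000-0000-0000-000000000002
    name: Example.zip
    status: Accepted
"""

def parse_history(text):
    """Split the output into one dict per dashed-line-delimited record."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("----"):
            if current:
                records.append(current)
            current = {}
        elif ": " in line:
            key, value = line.split(": ", 1)
            current[key] = value
    if current:
        records.append(current)
    return records

def parse_created(value):
    """createdDate is ISO-8601 UTC with milliseconds and a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def stale_submissions(text, now, max_age=timedelta(hours=1)):
    """Return (id, name, age) for records still 'In Progress' longer than
    max_age; the threshold is an assumption, tune it to your own experience."""
    stale = []
    for record in parse_history(text):
        if record.get("status") != "In Progress":
            continue
        age = now - parse_created(record["createdDate"])
        if age > max_age:
            stale.append((record["id"], record["name"], age))
    return stale

if __name__ == "__main__":
    for sub_id, name, age in stale_submissions(SAMPLE_HISTORY, datetime.now(timezone.utc)):
        print(f"{sub_id} {name} in progress for {age}; check `notarytool info {sub_id}`")
```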