--notarize-app now failing because of "com.apple.security.get-task-allow entitlement"

During the Mojave beta, I manually submitted our app for notarization and, after a few corrections, it worked!


Now I'm trying to fit the notarization process into our release build workflow and it's failing. Every executable in the package is getting rejected with the message


"The executable requests the com.apple.security.get-task-allow entitlement."


I've looked all over Xcode and our project settings and I can't find this entitlement anywhere.


Is this something I need to turn off, and if so how?


Notes: the successful tests were done in the Mojave beta using Xcode version 10, while the new build scripts are running in High Sierra and Xcode version 10.0 (10A255). Also, the submissions are being uploaded using the altool.

Replies

Slowly going in circles, but getting nowhere...


After some more research, it appears that the archive command is insufficient to produce a distributable product. Searching the (vague) Xcode and xcodebuild docs, it would appear that what I need to do in Xcode 10 is take the additional step of exporting the archive to create a distributable app, which I can then package into a dmg, and upload that dmg to be notarized.


I first create an archive using xcodebuild archive; the products are already signed using my Developer ID.


I created an ArchiveExport.plist with the following:

<plist version="1.0">
<dict>
    <key>method</key>
    <string>developer-id</string>
</dict>
</plist>


Then I executed the command

xcodebuild -exportArchive -archivePath release.xcarchive -exportPath ./release-export-dir -exportOptionsPlist ArchiveExport.plist

And was rewarded with this error:

error: exportArchive: exportOptionsPlist error for key 'method': expected one of {}, but found developer-id


According to xcodebuild -help, this key is described as

  method : String
  Describes how Xcode should export the archive. Available options: app-store, validation, ad-hoc, package, enterprise, development, developer-id, and mac-application. The list of options varies based on the type of archive. Defaults to development.


So I don't understand the error or what I'm doing wrong.

I'm pretty sure the "com.apple.security.get-task-allow" entitlement is automatically added to the final build product to enable debugging support, and Apple's notarization workflow (archive, upload, export) removes this entitlement when you submit the app for notarization. If you're trying to automate that workflow in your build system, you'll probably have to strip the entitlement manually and re-sign the product before submitting it for notarization.

Agreed. But nowhere can I find any documentation for this.


The WWDC18 video for notarization says you can build a DMG from your archived/exported app and submit that using the altool. But now that the final release is out, that's no longer working.


So while I agree that I need to "strip the com.apple.security.get-task-allow entitlement and resign my app," I can't find the tools/syntax that will do that. Isn't this what the xcodebuild -exportArchive command is supposed to do?

I've made some progress. The problem turned out to be with (a) limitations of the -exportArchive command and (b) Xcode's new workflow for notarization.


It appears that the command-line equivalent of generating an archive of your project, uploading it for notarization, and finally producing the finished (stapled) app package is thus:


xcodebuild \
   -workspace MyApp.xcworkspace \
   -scheme MyScheme \
   -configuration Release \
   -archivePath $Release/MyApp.xcarchive \
   archive
xcodebuild \
   -exportArchive \
   -archivePath $Release/MyApp.xcarchive \
   -exportOptionsPlist ExportOptions.plist

That performs the archive and uploads the app for notarization. The ExportOptions file will need to look like this:


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>destination</key>
    <string>upload</string>
    <key>method</key>
    <string>developer-id</string>
    <key>signingStyle</key>
    <string>automatic</string>
    <key>teamID</key>
    <string>Your team id</string>
</dict>
</plist>

Note that in my project, the product is already signed so signingStyle and teamID are unnecessary.


Finally, once the notarization service is finished you can export that stapled app:


xcodebuild \
  -exportNotarizedApp \
  -archivePath $Release/MyApp.xcarchive \
  -exportPath $Release/MyAppDistribution


This last step still isn't working for me, because even after I receive notification that the app has been notarized and is ready for release, the xcodebuild -exportNotarizedApp command just reports "Ticket not found" errors.


Finally, the other stumbling block I was encountering is that all of this depends on exporting and uploading a *single* app for notarization. The export/upload will fail if there is more than one product in the archive. Our top-level build target produces all three apps that get distributed to our users.


So I had to refactor our build so that each app gets archived, uploaded, notarized, and exported individually.
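The two things a build engineer needs to automate here are the ExportOptions.plist fed to `xcodebuild -exportArchive`, and a pre-submission check that the product no longer carries the `com.apple.security.get-task-allow` entitlement that the notary service rejected in the original post. The script below is an added example, not code from the thread or from Apple: `build_export_options()` generates the plist from the keys shown above, and `has_get_task_allow()` parses an entitlements plist (such as the output of `codesign -d --entitlements :- MyApp.app`) and reports whether the debugging entitlement is present. The team ID and the two entitlements documents are constructed sample values; `check_bundle()` is a thin wrapper that only works on a Mac with codesign installed.

```python
#!/usr/bin/env python3
"""Added example for this thread (not Apple's or the poster's code).

  1. build_export_options() writes the ExportOptions.plist that
     `xcodebuild -exportArchive ... -exportOptionsPlist` expects for a
     Developer ID export that uploads to the notary service.
  2. has_get_task_allow() inspects an entitlements plist and reports whether
     com.apple.security.get-task-allow is set, which is the condition the
     notary service rejected in the original post.
"""
import plistlib
import subprocess


def build_export_options(team_id=None, upload=True):
    """Return ExportOptions.plist bytes for a developer-id export.

    upload=True adds `destination: upload`, which makes xcodebuild send the
    exported app to the notary service instead of writing it to -exportPath.
    signingStyle/teamID are only needed when the archive is not already signed.
    """
    options = {"method": "developer-id"}
    if upload:
        options["destination"] = "upload"
    if team_id is not None:
        options["signingStyle"] = "automatic"
        options["teamID"] = team_id
    return plistlib.dumps(options)


def has_get_task_allow(entitlements_blob):
    """True if the entitlements plist sets com.apple.security.get-task-allow.

    Accepts raw bytes as printed by codesign. If the blob still carries the
    8-byte binary header (codesign --entitlements without the ':' prefix),
    skip to the first '<' so plistlib can parse the XML.
    """
    start = entitlements_blob.find(b"<")
    if start < 0:
        return False  # no XML at all: the binary has no entitlements
    entitlements = plistlib.loads(entitlements_blob[start:])
    return bool(entitlements.get("com.apple.security.get-task-allow", False))


def check_bundle(path):
    """Run codesign on a real bundle (macOS only) and return True if the
    debugging entitlement is present. Shown only to illustrate the wiring."""
    out = subprocess.run(
        ["codesign", "-d", "--entitlements", ":-", path],
        capture_output=True, check=True,
    ).stdout
    return has_get_task_allow(out)


# Constructed sample: entitlements as a Debug build of a sandboxed app might carry.
DEBUG_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.get-task-allow</key>
    <true/>
</dict>
</plist>
"""

# Constructed sample: the same entitlements with the debugging entitlement removed.
RELEASE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    # "ABCDE12345" is a placeholder team ID, not a real one.
    print(build_export_options(team_id="ABCDE12345").decode())
    print("debug build has get-task-allow:", has_get_task_allow(DEBUG_ENTITLEMENTS))
    print("release build has get-task-allow:", has_get_task_allow(RELEASE_ENTITLEMENTS))
```

Running `has_get_task_allow()` over every executable in the exported product before the altool upload turns the notary service's rejection into a local build failure, which is cheaper to diagnose than the asynchronous notarization log.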

It sounds like you worked out the command line usage. For future reference, we now have these guides to help:


https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution/customizing_the_notarization_workflow?language=objc

https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution?language=objc


For the "ticket not found" error, that sounds like an issue on macOS 10.13.6 with a stale cache that some developers may have hit. Workarounds are here:


https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution/resolving_common_notarization_issues?language=objc

There are some extra steps needed to export a project from Xcode, which properly completes the work needed to prepare an app for distribution. It sounds like you worked out the command line usage. For future reference, we now have these guides to help:


https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution/customizing_the_notarization_workflow?language=objc

https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution?language=objc