Notarize and staple ticket to unix executable

This is a query on how to staple a ticket to a Unix executable after notarization. I am new to the macOS environment. The following steps are used to notarize and staple the Unix executable:-

1) Enabled the hardened runtime on an already created Unix executable with the command:- codesign --force --options runtime --sign "Developer ID Application: Company LLP" <unix executable>

2) Created the directory codesign_utilities

3) Added all the codesigned Unix executables into it and compressed it to a zip file as:- zip -r codesign_utilities.zip codesign_utilities

4) Ran the command for notarization:- xcrun altool --notarize-app --primary-bundle-id "com.def.ghi" --username <developer ID> --password <related password> --file codesign_utilities.zip. I am able to notarize the zip file.

5) Later, I am trying to staple the ticket to the Unix executables that are part of the zip file with the command:- xcrun stapler staple <unix executable>. But it is throwing an error as

"Could not remove existing ticket from <unix executable>/Contents/CodeResources ... {Error Domain=NSPOSIXErrorDomain Code=20 "Not a directory"}}

The staple and validate action failed! Error 73.

I believe the error is occurring because it is just a Unix executable and not an executable bundle in .app format.

Query:-

- Can you help me with the best ways to staple the ticket to a Unix executable?

- Is it mandatory to create an executable bundle for notarization and stapling? If yes, please provide the steps.

Replies

I have the same question... Hope someone can answer.

https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution/customizing_the_notarization_workflow?language=objc


"Although tickets are created for standalone binaries, it’s not currently possible to staple tickets to them."

You probably want to either create disk images or `.pkg` installers since these two can be notarized and stapled. Notarize the disk image (or installer package), staple the ticket to it, and distribute the Unix executables that way.
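The flow asked about in the question (sign, package, notarize, staple) using the .pkg or .dmg wrapper suggested in the reply above, as an added example script that is not from the original thread or from Apple. It uses notarytool rather than the deprecated altool from the question. Names in it are assumptions: the tools live in ./codesign_utilities/, "Developer ID Installer: Company LLP" is the installer certificate, "notary-profile" is a keychain profile created once with `xcrun notarytool store-credentials`, and the stapleable() check is this script's own guard, not an Apple API.

```shell
#!/bin/sh
# Added example (not from the original thread): sign standalone CLI tools,
# wrap them in a .pkg (or .dmg), notarize the wrapper with notarytool,
# staple the ticket to the wrapper, then verify it the way Gatekeeper would.
# Stapler cannot attach a ticket to a bare Mach-O file or to a .zip, so the
# wrapper is what gets stapled and distributed.
#
# Assumed names (not in the original post): ./codesign_utilities/ holds the
# tools, "Developer ID Installer: Company LLP" is the installer certificate,
# and "notary-profile" was created once with
#   xcrun notarytool store-credentials notary-profile --apple-id ... --team-id ...
set -eu

APP_IDENTITY="${APP_IDENTITY:-Developer ID Application: Company LLP}"
PKG_IDENTITY="${PKG_IDENTITY:-Developer ID Installer: Company LLP}"  # .pkg needs the Installer cert
PROFILE="${PROFILE:-notary-profile}"
BUNDLE_ID="${BUNDLE_ID:-com.def.ghi}"

# Only bundles, disk images and installer packages can hold a stapled ticket.
# A bare executable or a .zip cannot; that is what the "Not a directory"
# error in the question reflects (stapler looked for Contents/ inside the file).
stapleable() {
  case "$1" in
    *.app|*.dmg|*.pkg) return 0 ;;
    *) return 1 ;;
  esac
}

# Hardened runtime and a secure timestamp are both required for notarization.
sign_tool() {   # sign_tool <executable>
  codesign --force --options runtime --timestamp --sign "$APP_IDENTITY" "$1"
  codesign --verify --strict --verbose=2 "$1"
}

# Wrapper option 1: a signed installer package that drops the tools in /usr/local/bin.
build_pkg() {   # build_pkg <root dir> <out.pkg>
  pkgbuild --root "$1" --identifier "$BUNDLE_ID" --version 1.0 \
           --install-location /usr/local/bin --sign "$PKG_IDENTITY" "$2"
}

# Wrapper option 2: a signed disk image.
build_dmg() {   # build_dmg <src dir> <out.dmg>
  hdiutil create -volname codesign_utilities -srcfolder "$1" -ov -format UDZO "$2"
  codesign --force --timestamp --sign "$APP_IDENTITY" "$2"
}

notarize_and_staple() {   # notarize_and_staple <wrapper>
  if ! stapleable "$1"; then
    echo "refusing: $1 cannot carry a stapled ticket; wrap it in a .pkg or .dmg" >&2
    return 1
  fi
  xcrun notarytool submit "$1" --keychain-profile "$PROFILE" --wait
  xcrun stapler staple "$1"
  xcrun stapler validate "$1"
  # Gatekeeper's own verdict: the same assessment applied to a downloaded file.
  case "$1" in
    *.pkg) spctl --assess --type install --verbose=2 "$1" ;;
    *.dmg) spctl --assess --type open --context context:primary-signature --verbose=2 "$1" ;;
    *.app) spctl --assess --type execute --verbose=2 "$1" ;;
  esac
}

# Run the whole flow only when a wrapper type is given:  ./notarize.sh pkg|dmg
if [ "$#" -gt 0 ]; then
  for tool in codesign_utilities/*; do sign_tool "$tool"; done
  case "$1" in
    pkg) build_pkg codesign_utilities codesign_utilities.pkg
         notarize_and_staple codesign_utilities.pkg ;;
    dmg) build_dmg codesign_utilities codesign_utilities.dmg
         notarize_and_staple codesign_utilities.dmg ;;
    *)   echo "usage: $0 pkg|dmg" >&2; exit 2 ;;
  esac
fi
```

Two points worth checking when the flow fails: a .pkg must be signed with a Developer ID Installer certificate, not the Application certificate used for the binaries, and a .zip can be submitted to the notary service but never stapled, so a tool shipped that way relies on Gatekeeper fetching the ticket from Apple on first launch, which needs network access on the target machine.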

Follow up here -

I've been attempting to use the .dmg solution suggested, to no avail of late. I have a small C++ Unix exe that I've code-signed and placed into a disk image. That image is then signed and notarized (successfully - no issues listed in the log). I can then staple a ticket to the dmg file, and everything checks out fine when running the codesign/xcrun stapler validation.

Downloading the dmg file from web hosting, however, results in a failure to run the exe after opening it. This is a somewhat critical piece of infrastructure for us that our developers need to use on their machines to help them get set up. Does anyone have any ideas?