Notarization: 'Unable to validate your application' error

Hi,


We have a Qt app and try to notarize it.

We run a virtual machine in VMWare Fusion with macOS Mojave 10.14.6, and all tools for the task are up to date, and we do all the building, codesigning, notarization steps from there.


The steps we follow:


- generate the app bundle

- codesign the app bundle with a Developer ID Application certificate

- we check that the signature is fine:


codesign --verify --deep --strict --verbose=2 signed.app
  -> it says valid on disk and satisfies its Designated Requirements


  spctl -a -t exec -vv signed.app/
     signed.app/: accepted
     source=Developer ID
     origin=Developer ID Application: .......


- zip the app bundle

- notarize the zip app bundle:


xcrun altool --notarize-app -t osx -f signed.zip --primary-bundle-id "com.acme" -u "my-managed-apple-id" -p "whatever" --output-format xml

and the result is the following:


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>os-version</key>
<string>10.14.6</string>
<key>product-errors</key>
<array>
<dict>
<key>code</key>
<integer>-20528</integer>
<key>message</key>
<string>Error Description not available</string>
<key>userInfo</key>
<dict>
<key>NSLocalizedDescription</key>
<string>Error Description not available</string>
<key>NSLocalizedFailureReason</key>
<string>Unable to validate your application.</string>
</dict>
</dict>
</array>
<key>tool-path</key>
<string>/Applications/Xcode.app/Contents/Applications/Application Loader.app/Contents/Frameworks/ITunesSoftwareService.framework</string>
<key>tool-version</key>
<string>1.1.1138</string>
</dict>
</plist>


What does this error mean?

What's wrong with the app bundle to get this error?


Thanks in advance for any help,

Massimo

Replies

I noticed that you’re verifying your app with --deep. Are you also signing it that way? If so, you probably should change that, and switch to signing each Mach-O image separately, from the inside out, as described in Technote 2206 macOS Code Signing In Depth.

This is important because you’re using a third-party library that probably doesn’t follow the nested code rules outlined in TN2206. In that case, --deep generally doesn’t end well.

Having said that, such problems usually come back from the notarisation servers, rather than from altool itself, so it’s probably not the root cause of the -20528 error. I’ve not seen that error before. I have some suggestions for teasing this apart:

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Following your suggestions, I can report that:


  • codesigning without --deep does not change the outcome;
  • If I leave off --output-format xml, I get the same error in a shorter format:

2019-09-04 11:38:40.484 altool[997:12878] *** Error: Unable to validate your application. Error Description not available

  • I created a test app in Xcode, and I was able to notarize it using the same credentials, and Developer ID cert;
  • I exported the test app and tried to notarize as described in Customizing the Notarization Workflow | Apple Developer Documentation
    by just running these commands on the command line:
    xcodebuild clean -project helloWorld.xcodeproj -configuration Release -target helloWorld
    xcodebuild archive -project helloWorld.xcodeproj -scheme helloWorld
    xcrun altool --notarize-app -t osx -f ./helloWorld.zip --primary-bundle-id "com.acme" -u "my-managed-apple-id" -p "******"

and I get the same error from altool. xcodebuild archive logs no errors or warnings and terminates ok.


So, what could the problem be?

Let’s focus on your test app for the moment. If you can notarise it with Xcode, you should be able to notarise it with altool. I’m not sure why that’s failing.

Two things:

  • The commands in your last post go straight from xcodebuild archive to altool without showing how you build helloWorld.zip from the archive. Can you elaborate on that?
  • Is the Apple ID you’re using a member of multiple teams? If so, you should be using --asc_provider to make sure you’re targeting the right team. See this post.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi Massimo,


have you signed with the hardened runtime entitlement file?

Codesign --verify doesn't care about hardened runtime, but notarisation does.


Greetings

Brigitte

Hi,


  1. I just created the post actions script for Archive in Xcode as described in https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution/customizing_the_notarization_workflow, so that's how I had the helloWorld.zip in the end, ready to be uploaded for notarization.
  2. My AppleID is associated to 1 team only. I use the name with its password when calling altool
  3. BTW, I do not have the option to create app specific passwords in my Apple ID page at appleid.apple.com



Cheers

Massimo

Hi Brigitte,


yes, I did.


Massimo

At this point I’m going to recommend that you open a DTS tech support incident so that I can allocate the time to look at your issue in depth.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi,


yes, just done:


Case ID: 720395801


Thanks,

Massimo

Hi,

Any update on the reported Case ID of - 720395801?

I'm getting the error code of 22016. I'm using Xcode 11.2 with OSX 10.14


Command

xcrun altool --notarize-app -t osx -f file.pkg --primary-bundle-id "org.abc" -u "email" -p "password" --output-format xml


Error

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>os-version</key>
<string>10.14.6</string>
<key>product-errors</key>
<array>
<dict>
<key>code</key>
<integer>-22016</integer>
<key>message</key>
<string>We are unable to create an authentication session.</string>
<key>userInfo</key>
<dict>
<key>NSLocalizedDescription</key>
<string>We are unable to create an authentication session.</string>
<key>NSLocalizedFailureReason</key>
<string>Unable to validate your application.</string>
</dict>
</dict>
</array>
<key>tool-path</key>
<string>/Applications/Xcode.app/Contents/SharedFrameworks/ContentDeliveryServices.framework/Versions/A/Frameworks/AppStoreService.framework</string>
<key>tool-version</key>
<string>4.00.1181</string>
</dict>
</plist>

Hi,


no update so far, still waiting for something.

OK, something has gone wrong here. Please contact me via email (the address is in my signature). Make sure to reference this thread, just for context.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

You need to use an app-specific password (for altool) as described here:


https://support.apple.com/en-us/HT204397

OK, something has gone wrong here.

Just to close the loop on this part of the issue, massimo225 got in touch and we worked out that the email address associated with their developer account was incorrect, so they never received any of DTS’s official response.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi, yes, in the end it was that. Apple Support/Quinn recommended the same (it's mandatory) and we were able to notarize the app.
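
For anyone scripting this step: the results that altool prints with --output-format xml, as posted in this thread, are property lists and can be triaged mechanically instead of being read by eye. The following is an added example, not part of the original thread and not Apple's code; the function names and triage labels are hypothetical, and the sample input is a trimmed, constructed copy of the -22016 result above.

```python
import plistlib

# Constructed sample: trimmed copy of the -22016 result posted in this thread.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>os-version</key><string>10.14.6</string>
<key>product-errors</key><array><dict>
  <key>code</key><integer>-22016</integer>
  <key>message</key><string>We are unable to create an authentication session.</string>
  <key>userInfo</key><dict>
    <key>NSLocalizedFailureReason</key><string>Unable to validate your application.</string>
  </dict>
</dict></array>
</dict></plist>"""


def product_errors(raw):
    """Return code/message/reason for each entry in the product-errors array."""
    try:
        doc = plistlib.loads(raw)
        entries = doc.get("product-errors", [])
    except Exception as exc:
        # Output captured without --output-format xml is plain text, not a plist.
        raise ValueError("not an altool XML result") from exc
    found = []
    for item in entries:
        info = item.get("userInfo", {})
        found.append({"code": item.get("code"),
                      "message": item.get("message", ""),
                      "reason": info.get("NSLocalizedFailureReason", "")})
    return found


def classify(error):
    """Hypothetical triage labels keyed on the message text seen in this thread."""
    message = error["message"].lower()
    if "authentication session" in message:
        return "credentials"  # check the Apple ID and password given to -u / -p
    if "description not available" in message:
        return "opaque"       # altool supplied no detail beyond the numeric code
    return "other"


def report(raw):
    """One log line per error; a non-empty list means the upload step failed."""
    return [f"{e['code']} [{classify(e)}] {e['message']} ({e['reason']})"
            for e in product_errors(raw)]
```

A result with no product-errors key yields an empty list, so a build script can fail the notarization step only when report() returns lines.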