Notarization started failing this week

Last week I was able to notarize my .pkg installer without any problems.


This week all attempts have failed. The two error messages in the log file are:


  • "The binary is not signed with a valid Developer ID certificate."
  • "The signature does not include a secure timestamp."


This is despite the application being signed with a legitimate Developer ID (the same I used last week, date is still valid), and I've verified that it is there with codesign.


Anyone seeing anything similar to this?


Has something changed requiring me to make a change to my toolings/command set?


Current Xcode build is: Version 11.3.1 (11C504)


Thanks,

Accepted Reply

Thanks to everyone for your feedback. After reading your posts and following your links, I was able to figure it out. It turns out the fault was mine. (1) I did not have the necessary certificate, and (2) I had to do a manual codesign with the new certificate.


Before when I did a codesign -dvvvv I could see that the binary was signed, but the "Apple Development" signing certificate (line 3 below) was not sufficient.


$ codesign -dvvv --entitlements :- /tmp/helloworld.dst/usr/local/bin/helloworld
...
Authority=Apple Development: XXXXXX (XXXXXXXXXX)


After requesting and getting a "Developer ID Application" certificate, and then manually signing the binary with that, notarization started working for me again.


$ codesign -s "Developer ID Application: XXXXXXXX (XXXXXXXXXX)" --options=runtime --force /tmp/helloworld.dst/usr/local/bin/helloworld


$ codesign -dvvv --entitlements :- /tmp/helloworld.dst/usr/local/bin/helloworld
...
Authority=Developer ID Application: XXXXXXX (XXXXXXXXXX)


So if the "Authority" field was "Apple Development: ...", notarization failed for me.


When the "Authority" field was "Developer ID Application: ...", notarization succeeded.


One last observation, I needed the --options=runtime option on the codesign command above to preserve the hardened runtime, another necessary condition for notarization.


Thanks again for everyone's help!
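As an added pre-flight check (not from the thread or from Apple's tooling): a small POSIX shell function that parses the output of codesign -dvvv and fails before upload when the signature would trip the errors discussed above, i.e. a leaf certificate that is not "Developer ID Application", a missing hardened runtime flag, or a missing secure timestamp. The sample outputs are constructed from the lines quoted in this thread; the script assumes codesign prints a "Timestamp=" line when a secure timestamp is present and only "Signed Time=" when it is not.

```shell
#!/bin/sh
# Pre-flight check for notarization: read `codesign -dvvv` output on stdin and
# report the three conditions the notary service errors in this thread point at.
# On macOS:  codesign -dvvv /path/to/binary 2>&1 | check_codesign_output

check_codesign_output() {
    out=$(cat)
    rc=0
    # The first Authority= line is the leaf (signing) certificate. Notarization
    # needs a Developer ID Application identity, not an Apple Development one.
    leaf=$(printf '%s\n' "$out" | awk '/^Authority=/{sub(/^Authority=/,""); print; exit}')
    case "$leaf" in
        "Developer ID Application:"*) echo "ok:   leaf certificate is Developer ID Application" ;;
        *) echo "FAIL: leaf certificate is '${leaf:-<none>}' (need Developer ID Application)"; rc=1 ;;
    esac
    # The hardened runtime shows up as "runtime" inside the CodeDirectory flags.
    if printf '%s\n' "$out" | grep -q '^CodeDirectory .*flags=[^ ]*runtime'; then
        echo "ok:   hardened runtime flag set"
    else
        echo "FAIL: hardened runtime not enabled (sign with --options=runtime)"; rc=1
    fi
    # Assumption: a secure (trusted) timestamp is printed as "Timestamp=";
    # "Signed Time=" is only the signer's own clock and is not accepted.
    if printf '%s\n' "$out" | grep -q '^Timestamp='; then
        echo "ok:   secure timestamp present"
    else
        echo "FAIL: no secure timestamp (sign with --timestamp; needs network access)"; rc=1
    fi
    return $rc
}

# Constructed samples modelled on the codesign output quoted in this thread.
SAMPLE_BAD='Identifier=HelloWorld
CodeDirectory v=20500 size=406 flags=0x10000(runtime) hashes=4+5 location=embedded
Authority=Apple Development: XXXX XXXXXXX (XXXXXXXXXX)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=Feb 5, 2020 at 3:49:08 PM'
SAMPLE_GOOD='Identifier=HelloWorld
CodeDirectory v=20500 size=406 flags=0x10000(runtime) hashes=4+5 location=embedded
Authority=Developer ID Application: XXXXXXX (XXXXXXXXXX)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Feb 5, 2020 at 3:49:08 PM'

# Run the check on a sample; the exit status is the check's verdict.
check_sample() { printf '%s\n' "$1" | check_codesign_output; }
```

Run check_sample "$SAMPLE_BAD" to see the two failures from the thread (Apple Development leaf, no secure timestamp) and check_sample "$SAMPLE_GOOD" for the passing case.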

Replies

To provide a concrete example, I created a HelloWorld command-line program, ran


xcodebuild clean install


packaged it and sent it for notarization. The app had my Developer ID, TeamIdentifier, and a Signed Time.


$ codesign -dvvv --entitlements :- HelloWorld.dst/usr/local/bin/HelloWorld
Executable=/private/tmp/HelloWorld.dst/usr/local/bin/HelloWorld
Identifier=HelloWorld
Format=Mach-O thin (x86_64)
CodeDirectory v=20500 size=406 flags=0x10000(runtime) hashes=4+5 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=946e6b1e139852546e7d3624b107c842c4f0522c
CandidateCDHashFull sha256=946e6b1e139852546e7d3624b107c842c4f0522c26f2dba7aea8b93c668f9f8d
Hash choices=sha256
CMSDigest=946e6b1e139852546e7d3624b107c842c4f0522c26f2dba7aea8b93c668f9f8d
CMSDigestType=2
CDHash=946e6b1e139852546e7d3624b107c842c4f0522c
Signature size=4736
Authority=Apple Development: XXXX XXXXXXX (XXXXXXXXXX)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=Feb 5, 2020 at 3:49:08 PM
Info.plist=not bound
TeamIdentifier=XXXXXXXXX
Runtime Version=10.15.0
Sealed Resources=none
Internal requirements count=1 size=176
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict/>
</plist>



And here is the Notarization error log


{
  "logFormatVersion": 1,
  "jobId": "909e8ba7-4df5-4120-b35a-c4c0b21e921b",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "HelloWorld.pkg",
  "uploadDate": "2020-02-05T23:54:48Z",
  "sha256": "d6cc95c1e32bb038b654aea96b683a6f0e704d72b530187ea6fa081276635235",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "HelloWorld.pkg/HelloWorld.pkg Contents/Payload/usr/local/bin/HelloWorld",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "HelloWorld.pkg/HelloWorld.pkg Contents/Payload/usr/local/bin/HelloWorld",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": null,
      "architecture": "x86_64"
    }
  ]
}

I am seeing the same issue starting Feb 4th. productsign, notarization and staple were all fine last week. Now productsign is fine but notarization fails with the messages below:


The binary is not signed with a valid Developer ID certificate.

The signature does not include a secure timestamp

The signature algorithm used is too weak.

Also seeing the same - notarization worked fine up to 31 Jan (and codesign still confirms validity) but stopped on 3 Feb. Reply is:

- The binary is not signed with a valid Developer ID certificate.

- The signature does not include a secure timestamp

In case you are not already aware of this - Notarization requirements were temporarily loosened so that it would succeed in spite of warnings. This is no longer the case.

Interesting.


Either they haven't rolled out these changes to all of their notarization servers or they loosened the requirements again.


I just now got an app notarized with several of these warnings.

I am still seeing this issue with notarization. I see that when we use productsign it takes an identity which is SHA1 only. I wonder if the issue with notarization is that the signature needs to be SHA256. If that's the case, how do I use the productsign command to sign using SHA256?

Anyone got any solution to this?

I got my notarizations working again but it took 2 days of trial and error to get it worked out:


First I had to update to Xcode 11.3 and update the command line tools, then go into Software Update and update them again, and it requires a lengthy reboot to get it all in order.


My software is written in Java... turns out Java 8 is dead to Apple with these changes. Some binaries in Java 8 were compiled with old versions of the SDK and will never pass notarization even if you re-codesign them all.


So I had to update to Java 11.0.6, which required refactoring a number of things because the language is different. Ouch.


Next I still had to re-codesign the java runtime files to get them to be accepted.


The JMOD files in the java runtime still failed... I didn't need those to run my application so I deleted them from the runtime.


Boom... notarization worked.


This command is critical to getting notarization working again:


xcrun altool --notarization-info RequestUUID --username USERNAME --password APP-PASSWORD


It gives you a URL to an itemized list of problems notarization has with your distribution. Largely you can just re-codesign the stuff it complains about to resolve them. My jmod issue was trickier... just removing them if they aren't needed was the best option for me there.
