Notarization not working?

We've notarized one of our apps via `altool` during the last few weeks and that did work alright but the last two attempts in the last few days simply never returned a result. The status remains "in progress". Anyone else having issues with notarization not finishing?

Replies

So the latest attempt did finish now… with "Package Invalid". But it did work in the past. Notarization still feels very fragile to me and I wonder whether it's worth the effort.

I have seen the same issue today. It used to work previously. I am running the command from terminal. The command gets stuck and doesn't return anything. After a while, when I check the notarization history, I see "Package Invalid".

I have two builds stuck in notarization purgatory right now. One is from Oct 5 and one from Oct 7. Previous builds were notarized in under an hour. Even worse, opening a previously notarized build seems to show the exact same "this came from the internet" scare warning that non-notarized builds would show, so I'm not sure the backend that checks the stapled tickets is working either.


I've opted to release non-notarized builds and I'll swap in notarized ones whenever it's working again. From an end-user POV, signing isn't even a feature once they've launched your app, and I think they'd rather just get the update.

If you get a response of "package invalid", please review the developer log for any issues that need to be addressed in the upload. Then re-upload.


https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution/resolving_common_notarization_issues?language=objc

https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution?language=objc

The Gatekeeper warning ("this software was downloaded from the internet") still remains for notarized software. However, it also explains that the software was checked by Apple. See the first screenshot here for the new text: https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution


You can also check notarization status of a file with: `spctl -a -v <file>`

You should see "source=Notarized Developer ID" in the output.


I hope you'll try to notarize your software again soon. Thank you

I did staple my DMG, verified the "source=Notarized Developer ID".

After uploading it onto my server then downloading it, I see the warning saying Apple hasn't been able to check the DMG for malware...


It works fine for notarized .app, zipped, then downloaded. Not for DMG unfortunately.

Please try again, being sure that the "xcrun stapler staple file.dmg" shows success. Then try to open it on another machine. You can test the notarized status of a dmg with "spctl -a -v -t open file.dmg"

I had the same issue. Notarization suddenly stopped working and I got a "package invalid" response.

I enabled "Hardened Runtime" in my targets to resolve it.
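
The `stapler` and `spctl` checks quoted in the replies above can be combined into a pre-release gate. This is an added example, not part of the thread or Apple's tooling: the function names are hypothetical, and the `--context context:primary-signature` option for disk images is an addition to the commands quoted in the replies.

```shell
#!/bin/sh
# Added example: release gate built on the checks quoted in this thread.
# All function names are hypothetical.

# Choose the spctl assessment type from the file extension:
# disk images use "-t open" (as in the thread), installer packages
# "-t install", everything else (app bundles) "-t exec".
spctl_type_for() {
    case "$1" in
        *.dmg) echo open ;;
        *.pkg) echo install ;;
        *)     echo exec ;;
    esac
}

# Classify the text printed by "spctl -a -v":
#   notarized   = accepted and source=Notarized Developer ID
#   signed-only = accepted, but with some other source
#   rejected    = no "accepted" verdict line
classify_spctl() {
    out=$1
    if ! printf '%s\n' "$out" | grep -q ': accepted$'; then
        echo rejected
    elif printf '%s\n' "$out" | grep -q '^source=Notarized Developer ID$'; then
        echo notarized
    else
        echo signed-only
    fi
}

# Run on macOS against the artifact you are about to upload.
# Returns 0 only if a ticket is stapled and Gatekeeper reports it notarized.
check_artifact() {
    file=$1
    type=$(spctl_type_for "$file")
    if ! xcrun stapler validate "$file" >/dev/null 2>&1; then
        echo "$file: no valid stapled ticket" >&2
        return 1
    fi
    if [ "$type" = open ]; then
        # Not in the thread: assess the disk image's own signature.
        out=$(spctl -a -v -t open --context context:primary-signature "$file" 2>&1) || true
    else
        out=$(spctl -a -v -t "$type" "$file" 2>&1) || true
    fi
    verdict=$(classify_spctl "$out")
    echo "$file: $verdict"
    [ "$verdict" = notarized ]
}
```

Source the file and call `check_artifact MyApp.dmg` (hypothetical file name) after stapling; a non-zero return means the build should not ship as notarized.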