I'm trying to automate notarization of a complex product composed of a bunch of components in preparation for macOS 10.14.5.
The product is composed of a set of daemons, an app, and a kext. Everything uses the hardened runtime.
We build everything via a big Xcode workspace and the xcodebuild command. To notarize, I create a zip archive of the resulting xcarchive, then I upload this zip archive to Apple's server with altool --notarize-app.
It eventually finishes with success, and I receive the e-mail from Apple saying that my Mac software is ready to be distributed.
To be safe if users are offline, I want to staple the notarization ticket to my binaries.
I skip the daemons, because it seems it's not possible, for now, to attach a ticket to single Mach-O binaries (Error 73).
I staple the ticket to the kext: it works fine (and it's loaded even if the 10.14.5 machine is offline).
But when I try to staple the ticket to the app, I get this error:
Processing: /xxx/MyApplication.app
CloudKit query for MyApplication.app (2/[sha256]) failed due to "record not found".
Could not find base64 encoded ticket in response for 2/[sha256]
The staple and validate action failed! Error 65.
It should be noted that MyApplication.app and MyApplication.app/Contents/MacOS/MyApplication are in the final Apple logs (as are all other Mach-O files in the archive). And [sha256] is a real, valid sha256 value (just redacted here).
It should be noted too that if I zip MyApplication.app directly and upload this zip to Apple's server with altool, then everything works as expected (I'm able to staple the notarization ticket to the application). So it seems to fail only when I notarize the xcarchive, and only for .app bundles. I would still prefer not to do that, as each upload and notarization takes time, so if it can be done in a single big step, it would be better.
And it should be noted, finally, that MyApplication.app is inside a .bundle, while the kext is not (myarchive.xcarchive/Products/Library/TheKext.kext — myarchive.xcarchive/Products/Library/MyProduct/MyProduct.bundle/Contents/MacOS/MyApplication.app).
Any idea of what is happening there?
Can it be related to https://forums.developer.apple.com/thread/115657 ?
Thank you!
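The stapling step described in the post, as an added example that is not part of the original post: a shell helper that lists every .app and .kext in the xcarchive (including an app nested inside a .bundle), leaves bare Mach-O files alone, and records stapler's error code per bundle instead of stopping at the first failure. The function names are hypothetical; the only external tool assumed is `xcrun stapler staple`, and the "Error NN." line format is taken from the output quoted in the post.

```shell
#!/bin/sh
# Added example, not the poster's code. Function names are hypothetical.

# List every .app and .kext bundle under an archive. -prune stops descent
# into a matched bundle, so helper bundles inside an .app are not listed
# separately, but an .app nested in a .bundle is still found. Bare Mach-O
# files (the daemons) are never listed.
find_staple_targets() {
    find "$1" -type d \( -name '*.app' -o -name '*.kext' \) -prune | LC_ALL=C sort
}

# Extract the number from stapler's "Error NN." line; prints 0 if absent.
stapler_error_code() {
    sec_code=$(printf '%s\n' "$1" |
        sed -n 's/.*Error \([0-9][0-9]*\)\..*/\1/p' | tail -n 1)
    printf '%s\n' "${sec_code:-0}"
}

# Staple each target, continue past failures, print "<code><TAB><path>".
# Returns non-zero if any bundle could not be stapled, so a release job
# fails instead of shipping a bundle without its ticket.
staple_archive() {
    sa_failed=0
    while IFS= read -r sa_target; do
        [ -n "$sa_target" ] || continue
        sa_status=0
        sa_out=$(xcrun stapler staple "$sa_target" 2>&1) || sa_status=$?
        sa_code=$(stapler_error_code "$sa_out")
        # Fall back to the exit status when no "Error NN." line was printed.
        [ "$sa_code" -ne 0 ] || sa_code=$sa_status
        printf '%s\t%s\n' "$sa_code" "$sa_target"
        [ "$sa_code" -eq 0 ] || sa_failed=1
    done <<EOF
$(find_staple_targets "$1")
EOF
    return "$sa_failed"
}
```

Running `staple_archive myarchive.xcarchive` prints one line per bundle, so a 65 on the nested app shows up next to a 0 on the kext in the same run.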