5 Replies
      Latest reply on Apr 24, 2019 1:31 AM by eskimo
      evitcejbo Level 1 Level 1 (0 points)

        Hello !

         

        I'm trying to automatize notarization of a complex product composed of a bunch of components in preparation of macOS 10.14.5

         

        The product is composed of a set of daemons, an app, and a kext. Everything use hardened runtime.

         

        We build everything via a big Xcode workspace and xcodebuild command. To notarize, I create a zip archive of the resulting xcarchive, then I upload this zip archive to Apple server with altool --notarize-app.

         

        It eventually finishes with success, and I receive the e-mail from Apple saying that my Mac software is ready to be distributed.

         

        To be safe if users are offline, I want to staple the notarization ticket to my binaries.

         

        I skip the daemons, because it seems it's not possible, for now, to attach a ticket to single Mach-O binaries (Error 73)

         

        I staple the ticket to the kext : it works fine (and it's loaded even if the 10.14.5 machine is offline).

         

        But when I try to staple the ticket to the app, I have this error :

        Processing: /xxx/MyApplication.app
        CloudKit query for MyApplication.app (2/[sha256]) failed due to "record not found".
        Could not find base64 encoded ticket in response for 2/[sha256]
        The staple and validate action failed! Error 65.

         

        Should be noted that MyApplication.app and MyApplication.app/Contents/MacOS/MyApplication are in the final Apple logs (as all other Mach-O files in the archive). And [sha256] is a real valid sha256 value (just redacted there).

         

        Should be noted too that if I zip directly MyApplication.app and upload this zip on Apple server with altool, then everything works as expected (I'm able to staple the notarization ticket to the application). So it seems to fail only when I notarize xcarchive, and only for .app bundles. I would still want to not do that, as each upload and notarization take time, so if it can be done in a single big step, it would be better.

         

        And should be noted, finally, that MyApplication.app is inside a .bundle, while the kext is not (myarchive.xcarchive/Products/Library/TheKext.kextmyarchive.xcarchive/Products/Library/MyProduct/MyProduct.bundle/Contents/MacOS/MyApplication.app)

         

        Any idea of what is happening there ?

         

        Can it be related to https://forums.developer.apple.com/thread/115657 ?

         

        Thank you !

        • Re: Notarization: stapler error 65
          Setag Apple Staff Apple Staff (0 points)

          The error means that the bundle that's being stapled doesn't have a notarization ticket for the given cdhash.

           

          If you're looking at the developer_log.json file for your successful notarization (altool --notarization-info <UUID>), there's a section for ticketContents. This shows the cdhashes for everything that was successfully notarized and can be stapled. Confirm that the cdhash for MyApplication.app (codesign -dvvv MyApplication.app) matches the cdhash for MyApplication.app in the ticketContents. Any changes to the code signature (including exporting in the organizer) will create a new cdhash.

           

          Although it is recommended that your export your app instead of submitting the raw xcarchive.

           

          Information about automating the export process can be found in Customizing the Notarization Workflow. There's also an entire script that can be used in a single big step to export everything and notarize it as part of an Archive phase post-action in Customizing the Xcode Archive Process.

           

          An Example:

          /usr/bin/xcodebuild -exportArchive -archivePath "$ARCHIVE_PATH" -exportOptionsPlist "$SRCROOT/ExportOptions.plist" -exportPath "$EXPORT_PATH"

           

          If this doesnt help, I can give more information for your specific issue with the Request UUID altool returned to you.

            • Re: Notarization: stapler error 65
              sstanley Level 1 Level 1 (20 points)

              The document 'Customizing the Notarization Workflow' says this:

               

              While you can notarize a ZIP archive, you can’t staple to it directly. Instead, run stapleragainst each individual item that you originally added to the archive.

               

              So I can successfully notarize a .zip file, but stapling fails every time.

               

              CloudKit query for TestingApp.app (2/56e0d4edb22fcebfdfcf2835a0c5d3b616cbdd02) failed due to "record not found".

              Could not find base64 encoded ticket in response for 2/56e0d4edb22fcebfdfcf2835a0c5d3b616cbdd02

              The staple and validate action failed! Error 65.

               

              It seems people are having success using .dmg instead of .zip.

               

              Is the documentation wrong?

                • Re: Notarization: stapler error 65
                  eskimo Apple Staff Apple Staff (11,085 points)

                  It seems people are having success using .dmg instead of .zip.

                  Is the documentation wrong?

                  No, you can notarise a .zip just fine.  Here’s an example of me doing just that.  First I created my .zip:

                  $ /usr/bin/ditto -c -k --keepParent TestXXX.app TestXXX.zip

                  Then I ran altool to submit it:

                  $ xcrun altool --notarize-app -u eskimo1 -p "@keychain:altool-eskimo1" --primary-bundle-id com.example.apple-samplecode.TestXXX --file TestXXX.zip
                  2019-04-23 15:42:17.640 altool[73935:15163224] No errors uploading 'TestXXX.zip'.
                  RequestUUID = fee0fef0-be86-4646-84a3-XXXXXXXXXXXX

                  When it was done I ran altool to get the result:

                  $ xcrun altool --notarization-info fee0fef0-be86-4646-84a3-XXXXXXXXXXXX -u eskimo1 -p "@keychain:altool-eskimo1"
                  2019-04-23 15:45:09.560 altool[74113:15168593] No errors getting notarization info.
                  
                     RequestUUID: fee0fef0-be86-4646-84a3-XXXXXXXXXXXX
                            Date: 2019-04-23 14:42:18 +0000
                          Status: success
                      LogFileURL: https://osxapps-ssl.itunes.apple.com/itunes-assets/…
                     Status Code: 0
                  Status Message: Package Approved

                  Note the LogFileURL property.  Fetching that reveals the following:

                  $ curl https://osxapps-ssl.itunes.apple.com/itunes-assets/…
                  {
                    "logFormatVersion": 1,
                    "jobId": "fee0fef0-be86-4646-84a3-XXXXXXXXXXXX",
                    "status": "Accepted",
                    "statusSummary": "Ready for distribution",
                    "statusCode": 0,
                    "archiveFilename": "TestXXX.zip",
                    "uploadDate": "2019-04-23T14:42:18Z",
                    "sha256": "1e1661336138c9fbfb1da56daa4715c3883c47d54aed1925df70694af7a2d7b8",
                    "ticketContents": [
                      {
                        "path": "TestXXX.zip/TestXXX.app",
                        "digestAlgorithm": "SHA-256",
                        "cdhash": "e113e957d4c1368e88a3a3548f2b742eee4b3d85",
                        "arch": "x86_64"
                      },
                      {
                        "path": "TestXXX.zip/TestXXX.app/Contents/MacOS/TestXXX",
                        "digestAlgorithm": "SHA-256",
                        "cdhash": "e113e957d4c1368e88a3a3548f2b742eee4b3d85",
                        "arch": "x86_64"
                      }
                    ],
                    "issues": null

                  Look at the ticketContents > xxx > cdhash values.  These should match the equivalent (SHA-256) value in the code signature:

                  $ codesign -d -vvv TestXXX.app
                  …
                  CandidateCDHash sha1=8888aa4bbf524d047835cb27e44970fbcbd27abe
                  CandidateCDHash sha256=e113e957d4c1368e88a3a3548f2b742eee4b3d85
                  …
                  CDHash=e113e957d4c1368e88a3a3548f2b742eee4b3d85
                  …

                  Note In this context, cdhash means code directory hash, and it’s the part of the code signature that uniquely identifiers this code.

                  Earlier Setag wrote:

                  The error means that the bundle that's being stapled doesn't have a notarization ticket for the given cdhash.

                  When you staple a ticket to an item, the stapler tool gets the cdhash from the item and attempts to find a matching ticket.  If it can’t find such a ticket, you get this error 65.  This typically means that the code you’re trying to staple the ticket on to doesn’t match the code that you notarised.

                  Share and Enjoy

                  Quinn “The Eskimo!”
                  Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                  let myEmail = "eskimo" + "1" + "@apple.com"

                    • Re: Notarization: stapler error 65
                      sstanley Level 1 Level 1 (20 points)

                      > No, you can notarise a .zip just fine.

                       

                      Yes, notarising is not the problem -- stapling is the problem.

                       

                      Here's my log:

                      {
                        "logFormatVersion": 1,
                        "jobId": "9624e80f-b08a-4ca6-84c2-954f6796a5ee",
                        "status": "Accepted",
                        "statusSummary": "Ready for distribution",
                        "statusCode": 0,
                        "archiveFilename": "TestingApp.zip",
                        "uploadDate": "2019-04-23T12:05:52Z",
                        "sha256": "6ce0361e6fd9318c89ea79558ec0b250d8711e994d2d11e7089ef229694ba488",
                        "ticketContents": [
                          {
                            "path": "TestingApp.zip/TestingApp.app",
                            "digestAlgorithm": "SHA-256",
                            "cdhash": "84ce1594c511d31a0abf41544284e0fc42b86c70",
                            "arch": "i386"
                          },
                          {
                            "path": "TestingApp.zip/TestingApp.app",
                            "digestAlgorithm": "SHA-256",
                            "cdhash": "56e0d4edb22fcebfdfcf2835a0c5d3b616cbdd02",
                            "arch": "x86_64"
                          },
                          {
                            "path": "TestingApp.zip/TestingApp.app/Contents/MacOS/applet",
                            "digestAlgorithm": "SHA-256",
                            "cdhash": "84ce1594c511d31a0abf41544284e0fc42b86c70",
                            "arch": "i386"
                          },
                          {
                            "path": "TestingApp.zip/TestingApp.app/Contents/MacOS/applet",
                            "digestAlgorithm": "SHA-256",
                            "cdhash": "56e0d4edb22fcebfdfcf2835a0c5d3b616cbdd02",
                            "arch": "x86_64"
                          }
                        ],
                        "issues": null
                      }

                       

                      And here's the signature stuff:

                       

                      CandidateCDHash sha1=e81934dfb5eb04e9321a9dbac2d7502a38f1b90c
                      CandidateCDHash sha256=56e0d4edb22fcebfdfcf2835a0c5d3b616cbdd02
                      ...
                      CDHash=56e0d4edb22fcebfdfcf2835a0c5d3b616cbdd02

                       

                      It all matches. But when I try to staple to the app it fails. The docs say "run stapleragainst each individual item that you originally added to the archive", so I try to staple to the signed app:

                       

                      /usr/bin/xcrun stapler staple -v /Users/shane/Desktop/Testing\ notary/TestingApp.app

                       

                      And the result is:

                       

                      CloudKit query for TestingApp.app (2/56e0d4edb22fcebfdfcf2835a0c5d3b616cbdd02) failed due to "record not found".
                      Could not find base64 encoded ticket in response for 2/56e0d4edb22fcebfdfcf2835a0c5d3b616cbdd02
                      The staple and validate action failed! Error 65.

                       

                      The JSON Response is:

                       

                      JSON Response is: {
                          records =     (
                                      {
                                  reason = "record not found";
                                  recordName = "2/2/56e0d4edb22fcebfdfcf2835a0c5d3b616cbdd02";
                                  serverErrorCode = "NOT_FOUND";
                              }
                          );
                      }

                       

                      Would you mind trying to staple your test app, to see what response you get there?

                        • Re: Notarization: stapler error 65
                          eskimo Apple Staff Apple Staff (11,085 points)

                          Would you mind trying to staple your test app, to see what response you get there?

                          I did a bunch of stapling yesterday and it all worked fine.

                          "path": "TestingApp.zip/TestingApp.app/Contents/MacOS/applet",

                          OK, this is makes it clear that you’re dealing with an AppleScript app (it should have been obvious based on your comments on the other thread, but I missed that).  I tried running through exactly the same process with an AppleScript app and I see the same problem you do.

                          Given that this is specific to AppleScript apps, I’m going to respond over on that other thread.

                          Share and Enjoy

                          Quinn “The Eskimo!”
                          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                          let myEmail = "eskimo" + "1" + "@apple.com"