The signature of the binary is invalid but codesign says otherwise

Hi


I'm trying to notarize my app. I've been signing mutiple binaries and libs and I'm left with two binaries related to JxBrowser (browsercore and browsercore-helper).


The notarization process returns an error on those two binaries saying "The signature of the binary is invalid.".

When I extract the binaries from the .dmg file and check them with:

codesign -vvv --deep --strict <binary_name>

The output is:

browsercore: valid on disk
browsercore: satisfies its Designated Requirement


What am I doing wrong and how can I pass them through the notarization process?

Best regards

Up vote post of Majonez69 Down vote post of Majonez69
7.3k views
Posted by
Majonez69
Reply
Add a Comment

Replies

What does spctl say?


The standard reference for these issues is: https://developer.apple.com/library/archive/technotes/tn2206/_index.html

Posted by
john daniel
Post not yet marked as solved Up vote reply of john daniel Down vote reply of john daniel
Add a Comment

The most common cause of problems like this is that you have nested code in the wrong location. Nested code should be placed according to the rules outlined in the Nested Code section of Technote 2206 macOS Code Signing In Depth.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment

If the app is signed correctly on your computer, make sure the zipping command you are using is not destroying the UTF8 encoding and the signature is then seen incorrectly on your submission to Apple.


When preapring the zip archive for notarizaion use ditto and "–sequesterRsrc" option.


/usr/bin/ditto -c -k –sequesterRsrc --keepParent "$APP_PATH" "$ZIP_PATH"


Regards,

Conor

Posted by
Bruji
Post not yet marked as solved Up vote reply of Bruji Down vote reply of Bruji

  • Thank you! I've spent hours on this and --keepParent solved the problem for me!

    trojanfoe
Add a Comment
Answer from Bruji solved my problem. Thank you.
But there is a small mistake in the command. There should be two dashes -- (minus symbols) in front of sequesterRsrc

Code Block 
/usr/bin/ditto -c -k --sequesterRsrc --keepParent "$APP_PATH" "$ZIP_PATH"

Posted by
JaroslaHolan
Post not yet marked as solved Up vote reply of JaroslaHolan Down vote reply of JaroslaHolan
Add a Comment

There should be two dashes -- (minus symbols) in front of
sequesterRsrc

This is more evidence that you have nested code problems. Except under unusual circumstances, like shipping an Automator action, a code signature should end up in resource fork. If it does, it’s commonly because you are signing data as code, which is not a good look.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment
Thank you, @Bruji. This solved my problem too.
Posted by
Richard_Fairhurst
Up vote reply of Richard_Fairhurst Down vote reply of Richard_Fairhurst
Add a Comment