xcrun stapler validate command shows app is not notarized even after dmg is notarized

Hi,

I have notarized the dmg which has a .app inside. After that I stapled the dmg.

xcrun stapler staple ~/Desktop/Packages/Notarize/***.dmg
Processing: /Users/***/Desktop/Packages/Notarize/***.dmg
Processing: /Users/***/Desktop/Packages/Notarize/***.dmg
The staple and validate action worked!


I verified the dmg and app with the following commands.

App verification:

spctl -vvv --assess /Volumes/***/***.app/
/Volumes/***/***.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: *** Inc (xxxx)

dmg verification:

spctl -a -t open --context context:primary-signature -v /Users/***/Desktop/Packages/Notarize/***.dmg
/Users/***/Desktop/Packages/Notarize/fsm.dmg: accepted
source=Notarized Developer ID


After this I was able to open notarized downloaded dmg and run the application.


xcrun stapler validate <path to dmg> command shows that it is valid:

Processing: /Users/***/Desktop/Packages/Notarize/***.dmg
The validate action worked!


But xcrun stapler validate <path to app> command shows the following message:

Processing: /Volumes/***/***.app
***.app does not have a ticket stapled to it.


Could you please help me why the stapler command shows no ticket is associated with the app? Do I need to staple the ticket to the .app as well? Or do we need to send the individual applications in the package for notarization? What is the recommendation from Apple? Our package has 15 apps.


regards

PK

Replies

Could you please help me why the stapler command shows no ticket is associated with the app?

Because the ticket was stapled to the .dmg, not to the app.

Do I need to staple the ticket to the .app as well?

Probably not. In general, we recommend that you notarise and staple the outermost container. That ticket should cover all of the contents of that container.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi Quinn,

Thank you. I have a followup query.

In case we are not stapling the ticket with .app file, does the app continue to work if internet connection is not there when app is launched?


regards

PK

In case we are not stapling the ticket with .app file, does the app continue to work if internet connection is not there when app is launched?

If you staple the ticket to the .dmg, the system will ingest that ticket when the quarantined .dmg is mounted.

Still, if you’re concerned about a specific scenario, my recommendation is that you test it. I’ve found testing in a VM to be very helpful in situations like this:

  • You can disable its access to the network without disrupting the day-to-day use of your main machine.

  • You can restore to a clean snapshot after each test, so there’s no risk of test N affecting test N+1.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
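The checks the thread walks through (Gatekeeper assessment of the .dmg and of the app inside it, plus stapler validate on each), collected into one script as an added example. This is not code from the thread or from Apple; it assumes macOS with the Xcode command-line tools (xcrun stapler, spctl, hdiutil) and takes the .dmg path as its only argument. The two classify_* helpers only recognise the message strings that appear in the posts above; anything else is reported as "error" or "rejected" rather than guessed.

```shell
#!/bin/sh
# Added example: verify a notarized, stapled .dmg and the app bundles inside it.
# Assumes macOS with Xcode command-line tools. Usage: sh verify_notarization.sh /path/to/x.dmg
set -eu

# Interpret what `xcrun stapler validate` prints. Prints: stapled | no-ticket | error
classify_stapler() {
  case "$1" in
    *"The validate action worked!"*)          echo stapled ;;
    *"does not have a ticket stapled to it"*) echo no-ticket ;;
    *)                                        echo error ;;
  esac
}

# Interpret what `spctl --assess -v` prints. Prints: notarized | accepted | rejected
# "accepted" alone means Gatekeeper allows it but the source is not a notarized Developer ID.
classify_spctl() {
  case "$1" in
    *": accepted"*)
      case "$1" in
        *"source=Notarized Developer ID"*) echo notarized ;;
        *)                                 echo accepted ;;
      esac ;;
    *) echo rejected ;;
  esac
}

# Assess the disk image itself (Gatekeeper "open" operation, as in the post) and its ticket.
check_dmg() {
  dmg="$1"
  out=$(spctl -a -t open --context context:primary-signature -vv "$dmg" 2>&1 || true)
  echo "dmg gatekeeper: $(classify_spctl "$out")"
  out=$(xcrun stapler validate "$dmg" 2>&1 || true)
  echo "dmg ticket:     $(classify_stapler "$out")"
}

# Mount read-only, assess every .app on the volume, then detach.
# When only the outermost .dmg was stapled, each app is expected to report
# "no-ticket" here while still assessing as "notarized": the ticket covering
# the contents was taken from the .dmg, not from the bundle.
check_apps_in_dmg() {
  dmg="$1"
  mnt=$(mktemp -d)
  hdiutil attach -nobrowse -readonly -mountpoint "$mnt" "$dmg" >/dev/null
  for app in "$mnt"/*.app; do
    [ -d "$app" ] || continue
    name=$(basename "$app")
    out=$(spctl -a -t exec -vv "$app" 2>&1 || true)
    echo "$name gatekeeper: $(classify_spctl "$out")"
    out=$(xcrun stapler validate "$app" 2>&1 || true)
    echo "$name ticket:     $(classify_stapler "$out")"
  done
  hdiutil detach "$mnt" >/dev/null 2>&1 || true
  rmdir "$mnt" 2>/dev/null || true
}

if [ $# -gt 0 ]; then
  check_dmg "$1"
  check_apps_in_dmg "$1"
fi
```

Run it against a copy of the .dmg that actually carries the quarantine attribute (one downloaded through a browser, for instance) rather than the freshly built file, since the ticket ingestion Quinn describes happens when a quarantined image is mounted; for the offline question, run it inside a VM with networking disabled, as the reply above suggests.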