15 Replies
      Latest reply on Oct 24, 2019 1:12 PM by aftercareapp
      Das Goravani Level 1 Level 1 (0 points)

        I have a notarized Mac OSX app in a code signed pkg (package) with some non executable files in there as well, like fonts, a website... but when I try to notarize the pkg file, no matter how much I look up answers and try different command line variations, I get


        Error: Unable to validate your application. We are unable to create an authentication session.


        The package is "valid on disk" and "satisfies all requirements" when checked.  So it's signed correctly.  The pkg does have a 'run at end' script in it, something that Packages the program, allows. 

        I have really tried everything, including putting the pkg in a dmg, signing that, and submitting that for notarization, I get the same error.


        I'm on Mojave 10.14.6, the latest, with the latest xcode, 11, and have installed the Command_Line_Tools_for_Xcode_11.dmg


        Remember, I was able to successfully notarize and staple my mac app, which in my case is Omnis, an app that makes applications, is a widely used product, they have hammered out all problems


        It's only trying to notarize my signed package that gives the error.


        Any ideas appreciated. Sincerely, "Goravani"

        • Re: Why: Unable to validate your application
          Das Goravani Level 1 Level 1 (0 points)

          Today is a day later, and I tried everything from the start. I have all my code signing commands in a text file so I can reproduce what has worked before. Before, I was able to notarize my app packaged in a zip file. This was during the week.  Today I try to reproduce that, doing exactly the same commands, and it won't work, gives the error


          Unable to validate your application. We are unable to create an authentication session.


          I have tried everything I can think of, everything I can find online, wrote a letter to Apple, to which I hope they respond meaningfully.


          I feel like being on the latest OS and xcode is working against me.

          • Re: Why: Unable to validate your application
            Das Goravani Level 1 Level 1 (0 points)

            Now downloading the xcode 11.2 beta and the command line tools for that beta, hopefully things will go better once I get them installed

            • Re: Why: Unable to validate your application
              KMT Level 9 Level 9 (15,395 points)

              You do have a currently valid paid Individual Developer Program account, correct?

                • Re: Why: Unable to validate your application
                  Das Goravani Level 1 Level 1 (0 points)

                  I do have a currently paid valid Developer Program account, the correct certificates, and app specific passwords in my keychain. I was able to Notarize my APP but...


                  Now today, Sunday Oct 6th, downloaded, installed, the xcode 11.2 beta and it's command line tools, rebooted, created a fresh copy of my app, was able to code sign it correctly, successfully, but...


                  When I try to submit it for notarization in a zip or pkg file, I still get the error


                  Unable to validate your application. We are unable to create an authentication session.


                  Which I was getting in xcode 11 and it's tools, too. The beta upgrade didn't help. In fact, I made it through Notarization ONE TIME using a zip file to present my app for notarization, one time it worked, in xcode 11, but I want to distribute in a pkg, so I put the notarized app into a pkg and got the above error, no matter what syntax I tried.


                  Now I can't even notarize the app in a zip file as I was ONCE able to, so I can't get to presenting the package for notarization


                  Furthermore, this is a separate but related issue, I have a pkg up on my website for distribution, it has in it a Notarized version of the app, the one I was able to notarize, and the pkg file is signed, successfully, but my users on Mojave are getting the Malware block, and have to right click to Open it.  I thought code signing was enough for Mojave, but apparently not.


                  To me in conclusion, the command line tools, the altool, and the notarization servers, are buggy, because I've tried everything from fresh forward... read tons of online docs, tried everybodys variation on the syntax of the altool command


                  What really doesn't make sense is that I was able to Notarize my app one time, and I kept the commands that worked in a text file for re use, and when I re use them, exactly as before, on a fresh copy of the app, it coughs when I come to the notarization command (after all the code signing and checking... meets requirements on disk.. satisfied, approved, after signing... won't notarize, using the apple given Terminal command, using other people's variations on that theme...


                  Macbook Pro, latest Mojave, latest xcode, I keep my mac in delivery condition, i dont install a lot of tools or things that show in the menu bar, I dont run things that might be blocking other things... quite sterile and pristine


                  Another Omnis developer (which is what I am, I develop in Omnis) was able to notarize a pkg, but I bet he wasn't using the latest OS or xcode... I notice people are not using the latest as I am..when I read their posts I see that, I think there are sweet periods and bad periods and right now the latest OS and xcode are a bad period, that's my take on it, given the trouble I'm having.


                  I am a newbie to things like unix, i dont know C or xcode, Omnis is it's own IDE and I mostly know it... so when it comes to making installers, I start to get outside of my comfort zone, this unix notarization stuff is definitely new to me, command line is new to me, but I've learned, I get it so far, i was able to notarize one time but couldn't get it to recognize a pkg container on my notarized app, same error as above always.


                  I'm definitely open to being put on the spot with questions like the one asked, if I'm a developer or not... that's quite fine, any other as well... no big ego here.

                    • Re: Why: Unable to validate your application
                      KMT Level 9 Level 9 (15,395 points)

                           >in conclusion, the command line tools, the altool, and the notarization servers, are buggy,


                      In that case, be sure to file bugs using the link below to see what comes back. Also check the release notes for the latest tools, and, if you have a project that demonstrates the issue(s), you might consider using a support ticket w/DTS via the Member Center to ask them to take a look.


                      So far tho, I suspect your assumptions are correct and it's just another example of how the tools can vary in brittleness from one release to yet another.


                      Good luck and pls. keep us posted if you have time.



                        • Re: Why: Unable to validate your application
                          Das Goravani Level 1 Level 1 (0 points)

                          Okay, here's an update, things have changed.


                          Frustrated with xcode 11 not even uploading, I downloaded version 10 of xcode and it's command line tools, installed them, rebooted, and immediately got better results. I was able to:


                          Sign my app of course

                          Place it in a zip

                          Notarize that

                          Staple the app

                          Place that in a final pkg for distribution

                          Sign that

                          Notarize that


                          But, it failed the notarization test before and after stapling it


                          So I'm confused. It's notarized, and fails the test immediately. I staple it and it says the signature is invalid.


                          All commands worked, gave positive feedback, but they don't seem to work when test.


                          I test using this command and this is the results:


                          Testing right after it says its notarized:


                          spctl -a -t open --context context:primary-signature -v /Users/Das\'s/Desktop/Deploying/build/Jyotish\ Studio\ 5.pkg

                          /Users/Das's/Desktop/Deploying/build/Jyotish Studio 5.pkg: rejected

                          source=Unnotarized Developer ID


                          and after stapling it to see if that helps


                          spctl -a -t open --context context:primary-signature -v /Users/Das\'s/Desktop/Deploying/build/Jyotish\ Studio\ 5.pkg

                          /Users/Das's/Desktop/Deploying/build/Jyotish Studio 5.pkg: invalid signature (code or signature have been modified)


                          If I resign it to see if that helps it doesn't, it still says it's an unnotarized developer ID


                          So with xcode 10 I'm able to do everything, notarize, no problem, but it doesn't pass muster.


                          So I don't know what I'm left with... all this work and it's still going to get the malware warning... I sure hope Apple leaves the Right Click and Open capability on installers in Catalina... I read that it's there in the beta... I hope it stays... because with this process being so brittle we need it.


                          Right now on my website for download I have a pkg that has a notarized and stapled app inside it, and the pkg is signed... people have Mojave and when they download it they get the malware warning.. I thought signing was enough on Mojave.. this is a separate issue of course but it's related.. the app inside is notarized, I didn't put the pkg through notarization, but here today I have, and it fails.


                          In case I can't find it, could you give me the link for opening a ticket with the right people at Apple. I want to share my experience because it is the path that all developers who have apps outside of xcode will have to take.  I believe we are blocked at this point by these seeming bugs. It's pretty straightforward, the notarization command and resultant email from Apple... and stapling is a bit confusing.. how does it know what to staple onto the pkg, the command just says staple staple... and path... and it says it worked... but shouldn't you have to give the UUID or something to indicate what to staple?  Confusing.


                          So I don't know what I have at the end of this here.


                          I'm grateful that version 10 of xcode at least lets me notarize, though it isn't testing as successful yet.


                          I appreciate you Ken.


                          Das Goravani

                          das at goravani dot com

                    • Re: Why: Unable to validate your application
                      Das Goravani Level 1 Level 1 (0 points)

                      I'm 60 so I get a little latitude in terms of being retrospective so here goes:


                      I've been developing in Omnis on a Mac (and Windows only because I have to for sales) for 30 years or since 87.  I love the Mac and only use it for everything. In fact I run Windows in VMWare's Fusion on my Mac and only touch it when I have to check my software there and make Windows installers. I really can't stand Windows.  The very feel of it's mouse drives me nuts. It seems flimsy and brittle. 


                      I have owned many Macs, but now it's a MacBook Pro for everything.  I grew up in the San Francisco Bay Area and watched Apple start and blossom in my lifetime. I've worked at 3 Mac stores in my life. So I helped quite a few people get into their first Mac.


                      I love Omnis, it's a great development tool.  I don't use xcode, that level of coding, lower than I'm used to, is hard for me to like, but I respect it as it is harder than what I do (Omnis is higher level).


                      I think Apple tends to make the right decisions. The one decision I didn't like was that they discontinued iWeb. I still use it on Mojave despite the warnings that it won't run on Catalina, which was released today.


                      I don't mind having to tell our users to Right Click and Open with...Installer, in order to install our application. I'm sure the bugs in Notarization will be worked out soon enough.  I surely did struggle with Terminal and the code signing and notarization commands, and bugs, greatly, for the last week.


                      I'm a bit concerned about what I think from reading forums is the Huge Amount of installers from tons of companies that will be blocked as I don't think everybody is ready with working notarized installers.  I think even large companies will have to have their tech support working overtime just to tell people to right click. This is one transition that hasn't been handled successfully on time, but hey, that's ok. We'll make it through.


                      I think we should take a moment and realize that the world isn't ready for Catalina and also that a lot of developers have given up their business due to the 64 bit requirement of Catalina.  One of my competitors called it a day I know.  One of the largest, most successful music software companies, Izotope, their website and letters recommend staying on Mojave, because they are ready.  I had to pay a C coder to upgrade my externals to 64 bit and Unicode in order to be ready for this day.  Apple, unlike Microsoft who really stays with backwards compatibility, has pushed us forward, in an aggressive way, off of 32 bit applications. 


                      For me this transition has not been prohibitive because Omnis sees to it that they are 64 bit now, and they released a doc that made notarizing clear and easy... when you use a Tool from a for profit company they tend to do what they can to keep the tool useable and alive for the developer community.


                      Computers and digital gadgets like iPhones rule our day and age in a big way. I'm glad Apple exists to make them more friendly and nicely working. Windows users spend much more time maintaining and messing with the nuts and bolts of their device than Mac users have to. The Mac is like a sheet of clean white paper with beautiful type on it, and Windows is like an industrial sheet of paper with mono spaced bit mapped type on it. Windows computers can be bought for a few hundred bucks. That's one advantage. They are way cheaper. I still bought a Macbook Pro recently.  The difference is phenomenal.



                      • Re: Why: Unable to validate your application
                        ariestav Level 1 Level 1 (0 points)

                        I'm also getting this on a .pkg that I'm trying to notarize.  You can use the --verbose flag on the altool to inspect errors.


                        I still haven't solved the "Unable to validate your application. We are unable to create an authentication session." error, but when I use the --verbose flag on the altool command, I do get an error message in json like so:

                        "Please sign in with an app-specific password. You can create one at appleid.apple.com. (-22910)"


                        I thought I was able to use my Apple ID that I used to sign up for a paid account developer.apple.com but apparently not?

                        • Re: Why: Unable to validate your application
                          Das Goravani Level 1 Level 1 (0 points)



                          I now have an installer up on my website which is both Mojave and Catalina compatible, which does not get the Malware Block.  I achieved this with xcode 10, because 11 and 11.2 wouldn't notarize for me. I downloaded 10 and it worked right away.  I ran into problems using Packages the program, to make my pkg, it did something to my app, it corrupted my app, so I switched to DropDMG as my dmg maker and made my installer that way. So I notarized my app with a zip file, then stapled my original app, put it in a dmg with an applications folder alias for them to drag it onto, that method, which DropDMG makes easy, and then signed, notarized, and stapled that final dmg, and that was the ticket to no malware blocks. The system ultimately worked for me. I now get how it works, and how to do it. I'm done for now. Now it's time to work on a bug fix update and then go through this all over again, which is fine. Thanks.