10 Replies
      Latest reply on Feb 8, 2020 11:33 AM by Todd2
      Todd2 Level 1 (0 points)

        Last week I was able to notarize my .pkg installer without any problems.

        This week all attempts have failed. The two error messages in the log file are:

        • "The binary is not signed with a valid Developer ID certificate."
        • "The signature does not include a secure timestamp."

        This is despite the application being signed with a legitimate Developer ID (the same I used last week, date is still valid), and I've verified that it is there with codesign.

        Anyone seeing anything similar to this?

        Has something changed requiring me to make a change to my tooling/command set?

        Current Xcode build is: Version 11.3.1 (11C504)

        Thanks,

        • Re: Notarization started failing this week
          Todd2 Level 1 (0 points)

          To provide a concrete example, I created a HelloWorld command-line program, ran

          xcodebuild clean install

          packaged it and sent it for notarization. The app had my Developer ID, TeamIdentifier, and a Signed Time.

          $ codesign -dvvv --entitlements :- HelloWorld.dst/usr/local/bin/HelloWorld
          Executable=/private/tmp/HelloWorld.dst/usr/local/bin/HelloWorld
          Identifier=HelloWorld
          Format=Mach-O thin (x86_64)
          CodeDirectory v=20500 size=406 flags=0x10000(runtime) hashes=4+5 location=embedded
          Hash type=sha256 size=32
          CandidateCDHash sha256=946e6b1e139852546e7d3624b107c842c4f0522c
          CandidateCDHashFull sha256=946e6b1e139852546e7d3624b107c842c4f0522c26f2dba7aea8b93c668f9f8d
          Hash choices=sha256
          CMSDigest=946e6b1e139852546e7d3624b107c842c4f0522c26f2dba7aea8b93c668f9f8d
          CMSDigestType=2
          CDHash=946e6b1e139852546e7d3624b107c842c4f0522c
          Signature size=4736
          Authority=Apple Development: XXXX XXXXXXX (XXXXXXXXXX)
          Authority=Apple Worldwide Developer Relations Certification Authority
          Authority=Apple Root CA
          Signed Time=Feb 5, 2020 at 3:49:08 PM
          Info.plist=not bound
          TeamIdentifier=XXXXXXXXX
          Runtime Version=10.15.0
          Sealed Resources=none
          Internal requirements count=1 size=176
          <?xml version="1.0" encoding="UTF-8"?>
          <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
          <plist version="1.0">
          <dict/>
          </plist>

           

           

          And here is the Notarization error log

          {
            "logFormatVersion": 1,
            "jobId": "909e8ba7-4df5-4120-b35a-c4c0b21e921b",
            "status": "Invalid",
            "statusSummary": "Archive contains critical validation errors",
            "statusCode": 4000,
            "archiveFilename": "HelloWorld.pkg",
            "uploadDate": "2020-02-05T23:54:48Z",
            "sha256": "d6cc95c1e32bb038b654aea96b683a6f0e704d72b530187ea6fa081276635235",
            "ticketContents": null,
            "issues": [
              {
                "severity": "error",
                "code": null,
                "path": "HelloWorld.pkg/HelloWorld.pkg Contents/Payload/usr/local/bin/HelloWorld",
                "message": "The binary is not signed with a valid Developer ID certificate.",
                "docUrl": null,
                "architecture": "x86_64"
              },
              {
                "severity": "error",
                "code": null,
                "path": "HelloWorld.pkg/HelloWorld.pkg Contents/Payload/usr/local/bin/HelloWorld",
                "message": "The signature does not include a secure timestamp.",
                "docUrl": null,
                "architecture": "x86_64"
              }
            ]
          }

          • Re: Notarization started failing this week
            slohiya Level 1 (0 points)

            I am seeing the same issue starting Feb 4th. productsign, notarization and staple were all fine last week. Now productsign is fine but notarization fails with the messages below:

            The binary is not signed with a valid Developer ID certificate.
            The signature does not include a secure timestamp
            The signature algorithm used is too weak.

            • Re: Notarization started failing this week
              rw@cadimage Level 1 (0 points)

              Also seeing the same - notarization worked fine up to 31 Jan (and codesign still confirms validity) but stopped on 3 Feb. Reply is:

              - The binary is not signed with a valid Developer ID certificate.

              - The signature does not include a secure timestamp

              • Re: Notarization started failing this week
                shailesh_lohiya Level 1 (0 points)

                Anyone got any solution to this?

                • Re: Notarization started failing this week
                  kubaitis Level 1 (0 points)

                  I got my notarizations working again but it took 2 days of trial and error to get it worked out:

                  First I had to update to Xcode 11.3 and update the command line tools, then go into Software Update and update them again, and it requires a lengthy reboot to get it all in order.

                  My software is written in Java... turns out Java 8 is dead to Apple with these changes. Some binaries in Java 8 were compiled with old versions of the SDK and will never pass notarization even if you re-codesign them all.

                  So I had to update to Java 11.0.6, which required refactoring a number of things because the language is different. Ouch.

                  Next I still had to re-codesign the Java runtime files to get them to be accepted.

                  The JMOD files in the Java runtime still failed... I didn't need those to run my application so I deleted them from the runtime.

                  Boom... notarization worked.

                  This command is critical to getting notarization working again:

                  xcrun altool --notarization-info RequestUUID --username USERNAME --password APP-PASSWORD

                  It gives you a URL to an itemized list of problems notarization has with your distribution. Largely you can just re-codesign the stuff it complains about to resolve them. My jmod issue was trickier... just removing them if they aren't needed was the best option for me there.
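The URL that `xcrun altool --notarization-info` prints (the LogFileURL line) points at JSON in the same shape as the log Todd2 pasted above. What follows is an added example, the editor's code and not from anyone in this thread: it pulls that URL out of altool's output and groups the log's errors by file, pairing each with the change to make on the next codesign run. The altool output and the log are constructed from the messages quoted in this thread (the URL is a placeholder), and the fix hints are the editor's reading of the thread, not text from Apple.

```python
"""Triage an Apple notarization log.

Added example (editor's code, not from the thread). Sample altool output and
the sample log below are constructed from the messages quoted in the thread;
the LogFileURL is a placeholder and the fix hints are the editor's, not Apple's.
"""
import json
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample of `xcrun altool --notarization-info <uuid> ...` output.
ALTOOL_OUTPUT = """\
No errors getting notarization info.

          Date: 2020-02-05 23:54:48 +0000
          Hash: d6cc95c1e32bb038b654aea96b683a6f0e704d72b530187ea6fa081276635235
    LogFileURL: https://example.invalid/notary/909e8ba7.json
   RequestUUID: 909e8ba7-4df5-4120-b35a-c4c0b21e921b
        Status: invalid
   Status Code: 2
Status Message: Package Invalid
"""

# Constructed log modelled on the one in the thread, plus slohiya's third error
# and one non-blocking warning to show that only severity=error is reported.
_PAYLOAD = "HelloWorld.pkg/HelloWorld.pkg Contents/Payload/usr/local/bin/HelloWorld"
SAMPLE_LOG = json.dumps({
    "logFormatVersion": 1,
    "status": "Invalid",
    "statusSummary": "Archive contains critical validation errors",
    "archiveFilename": "HelloWorld.pkg",
    "issues": [
        {"severity": "error", "architecture": "x86_64", "path": _PAYLOAD,
         "message": "The binary is not signed with a valid Developer ID certificate."},
        {"severity": "error", "architecture": "x86_64", "path": _PAYLOAD,
         "message": "The signature does not include a secure timestamp."},
        {"severity": "error", "architecture": "x86_64", "path": _PAYLOAD,
         "message": "The signature algorithm used is too weak."},
        {"severity": "warning", "architecture": "x86_64", "path": "HelloWorld.pkg",
         "message": "(constructed) a warning, which does not block notarization"},
    ],
})

# (substring of the notary message) -> what to change on the next codesign run.
FIX_HINTS: List[Tuple[str, str]] = [
    ("valid Developer ID certificate",
     'sign with a "Developer ID Application: ..." identity, not "Apple Development"'),
    ("secure timestamp",
     "re-sign with --timestamp so Apple's TSA countersigns (needs network access)"),
    ("signature algorithm used is too weak",
     "re-sign with a current codesign so the CodeDirectory carries a SHA-256 digest"),
]
DEFAULT_HINT = "inspect with codesign -dvvv and re-sign"


def log_file_url(altool_output: str) -> Optional[str]:
    """Return the LogFileURL value from altool's key/value output, or None."""
    for line in altool_output.splitlines():
        key, sep, value = line.partition(":")   # first colon ends the key
        if sep and key.strip() == "LogFileURL":
            return value.strip()
    return None


def triage(log_text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Group severity=error issues by path, each paired with a fix hint."""
    log = json.loads(log_text)
    by_path: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for issue in log.get("issues") or []:
        if issue.get("severity") != "error":
            continue
        message = issue.get("message", "")
        hint = next((h for needle, h in FIX_HINTS if needle in message), DEFAULT_HINT)
        by_path[issue.get("path", "<no path>")].append((message, hint))
    return dict(by_path)


def report(log_text: str) -> List[str]:
    """One line per (path, error), ready to print or feed to a re-sign loop."""
    lines: List[str] = []
    for path, items in triage(log_text).items():
        for message, hint in items:
            lines.append(f"{path}: {message} -> {hint}")
    return lines


if __name__ == "__main__":
    print("log URL:", log_file_url(ALTOOL_OUTPUT))
    print("\n".join(report(SAMPLE_LOG)))
```

In practice you would fetch the URL returned by `log_file_url()` with curl and pass the body to `report()`; the paths it prints are relative to the expanded package, which is exactly the list of files kubaitis describes re-signing.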

                  • Re: Notarization started failing this week
                    Todd2 Level 1 (0 points)

                    Thanks to everyone for your feedback. After reading your posts and following your links, I was able to figure it out. It turns out the fault was mine. (1) I did not have the necessary certificate, and (2) I had to do a manual codesign with the new certificate.

                    Before, when I did a codesign -dvvvv I could see that the binary was signed, but the "Apple Development" signing certificate (line 3 below) was not sufficient.

                    $ codesign -dvvv --entitlements :- /tmp/helloworld.dst/usr/local/bin/helloworld
                    ...
                    Authority=Apple Development: XXXXXX (XXXXXXXXXX)

                    After requesting and getting a "Developer ID Application" certificate, and then manually signing the binary with that, notarization started working for me again.

                    $ codesign -s "Developer ID Application: XXXXXXXX (XXXXXXXXXX)" --options=runtime --force /tmp/helloworld.dst/usr/local/bin/helloworld

                    $ codesign -dvvv --entitlements :- /tmp/helloworld.dst/usr/local/bin/helloworld
                    ...
                    Authority=Developer ID Application: XXXXXXX (XXXXXXXXXX)

                    So if the "Authority" field was "Apple Development: ...", notarization failed for me.

                    When the "Authority" field was "Developer ID Application: ...", notarization succeeded.

                    One last observation: I needed the --options=runtime option on the codesign command above to preserve the hardened runtime, another necessary condition for notarization.

                    Thanks again for everyone's help!
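Todd2's diagnosis can be turned into a check that runs before anything is uploaded. The following is an added example (the editor's code, not Todd2's or Apple's): it parses a `codesign -dvvv` dump and flags the things the notary log in this thread complained about: an "Apple Development" leaf instead of "Developer ID Application", a CodeDirectory without the runtime flag, a "Signed Time=" with no "Timestamp=" (codesign prints Timestamp= only when the signature carries a TSA countersignature; Signed Time= is just the signer's own clock, which is why the OP's dump above was rejected for lacking a secure timestamp), and a CodeDirectory with no SHA-256 digest (slohiya's "too weak" error). It also builds the re-sign command, passing --timestamp explicitly rather than relying on codesign's defaults. The two dumps are constructed from Todd2's output, the identity and paths are placeholders, and resign() needs a Mac with codesign on PATH; the checks themselves run anywhere.

```python
"""Pre-upload check for the notarization prerequisites this thread converged on.

Added example (editor's code, not from the thread). BAD_DUMP and GOOD_DUMP are
constructed, modelled on Todd2's `codesign -dvvv` output; identity strings and
binary paths are placeholders.
"""
import re
import shutil
import subprocess
from typing import Dict, List

# Constructed dump in the shape of the failing one in the thread: Apple Development
# leaf, hardened runtime on, but only a local "Signed Time", no TSA timestamp.
BAD_DUMP = """\
Executable=/private/tmp/HelloWorld.dst/usr/local/bin/HelloWorld
Identifier=HelloWorld
Format=Mach-O thin (x86_64)
CodeDirectory v=20500 size=406 flags=0x10000(runtime) hashes=4+5 location=embedded
Hash type=sha256 size=32
Hash choices=sha256
Authority=Apple Development: XXXX XXXXXXX (XXXXXXXXXX)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=Feb 5, 2020 at 3:49:08 PM
TeamIdentifier=XXXXXXXXXX
Runtime Version=10.15.0
"""

# Constructed dump after re-signing with a Developer ID Application identity,
# --options runtime and --timestamp (chain and timestamp are placeholders).
GOOD_DUMP = """\
Executable=/private/tmp/HelloWorld.dst/usr/local/bin/HelloWorld
Identifier=HelloWorld
Format=Mach-O thin (x86_64)
CodeDirectory v=20500 size=406 flags=0x10000(runtime) hashes=4+5 location=embedded
Hash type=sha256 size=32
Hash choices=sha256
Authority=Developer ID Application: XXXX XXXXXXX (XXXXXXXXXX)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Feb 7, 2020 at 9:12:03 AM
TeamIdentifier=XXXXXXXXXX
Runtime Version=10.15.0
"""


def parse_dump(text: str) -> Dict[str, List[str]]:
    """codesign prints key=value lines; keep every value, since Authority= repeats."""
    fields: Dict[str, List[str]] = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields.setdefault(key.strip(), []).append(value.strip())
    return fields


def notarization_problems(dump: str) -> List[str]:
    """Return the reasons the notary service would reject this signature (empty = OK)."""
    f = parse_dump(dump)
    problems: List[str] = []

    # 1. Leaf certificate: codesign lists the leaf first, then the chain up to Apple Root CA.
    leaf = (f.get("Authority") or ["<unsigned>"])[0]
    if not leaf.startswith("Developer ID Application:"):
        problems.append(f"leaf certificate is '{leaf}'; notarization needs a Developer ID Application identity")

    # 2. Hardened runtime appears as 'runtime' inside flags=0x...(...) on the CodeDirectory line.
    cd_line = " ".join(f.get("CodeDirectory v", []))
    m = re.search(r"flags=0x[0-9a-fA-F]+\(([^)]*)\)", cd_line)
    flags = m.group(1).split(",") if m else []
    if "runtime" not in flags:
        problems.append("hardened runtime not enabled; sign with --options runtime")

    # 3. Secure timestamp: 'Timestamp=' is printed only when a TSA countersignature is
    #    present; a plain 'Signed Time=' is the signer's own clock and does not count.
    if "Timestamp" not in f:
        problems.append("no secure timestamp (only Signed Time=); sign with --timestamp")

    # 4. Digest: a SHA-1-only CodeDirectory is what 'signature algorithm used is too weak' means.
    choices = ",".join(f.get("Hash choices", [])).split(",")
    if "sha256" not in choices:
        problems.append("CodeDirectory has no SHA-256 digest; re-sign with a current codesign")
    return problems


def resign_argv(binary: str, identity: str) -> List[str]:
    """The codesign invocation that satisfies all four checks; identity is a placeholder."""
    return ["codesign", "--force", "--sign", identity,
            "--options", "runtime", "--timestamp", binary]


def resign(binary: str, identity: str) -> List[str]:
    """Re-sign, run codesign's own strict verify, then re-check the dump. macOS only."""
    if shutil.which("codesign") is None:
        raise RuntimeError("codesign not on PATH; this step needs macOS")
    subprocess.run(resign_argv(binary, identity), check=True)
    subprocess.run(["codesign", "--verify", "--strict", "--verbose=2", binary], check=True)
    shown = subprocess.run(["codesign", "-dvvv", binary], capture_output=True, text=True)
    return notarization_problems(shown.stdout + shown.stderr)   # -dvvv writes to stderr


if __name__ == "__main__":
    for name, dump in (("before", BAD_DUMP), ("after", GOOD_DUMP)):
        print(name, notarization_problems(dump) or ["OK"])
    print(" ".join(resign_argv("/tmp/helloworld.dst/usr/local/bin/helloworld",
                               "Developer ID Application: XXXXXXXX (XXXXXXXXXX)")))
```

Run against the thread's own dump the check reports exactly the two errors the notary returned; after a re-sign it should come back empty, and only then is the package worth uploading.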