Installer Package Notarization Fails -- Invalid Signature

With the stricter notarization requirements now in place, we're running into a problem with one of our installers. The main application distributed in that installer is signed with our Developer ID Application certificate. I can notarize the app directly by submitting the .app file to the notarization service. However, as soon as I put that (signed) application in an installer .pkg file and sign the .pkg with the Developer ID Installer certificate, we are unable to notarize the .pkg, getting an "invalid signature" error for the main application and every framework it depends on (though it appears that the notarization service thinks the signature on the .pkg itself is fine).


Is this a known issue? We're using:


/usr/bin/ditto -c -k --keepParent ./XWCSigned.pkg ./XWCCSigned.pkg.zip


to put the .pkg into a .zip file before sending it up to the notarization service.


Thanks in advance for any info you can share!

--Ron D

Replies

The guidance from Apple is to sign everything, but only notarize the outermost container.

Thanks for the reminder! I had attempted to notarize the app directly just to see if there was a difference in the notarization response; that is, I wanted to see if something we were doing to build the installer was altering the application enough to invalidate the signatures.


As it turns out, that was exactly what was happening. We had a script at one point that attempted to copy the .app file (directory) with a "cp -r" command (to put the app in another directory before running pkgbuild, etc.), which, in hindsight, is an obvious mistake. I replaced that (temporarily) with an "mv" command, which then resulted in a successful notarization of the installer .pkg file.


I don't think we really need to move the file out of the build directory to build the installer anyway, so I'll be re-writing the script before our next official build.


Thanks!

--Ron D
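A build-step check for the failure mode in this thread, added here as an example (not code from the thread or from Apple): it verifies that a copied .app still has every symbolic link its frameworks rely on, since on macOS (BSD cp) "cp -r" traverses links logically and replaces them with copies, which breaks the sealed bundle structure. The .app tree and the use of "cp -RL" to reproduce the damage portably are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not from the thread. Bundle-internal symlinks such as
# Foo.framework/Versions/Current are part of the sealed structure; a copy that
# turns them into real directories breaks the signature. On macOS "cp -r" does
# that (logical traversal); "cp -R" keeps links. "cp -RL" reproduces it anywhere.
# Exit 0 if every symlink under SRC is still a symlink at the same relative
# path under DST; otherwise list the lost links on stderr and exit 1.
links_preserved() {
    src=$1
    dst=$(cd "$2" && pwd) || return 2
    missing=$(cd "$src" && find . -type l | while IFS= read -r l; do
        [ -L "$dst/$l" ] || printf '%s\n' "$l"
    done)
    if [ -n "$missing" ]; then
        printf 'symlink(s) replaced by copies:\n%s\n' "$missing" >&2
        return 1
    fi
}

# Copy a bundle with the given cp flags, then verify its links survived.
copy_and_check() {   # FLAGS SRC_APP DEST_APP
    rm -rf "$3"
    mkdir -p "$(dirname "$3")"
    cp "$1" "$2" "$3" || return 2
    links_preserved "$2" "$3"
}

# Constructed stand-in for a signed .app with one embedded framework.
make_fake_app() {
    fw="$1/Contents/Frameworks/Demo.framework"
    mkdir -p "$fw/Versions/A/Resources" "$1/Contents/MacOS"
    printf 'placeholder, not a real binary\n' > "$fw/Versions/A/Demo"
    ln -s A "$fw/Versions/Current"
    ln -s Versions/Current/Demo "$fw/Demo"
    ln -s Versions/Current/Resources "$fw/Resources"
}

demo() {
    d=$(mktemp -d)
    make_fake_app "$d/Demo.app"
    if copy_and_check -R "$d/Demo.app" "$d/staged/Demo.app"; then
        echo "cp -R: links preserved, safe to hand to pkgbuild"
    fi
    if ! copy_and_check -RL "$d/Demo.app" "$d/broken/Demo.app"; then
        echo "cp -RL (what cp -r does on macOS): links lost, signature would fail"
    fi
    rm -rf "$d"
}
demo
```

On a Mac the authoritative check before running pkgbuild is `codesign --verify --deep --strict` on the copied bundle; this script only catches the structural damage a bad copy causes.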