Invalid notarization without log

I signed my application with a "Developer ID Application: ***" certificate. The "runtime" option is enabled. Entitlements plist file is:


<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>com.apple.security.cs.disable-library-validation</key>

<true/>

<key>com.apple.security.cs.allow-jit</key>

<true/>

<key>com.apple.security.cs.allow-unsigned-executable-memory</key>

<true/>

</dict>

</plist>


The application starts normally. Then i create dmg and sign it:

productbuild --component APP.app /Applications APP.dmg

codesign --verbose -f -o runtime --entitlements entitlements.plist -s "Developer ID Application: ***" APP.dmg


And after notarization I get:

Date: 2020-02-11 09:53:14 +0000
RequestUUID: dba8abd3-f80b-438c-8d26-db6d4654cdca
Status: invalid


What is wrong and where is the log?

Up vote post of k.s.a1991@yandex.ru Down vote post of k.s.a1991@yandex.ru
390 views
Posted by
k.s.a1991@yandex.ru
Reply
Add a Comment

Replies

As to what’s happened to your installer log, my experience is that it can take a few minutes for the log to show up after the notarisation request has completed. If you wait a few minutes and then run 

--notarization-info
, does it show up? If not, you should file a bug against the notary service. Make sure to include the request’s UUID.

And if you do file a bug, please post your bug number, just for the record.

As to what’s going wrong with your notarisation, I’m confused by your description of the steps you took. You wrote:

productbuild --component APP.app /Applications APP.dmg

but 

productbuild
creates an installer package, not a disk image.

I’m also confused by this:

codesign --verbose -f -o runtime --entitlements entitlements.plist -s "Developer ID Application: ***" APP.dmg

There is no situation where it makes sense to set the hardened runtime flag and apply entitlements to a disk image code signature.

I recommend that you have a read through my Signing a Mac Product For Distribution post, which explains the correct steps for each of these operations.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment