      Latest reply on Feb 14, 2020 2:43 PM by john daniel
      3outchange Level 1 (0 points)

        Hello,

         

        I am trying to notarize an application and I am running into an issue after using pkgbuild on the .app. Here are the steps in the build process:

         

        1. Generate .app using xcodebuild install
        2. Sign the .app
        3. Create component with pkgbuild
        4. Create installer product with productbuild
        5. Sign product using productsign
        6. Add .pkg to .dmg
        7. Sign .dmg
        8. Notarize .dmg

         

        I codesigned the .app, and verified that it is signed properly. I was able to notarize the .app successfully (done as a test, I am not including the notarized app in the build process). The issue comes after running pkgbuild. After using pkgbuild, RB App Checker Lite shows the following:

        "
        Evaluating the folder “55DB092F-7846-4EE8-9AA0-381C2A899086” inside the XAR package.

        The code signature is unreadable or missing.

        Error details: “-67028: bundle format unrecognized, invalid, or unsuitable” {
          The operation couldn’t be completed. (OSStatus error -67028.)
        }

        The folder is unsigned.
        "

         

        To get more data, I proceeded through the steps anyway and attempted to notarize the dmg, and here is the response:

         

        {
          "logFormatVersion": 1,
          "jobId": "xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
          "status": "Invalid",
          "statusSummary": "Archive contains critical validation errors",
          "statusCode": 4000,
          "archiveFilename": "MyApp.dmg",
          "uploadDate": "2020-02-13T16:07:13Z",
          "sha256": "9de80d3c39870bb249bbdbfb1f42c9755f22888e069f25d24cfd863373a4b803",
          "ticketContents": null,
          "issues": [
            {
              "severity": "error",
              "code": null,
              "path": "MyApp.dmg/MyApp.pkg/MyAppComponent.pkg Contents/Payload/Applications/MyCompany/MyApp.app/Contents/MacOS/MyApp",
              "message": "The binary is not signed with a valid Developer ID certificate.",
              "docUrl": null,
              "architecture": "x86_64"
            },
            {
              "severity": "error",
              "code": null,
              "path": "MyApp.dmg/MyApp.pkg/MyAppComponent.pkg Contents/Payload/Applications/MyCompany/MyApp.app/Contents/MacOS/MyApp",
              "message": "The signature does not include a secure timestamp.",
              "docUrl": null,
              "architecture": "x86_64"
            },
            {
              "severity": "error",
              "code": null,
              "path": "MyApp.dmg/MyApp.pkg/MyAppComponent.pkg Contents/Payload/Applications/MyCompany/MyApp.app/Contents/MacOS/libusb-1.0.0.dylib",
              "message": "The binary is not signed with a valid Developer ID certificate.",
              "docUrl": null,
              "architecture": "x86_64"
            },
            {
              "severity": "error",
              "code": null,
              "path": "MyApp.dmg/MyApp.pkg/MyAppComponent.pkg Contents/Payload/Applications/MyCompany/MyApp.app/Contents/MacOS/libusb-1.0.0.dylib",
              "message": "The signature does not include a secure timestamp.",
              "docUrl": null,
              "architecture": "x86_64"
            },
            {
              "severity": "error",
              "code": null,
              "path": "MyApp.dmg/MyApp.pkg/MyAppComponent.pkg Contents/Payload/Applications/MyCompany/MyApp.app/Contents/Frameworks/libswiftAppKit.dylib",
              "message": "The binary is not signed with a valid Developer ID certificate.",
              "docUrl": null,
              "architecture": "x86_64"
            },
            {
              "severity": "error",
              "code": null,
              "path": "MyApp.dmg/MyApp.pkg/MyAppComponent.pkg Contents/Payload/Applications/MyCompany/MyApp.app/Contents/Frameworks/libswiftAppKit.dylib",
              "message": "The signature does not include a secure timestamp.",
              "docUrl": null,
              "architecture": "x86_64"
            }

         

        and continues with this error for all of the .dylibs included in the upload.

         

        So to reiterate, I can see that the .app is signed and could be notarized, but the signing seems to be lost or affected after running pkgbuild. Any suggestions would be appreciated. Let me know if you need more information on the build, I'll be happy to provide anything I can.

         

        Thanks,

        Alex
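
A small triage script for a notarization log of the shape quoted in the question above, added here as an example and not part of the original thread. It groups the errors per file and reports each file by its path inside the .app; the sample log is constructed from three of the quoted issues, and the function names are this example's own.

```python
import json
from collections import defaultdict

# Constructed sample: three issues in the shape of the quoted log, closed so it parses.
PREFIX = "MyApp.dmg/MyApp.pkg/MyAppComponent.pkg Contents/Payload/Applications/MyCompany/"
NOT_SIGNED = "The binary is not signed with a valid Developer ID certificate."
NO_TIMESTAMP = "The signature does not include a secure timestamp."
SAMPLE_LOG = json.dumps({
    "status": "Invalid", "archiveFilename": "MyApp.dmg",
    "issues": [
        {"severity": "error", "path": PREFIX + "MyApp.app/Contents/MacOS/MyApp",
         "message": NOT_SIGNED, "architecture": "x86_64"},
        {"severity": "error", "path": PREFIX + "MyApp.app/Contents/MacOS/MyApp",
         "message": NO_TIMESTAMP, "architecture": "x86_64"},
        {"severity": "error", "path": PREFIX + "MyApp.app/Contents/MacOS/libusb-1.0.0.dylib",
         "message": NOT_SIGNED, "architecture": "x86_64"},
    ],
})

def split_at_bundle(path):
    """Split a log path into (containers up to the .app, path inside the .app)."""
    parts = path.split("/")
    for i, part in enumerate(parts):
        if part.endswith(".app"):
            return "/".join(parts[:i + 1]), "/".join(parts[i + 1:])
    return path, ""  # not inside an app bundle (e.g. a bare tool in the payload)

def summarize(log_text):
    """Map each flagged file to the sorted list of error messages against it."""
    log = json.loads(log_text)
    by_file = defaultdict(set)
    for issue in log.get("issues") or []:  # tolerate a null or absent "issues" field
        if issue.get("severity") == "error":
            by_file[issue["path"]].add(issue["message"])
    return {path: sorted(msgs) for path, msgs in by_file.items()}

def report(log_text):
    """Return one line per file: path inside the bundle, then what failed."""
    lines = []
    for path, msgs in sorted(summarize(log_text).items()):
        container, inner = split_at_bundle(path)
        lines.append(f"{inner or container}: {len(msgs)} error(s): " + " | ".join(msgs))
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```
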

        • Re: pkgbuild affecting app codesigning, preventing notarization
          john daniel Level 4 (570 points)

          It sounds like your app is not signed properly. I'm sorry, but I've seen so many crazy things people are doing in this forum that I have a hard time accepting that people are really doing what they say they are doing. If you could post the actual commands you are running and the actual results, that would be really helpful.

           

          Do you have anything other than an app in this package? Do you really need an installer package and DMG? That install path in the pkg makes me suspicious.