Notarization


Notarization is the process of scanning Developer ID-signed software for malicious components before distribution outside of the Mac App Store.

Notarization Documentation

Posts under Notarization tag

121 Posts
Post not yet marked as solved
3 Replies
755 Views
Hello @eskimo (or whoever can help): our company builds a product which is delivered outside the app store as pkg. It contains a launch daemon which is a .NET build on an external build server and signed. Then the whole pkg is notarized. The build server is macOS 10.15.7 (Catalina). On macOS 13.x I can launch the daemon in Terminal without problem, but on Sonoma public beta I get "killed by Signal:9" and in Console I get: "standard 07:44:53.694349-0700 kernel ASP: Security policy would not allow process: 1377, /Library/PrivilegedHelperTools/com.ThinPrint.TPACCloud/TPACCloud.Service" This happens on both Intel and Apple CPU VMs. Besides, when I disable SIP the error does not show up anymore and the binary runs like a charm. What has changed between macOS 13 and macOS 14? The binary entitlements: com.apple.security.cs.allow-jit com.apple.security.cs.allow-unsigned-executable-memory com.apple.security.cs.disable-executable-page-protection com.apple.security.cs.allow-dyld-environment-variables com.apple.security.cs.disable-library-validation The command to code sign: /usr/bin/codesign --force --options=runtime --timestamp --entitlements "#{absolutePathToEntitlement}" --sign "#{applicationCertname}" "#{tPACCLOUD_ARTEFACTS_X64}/#{item}" where #{item} are the binaries and .dylibs
Post not yet marked as solved
1 Replies
443 Views
MyPythonExe is a compiled file coming from a python script compiled using pyinstaller. After being compiled, it was signed using codesign: codesign -s "Developer ID TTT", -o runtime -f --timestamp MyPythonExe Once signed, the exe was placed in a Zip container (exeZip), and then successfully notarized using the following: xcrun notarytool submit exeZip --keychain-profile "MyNotarProf" --wait It was accepted. Now, when I try to run it, the following error was thrown (oddly, the compiled unsigned Exe runs in the same computer without any issues): /Users/admin/Downloads/MyPythonExe ; exit; admin@admins-MacBook-Air ~ % /Users/admin/Downloads/MyPythonExe ; exit; [1767] Error loading Python lib '/var/folders/80/35xy0t2n3t96b5nl5ldl24_r0000gn/T/_MEIEhOx1q/Python': dlopen: dlopen(/var/folders/80/35xy0t2n3t96b5nl5ldl24_r0000gn/T/_MEIEhOx1q/Python, 0x000A): tried: '/var/folders/80/35xy0t2n3t96b5nl5ldl24_r0000gn/T/_MEIEhOx1q/Python' (code signature in <88BFFD37-99D8-36AB-9B95-9F54B30BD667> '/private/var/folders/80/35xy0t2n3t96b5nl5ldl24_r0000gn/T/_MEIEhOx1q/Python' not valid for use in process: mapped file has no Team ID and is not a platform binary (signed with custom identity or adhoc?)), '/System/Volumes/Preboot/Cryptexes/OS/var/folders/80/35xy0t2n3t96b5nl5ldl24_r0000gn/T/_MEIEhOx1q/Python' (no such file), .... (+ a couple of similar errors) No, the said exe file (MyPythonExe) was signed and successfully notarized. Oddly, the very same file, but unsigned runs perfectly well (after being authorized so it can surpass Gatekeeper, of course). What could be going on here? Any hint on how to overcome this issue?
Post marked as solved
1 Replies
370 Views
<Security`Security::CodeSigning::Requirement::Interpreter::eval(int)> sysextd: (Security) [com.apple.securityd:SecError] Error checking with notarization daemon: 3 sysextd: bundle code signature is not valid - does not satisfy requirement: -67050 Hello, when our customer is trying to install our product on his computer with Big Sur 11.6 build 20G165, the system denies our system extension with the errors mentioned above. Extension verification then ends with error 8 (signature invalid). This extension however installs without any issues on other machines, and it is correctly signed and notarized. Could you please provide some info about these errors? Specifically [com.apple.securityd:SecError] Error checking with notarization daemon: 3 and error NSOSStatusErrorDomain Code=-67050 Thank you, Jakub
Post not yet marked as solved
3 Replies
654 Views
I have a sandboxed/hardened app that is distributed outside of the MacAppStore. I want to allow the app to auto-update itself. I currently have the ability in the app to figure out if there is a newer version which then informs the user and gives them an option to download the app (currently it downloads to ~/Downloads in the app container). The app comes as a simple zip file that only includes the app itself. Once downloaded, then NSWorkspace.shared.open(URLtoDownloadedUpdate) will expand the zip and place the app in ~/Downloads. What I want is it to replace the current version of the app w/ this newly downloaded version. Is this possible? First, how do I find out where the old app is stored? And then how do I replace it with the new version when the old app is still running? I realize many people use Sparkle to do this instead of rolling their own. I simply do not want to depend on a third party.
Post not yet marked as solved
2 Replies
356 Views
Hi there, I could use some help with notarizing. I'm developing a Python module in the Rust programming language. The extension of the resulting library file is .so, which is necessary for Python to see it, instead of the regular .dylib. I compile this library for both apple silicon and intel. When a user first imports the library which in turn imports the library, and the user is confronted with Gatekeeper. So I guess I need to notarize the module file. And that's where I'm stuck. I created an Apple developer account, created a "Developer ID Application" certificate and used codesign to sign the .so file with it. That worked. I then used ditto to create a zip file with just the .so file: "ditto -c -k --keepParent my_module.so my_module.zip" The 600 kb file quickly uploads to Apple and I get an ID for checking the logs later on. Then I wait for the progress........ And nothing happens for hours on end. When I check the logs for the provided ID I get this message: "Submission log is not yet available or submissionId does not exist" I also checked if perhaps the notarization did work regardless of the above, with "spctl -a -t exec -vvv ./my_module.so". Says it's rejected, source=Unnotarized Developer ID. There is not much that I can work with, because I don't get an error message. Any ideas? Have fun, Wybren
Post not yet marked as solved
2 Replies
290 Views
I'm integrating Notary API, in our CI/CD pipelines. It all works well for notarization, but there is no mention of how to obtain the signing ticket nor how to staple it to the dmg. Do I need to use for that the: xcrun stapler staple I was hoping that with use of the Notary API, I can avoid requiring xtools and developer id on the machine.
Post not yet marked as solved
1 Replies
409 Views
I am having an issue trying to notarize an app with a bundled binary using notarytool. Everything is signed properly, but the notarization status of every submission I've tried over the past two days has just been stuck on In Progress. I even tried submitting something else but this is also stuck on In Progress. Successfully received submission history. history -------------------------------------------------- createdDate: 2023-10-01T15:34:36.959Z id: 8461c5b0-51d0-4c00-8391-4dcb541f2ccf name: flot.zip status: In Progress -------------------------------------------------- createdDate: 2023-10-01T15:13:46.537Z id: 4fd3e79c-74e2-4824-bc5c-c63c305243c3 name: flot.zip status: Invalid -------------------------------------------------- createdDate: 2023-10-01T14:29:52.668Z id: fc8bc0ae-8e17-4286-86b5-48d71d08175c name: flot-Mac-2.0.0-Installer.dmg status: In Progress
Post not yet marked as solved
2 Replies
417 Views
When I try to store my credentials using the notary tool, I get the following: /Applications/Xcode.app/Contents/Developer/usr/bin/notarytool store-credentials --verbose [00:44:33.975Z] Debug [MAIN] Running notarytool version: 1.0.0 (27), date: 2023-10-03T00:44:33Z, command: /Applications/Xcode.app/Contents/Developer/usr/bin/notarytool store-credentials --verbose This process stores your credentials securely in the Keychain. You reference these credentials later using a profile name. Profile name: build We recommend using App Store Connect API keys for authentication. If you'd like to authenticate with an Apple ID and app-specific password instead, leave this unspecified. Path to App Store Connect API private key: ./private_keys/AuthKey_QHBB38VH7L.p8 App Store Connect API Key ID: storieddata App Store Connect API Issuer ID: 69a6de6f-872e-47e3-e053-5b8c7c11a4d1 Validating your credentials... [00:45:08.825Z] Info [API] Initialized Notary API with base URL: https://appstoreconnect.apple.com/notary/v2/ [00:45:08.826Z] Info [API] Preparing GET request to URL: https://appstoreconnect.apple.com/notary/v2/test?, Parameters: [:], Custom Headers: private<Dictionary<String, String>> [00:45:08.827Z] Debug [JWT] Generating new JWT for key ID: storieddata. [00:45:08.829Z] Info [JWT] Caching newly generated JWT. key ID: storieddata, JWT: private<String> [00:45:08.830Z] Debug [AUTHENTICATION] Authenticating request with App Store Connect API credentials. Key ID: storieddata, Issuer ID: 69a6de6f-872e-47e3-e053-5b8c7c11a4d1 [00:45:08.831Z] Debug [TASKMANAGER] Starting Task Manager loop to wait for asynchronous HTTP calls. [00:45:09.243Z] Debug [API] **Received response status code: 401, message: unauthorized, URL: https://appstoreconnect.apple.com/notary/v2/test?,** Correlation Key: ZYHO7EDNX52XJBTRMIOUWGIVZI [00:45:09.244Z] Error [API] Received non-JSON response body from Notary API, URL: https://appstoreconnect.apple.com/notary/v2/test?
[00:45:09.245Z] Error [TASKMANAGER] Completed Task with ID 1 has encountered an error. [00:45:09.246Z] Debug [TASKMANAGER] Ending Task Manager loop. Credential validation failed. Please verify your inputs. I have double checked the input, and everything is correct.
Post not yet marked as solved
1 Replies
370 Views
I signed my application in MacOS 13.4, and the signed objects include all the binary files I compiled myself, and notarizing also works. It can also run normally on my version 13.4 Mac. However, when I copied this application to a computer with Mac OS version 11.3, it couldn't run properly. Dlopen will generate an error message, indicating that some of the dynamic libraries called by the program do not match the signature of the program itself. These dynamic libraries are from JRE, so I re-signed them and notarizing also works. In MacOS 13.4, it still runs normally, but in MacOS 11.3, it will report another error: Error occurred during initialization of VM Could not reserve enough space for code cache What is the reason for this and how should I handle it? Thank you in advance for any comments on this issue.
Post not yet marked as solved
5 Replies
546 Views
I'm using the "notarytool store-credentials" command to store my access credentials for notarizing our apps from a build server through Jenkins. The machine is a Mac Mini M1 running Ventura. This works per se but for a reason I don't understand, I need to do this repeatedly. When I store the credentials, it will work for the next hours but at some point the machine will "forget" the access credentials resulting in this error output: Conducting pre-submission checks for <app name> and initiating connection to the Apple notary service... Error: No Keychain password item found for profile: notarization Run 'notarytool store-credentials' to create another credential profile. I then have to run the store-credentials command again so I can use it again for the next few hours. This is obviously quite annoying especially since it's absolutely not obvious why it behaves that way. The machine is on 24/7 and I don't see why the keychain item gets removed. I'd appreciate any insight and would like to know what I have to do to store the credentials permanently.
Post not yet marked as solved
14 Replies
1.1k Views
Hi there, I want to build an application that can be run on different macos machines. That app uses libpython3.11.dylib. It could not be just linked with libpython because in out binary path to library may be different: /System/Library/Frameworks/Python.framework/... /usr/local/Cellar/python/3.X.Y/Frameworks/Python.framework/Versions/... /Library/Frameworks/Python.framework/Versions/... $(pyenv root)/versions/{VERSION} .... I need to ensure that the application uses the Python library corresponding to the Python version that the user is using. Attempted to make a workaround by creating a symlink to the current library and setting the library path to @executable_path/../lib/libpython3.11.dylib, but it did not work. Here's the error I encountered: % /Users/user/Downloads/xtensa-esp-elf-gdb/bin/xtensa-esp-elf-gdb-3.11 dyld[92502]: Library not loaded: @executable_path/../lib/libpython3.11.dylib Referenced from: <F6F408DC-F698-3545-9C75-82486ADA77BE> /Users/user/Downloads/xtensa-esp-elf-gdb/bin/xtensa-esp-elf-gdb-3.11 Reason: tried: '/Users/user/Downloads/xtensa-esp-elf-gdb/lib/libpython3.11.dylib' (code signature in <666A28FE-7CD3-384C-A727-7DE3D98625A2> '/Library/Frameworks/Python.framework/Versions/3.11/Python' not valid for use in process: mapping process and mapped file (non-platform) have different Team IDs), '/System/Volumes/Preboot/Cryptexes/OS@executable_path/../lib/libpython3.11.dylib' (no such file), '/Users/user/Downloads/xtensa-esp-elf-gdb/lib/libpython3.11.dylib' (code signature in <666A28FE-7CD3-384C-A727-7DE3D98625A2> '/Library/Frameworks/Python.framework/Versions/3.11/Python' not valid for use in process: mapping process and mapped file (non-platform) have different Team IDs), '/usr/lib/libpython3.11.dylib' (no such file, not in dyld cache) zsh: abort I cannot distribute libpython within the application because it requires Python modules. Moreover, the application should use Python modules that are installed on the user's system. 
What can I do to make this work properly? E.g. the user has Pythons installed: /usr/local/Cellar/python/3.11.3/Frameworks/Python.framework/Versions/3.11... /Library/Frameworks/Python.framework/Versions/3.11/... Obviously, the user has only one active Python from this list. How can my application use the correct libpython?
Post not yet marked as solved
1 Replies
386 Views
I'm attempting to notarize and distribute a game built with Love2D. Love2D is an engine which runs games written in Lua and bundled into .love files, which are identical to .zip files. Packaging a game for Mac distribution involves cloning the Love2D Xcode project, providing your built game.love file (the zipped game content), and then signing and notarizing as with any other Mac app (see more on the Love2D wiki: https://love2d.org/wiki/Game_Distribution#Creating_a_macOS_Application). I'm encountering an issue because my game contains compiled C binaries which the game loads at runtime. These binaries are compiled for MacOS x86 and arm64, and work perfectly in development. I am able to successfully build and sign the game with my Developer ID Application certificate and provisioning profile, but notarization of the game fails because the compiled C binaries are not signed; below is an excerpt from the audit log: { "severity": "error", "code": null, "path": "Bang_Average_Football.zip/love.app/Contents/Resources/game.love/deps/gifcatlib_arm64.so", "message": "The binary is not signed with a valid Developer ID certificate.", "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721", "architecture": "arm64" }, I can sign these binaries using codesign and the same certificate as the Mac app like so (with the correct name): codesign --sign "Developer ID Application: Firstname Lastname" --verbose=4 gifcatlib_arm64.so After signing the binaries, the app successfully builds, and is notarized successfully without reporting any code signing issues. Hooray! The issue is that the app doesn't actually run and crashes as soon as it attempts to use any of the now-signed binaries complaining that they haven't been signed correctly. 
Here's a link to the full crash log; the specific error is below: Exception Type: EXC_BAD_ACCESS (SIGKILL (Code Signature Invalid)) Exception Codes: UNKNOWN_0x32 at 0x000000010a9c8000 Exception Codes: 0x0000000000000032, 0x000000010a9c8000 Exception Note: EXC_CORPSE_NOTIFY Termination Reason: Namespace CODESIGNING, Code 2 The same error occurs even with Hardened Runtime disabled and 'Disable Library Validation' enabled. Is there a likely cause of this crash? Why does notarization succeed but the app essentially instacrashes? Have I signed the binaries incorrectly? Is what I'm attempting not actually possible? (can signed and unsigned binaries not really be hotswapped like this?) Please let me know if there's any more information I should provide. Thanks, Ruairi
Post not yet marked as solved
3 Replies
481 Views
Hello. I am doing a migration from altool to notarytool. I am doing the above on an enterprise network which is not able to communicate with the outside world except for some URLs, ports. Previously, when I was using altool to execute notarize, I requested the administrator to open url, port by referring to the document below, and so far, it is proceeding without any problem. [https://support.apple.com/en-us/HT210060] The problem is that when I use notarytool to notarize, it tries to access a new domain called appstoreconnect.apple.com, which is not in the documentation above. Did I need to ask my network administrator to allow only the above URL or the other? Or is there another way to do notarize without accessing that URL? If there is any additional documentation on opening hosts and ports that I am not aware of, I would appreciate it if you could point me to it.
Post marked as Apple Recommended
2.1k Views
I've been trying to notarize an installer (.pkg file) on a new laptop. Previous versions have been notarized successfully on a previous Mac. However, in spite of having the required certificates (same as the old Mac, generated for the new Mac) the submission gets stuck at "In Progress". Doing it multiple times (even hours apart) doesn't help. Is there a FAQ / suggested list of steps to help resolve this issue? Here's what I see: xcrun notarytool history --keychain-profile "(my profile name)" results in (problem started with v4, the first version I've tried on this new Mac): createdDate: 2023-10-17T01:34:36.911Z id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx name: xxxxxxxxxx-v4.pkg status: In Progress -------------------------------------------------- createdDate: 2023-10-17T01:33:59.191Z id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx name: xxxxxxxxxx-v4.pkg status: In Progress -------------------------------------------------- createdDate: 2023-10-16T21:01:25.832Z id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx name: xxxxxxxxxx-v4.pkg status: In Progress -------------------------------------------------- createdDate: 2023-10-16T19:57:44.776Z id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx name: xxxxxxxxxx-v4.pkg status: In Progress -------------------------------------------------- createdDate: 2023-10-02T14:17:34.108Z id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx name: xxxxxxxxxx-v3.pkg status: Accepted -------------------------------------------------- createdDate: 2023-09-28T14:04:46.211Z id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx name: xxxxxxxxxx-v2.pkg status: Accepted -------------------------------------------------- createdDate: 2023-09-20T17:28:46.168Z id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx name: xxxxxxxxxx-v1.pkg status: Accepted -------------------------------------------------- xcrun notarytool log xxxxxxxxxxxxxxxxxxxx --keychain-profile "(my profile name)" results in: Submission log is not yet available or submissionId does not exist id: 
xxxxxxxxxxxxxxxxxxxxxxxx
Post marked as solved
2 Replies
549 Views
Hi there, I'm in a process to move from altool to notarytool, following information found at TN3147. First, TN3147 says the team-id is optional if my account has only one team membership, which is the case, but the notarytool says it's mandatory and I do have to use it (not an issue). Now, the issue I face: $ security unlock-keychain -p prorogue-stake-unused /Users/comp/Library/Keychains/my.keychain $ xcrun altool --username $APPLEID --password "@keychain:MYPASSWORD" --notarization-history 0 .. it displays the notarization history as expected .. but: $ xcrun notarytool history --apple-id $APPLEID --team-id $TEAMID --password "@keychain:MYPASSWORD" Error: HTTP status code: 401. Invalid credentials. Username or password is incorrect. Use the app-specific password generated at appleid.apple.com. Ensure that all authentication arguments are correct. The password is supposed to work with both tools, according to TN3147. What am I missing? Best regards,
Post not yet marked as solved
0 Replies
340 Views
Ok so I've just swapped over from altool to notarytool and submitted my first app, notarytool tells me Successfully uploaded, and having waited 30mins (which would be some sort of record wait for altool) info tells me status:Accepted I notice elsewhere that there are comments that the first submission can take some time - even days - but as I've done A LOT of notarizing over the last couple of years I wouldn't classify myself as submitting my first request... or is that more properly "my first request with notarytool"? If so - happy to sit and wait for a couple of days this first time thru....
Post not yet marked as solved
2 Replies
545 Views
I have created a .Net MAUI application that I have written for Windows and MacCatalyst. In my entitlements.plist I have com.apple.security.app-sandbox = no. <PropertyGroup Condition="'$(Configuration)|$(TargetFramework)|$(Platform)'=='Debug|net7.0-maccatalyst|AnyCPU'"> <MtouchLink>SdkOnly</MtouchLink> <EnableCodeSigning>True</EnableCodeSigning> <EnablePackageSigning>true</EnablePackageSigning> <CreatePackage>true</CreatePackage> <CodesignKey>Developer ID Application: xxxxxxxxxx</CodesignKey> <CodesignProvision>xxxxxxxx</CodesignProvision> <CodesignEntitlements>Platforms\MacCatalyst\Entitlements.plist</CodesignEntitlements> <PackageSigningKey>Developer ID Installer: xxxxxxxxx</PackageSigningKey> <UseHardenedRuntime>true</UseHardenedRuntime> <RuntimeIdentifier>maccatalyst-arm64</RuntimeIdentifier> <MtouchInterpreter>-all</MtouchInterpreter> </PropertyGroup> I have a 3rd party executable that I manually codesigned: codesign --force --verify --verbose --sign xxxxxx 3rdpartyApp --timestamp --deep --options runtime Then I build the application in Visual Studio Mac. Everything is codesigned, etc. After building I am able to successfully notarize the pkg and then staple the notarization to it. When I take that pkg and install it in a test environment, everything installs fine, no warning. I am able to start my application and do what I need to do. But when it tries to run that 3rd party executable, it just fails. At first I checked exec permissions. I chmod it to +x. within the .app container and also all the way at the beginning, and rebuilt the application, resigned, re-notarized, etc. I am working to get some logging out to see why it failed, but having an issue with that at the moment. In the meantime I have taken the non-notarized pkg, forced the install in the test environment and the 3rd party executable runs successfully. So it seems the notarization process is causing this child process to fail?
Post marked as solved
1 Replies
345 Views
When I run notarytool submit in my github workflow, I get what appears to be some kind of segmentation fault. Here's a direct link to the exception output: https://github.com/recyclarr/recyclarr/actions/runs/6594346352/job/17918152266#step:6:43

My project is open source, so you can also view the shell script I use in the workflow itself: https://github.com/recyclarr/recyclarr/blob/update-notary-tool/ci/notarize.sh

The script above contains this:

    #!/usr/bin/env bash
    set -xe

    user="$1"
    pass="$2"
    teamId="$3"
    archivePath="$4"

    function submit() {
        xcrun notarytool submit --wait \
            --apple-id "$user" \
            --password "$pass" \
            --team-id "$teamId" \
            recyclarr.zip | \
            awk '/id: / { print $2;exit; }'
    }

    function log() {
        xcrun notarytool log \
            --apple-id "$user" \
            --password "$pass" \
            --team-id "$teamId" \
            "$1"
    }

    tar -cvf recyclarr.tar "$archivePath"
    zip recyclarr.zip recyclarr.tar
    submissionId="$(submit)"
    rm recyclarr.zip recyclarr.tar

    if [[ -z "$submissionId" ]]; then
        exit 1
    fi

    echo "Submission ID: $submissionId"

    until log "$submissionId"
    do
        sleep 2
    done

The error (from the workflow run) is:

    2023-10-21 01:24:18.817 notarytool[4894:25434] *** Terminating app due to uncaught exception 'NSFileHandleOperationException', reason: '*** -[_NSStdIOFileHandle writeData:]: Broken pipe'
    *** First throw call stack:
    (
    0 CoreFoundation 0x00007ff8106c4773 __exceptionPreprocess + 242
    1 libobjc.A.dylib 0x00007ff810424bc3 objc_exception_throw + 48
    2 Foundation 0x00007ff8115b5962 -[NSConcreteFileHandle readDataUpToLength:error:] + 0
    3 Foundation 0x00007ff811497590 -[NSConcreteFileHandle writeData:] + 263
    4 notarytool 0x000000010bcff026 notarytool + 462886
    5 notarytool 0x000000010bcb780d notarytool + 169997
    6 notarytool 0x000000010bcd37c6 notarytool + 284614
    7 notarytool 0x000000010bcea719 notarytool + 378649
    8 notarytool 0x000000010bcd3d19 notarytool + 285977
    9 notarytool 0x000000010bcd2a4e notarytool + 281166
    10 notarytool 0x000000010bcd5009 notarytool + 290825
    11 notarytool 0x000000010bc8fe66 notarytool + 7782
    12 dyld 0x000000011781b52e start + 462
    )
    libc++abi: terminating with uncaught exception of type NSException

I do not get this error when I run this script directly on my 2023 MBP. It only appears to happen in my github workflow. Is this a bug in notarytool? Notarization appears to still complete, and I also get a submission ID I can use for the notarytool log command I run after.
Post marked as solved
2 Replies
507 Views
According to this helpful article, I should be able to extract notarytool for use on macOS 10.15 and later. I've extracted notarytool and put it in a common location for use with a script that builds, signs, and notarizes plugin installers. The script previously relied on altool. The initial call to notarytool is: xcrun <path to notarytool> submit --apple-id <our id> --password <our password> --team-id <our ID> --wait <path to file> This works fine on a machine running macOS 13.5.1, with Xcode 14.3 installed. The installers get built and notarized. However, on a machine running macOS 11.4, with Xcode 12 installed, I get this error: xcrun: error: unable execute utility <path to notarytool> because it requires a newer version of macOS. OK, I tried removing the initial xcrun command, and now I get this error: dyld: Library not loaded: /usr/lib/swift/libswift_Concurrency.dylib Referenced from: <path to notarytool> Reason: image not found The article linked above makes it sound like notarytool should work as a standalone tool from any machine running macOS 10.15 or higher. Is the existing Xcode installation interfering? Is there an OS/Xcode version agnostic way to run notarytool?