Notarization

Notarization is the process of scanning Developer ID-signed software for malicious components before distribution outside of the Mac App Store.

Notarization Documentation

Posts under Notarization tag

121 Posts
Post not yet marked as solved
2 Replies
601 Views
I am trying to package a Mac Electron app using Electron Forge capabilities. Code signing works fine, but there is a problem with notarising. I get "Finalizing package Failed to staple your application with code: 65". The notarize component of my forge.config.js is:

osxNotarize: {
  tool: 'notarytool',
  appBundleId: 'com.ImmersiveDSP.ImmerGo-StudioLive',
  appleId: process.env.APPLE_ID,
  appleIdPassword: process.env.APPLE_PASSWORD,
  teamId: process.env.APPLE_TEAM_ID,
}

I provide my Apple ID and the app password in a terminal message together with npm run make. This worked in May this year, but not now. In a JSON response, I do get reason = "Record not found". Anyone else had this issue and resolved it? Is there a way that I can view my notarize requests and see what the issue is?
Post not yet marked as solved
1 Replies
415 Views
Notarizing was working fine on my account, but suddenly stopped working with this error message. I've contacted Apple Developer Program support and they told me it's an internal issue on their side, that their engineers are working on it and that they'll answer me when the engineers have an answer. The thing is, this has been going on for 3 months. Every time I email the support I get a bot message saying "our engineers are looking into it". And my account still is unable to notarize my app. What's going on? I've messaged several other Apple developers and none of them had to deal with this. Why is this happening to my account? This is blocking the launch of my project (https://focuslit.app), on which I worked for months, and I have customers asking about the new features, but I can't release a new version without notarizing. What can I do? I'm seriously thinking about refunding everyone and dropping the project. I never felt this mistreated by a company (of which I have all the products and used to love) before.
Post marked as solved
2 Replies
559 Views
I am having trouble notarizing an installer package. I created an installer package using pkgbuild and productbuild, and then I tried to notarize it with notarytool, but I got an error message. The error message led me to "Use a valid Developer ID certificate", which includes the statement "Sign installer packages with a Developer ID Installer certificate". The app is signed with the team Developer ID and is notarized (via Xcode). I signed both packages (during pkgbuild and productbuild) with a certificate created when I clicked Mac Installer Distribution in the developer portal, and it created a certificate named "3rd Party Mac Developer Installer: my company". Is this the wrong certificate? If it is the wrong certificate, which one should I create in the developer portal? (I didn't see anything specified as "Developer ID Installer".) If it is the right certificate, any idea what I might have done wrong? Note: The reason I am trying to notarize the installer package is that when I tried testing the installer in my test VM, I received the following message (I thought signing the pkg would have prevented this):
Post not yet marked as solved
1 Replies
370 Views
I have changed our notarization script to use notarytool. See here: https://github.com/mixxxdj/mixxx/blob/32d918a8e64fffea7039356de0fa94799e3fcc7e/packaging/macos/sign_notarize_staple.sh#L30 The workflow run timed out after 5 minutes here: https://github.com/mixxxdj/mixxx/actions/runs/6834172969/job/18586695826 The notarization request is still in progress: https://appstoreconnect.apple.com/notary/v2/submissions/ef8cf93e-c084-43eb-be1d-7ec2f20f9377 I have tried again with another request, which is stuck in "status": "In Progress". I am using Xcode 13.2.1 and macOS 10.12 as deployment target on macOS 11.7.10. What could have gone wrong?
Posted by daschuer.
Post not yet marked as solved
1 Replies
308 Views
I used ChatGPT to help me build a screensaver of 40 images to be shown randomly in Xcode. It works great, but I get the error below when trying to deploy it on other Macs. I signed up for a developer account and a GitHub account and thought Xcode was walking me through how to notarize the software, but am now stuck. I'm not a true programmer. Can someone assist me in getting this notarized, as this is the last thing holding me up from launching my business - granulartraining.com Error: “CyberSecurity Reminders.saver” can’t be opened because Apple cannot check it for malicious software. Thanks. Tom
Post marked as solved
6 Replies
632 Views
I was reading through this post: https://developer.apple.com/forums/thread/718583 I've been able to reproduce this behavior by double-clicking a DMG in the Finder while the Mac is offline. I checked the notarization status of the app via spctl and it shows "Notarized Developer ID". So sure enough, Quinn's comment about Gatekeeper "ingesting" the notarization ticket stapled to the DMG and automatically applying it to the app inside is 100% spot-on. However, I can't seem to get the same behavior to happen when mounting the DMG via hdiutil in Terminal. While offline, I do:

hdiutil attach /path/to/my/dmg.dmg

and then:

spctl -a -t exec -vvv /Volumes/path/to/my/mounted/dmg/myapp.app

After the spctl I'm seeing:

/Volumes/path/to/my/mounted/dmg/myapp.app: rejected source=Unnotarized Developer ID origin=Developer ID Application: My Developer Creds (XXXXXXXXXX)

Is there a way to get Gatekeeper to "ingest" the notarization ticket stapled to the DMG when using hdiutil while offline? Note 1: If I use hdiutil while online, everything works as expected. Note 2: I'm testing all this via a VM of macOS 12.7.1, if that makes any difference. Thanks!
Posted by filbercio.
Post not yet marked as solved
2 Replies
333 Views
I have been using Xcode to distribute macOS apps to a few "testers" by archiving and then using the button Distribute App -> Developer ID -> using automatic signing and uploading to the notary service. I am aware that altool is deprecated and stopped working, and of TN3147, which explains how to migrate using command line/scripts. However, since I upgraded to Xcode 14.3, I would have thought that the Distribute App button for the archived project no longer uses altool. Am I correct? Where in Xcode can I check if the Distribute App button uses notarytool? Or is the only way to transition to implement the scripts discussed in TN3147 and never use the Distribute App button? After using the Distribute App button today, I have been stuck in "In-Progress" for more than 1 hour, when I just made a rather small update to the code of this previously notarized app, which usually gets notarized very quickly. I will get into scripts etc. per TN3147 if I have to, but I was just wondering why Xcode 14.3 Distribute App would not already be "wired" to use notarytool (as it used to be for altool in previous versions). Thanks
Posted by NormF.
Post marked as solved
4 Replies
565 Views
I'm trying to notarize a plug-in for Autodesk Maya (project type: Mach-O Bundle). Over the past few years I was able to successfully notarize my plug-ins via command line scripts. I usually build the bundles outside Xcode with a scripted process which then also automates the notarization procedure. This has been a solid and working workflow. Since yesterday, October 23rd 2023, the previously working 'altool' is now refused because of the new notarization process which starts November 1st, 2023!!! While trying to follow the new procedure outlined here: https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow I performed the following steps:

Create a ZIP archive suitable for notarization:
/usr/bin/ditto -c -k --keepParent "$APP_PATH" "$ZIP_PATH"

Upload for notarization:
xcrun notarytool submit $ZIP_PATH --keychain-profile "Notarization" --wait

The result is:

$ xcodebuild[2514:78653] Requested but did not find extension point with identifier Xcode.IDEKit.ExtensionSentinelHostApplications for extension Xcode.DebuggerFoundation.AppExtensionHosts.watchOS of plug-in com.apple.dt.IDEWatchSupportCore
$ xcodebuild[2514:78653] Requested but did not find extension point with identifier Xcode.IDEKit.ExtensionPointIdentifierToBundleIdentifier for extension Xcode.DebuggerFoundation.AppExtensionToBundleIdentifierMap.watchOS of plug-in com.apple.dt.IDEWatchSupportCore
Conducting pre-submission checks for myPlugin.bundle.zip and initiating connection to the Apple notary service...
Submission ID received
  id: ***-***
Successfully uploaded file
  id: ***-***
  path: /Users/***/myPlugin.bundle.zip
Waiting for processing to complete.
Current status: Invalid........
Processing complete
  id: ***-***
  status: Invalid

My current assumption is that it's necessary to archive the bundle in Xcode first, as mentioned in the documentation: "To prepare an app for notarization, you must export the app from Xcode."
But when I try to export the bundle after archiving, I am not presented with the necessary options. The Organizer only gives me the button to Distribute Content, which leads to another window allowing me to select either Build Products (which only exports the archive's built products) or Archive (which only creates a copy). Unfortunately neither then contains the necessary ExportOptions.plist, which is required by the documentation. I would very much appreciate it if someone could shed some light on what's necessary to perform a successful notarization. Thank you.
Posted by iClemens.
Post not yet marked as solved
4 Replies
505 Views
I've developed and distributed a plugin for Unreal Engine (builds as a .dylib). The plugin dynamically loads an external library that is a .bundle. The plugin has been notarized successfully. (Both the .dylib and the .bundle were signed with a Developer Application ID certificate.) When the plugin is downloaded, both the .dylib and the .bundle get flagged with the quarantine attribute; however, because it was notarized, the plugin is able to be loaded inside of Unreal Engine with no problem. The issue occurs when the user moves the Unreal Engine project (with said plugin) to an external drive. In this case, once the project is opened and tries to load the plugin, an error says "***.bundle is damaged and can’t be opened. You should move it to the Trash." I'm wondering if this is an Unreal Engine issue, or a macOS (notarization/signing/entitlements/etc.) issue. It feels like if the .bundle is placed on an external drive, the OS does not check for notarization. If I move the project back to the HD of the laptop, everything works as expected. If I move the project to an external drive AND manually remove the com.apple.quarantine attribute (via terminal), then everything works as expected.
Posted by oalvarado.
Post marked as solved
2 Replies
560 Views
Hi there, I'm in the process of moving from altool to notarytool, following the information found in TN3147. First, TN3147 says the team ID is optional if my account has only one team membership, which is the case, but notarytool says it's mandatory and I do have to use it (not an issue). Now, the issue I face:

$ security unlock-keychain -p prorogue-stake-unused /Users/comp/Library/Keychains/my.keychain
$ xcrun altool --username $APPLEID --password "@keychain:MYPASSWORD" --notarization-history 0

.. it displays the notarization history as expected .. but:

$ xcrun notarytool history --apple-id $APPLEID --team-id $TEAMID --password "@keychain:MYPASSWORD"
Error: HTTP status code: 401. Invalid credentials. Username or password is incorrect. Use the app-specific password generated at appleid.apple.com. Ensure that all authentication arguments are correct.

The password is supposed to work with both tools, according to TN3147. What am I missing? Best regards,
Posted by koparkuk.
Post marked as solved
2 Replies
510 Views
According to this helpful article, I should be able to extract notarytool for use on macOS 10.15 and later. I've extracted notarytool and put it in a common location for use with a script that builds, signs, and notarizes plugin installers. The script previously relied on altool. The initial call to notarytool is:

xcrun <path to notarytool> submit --apple-id <our id> --password <our password> --team-id <our ID> --wait <path to file>

This works fine on a machine running macOS 13.5.1, with Xcode 14.3 installed. The installers get built and notarized. However, on a machine running macOS 11.4, with Xcode 12 installed, I get this error:

xcrun: error: unable execute utility <path to notarytool> because it requires a newer version of macOS.

OK, I tried removing the initial xcrun command, and now I get this error:

dyld: Library not loaded: /usr/lib/swift/libswift_Concurrency.dylib
  Referenced from: <path to notarytool>
  Reason: image not found

The article linked above makes it sound like notarytool should work as a standalone tool from any machine running macOS 10.15 or higher. Is the existing Xcode installation interfering? Is there an OS/Xcode version agnostic way to run notarytool?
Posted by fleawig.
Post not yet marked as solved
14 Replies
1.1k Views
Hi there, I want to build an application that can be run on different macOS machines. That app uses libpython3.11.dylib. It could not be just linked with libpython because in our binary the path to the library may be different:

/System/Library/Frameworks/Python.framework/...
/usr/local/Cellar/python/3.X.Y/Frameworks/Python.framework/Versions/...
/Library/Frameworks/Python.framework/Versions/...
$(pyenv root)/versions/{VERSION}
....

I need to ensure that the application uses the Python library corresponding to the Python version that the user is using. I attempted a workaround by creating a symlink to the current library and setting the library path to @executable_path/../lib/libpython3.11.dylib, but it did not work. Here's the error I encountered:

% /Users/user/Downloads/xtensa-esp-elf-gdb/bin/xtensa-esp-elf-gdb-3.11
dyld[92502]: Library not loaded: @executable_path/../lib/libpython3.11.dylib
  Referenced from: <F6F408DC-F698-3545-9C75-82486ADA77BE> /Users/user/Downloads/xtensa-esp-elf-gdb/bin/xtensa-esp-elf-gdb-3.11
  Reason: tried: '/Users/user/Downloads/xtensa-esp-elf-gdb/lib/libpython3.11.dylib' (code signature in <666A28FE-7CD3-384C-A727-7DE3D98625A2> '/Library/Frameworks/Python.framework/Versions/3.11/Python' not valid for use in process: mapping process and mapped file (non-platform) have different Team IDs), '/System/Volumes/Preboot/Cryptexes/OS@executable_path/../lib/libpython3.11.dylib' (no such file), '/Users/user/Downloads/xtensa-esp-elf-gdb/lib/libpython3.11.dylib' (code signature in <666A28FE-7CD3-384C-A727-7DE3D98625A2> '/Library/Frameworks/Python.framework/Versions/3.11/Python' not valid for use in process: mapping process and mapped file (non-platform) have different Team IDs), '/usr/lib/libpython3.11.dylib' (no such file, not in dyld cache)
zsh: abort

I cannot distribute libpython within the application because it requires Python modules. Moreover, the application should use Python modules that are installed on the user's system.
What can I do to make this work properly? E.g. the user has these Pythons installed:

/usr/local/Cellar/python/3.11.3/Frameworks/Python.framework/Versions/3.11...
/Library/Frameworks/Python.framework/Versions/3.11/...

Obviously, the user has only one active Python from this list. How can my application use the correct libpython?
Post marked as solved
1 Replies
346 Views
When I run notarytool submit in my GitHub workflow, I get what appears to be some kind of segmentation fault. Here's a direct link to the exception output: https://github.com/recyclarr/recyclarr/actions/runs/6594346352/job/17918152266#step:6:43 My project is open source, so you can also view the shell script I use in the workflow itself: https://github.com/recyclarr/recyclarr/blob/update-notary-tool/ci/notarize.sh The script above contains this:

#!/usr/bin/env bash
set -xe

user="$1"
pass="$2"
teamId="$3"
archivePath="$4"

function submit() {
  xcrun notarytool submit --wait \
    --apple-id "$user" \
    --password "$pass" \
    --team-id "$teamId" \
    recyclarr.zip | \
  awk '/id: / { print $2;exit; }'
}

function log() {
  xcrun notarytool log \
    --apple-id "$user" \
    --password "$pass" \
    --team-id "$teamId" \
    "$1"
}

tar -cvf recyclarr.tar "$archivePath"
zip recyclarr.zip recyclarr.tar

submissionId="$(submit)"
rm recyclarr.zip recyclarr.tar

if [[ -z "$submissionId" ]]; then
  exit 1
fi

echo "Submission ID: $submissionId"

until log "$submissionId"
do
  sleep 2
done

The error (from the workflow run) is:

2023-10-21 01:24:18.817 notarytool[4894:25434] *** Terminating app due to uncaught exception 'NSFileHandleOperationException', reason: '*** -[_NSStdIOFileHandle writeData:]: Broken pipe'
*** First throw call stack:
(
  0   CoreFoundation    0x00007ff8106c4773 __exceptionPreprocess + 242
  1   libobjc.A.dylib   0x00007ff810424bc3 objc_exception_throw + 48
  2   Foundation        0x00007ff8115b5962 -[NSConcreteFileHandle readDataUpToLength:error:] + 0
  3   Foundation        0x00007ff811497590 -[NSConcreteFileHandle writeData:] + 263
  4   notarytool        0x000000010bcff026 notarytool + 462886
  5   notarytool        0x000000010bcb780d notarytool + 169997
  6   notarytool        0x000000010bcd37c6 notarytool + 284614
  7   notarytool        0x000000010bcea719 notarytool + 378649
  8   notarytool        0x000000010bcd3d19 notarytool + 285977
  9   notarytool        0x000000010bcd2a4e notarytool + 281166
  10  notarytool        0x000000010bcd5009 notarytool + 290825
  11  notarytool        0x000000010bc8fe66 notarytool + 7782
  12  dyld              0x000000011781b52e start + 462
)
libc++abi: terminating with uncaught exception of type NSException

I do not get this error when I run this script directly on my 2023 MBP. It only appears to happen in my GitHub workflow. Is this a bug in notarytool? Notarization appears to still complete, and I also get a submission ID I can use for the notarytool log command I run after.
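The crash in the post above is consistent with the pipeline shape rather than with notarytool itself: `awk '/id: / { print $2; exit }'` exits on the first "id:" line, so every later status line notarytool writes during `--wait` goes to a closed pipe, and the resulting SIGPIPE surfaces as the `NSFileHandleOperationException` / "Broken pipe" abort. The script below is an added example, not the recyclarr project's code: it captures notarytool's complete output into a variable before parsing it, so the pipe is never closed while notarytool is still running, and it only fetches the log when the final status is not Accepted. The keychain profile name `AC_NOTARY` and the sample output are assumptions constructed for this example.

```shell
#!/usr/bin/env bash
# Added example (not the recyclarr project's script): submit to the notary
# service without closing notarytool's stdout while it is still writing.
set -eu

# Extract the first submission id from notarytool's human-readable output.
# Reads stdin. Intended for a captured variable, never for a live pipe from
# notarytool: awk's early exit is exactly what triggers the SIGPIPE crash.
extract_submission_id() {
  awk '/^[[:space:]]*id: / { print $2; exit }'
}

# Extract the final "  status: ..." value (Accepted / Invalid / In Progress).
# "Current status: In Progress...." does not match because of the anchor.
extract_final_status() {
  awk '/^[[:space:]]*status: / {
         s = $2
         for (i = 3; i <= NF; i++) s = s " " $i
       }
       END { print s }'
}

# Submit an archive and wait for a verdict. Prints the submission id on
# stdout; on a non-Accepted verdict prints the notary log to stderr and fails.
# Assumes a keychain profile "AC_NOTARY" created with
# `xcrun notarytool store-credentials` (profile name is an assumption).
submit_and_wait() {
  archive="$1"
  # Capture everything first: the pipe to the parser is opened only after
  # notarytool has exited, so no "Broken pipe" can reach it.
  output="$(xcrun notarytool submit --wait --keychain-profile "AC_NOTARY" "$archive")"

  id="$(printf '%s\n' "$output" | extract_submission_id)"
  status="$(printf '%s\n' "$output" | extract_final_status)"

  if [ -z "$id" ]; then
    echo "no submission id found in notarytool output" >&2
    return 1
  fi
  echo "$id"

  if [ "$status" != "Accepted" ]; then
    # The JSON log lists each rejected file and the reason, which is what
    # CI needs to show when the verdict is Invalid.
    xcrun notarytool log --keychain-profile "AC_NOTARY" "$id" >&2
    return 1
  fi
}

# Usage: ./notarize.sh path/to/archive.zip  (skipped when no argument is given)
if [ -n "${1:-}" ]; then
  submit_and_wait "$1"
fi
```

Because the parsers read from a captured string, the `exit` in awk is harmless; the same technique applies to any tool that keeps writing progress after the line you care about. For machine-readable handling, `xcrun notarytool submit --output-format json` avoids text parsing altogether.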
Post not yet marked as solved
2 Replies
547 Views
I have created a .NET MAUI application that I have written for Windows and MacCatalyst. In my entitlements.plist I have com.apple.security.app-sandbox = no.

<PropertyGroup Condition="'$(Configuration)|$(TargetFramework)|$(Platform)'=='Debug|net7.0-maccatalyst|AnyCPU'">
  <MtouchLink>SdkOnly</MtouchLink>
  <EnableCodeSigning>True</EnableCodeSigning>
  <EnablePackageSigning>true</EnablePackageSigning>
  <CreatePackage>true</CreatePackage>
  <CodesignKey>Developer ID Application: xxxxxxxxxx</CodesignKey>
  <CodesignProvision>xxxxxxxx</CodesignProvision>
  <CodesignEntitlements>Platforms\MacCatalyst\Entitlements.plist</CodesignEntitlements>
  <PackageSigningKey>Developer ID Installer: xxxxxxxxx</PackageSigningKey>
  <UseHardenedRuntime>true</UseHardenedRuntime>
  <RuntimeIdentifier>maccatalyst-arm64</RuntimeIdentifier>
  <MtouchInterpreter>-all</MtouchInterpreter>
</PropertyGroup>

I have a 3rd party executable that I manually codesigned:

codesign --force --verify --verbose --sign xxxxxx 3rdpartyApp --timestamp --deep --options runtime

Then I build the application in Visual Studio Mac. Everything is codesigned, etc. After building I am able to successfully notarize the pkg and then staple the notarization to it. When I take that pkg and install it in a test environment, everything installs fine, no warning. I am able to start my application and do what I need to do. But when it tries to run that 3rd party executable, it just fails. At first I checked exec permissions. I chmod it to +x within the .app container and also all the way at the beginning, and rebuilt the application, resigned, re-notarized, etc. I am working to get some logging out to see why it failed, but am having an issue with that at the moment. In the meantime I have taken the non-notarized pkg, forced the install in the test environment, and the 3rd party executable runs successfully. So it seems the notarization process is causing this child process to fail?
Posted by MattWiner.
Post not yet marked as solved
0 Replies
344 Views
Ok so I've just swapped over from altool to notarytool and submitted my first app. notarytool tells me "Successfully uploaded", and having waited 30 mins (which would be some sort of record wait for altool), info tells me status: Accepted. I notice elsewhere that there are comments that the first submission can take some time - even days - but as I've done A LOT of notarizing over the last couple of years I wouldn't classify myself as submitting my first request... or is that more properly "my first request with notarytool"? If so, happy to sit and wait for a couple of days this first time through....
Post not yet marked as solved
3 Replies
488 Views
Hello. I am doing a migration from altool to notarytool. I am doing the above on an enterprise network which is not able to communicate with the outside world except for some URLs and ports. Previously, when I was using altool to notarize, I requested the administrator to open the URLs and ports by referring to the document below, and so far it has been proceeding without any problem. [https://support.apple.com/en-us/HT210060] The problem is that when I use notarytool to notarize, it tries to access a new domain called appstoreconnect.apple.com, which is not in the documentation above. Do I need to ask my network administrator to allow only the above URL or others as well? Or is there another way to notarize without accessing that URL? If there is any additional documentation on opening hosts and ports that I am not aware of, I would appreciate it if you could point me to it.
Post not yet marked as solved
5 Replies
552 Views
I'm using the "notarytool store-credentials" command to store my access credentials for notarizing our apps from a build server through Jenkins. The machine is a Mac Mini M1 running Ventura. This works per se, but for a reason I don't understand, I need to do this repeatedly. When I store the credentials, it will work for the next hours, but at some point the machine will "forget" the access credentials, resulting in this error output:

Conducting pre-submission checks for <app name> and initiating connection to the Apple notary service...
Error: No Keychain password item found for profile: notarization
Run 'notarytool store-credentials' to create another credential profile.

I then have to run the store-credentials command again so I can use it again for the next few hours. This is obviously quite annoying, especially since it's absolutely not obvious why it behaves that way. The machine is on 24/7 and I don't see why the keychain item gets removed. I'd appreciate any insight and would like to know what I have to do to store the credentials permanently.
Post not yet marked as solved
1 Replies
389 Views
I'm attempting to notarize and distribute a game built with Love2D. Love2D is an engine which runs games written in Lua and bundled into .love files, which are identical to .zip files. Packaging a game for Mac distribution involves cloning the Love2D Xcode project, providing your built game.love file (the zipped game content), and then signing and notarizing as with any other Mac app (see more on the Love2D wiki: https://love2d.org/wiki/Game_Distribution#Creating_a_macOS_Application). I'm encountering an issue because my game contains compiled C binaries which the game loads at runtime. These binaries are compiled for macOS x86 and arm64, and work perfectly in development. I am able to successfully build and sign the game with my Developer ID Application certificate and provisioning profile, but notarization of the game fails because the compiled C binaries are not signed; below is an excerpt from the audit log:

{
  "severity": "error",
  "code": null,
  "path": "Bang_Average_Football.zip/love.app/Contents/Resources/game.love/deps/gifcatlib_arm64.so",
  "message": "The binary is not signed with a valid Developer ID certificate.",
  "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
  "architecture": "arm64"
},

I can sign these binaries using codesign and the same certificate as the Mac app like so (with the correct name):

codesign --sign "Developer ID Application: Firstname Lastname" --verbose=4 gifcatlib_arm64.so

After signing the binaries, the app successfully builds, and is notarized successfully without reporting any code signing issues. Hooray! The issue is that the app doesn't actually run and crashes as soon as it attempts to use any of the now-signed binaries, complaining that they haven't been signed correctly.
Here's a link to the full crash log; the specific error is below:

Exception Type: EXC_BAD_ACCESS (SIGKILL (Code Signature Invalid))
Exception Codes: UNKNOWN_0x32 at 0x000000010a9c8000
Exception Codes: 0x0000000000000032, 0x000000010a9c8000
Exception Note: EXC_CORPSE_NOTIFY
Termination Reason: Namespace CODESIGNING, Code 2

The same error occurs even with Hardened Runtime disabled and 'Disable Library Validation' enabled. Is there a likely cause of this crash? Why does notarization succeed but the app essentially instacrashes? Have I signed the binaries incorrectly? Is what I'm attempting not actually possible? (Can signed and unsigned binaries not really be hotswapped like this?) Please let me know if there's any more information I should provide. Thanks, Ruairi
Posted by ruairidx.
Post not yet marked as solved
1 Replies
372 Views
I signed my application in macOS 13.4, and the signed objects include all the binary files I compiled myself, and notarizing also works. It can also run normally on my version 13.4 Mac. However, when I copied this application to a computer with macOS version 11.3, it couldn't run properly. dlopen generates an error message indicating that some of the dynamic libraries called by the program do not match the signature of the program itself. These dynamic libraries are from the JRE, so I re-signed them, and notarizing also works. In macOS 13.4, it still runs normally, but in macOS 11.3, it reports another error:

Error occurred during initialization of VM
Could not reserve enough space for code cache

What is the reason for this and how should I handle it? Thank you in advance for any comments on this issue.
Posted by Wang1.