Notarization Signature Errors

Hi! I'm having an issue notarizing my app. I've developed my app in python, packaged it with py2app and then codesigned it using command-line:

codesign --deep --sign "Developer ID Application: Name (ID)" MyApp.app

and verified it using:

codesign --verify --verbose MyApp.app

with no problem. I then continued to notarize it with notarytool:

xcrun notarytool submit MyApp.zip --keychain-profile "MyProfile" --wait

and everything went smoothly, however, the process ended as invalid.

This is a recurring issue (used altool beforehand) where I get errors that prevent the notarization due to signature issues, some of them:

"The signature of the binary is invalid."

"The executable does not have the hardened runtime enabled."

"The binary is not signed with a valid Developer ID certificate."

"The signature does not include a secure timestamp."

And so on.

The issue is that this is occurring to the contents of the app and the python libraries and other dependencies it uses, not MyApp.app itself.

I've read online in many places and couldn't find what I am missing. I've followed the code-signing and notarization instructions to no avail.

I hope someone here can help me solve this problem or figure out what I am missing. Many thanks :)

Accepted Reply

Don’t sign with --deep. See --deep Considered Harmful for an explanation as to why not.

For advice on how to sign correctly, see:

However, in a case like this it’s probably best to raise this via the support channel for your third-party tooling, because the folks there are more likely to have experience with this.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

  • I've followed your instructions and deleted the .app file, repackaged it with py2app and signed the code with -s only, however I received "MyApp.app: is already signed". Tried notarizing it again and got the same errors. Could previous code-signing actions have modified all the files (and not just the .app package) and caused this? How should I proceed with the issue?

Replies

Thanks for the reply eskimo! I tried following your instructions, and even tried packaging everything from scratch and signing it with your suggested method, and still the same errors. It seems to be a problem with the signing of the internal contents of the app, any other suggestions?
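
As an added example that is not part of the original thread or of py2app: one way to sign a bundle inside-out instead of with --deep, giving every nested Mach-O file and nested bundle its own codesign call with the hardened runtime and a secure timestamp. The function names and the script name are hypothetical, the identity string is the placeholder from the question, and the sketch assumes no item needs entitlements.

```python
import os
import subprocess
import sys

# First four bytes of Mach-O and universal ("fat") binaries.
# Note: 0xCAFEBABE is also the Java .class magic, so a bundled .class would match too.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # 32-bit, both byte orders
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",   # 64-bit, both byte orders
    b"\xca\xfe\xba\xbe", b"\xca\xfe\xba\xbf",   # universal
}
BUNDLE_EXTS = (".framework", ".app", ".bundle", ".plugin", ".xpc")

def is_macho(path):
    """True for regular files (not symlinks) that start with a Mach-O magic."""
    if os.path.islink(path) or not os.path.isfile(path):
        return False
    with open(path, "rb") as f:
        return f.read(4) in MACHO_MAGICS

def signing_order(app):
    """Nested code items, deepest first, with the app bundle itself last."""
    app = app.rstrip(os.sep)
    items = []
    for root, dirs, files in os.walk(app):
        items += [os.path.join(root, n) for n in files
                  if is_macho(os.path.join(root, n))]
        items += [os.path.join(root, n) for n in dirs
                  if n.endswith(BUNDLE_EXTS) and not os.path.islink(os.path.join(root, n))]
    # A container always has fewer path components than what it contains.
    items.sort(key=lambda p: p.count(os.sep), reverse=True)
    return items + [app]

def codesign_commands(app, identity):
    """One codesign call per item: replace old signature, hardened runtime, timestamp."""
    return [["codesign", "--force", "--timestamp", "--options", "runtime",
             "--sign", identity, path] for path in signing_order(app)]

if __name__ == "__main__":
    # Usage: sign_inside_out.py MyApp.app "Developer ID Application: Name (ID)" [--run]
    for cmd in codesign_commands(sys.argv[1], sys.argv[2]):
        print(" ".join(repr(a) if " " in a else a for a in cmd))
        if "--run" in sys.argv[3:]:
            subprocess.run(cmd, check=True)
```

Without --run the script only prints the commands, so the order can be reviewed before anything is re-signed.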