Notary Submission rejected without reason

I tried to submit my app via the Notary Service with this command:

xcrun notarytool submit "${DMG_DIR}/${DMG_NAME}" --key "${APP_STORE_API_KEY}" --key-id "${KEY}" --issuer "${ISSUER}" --verbose

and I called the API to get the status of the submission, and it said it was rejected without any metadata.

I did codesign the app with this command:

codesign --force --timestamp --deep --sign "Developer ID Application: MY_NAME" "${DMG_DIR}/${DMG_NAME}"

Verify it with this command:

codesign -vvv --deep --strict "${DMG_DIR}/${DMG_NAME}"

The verification response:

/Users/runner/work/1/a/cli/osx-x64/{DMGFILE}.dmg: valid on disk
/Users/runner/work/1/a/cli/osx-x64/{DMGFILE}.dmg: satisfies its Designated Requirement

Verify the timestamp with this command and response:

Executable=/Users/runner/work/1/a/cli/osx-x64/{DMGFILE}.dmg
Identifier={IDENTIFIER}
Format=disk image
CodeDirectory v=20200 size=297 flags=0x0(none) hashes=1+6 location=embedded
Signature size=8975
Authority=Developer ID Application: MY_NAME
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Feb 14, 2024 at 7:40:35 PM
Info.plist=not bound
TeamIdentifier=TEAM_ID
Sealed Resources=none
Internal requirements count=1 size=172

I wonder if I missed any steps. Thank you for the help.

Replies

I called the API to get the status of the submission, and it said it was rejected without any meta data.

What does the notary log say?

For info on how to get that, see Fetching the Notary Log.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi, thank you for the reply.

I did check the Notary Log, and it did give me a more detailed response than the API.

However, I don't quite understand why it's failing.

Here is the error response I got:

  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "cariad-vv.dmg/cariad-vv",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "cariad-vv.dmg/cariad-vv",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "cariad-vv.dmg/cariad-vv",
      "message": "The executable does not have the hardened runtime enabled.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087724",
      "architecture": "x86_64"
    }
  ]

However, I did verify the code, and here is the response:

/Users/runner/work/1/a/cli/osx-x64/cariad-vv.dmg: valid on disk
/Users/runner/work/1/a/cli/osx-x64/cariad-vv.dmg: satisfies its Designated Requirement
Display codesign...
Executable=/Users/runner/work/1/a/cli/osx-x64/cariad-vv.dmg
Identifier=cariad-vv
Format=disk image
CodeDirectory v=20200 size=297 flags=0x10000(runtime) hashes=1+6 location=embedded
Signature size=8974
Timestamp=Feb 22, 2024 at 12:18:19 AM
Info.plist=not bound
TeamIdentifier=974NQDDRW2
Sealed Resources=none
Internal requirements count=1 size=172

I also codesigned it with these 2 options, --options runtime --timestamp, which are for the secure timestamp and enabling the hardened runtime, right?

I wonder if I missed any steps. Thank you for the help.
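The three notary log entries above all name the file inside the image (cariad-vv.dmg/cariad-vv), while the codesign output quoted in the post is for the .dmg itself. Below is an added example (not code from the thread) that reads `codesign -dvvv` output and reports which of those three requirements is absent, plus a wrapper that mounts a DMG and runs the check on every executable inside it; hdiutil and codesign are assumed to be available (macOS), and the mount point and file list paths are the script's own.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks, from the output of
# `codesign -dvvv`, the three things the notary log reported missing:
# Developer ID identity, secure timestamp, and hardened runtime.

# Reads `codesign -dvvv` output on stdin. Prints one line per missing
# requirement; returns 0 when all three are present, 1 otherwise.
check_codesign_output() {
    out=$(cat)
    missing=0
    # Hardened runtime shows up as the "runtime" CodeDirectory flag (0x10000).
    if ! printf '%s\n' "$out" | grep -q '^CodeDirectory .*flags=0x[0-9a-fA-F]*([^)]*runtime'; then
        echo "missing: hardened runtime (sign with --options runtime)"
        missing=1
    fi
    # A secure timestamp is reported as a Timestamp= line.
    if ! printf '%s\n' "$out" | grep -q '^Timestamp='; then
        echo "missing: secure timestamp (sign with --timestamp)"
        missing=1
    fi
    # The certificate chain must start with a Developer ID Application identity.
    if ! printf '%s\n' "$out" | grep -q '^Authority=Developer ID Application:'; then
        echo "missing: Developer ID Application signing identity"
        missing=1
    fi
    return $missing
}

# Mounts a DMG read-only and runs the check on every executable file inside
# it, which is what the notary service inspects (e.g. cariad-vv.dmg/cariad-vv).
# Needs macOS for hdiutil and codesign; only runs when a path is given.
check_dmg() {
    dmg=$1
    mnt=$(mktemp -d)
    list=$(mktemp)
    hdiutil attach -readonly -nobrowse -mountpoint "$mnt" "$dmg" >/dev/null || return 2
    rc=0
    find "$mnt" -type f -perm -u+x > "$list"
    while IFS= read -r f; do
        echo "== $f"
        # codesign -d writes its report to stderr, so merge it into the pipe.
        codesign -dvvv "$f" 2>&1 | check_codesign_output || rc=1
    done < "$list"
    hdiutil detach "$mnt" >/dev/null
    rm -f "$list"
    return $rc
}

[ $# -gt 0 ] && check_dmg "$1"
```

Run as `sh check_dmg.sh path/to/cariad-vv.dmg`; a non-zero exit means at least one file inside the image would trip the notary checks shown in the log.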

For those reading along at home, I’ll be helping TonyLee in a different context.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"