Signed with Developer ID but Pre-notarization check failed
0x5e opened this issue · 10 comments
Hi, I'm signing the Mac app with a Developer ID certificate, but it failed the pre-check.
~ » xcnotary precheck ~/Downloads/xxx.app
Processing...
Pre-notarization check failed:
Bundle is not signed with a Developer ID certificate or it includes unsigned binaries.
Suggested fix:
Make sure CODE_SIGN_IDENTITY was specified during the build.
See also:
https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution/resolving_common_notarization_issues
I see that xcnotary is executing /usr/sbin/spctl -v --assess -t exec INPUT_PATH, and here's my debug information:
~ » /usr/sbin/spctl -v --assess -t exec /path/to/xxx.app
/path/to/xxx.app: rejected
source=Developer ID
~ » codesign -dvvv /path/to/xxx.app
Executable=/path/to/xxx.app/Contents/MacOS/XXX
Identifier=com.xxx.xxx
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=892 flags=0x10000(runtime) hashes=17+7 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=3998752aaecd52de4602fcd53704979685cec41a
CandidateCDHashFull sha256=3998752aaecd52de4602fcd53704979685cec41a94815a7679f1c16582cffd24
Hash choices=sha256
CMSDigest=3998752aaecd52de4602fcd53704979685cec41a94815a7679f1c16582cffd24
CMSDigestType=2
CDHash=3998752aaecd52de4602fcd53704979685cec41a
Signature size=8968
Authority=Developer ID Application: XXX. (XXXXXXXXXX)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=May 18, 2021 at 8:14:13 PM
Info.plist entries=22
TeamIdentifier=XXXXXXXXXX
Runtime Version=11.3.0
Sealed Resources version=2 rules=13 files=11
Internal requirements count=1 size=208
~» csrutil status
System Integrity Protection status: disabled.
PS: My SIP is disabled; I'm not sure if it influences the spctl command.
Thanks for the issue.
Some ideas:
- I am not sure if having SIP disabled affects the validation. You could try enabling it to see if it helps.
- I would also look into the code signing process and check that everything inside the bundle (frameworks, other binaries, etc.) is signed.
- How are you building/signing the binary? If this is not a typical Xcode build, you would need to run codesign --sign "Developer ID Application: <company name>" --options runtime <path> multiple times, from the inside out (the last call being the bundle itself).
Hi @davidvartan ,
- I enabled it and restarted the computer; it still shows rejected.
- I'm building the binary using a typical Xcode build.
Since it's just a pre-check, and I'm sure I'm using the Developer ID certificate, can we pass this situation in this step:
- spctl executed with code 3, but output contains 'source=Developer ID' or 'source=Notarized Developer ID'
Hmm, but a spctl failure suggests that notarization will fail. The point of the precheck is to fail early on purpose, saving developers time waiting for notarization. I would suggest troubleshooting why spctl is failing. For example, the bundle may contain an unsigned resource inside.
This command may help: codesign --verify --verbose <path to bundle>
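The two suggestions in this thread so far (sign from the inside out with --options runtime, then run codesign --verify on the bundle) as one script. This is an added example, not xcnotary's code and not something either commenter posted. The identity string, the globs that decide where nested code lives inside Contents/, and the --timestamp flag are assumptions for illustration; adjust them for your bundle.

```shell
#!/bin/sh
# Added example (not xcnotary's code): sign a .app "inside out", i.e. every
# nested Mach-O or bundle first, deepest paths first, the outer bundle last,
# then verify the result the way the precheck would.
set -eu

# Assumption: signing identity, as shown by `security find-identity -v -p codesigning`.
IDENTITY="${IDENTITY:-Developer ID Application: Example Corp (XXXXXXXXXX)}"

# Emit paths to nested code that carries its own signature: frameworks,
# dylibs/plug-ins, XPC services, app extensions, nested apps, and plain
# executables under Contents/MacOS or Contents/Helpers. The set of globs is
# an assumption about the usual bundle layout, not an exhaustive list.
find_nested_code() {
  bundle=$1
  find "$bundle/Contents" \( \
      -name '*.framework' -o -name '*.dylib' -o -name '*.so' -o -name '*.bundle' \
      -o -name '*.xpc' -o -name '*.appex' -o -name '*.app' \
      -o \( -type f \( -path '*/Contents/MacOS/*' -o -path '*/Contents/Helpers/*' \) \) \
    \) -print
}

# Order paths deepest first (by number of path components) so that code
# embedded in a framework or nested app is signed before its container.
# Ties are broken by path so the order is reproducible.
inside_out_order() {
  awk '{ n = split($0, parts, "/"); print n "\t" $0 }' \
  | LC_ALL=C sort -t "$(printf '\t')" -k1,1nr -k2,2 \
  | cut -f2-
}

# --force replaces any ad-hoc or stale signature; --options runtime enables
# the hardened runtime the precheck looks for; --timestamp adds the secure
# timestamp notarization expects.
sign_one() {
  codesign --force --sign "$IDENTITY" --options runtime --timestamp "$1"
}

sign_inside_out() {
  bundle=$1
  find_nested_code "$bundle" | inside_out_order | while IFS= read -r path; do
    printf 'signing %s\n' "$path"
    sign_one "$path"
  done
  # The outer bundle goes last: this signs the main executable and seals the
  # resources and the (now signed) nested code.
  sign_one "$bundle"
  # --deep walks nested code; --strict applies the stricter checks. Any
  # unsigned item inside the bundle fails this step, which is the condition
  # the precheck message ("includes unsigned binaries") points at.
  codesign --verify --deep --strict --verbose=2 "$bundle"
}

# Usage: IDENTITY="Developer ID Application: ..." ./sign_inside_out.sh /path/to/xxx.app
if [ -n "${1:-}" ]; then
  sign_inside_out "$1"
fi
```

Run it against a fresh copy of the Xcode-built bundle; if codesign --verify --deep --strict still fails afterwards, the path it names is the item the signing pass did not reach, which is what to add to the globs.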
OK, I will try notarization tomorrow. Thanks for your help.
Notarization passed, and now the /usr/sbin/spctl -v --assess -t exec INPUT_PATH log is:
/Applications/xxx.app: rejected
source=Notarized Developer ID
It still exits with code 3, but the source changed to "source=Notarized Developer ID".
Date: 2021-05-19 01:42:36 +0000
Hash: 6d14b5e81f9d0bb3e1bc33590e16c2e98c88df4a7690bee4f75d67afa8630e30
LogFileURL: https://....
RequestUUID: xxxxx
Status: success
Status Code: 0
Status Message: Package Approved
Thanks for the update. So it looks like the notarization service accepted the app despite the "rejected."
Does Gatekeeper allow the application to launch after this?
Could you try the same spctl command and also add the --ignore-cache flag to see if it helps? Wondering if SIP being disabled previously may have cached an invalid result.
Some Googling (I tried "spctl rejected notarization succeeded") suggests that Gatekeeper includes additional checks beyond what notarization looks at.
I would also try creating a brand new project and following the same code signing process to try to isolate the issue.
Hope this helps! Beyond that, I'm afraid I don't have much insight as it would be something specific to your build.
The app is allowed to launch, and my Gatekeeper setting is "only allow App Store".
--ignore-cache is not working.
I understand the purpose of the precheck is to save users' time waiting for the notarization service. However, this precheck blocks me from uploading using the xcnotary tool. Thanks for your help; I'll continue to find out why it's rejected when I'm free, and will tell you if I find out. 😁
Ah, I forgot to mention that you should have the com.apple.quarantine flag set for the various checks to happen. This typically gets set by the web browser when the user downloads your app. For a quick test, you can do something like:
- Right-click on your .app and choose the Compress option.
- Take the resulting zip file and drag it onto a web browser, which will let you "download" it into your Downloads folder.
- Then you can unzip it and try running it, and you should see a warning if the app isn't properly signed. Does this happen?
Not working, still 'rejected', but actually there's no warning when launching the app. :)
As suggested above, I would try setting up a brand new clean project and codesigning/running spctl to see if it gets 'rejected'. Alternatively, there is something amiss from previously disabling Gatekeeper, but unfortunately I have not run into such a problem locally.
For additional troubleshooting help, I just added a --no-precheck flag to xcnotary notarize in v0.4.8. The tool will now also output some debugging information from Apple's service, which may or may not provide additional info. Note that you should be able to run prechecks for production distribution; Gatekeeper should not fail.
To update:
brew update
brew upgrade akeru-inc/tap/xcnotary
Hope this helps and best of luck!