sindresorhus/LaunchAtLogin-Legacy

Building unsigned, signing and notarizing manually afterwards leads to those same notarization errors

Opened this issue · 4 comments

I have my Xcode project configured to not do the signing and notarization (or at least "Sign to run locally"), and instead I have a GitHub workflow that signs and notarizes manually afterwards. This seems to be a problem and I'm guessing it's because copy-helper-swiftpm.sh doesn't just copy the helper but does a signing step. It's a little weird though and I don't quite understand the notarization errors.

In the notarytool log, it mentions LaunchAtLogin_LaunchAtLogin.bundle and the LaunchAtLoginHelper.zip within as if the rm at the end of copy-helper-swiftpm.sh didn't run! Here's the initial chunk of the log with the first of those errors:

{
  "logFormatVersion": 1,
  "jobId": "7e2f079b-9c4f-482d-9686-81d05b2c1dae",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "notarization.zip",
  "uploadDate": "2024-09-25T07:52:03.736Z",
  "sha256": <blahblahblah>,
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "notarization.zip/Batch Clipboard.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper.zip/LaunchAtLoginHelper.app/Contents/MacOS/LaunchAtLoginHelper",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
      "architecture": "x86_64"
    },

In my project I've confirmed that my Launch at Login build phase runs, that ONLY_ACTIVE_ARCH is NO, that copy-helper-swiftpm.sh executes, and it looks like it has removed LaunchAtLogin_LaunchAtLogin.bundle afterwards. This is my maniacal build phase script that's trying to verify this:

# Sanity check: is the SwiftPM resource bundle's copy script present and executable?
if [ -x "${BUILT_PRODUCTS_DIR}/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/copy-helper-swiftpm.sh" ] ; then
  echo "before call to copy-helper-swiftpm.sh ONLY_ACTIVE_ARCH is $ONLY_ACTIVE_ARCH"
else
  echo "copy-helper-swiftpm.sh appears to not exist or is not executable"
fi

# Run the copy script, then verify it removed the resource bundle from the built app.
if "${BUILT_PRODUCTS_DIR}/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/copy-helper-swiftpm.sh" ; then
  if [ ! -d "$BUILT_PRODUCTS_DIR/$CONTENTS_FOLDER_PATH" ] ; then
    echo "copy-helper-swiftpm.sh had no access to an app bundle at $BUILT_PRODUCTS_DIR/$CONTENTS_FOLDER_PATH"
  elif [ -d "$BUILT_PRODUCTS_DIR/$CONTENTS_FOLDER_PATH/Resources/LaunchAtLogin_LaunchAtLogin.bundle" ] ; then
    echo "copy-helper-swiftpm.sh did NOT remove $BUILT_PRODUCTS_DIR/$CONTENTS_FOLDER_PATH/Resources/LaunchAtLogin_LaunchAtLogin.bundle"
  else
    echo "copy-helper-swiftpm.sh did indeed remove $BUILT_PRODUCTS_DIR/$CONTENTS_FOLDER_PATH/Resources/LaunchAtLogin_LaunchAtLogin.bundle"
  fi
else
  # A non-zero exit from the copy script fails the build phase.
  echo "copy-helper-swiftpm.sh failed"
  exit 1
fi

which prints in the build logs:

before call to copy-helper-swiftpm.sh ONLY_ACTIVE_ARCH is NO
<signing stuff>
copy-helper-swiftpm.sh did indeed remove /Users/runner/work/Cleepp/Cleepp/Build/Products/Release/Batch Clipboard.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle

(Twice in fact, once for x86_64 and once for arm64. That's expected, right?)

I can't tell if mention of LaunchAtLogin_LaunchAtLogin.bundle in the log is a weird curiosity, or something critical. Assuming it's just because I don't understand enough about that bundle, I would think that the real problem is that copy-helper-swiftpm.sh isn't doing the signing I need.

Am I right that the ".bundle" errors are a red herring and that manually signing afterwards is really the problem? Should my workflow be doing something extra to correctly sign the helper app? Or maybe it's not so simple to do it this way and I'm better off raising my minimal system requirements so I can do without LaunchAtLogin (or use LaunchAtLogin-Modern)?

I am having the same exact issue. No idea how to work around this in my automation pipeline. @sindresorhus do you have any hints?

By the way, I do automatic signing with xcodebuild archive and then xcodebuild exportArchive with automatic signingStyle in the export options.

Basically the exact same thing I would do in Xcode's Organizer UI. But in the UI it works.

Full error log from the notarytool submission
error.txt

For some reason, it seems the script is not running if you archive using xcodebuild. The .bundle is in the archive. If you archive using Xcode's UI (Product > Archive) then it's not there.

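The two findings in this thread (the leftover LaunchAtLogin_LaunchAtLogin.bundle with its nested LaunchAtLoginHelper.zip, and a helper that is not signed with a Developer ID certificate) can both be caught before `notarytool submit` rather than after. The script below is an added example for this issue, not code from the issue's posters or from the LaunchAtLogin-Legacy project. It assumes the helper is placed at Contents/Library/LoginItems/LaunchAtLoginHelper.app (where copy-helper-swiftpm.sh is expected to put it); the function names and the sample app layouts it builds for its demo are constructed here. The signature check uses codesign's real `--verify --deep --strict` and `-dvv` options and is skipped where codesign is not installed.

```shell
#!/bin/sh
# Added example (not from the issue or LaunchAtLogin-Legacy): a pre-notarization check
# to run after export/sign and before `notarytool submit`. It fails if the app still
# carries the LaunchAtLogin_LaunchAtLogin.bundle resource bundle or any nested .zip, and,
# when codesign is available, confirms the app and helper carry Developer ID signatures.
# Assumption: the helper lives in Contents/Library/LoginItems/ (function names and the
# sample layouts below are constructed for this example).
set -u

# leftover_artifacts APP: print offending paths; return 1 if any, 0 if clean.
leftover_artifacts() {
  app="$1"; found=0
  if [ -d "$app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle" ]; then
    echo "leftover resource bundle: $app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle"
    found=1
  fi
  # notarytool unpacks zips inside the submission, so an unsigned helper inside a
  # leftover zip is reported even though that zip is never used at runtime.
  zips=$(find "$app/Contents" -type f -name '*.zip' 2>/dev/null || true)
  if [ -n "$zips" ]; then
    printf '%s\n' "$zips" | sed 's/^/leftover zip: /'
    found=1
  fi
  return "$found"
}

# helper_present APP: 0 if LaunchAtLoginHelper.app is at the assumed LoginItems location.
helper_present() {
  [ -d "$1/Contents/Library/LoginItems/LaunchAtLoginHelper.app" ]
}

# developer_id_signed PATH: 0 = valid Developer ID signature, 1 = not, 2 = no codesign here.
developer_id_signed() {
  command -v codesign >/dev/null 2>&1 || return 2
  codesign --verify --deep --strict "$1" >/dev/null 2>&1 || return 1
  # codesign -d prints the certificate chain to stderr; require a Developer ID leaf.
  codesign -dvv "$1" 2>&1 | grep -q 'Authority=Developer ID Application' || return 1
  return 0
}

# preflight APP: run all checks; exit status 0 means the bundle is ready to submit.
preflight() {
  app="$1"; rc=0
  leftover_artifacts "$app" || rc=1
  helper_present "$app" || { echo "missing: $app/Contents/Library/LoginItems/LaunchAtLoginHelper.app"; rc=1; }
  for target in "$app" "$app/Contents/Library/LoginItems/LaunchAtLoginHelper.app"; do
    developer_id_signed "$target" && sig=0 || sig=$?
    case $sig in
      0) echo "Developer ID signature OK: $target" ;;
      1) echo "NOT signed with Developer ID: $target"; rc=1 ;;
      2) echo "codesign not available; skipping signature check for $target" ;;
    esac
  done
  return "$rc"
}

# make_sample_app DIR clean|dirty: constructed layout for the demo and tests only.
# "dirty" reproduces the tree notarytool complained about in this issue.
make_sample_app() {
  app="$1/Batch Clipboard.app"
  mkdir -p "$app/Contents/Library/LoginItems/LaunchAtLoginHelper.app/Contents/MacOS"
  : > "$app/Contents/Library/LoginItems/LaunchAtLoginHelper.app/Contents/MacOS/LaunchAtLoginHelper"
  if [ "$2" = dirty ]; then
    mkdir -p "$app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources"
    : > "$app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper.zip"
  fi
  printf '%s\n' "$app"
}

# Usage: sh preflight.sh "/path/to/Batch Clipboard.app"; with no argument a demo runs.
if [ "${1:-}" != "" ]; then
  preflight "$1"; exit $?
fi
demo=$(mktemp -d)
dirty=$(make_sample_app "$demo/dirty" dirty)
echo "--- demo: tree left behind when copy-helper-swiftpm.sh did not run ---"
if preflight "$dirty"; then echo "unexpected: demo tree passed"; else echo "preflight failed, as it should"; fi
rm -rf "$demo"
```

In a GitHub workflow this runs as a step between `xcodebuild -exportArchive` and `notarytool submit`, so a run in which the copy script was skipped fails locally with the offending paths printed, instead of minutes later with the "not signed with a valid Developer ID certificate" line from the notarization log.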