Apple notarization fails

Question

Apple notarization fails

rameerez opened this issue 4 years ago · comments

I've just switched from Carthage to SPM and I'm using v4.0.0

Everything works fine except Apple won't notarize the app, throwing a "Package Invalid" error with the following messages:

The binary is not signed with a valid developer id certificate
The signature does not include a secure timestamp
The executable requests the com.apple.security.get-task-allow entitlement

macOS version: 10.15.7
Xcode version: 12.0.1

More info about affected files:


- The binary is not signed with a valid developer id certificate
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper.zip/LaunchAtLoginHelper.app/Contents/MacOS/LaunchAtLoginHelper
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/MacOS/LaunchAtLoginHelper
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftAppKit.dylib
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftCoreImage.dylib
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftObjectiveC.dylib
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftXPC.dylib
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftCore.dylib
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftCoreGraphics.dylib
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftMetal.dylib
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftCoreData.dylib
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftDispatch.dylib
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftos.dylib
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftCoreFoundation.dylib
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftDarwin.dylib
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftQuartzCore.dylib
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftIOKit.dylib
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftFoundation.dylib

- The signature does not include a secure timestamp
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper.zip/LaunchAtLoginHelper.app/Contents/MacOS/LaunchAtLoginHelper
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/MacOS/LaunchAtLoginHelper
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftAppKit.dylib
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftCoreImage.dylib
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftObjectiveC.dylib
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftXPC.dylib
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftCore.dylib
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftCoreGraphics.dylib
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftMetal.dylib
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftCoreData.dylib
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftDispatch.dylib
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftos.dylib
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftCoreFoundation.dylib
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftDarwin.dylib
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftQuartzCore.dylib
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftIOKit.dylib
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftFoundation.dylib

- The executable requests the com.apple.security.get-task-allow entitlement
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper.zip/LaunchAtLoginHelper.app/Contents/MacOS/LaunchAtLoginHelper
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/MacOS/LaunchAtLoginHelper

Sindre Sorhus · Answer 1 · Sun Oct 04 2020 07:13:10 GMT+0800 (China Standard Time)

Did you remember to also change the run script?

Because the error indicates that the ZIP files were not removed which indicates the run script didn't run.

rameerez · Answer 2 · Sun Oct 04 2020 08:02:34 GMT+0800 (China Standard Time)

This gave me the clue to find out what was wrong! Yes, I did change the run script, but after reading your comment I went on to inspect it and found out that LaunchAtLogin_LaunchAtLogin.bundle only gets deleted if $CONFIGURATION == "Release". My current configuration name is not "Release" so line 48

rm -rf "$contents_path/Resources/LaunchAtLogin_LaunchAtLogin.bundle"

never got executed.

Changing the conditional on line 47 to $CONFIGURATION != "Debug" seems to work for me. Now the app gets notarized correctly! Thanks for your very quick response!

Sindre Sorhus · Answer 3 · Tue Oct 20 2020 09:08:18 GMT+0800 (China Standard Time)

only gets deleted if $CONFIGURATION == "Release". My current configuration name is not "Release" so line 48

I wonder if it's possible to detect if the current configuration is "release build type" without matching on the name.

Changing the conditional on line 47 to $CONFIGURATION != "Debug" seems to work for me. Now the app gets notarized correctly! Thanks for your very quick response!

That seems like a good change in general. Wanna do a PR?

We should probably also explicitly document that it's expected that the debug configuration is named Debug.

rameerez · Answer 4 · Tue Dec 15 2020 02:38:36 GMT+0800 (China Standard Time)

That seems like a good change in general. Wanna do a PR?

Sure! Opening a PR now :)

Zack Sheppard · Answer 5 · Sat Feb 27 2021 00:23:40 GMT+0800 (China Standard Time)

Ah shoot - I left a comment about what my PR is and how it builds on the original one, but I left it on #52 rather than here. Please refer to it there.