This query is about how to staple a ticket to a Unix executable after notarization. I am new to the macOS environment. The following steps are used to notarize and staple a Unix executable:

1) Created the directory codesign_utilities

2) Added all the code-signed Unix executables into it and compressed it into a zip file with: zip -r codesign_utilities.zip codesign_utilities

3) Ran the command for notarization: xcrun altool --notarize-app --primary-bundle-id "com.def.ghi" --username "developer ID" --password "related password" --file codesign_utilities.zip. I am able to notarize the zip file.

4) Later, I am trying to staple the ticket to one of the Unix executables that was part of the zip file with the command: xcrun stapler staple "unix executable". But it throws this error: "Could not remove existing ticket from /Contents/CodeResources ... {Error Domain=NSPOSIXErrorDomain Code=20 "Not a directory"}} The staple and validate action failed! Error 73."

I believe the error is occurring because it is just a Unix executable and not an executable bundle in .app format.

Queries:

  • Can you tell me the best way to staple the ticket to a Unix executable?
  • Is it mandatory to create an executable bundle for notarization and stapling? If yes, please provide the steps.
– Mann

2 Answers


man stapler has this to say:

SUPPORTED FILE FORMATS stapler works only with UDIF disk images, signed "flat" installer packages, and certain code-signed executable bundles such as ".app". Passing an unsigned "flat" installer package or an unsigned executable bundle in path to stapler is considered an error.

It seems impossible to staple a notarization ticket to a Unix executable, and I'm not sure why you want to.

– TheNextman
  • Thanks for the quick update. Yes, it looks like stapler expects input in certain defined formats, and hence we are facing this challenge stapling the ticket to Unix executables for an offline environment. We need to notarize our executable so that Gatekeeper does not show any concern for it. I understand it is optional for the time being, but it is better to take pre-emptive steps. – Mann Mar 22 '19 at 17:18
  • You will need to staple the .zip (I think that is possible) or a .dmg, and use that to distribute your executables – TheNextman Mar 22 '19 at 17:22
  • I think the stapler command requires an independent application as input to which the ticket is to be stapled. Certainly, the .zip file format is not allowed. But I'm not sure about the .dmg format. – Mann Mar 22 '19 at 18:24
  • .dmg is allowed – TheNextman Mar 22 '19 at 18:42
  • Read again what I wrote above: "...stapler works [only] with UDIF disk images..." – TheNextman Mar 22 '19 at 18:59
  • What about a .framework package? – Justin Putney Jan 22 '22 at 00:46
Here is how I solved it, by notarizing my executable:

https://medium.com/@nimit95/fix-macos-catalina-caused-app-failures-1f9a05d2b0ec

Currently, only some file formats are supported for stapling.

The stapler man page says:

SUPPORTED FILE FORMATS stapler works only with UDIF disk images, signed "flat" installer packages, and certain code-signed executable bundles such as ".app". Passing an unsigned "flat" installer package or an unsigned executable bundle in path to stapler is considered an error.

You should also attach the generated ticket to your software using the stapler tool, so that future distributions include the ticket. This ensures that Gatekeeper can find the ticket even when a network connection isn't available. It is not mandatory, because if a network connection is available Gatekeeper will check online.
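The disk-image route that both answers and the comments point to (stapler accepts a UDIF .dmg, but not a bare executable or a .zip), as an added example that is not code from the question or either answer. It assumes macOS with the Xcode command-line tools, executables already signed with a Developer ID certificate, and the notarization credentials exported as APPLE_ID / APPLE_PASSWORD (an app-specific password); the function names and the polling loop are my own.

```shell
#!/bin/sh
# Added example: package the code-signed tools in a UDIF disk image, notarize
# and staple the .dmg instead of the individual executables, then verify it.
# Assumes APPLE_ID / APPLE_PASSWORD in the environment; BUNDLE_ID is the
# placeholder from the question.
set -eu
SRC_DIR="codesign_utilities"   # directory of code-signed Unix executables
DMG="codesign_utilities.dmg"   # the artifact stapler can actually work on
BUNDLE_ID="com.def.ghi"

# Pull the RequestUUID out of altool's upload output (read from stdin).
extract_request_uuid() {
  sed -n 's/^[[:space:]]*RequestUUID[[:space:]]*=[[:space:]]*\([0-9A-Fa-f-]*\).*/\1/p' | head -n 1
}

# UDZO is a compressed UDIF image, one of the formats stapler supports.
build_dmg() {
  hdiutil create -volname "$(basename "$1")" -srcfolder "$1" -ov -format UDZO "$2"
}

# Submit the .dmg (not the .zip) so the ticket can later be stapled to it.
notarize_dmg() {
  xcrun altool --notarize-app --primary-bundle-id "$BUNDLE_ID" \
    --username "$APPLE_ID" --password "$APPLE_PASSWORD" --file "$1" \
    | extract_request_uuid
}

# Poll until the request is no longer "in progress", then print the final status.
wait_for_notarization() {
  while :; do
    out=$(xcrun altool --notarization-info "$1" --username "$APPLE_ID" --password "$APPLE_PASSWORD")
    case "$out" in
      *"in progress"*) sleep 30 ;;
      *) printf '%s\n' "$out"; break ;;
    esac
  done
}

# Staple, then check the ticket and Gatekeeper's verdict on the image offline.
staple_and_check() {
  xcrun stapler staple "$1"
  xcrun stapler validate "$1"
  spctl --assess --type open --context context:primary-signature -v "$1"
}

# Run the whole pipeline only when invoked as: sh notarize_dmg.sh run
if [ "${1:-}" = "run" ]; then
  build_dmg "$SRC_DIR" "$DMG"
  wait_for_notarization "$(notarize_dmg "$DMG")"
  staple_and_check "$DMG"
fi
```

Run codesign --verify --strict on each tool before building the image, since notarization rejects unsigned binaries, and check the status line printed by wait_for_notarization before stapling.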