
I have a macOS app and want to distribute it to beta users as a DMG file outside the App Store.

I have read some articles about how to notarize an app and followed the steps to successfully notarize the DMG file without any problem.

My development machine runs macOS 10.14, and the Xcode version is 10.1.

However, when I try to check the notarized DMG file on another testing machine running macOS 10.14.5 (by sending the file via AirDrop, or downloading it from my website), I still see the popup from Gatekeeper with the message "'myApp.dmg' can’t be opened because Apple cannot check it for malicious software." on that machine.

It seems Gatekeeper does not properly check the notarized DMG file. Has anybody had the same problem, and how can I fix it?

rmaddy
  • Is that machine connected to the internet? Moreover, have you stapled your dmg? When you notarized your dmg, did you check the notarization log? I have no such problems using a notarized dmg. – jvarela Jul 24 '19 at 22:57
  • Did you check the console for any related messages? Using the correct code signing certificate? – Richard Barber Jul 25 '19 at 00:04
  • @jvarela: of course I stapled my dmg, and checked it with the command `spctl -v -a -t open --context context:primary-signature myApp.dmg`, and the result says "myApp.dmg is accepted" on my machine. However, when I check this on the testing machine, it says 'rejected'. – Trung Nguyen Jul 25 '19 at 01:55
  • @RichardBarber: everything works fine with the code signing certificate, otherwise Apple would have rejected my notarization. – Trung Nguyen Jul 25 '19 at 01:58
  • Again, when you uploaded your dmg with altool, did you check the notarization log? If so, is there any indication of an error or something to be corrected? – jvarela Jul 25 '19 at 07:48
  • Apple highly recommends that you always check this log even if it approves your submission. – jvarela Jul 25 '19 at 07:51
  • @jvarela: I received an email from Apple which said 'Your Mac software has been notarized. You can now export this software and distribute it directly to users.'. After that, I checked the notarization log and saw `{"status": "Accepted", "statusSummary": "Ready for distribution", "issues": null}` in the log. Then I stapled the DMG file. Everything was OK, however Gatekeeper still showed the message "myApp.dmg can't be opened because Apple cannot check it for malicious software" on another machine. – Trung Nguyen Jul 29 '19 at 02:46
  • @jvarela: I selected the option "App Store and identified developers" for "Allow apps downloaded from" in Preferences on that machine, which would enable GateKeeper to verify any notarized apps, right? – Trung Nguyen Jul 29 '19 at 02:48
  • @TrungNguyen Try `xcrun stapler validate myapp.app` to see if it verifies the staple of the notarization. – gaige Aug 02 '19 at 14:31

1 Answer


Short answer

It could be due to an RPATH referencing a path outside the App bundle. Removing this RPATH would resolve the issue.

Inspecting log files

You can find extra information about the rejection (after trying to launch the blocked app) in the Console.app. Note that you should open the Console.app, before trying to open your blocked app, otherwise not all messages may be logged. You should look for process XprotectService in the logs of your device (i.e. choose your device in the left side bar of the Console.app). If the RPATH is indeed the problem, you should find a record like this:

```
XprotectService: [com.apple.xprotect:xprotect] File /path/to/your/executable/or/library failed on rPathCmd /rpath/causing/the/problem (rpath resolved to: (path not found), bundleURL: /path/to/your/bundle.app)
```

Inspecting these log files may give you a key to solve other issues too.

Note that I received the following information from an Apple engineer:

> Gatekeeper does not inform users via UI about the specifics of the error, though it is in the logs for developers to look at. The notarization process is purely about detecting malicious software and does not replicate Gatekeeper enforcement. You still need to get software notarized and test with Gatekeeper.
>
> We are looking to provide better tooling for developers in the future to pre-flight some of these common errors.

Contact Apple

If you are not able to solve your issue with the above information, you may want to contact Apple itself using the Feedback Assistant. They do not respond very quickly (~1-2 weeks), but the answers are rather to the point.

m7913d
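A pre-flight check for the RPATH cause described in the answer above, as an added example that is not part of the original answer: it lists `LC_RPATH` entries from `otool -l` output that are absolute and lie outside the bundle. The function names, the sample output and the paths in it are constructed for illustration, and treating every absolute out-of-bundle entry as suspect is an assumption; entries relative to `@executable_path`, `@loader_path` or `@rpath` are not resolved.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer); function names are hypothetical.

# flag_rpaths BUNDLE: reads `otool -l` output on stdin and prints each
# LC_RPATH path that is absolute and not located under BUNDLE.
flag_rpaths() {
  awk -v bundle="${1%/}" '
    $1 == "cmd" { in_rpath = ($2 == "LC_RPATH") }   # track the current load command
    in_rpath && $1 == "path" {
      p = $0
      sub(/^[ \t]*path /, "", p)            # drop the field label
      sub(/ \(offset [0-9]+\)$/, "", p)     # drop the trailing "(offset N)"
      if (p ~ /^@(executable_path|loader_path|rpath)/) next  # relative to the binary
      if (index(p, bundle "/") == 1) next                    # absolute, inside bundle
      print p
    }'
}

# scan_bundle BUNDLE: runs otool (macOS) over every file in the bundle and
# reports the files carrying flagged entries. Non-Mach-O files yield nothing.
scan_bundle() {
  local bundle="${1%/}" f bad
  find "$bundle" -type f | while IFS= read -r f; do
    bad=$(otool -l "$f" 2>/dev/null | flag_rpaths "$bundle")
    if [ -n "$bad" ]; then printf '%s:\n%s\n' "$f" "$bad"; fi
  done
}

# Constructed sample of `otool -l` output, for trying flag_rpaths offline.
sample_otool_output() {
  cat <<'EOF'
Load command 12
          cmd LC_LOAD_DYLIB
      cmdsize 56
         name /usr/lib/libSystem.B.dylib (offset 24)
Load command 13
          cmd LC_RPATH
      cmdsize 48
         path @executable_path/../Frameworks (offset 12)
Load command 14
          cmd LC_RPATH
      cmdsize 40
         path /Users/dev/build/lib (offset 12)
Load command 15
          cmd LC_RPATH
      cmdsize 64
         path /Applications/myApp.app/Contents/Frameworks (offset 12)
EOF
}
```

On the build machine, `scan_bundle /path/to/your/bundle.app` before signing prints each binary with a flagged entry; an empty result means none were found by this check.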