8

These are the commands I'm running. This used to work for me every time but now it's failing.

```
codesign -s "Developer ID Application: <YOUR NAME>" --timestamp --options runtime -f --entitlements entitlements.plist --deep <APP NAME>.app

/usr/bin/ditto -c -k --keepParent <APP NAME>.app <APPNAME>.zip

xcrun altool --notarize-app --primary-bundle-id "<BUNDLE ID>" -u "<YOUR EMAIL>" -p "<APP SPECIFIC PASSWORD>" --file <YOURAPP>.zip
```

I get an email with "your app has failed notarization" or whatnot.

These are the errors I'm getting.

```json
{
  "logFormatVersion": 1,
  "jobId": "69910cca-87c0-44f6-a8ec-a0c8a6a7b614",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "MegaHasan.zip",
  "uploadDate": "2020-02-05T19:07:48Z",
  "sha256": "b6b7c75a0e50a9ec9f238360c674f9345ef6a97d27a21a69e793b7938927eb42",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "MegaHasan.zip/Mega Hasan.app/Contents/Plugins/plugin_bit.dylib",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "MegaHasan.zip/Mega Hasan.app/Contents/Plugins/plugin_bit.dylib",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "MegaHasan.zip/Mega Hasan.app/Contents/Plugins/plugin_bit.dylib",
      "message": "The binary uses an SDK older than the 10.9 SDK.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "MegaHasan.zip/Mega Hasan.app/Contents/Plugins/libsteam_api.dylib",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "MegaHasan.zip/Mega Hasan.app/Contents/Plugins/libsteam_api.dylib",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "MegaHasan.zip/Mega Hasan.app/Contents/Plugins/plugin_steamworks.dylib",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "MegaHasan.zip/Mega Hasan.app/Contents/Plugins/plugin_steamworks.dylib",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "MegaHasan.zip/Mega Hasan.app/Contents/Frameworks/CoronaCards.framework/Versions/A/Frameworks/gameNetwork.dylib",
      "message": "The binary uses an SDK older than the 10.9 SDK.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "MegaHasan.zip/Mega Hasan.app/Contents/Frameworks/CoronaCards.framework/Versions/A/Frameworks/licensing.dylib",
      "message": "The binary uses an SDK older than the 10.9 SDK.",
      "docUrl": null,
      "architecture": "x86_64"
    }
  ]
}
```
hamobi
  • The reason it used to work is that Apple [relaxed the requirements in Sept. 2019](https://developer.apple.com/news/?id=09032019a). The reason it stopped working is that they [restored the stricter requirements at the beginning of Feb. 2020](https://developer.apple.com/news/?id=12232019a). Effectively, your app never met the "real" requirements. – Ken Thomases Feb 21 '20 at 00:53

2 Answers

5

Notarization only works for binaries linked against macOS 10.9 or later. You must relink the offending library against SDK 10.9 or later and resubmit the application.

You must install an Xcode macOS SDK at least as modern as 10.9 and use it as your sysroot when you compile and link the libraries which are not up to date. Then recompile and link your app against the new libs. It is usually a good idea to compile all dylibs and the main executive binary with the same toolchain. For notarization, any pre-10.9 SDK-linked binary is going to be a no-go unfortunately.

Richard Barber
  • How do I do that? – hamobi Feb 21 '20 at 00:36
  • You must install an Xcode macOS SDK at least as modern as 10.9 and use it as your sysroot when you compile and link the libraries which are not up to date. – Richard Barber Feb 21 '20 at 03:29
  • Then recompile and link your app against the new libs. – Richard Barber Feb 21 '20 at 03:31
  • I'm up to date with Xcode and macOS. These libs are pre-compiled so I prob don't have much control over them. I notice if I use the SD Notary tool I can get away with all the libs passing except for one using the options "disable library validation, allow JIT compiled code". For whatever reason that plugin_bit library is still throwing just one error. – hamobi Feb 21 '20 at 03:33
  • In that case don’t use precompiled dylibs. It is usually a good idea to compile all dylibs and the main executive binary with the same toolchain. For notarization, any pre-10.9 SDK-linked binary is going to be a no-go unfortunately. – Richard Barber Feb 22 '20 at 11:20
  • @RichardBarber So what can you do if you don't have src for the lib and cannot rebuild it? See https://stackoverflow.com/questions/61208189/java-notarization-of-libapplescriptengine-dylib-failing-with-the-binary-uses-an – Paul Taylor Apr 14 '20 at 14:06
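
The "SDK older than the 10.9 SDK" errors discussed above can be caught before uploading by reading the SDK version each Mach-O records in its load commands. The following is an added example, not code from the question or either answer; the function names and `SAMPLE_OLD` are illustrative, and it assumes a slice that records no SDK at all should be treated as failing.

```python
import struct

MH_MAGIC_64, MH_MAGIC_32, FAT_MAGIC = 0xFEEDFACF, 0xFEEDFACE, 0xCAFEBABE
LC_VERSION_MIN_MACOSX, LC_BUILD_VERSION = 0x24, 0x32
MIN_SDK = (10, 9)  # threshold named in the notarization log message

# Constructed sample: 64-bit x86_64 dylib header plus one
# LC_VERSION_MIN_MACOSX command (min OS 10.6, SDK 10.8).
SAMPLE_OLD = (struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 6, 1, 16, 0, 0)
              + struct.pack("<4I", LC_VERSION_MIN_MACOSX, 16, 0x000A0600, 0x000A0800))

def _decode(v):
    """Mach-O packs X.Y.Z into one 32-bit word as xxxx.yy.zz."""
    return (v >> 16, (v >> 8) & 0xFF)

def slice_sdk(data, off=0):
    """(major, minor) SDK of one little-endian slice, or None if not recorded."""
    magic, = struct.unpack_from("<I", data, off)
    if magic not in (MH_MAGIC_64, MH_MAGIC_32):
        raise ValueError("not a little-endian Mach-O slice")
    ncmds, = struct.unpack_from("<I", data, off + 16)
    pos = off + (32 if magic == MH_MAGIC_64 else 28)  # skip mach_header
    for _ in range(ncmds):
        cmd, size = struct.unpack_from("<II", data, pos)
        if size < 8:
            raise ValueError("corrupt load command")
        if cmd == LC_VERSION_MIN_MACOSX:  # cmd, cmdsize, version, sdk
            return _decode(struct.unpack_from("<I", data, pos + 12)[0])
        if cmd == LC_BUILD_VERSION:       # cmd, cmdsize, platform, minos, sdk
            return _decode(struct.unpack_from("<I", data, pos + 16)[0])
        pos += size
    return None

def sdk_versions(data):
    """SDK per slice; a fat file has a big-endian header and 20-byte arch entries."""
    if struct.unpack_from(">I", data, 0)[0] != FAT_MAGIC:
        return [slice_sdk(data)]
    nfat, = struct.unpack_from(">I", data, 4)
    offs = [struct.unpack_from(">I", data, 8 + 20 * i + 8)[0] for i in range(nfat)]
    return [slice_sdk(data, o) for o in offs]

def needs_relink(data):
    """True if any slice is older than MIN_SDK (assumption: missing SDK also fails)."""
    return any(s is None or s < MIN_SDK for s in sdk_versions(data))
```

Call `needs_relink(open(path, "rb").read())` on each `.dylib` and executable under the app's `Contents/` directory; any file that returns `True` is one that re-signing alone will not get through notarization.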
3

I'm running into similar issues with a notarization process for Electron that used to work and now doesn't. I found that somehow some of my certificates had been revoked. They didn't show that way in the Apple Developer site, but when I went into Xcode: Preferences: Accounts and clicked on the Manage Certificates button.

Creating new certificates did get me to the point where I made it through notarization but now get signing errors when I upload with Application Loader, so I may have done something else wrong making the new certificates and regenerating my provisioning profiles, but hopefully this helps you out.

Alexis Bell