Notarisation for dummies

yall

@Lindon @d-healey Hello, after a year without notarizing a pkg, I got back into this thing ^^
I had kept my identifiers, password; certificates.
so
I sign the plugin, ok
I sign my pkg, ok
I am trying to notarize my pkg. but,
I get a response from the terminal

"CFURLRequestSetHTTPCookieStorageAcceptPolicy_block_invoke: no longer implemented and should not be called"

. I received an email from apple was not notarized.
I have not changed anything compared to before, I have even just repaid my subscription.
I am using exact lines from command terminal.
something changed in the method according to you?

Lindon

@yall nope - all working Ok here last time I did it...

yall

@lindon said in Notarisation for dummies:

nope - all working Ok here last time I did it...

I don't understand what's going on then

trillbilly

@yall Maybe try new identifiers, passwords & certificates. Its always something small.

yall

@trillbilly I made mistakes at the start. I blocked my account I could no longer create a certificate. apple after 2 months of mail without concrete answers, apple decided to let me create 2 new certificates. they work. simply my notarization systematically fails with refusal mail. there must be a problem with my account or something like that. I'm sure of my handling. I've done it dozens of times. that said j ak sent to a friend who has a mac m1 with logic. my plugins and vst worked without being notarized. gatekeeper was disabled

yall

@Lindon finally my mistake was the following.
I used the basic signature whereas it is necessary to take the force deep code signature....
so my pkg are notarized successfully and then stapled.
I then put several pkg in a zip and signed then notarized the zip.
success too.
little question, as stapling the zip is not possible, only notarization is enough?

DanH

@yall I don’t notarise my zip files at all

Lindon

@danh said in Notarisation for dummies:

@yall I don’t notarise my zip files at all

like @DanH - I dont notarize my zips - I zip everything up after I have successfully done the code signing and notarizing...

DanH

Should I be able to codesign and notarize an app - as in a file with a .app extension?

Terminal says no. I want to supply a standalone app without an installer. It's only use is for downloading sample content.

Any info welcome.

PS - I'm happily codesigning and notarizing .pkgs...

d.healey

@danh You code sign pkgs?

Lindon

@d-healey said in Notarisation for dummies:

@danh You code sign pkgs?

yeah - you should.

DanH

@d-healey I do, yes, but does anyone know about .app's? Just pinging an app to users can result in the 'OSX cannot check it for malicious content' message.

d.healey

@lindon Oh it's been so long since I did it I'm misremembering the process

Lindon

@danh - what are apple telling you when you try to notarize the .app ???

DanH

@lindon that it's not codesigned... Can't get the first part to work basically

Please let me know if any of the below has any clues for you

{
  "logFormatVersion": 1,
  "jobId": "e7ddde08-d7e4-4a35-af9d-ca55954eee03",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "TEST-SAMPLES-DOWNLOADER_signed.pkg",
  "uploadDate": "2022-02-01T13:10:53Z",
  "sha256": "4282dcf278ae44b528e64083b6f4aeb22a59da516e60f725013b240a33f3af72",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "TEST-SAMPLES-DOWNLOADER_signed.pkg/TEST-SAMPLES-DOWNLOADER_Standalone.pkg Contents/Payload/Applications/DANH/TEST-SAMPLES-DOWNLOADER.app/Contents/MacOS/TEST-SAMPLES-DOWNLOADER",
      "message": "The binary is not signed.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "TEST-SAMPLES-DOWNLOADER_signed.pkg/TEST-SAMPLES-DOWNLOADER_Standalone.pkg Contents/Payload/Applications/DANH/TEST-SAMPLES-DOWNLOADER.app/Contents/MacOS/TEST-SAMPLES-DOWNLOADER",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "TEST-SAMPLES-DOWNLOADER_signed.pkg/TEST-SAMPLES-DOWNLOADER_Standalone.pkg Contents/Payload/Applications/DANH/TEST-SAMPLES-DOWNLOADER.app/Contents/MacOS/TEST-SAMPLES-DOWNLOADER",
      "message": "The executable does not have the hardened runtime enabled.",
      "docUrl": null,
      "architecture": "x86_64"
    }
  ]
}

I should also add that I tried using @d-healey 's export app which should codesign and notarize the .pkg that it builds but I got this notarization error

Lindon

@danh well I think all the info. you need is right there,

The pkg isnt signed
theres no timestamp on it

• its not hardende runtime...

DanH

@lindon Thanks, yep, I must have been thinking it was the standalone that wasn't signed rather than the package.

I guess in any case I'm looking to sign and notarize the app directly, in app form, so not in a .pkg.

yall

@Lindon little question to understand something. I successfully notarized my pkgs. I then created a zip archive with inside, the windows installer and the pkg. I don't need to notarize the zip? Or just sign it?

d.healey

@yall said in Notarisation for dummies:

then created a zip archive with inside, the windows installer and the pkg

Why? Just give the user individual links. Most users only use one OS and you are wasting their bandwidth and yours by making them download things they probably don't need.

yall

@d-healey it allows me to avoid looking for links, if a client later wants a windows version for example, I should send them back. while the I zip it has everything, and wetransfert. faster for me.