B4J Question Notarize in MacSigner 1.02

[yo3ggx]

Hello.

All steps ok, until Notarize.
I get the submission confirmation:

Uploading package to Apple server. This step can take several minutes...
Conducting pre-submission checks for janet.zip and initiating connection to the Apple notary service...
Submission ID received
  id: d3d64dfb-8500-4d21-b454-fcd75052ecbc
Successfully uploaded file
  id: d3d64dfb-8500-4d21-b454-fcd75052ecbc
  path: /Users/toma/janet/package/janet.zip

But no mail received even after a few hours, so I Click on Request info after entering the request ID.

I get the following answer:

Successfully received submission info
  createdDate: 2023-08-12T14:51:12.140Z
  id: d3d64dfb-8500-4d21-b454-fcd75052ecbc
  name: janet.zip
  status: Invalid

Of course, Staple does not work either, with the following error.

Successfully received submission info
  createdDate: 2023-08-12T14:51:12.140Z
  id: d3d64dfb-8500-4d21-b454-fcd75052ecbc
  name: janet.zip
  status: Invalid

With the previous MacSigner version (used a few months ago) everything worked as expected.

As explained here:
https://developer.apple.com/forums/thread/713345
I checked the log with notarytool.

xcrun notarytool log --apple-id [email protected] --password aort-fxjw-ewlc-awuu --team-id W5KECJU98V  d3d64dfb-8500-4d21-b454-fcd75052ecbc

{
  "logFormatVersion": 1,
  "jobId": "d3d64dfb-8500-4d21-b454-fcd75052ecbc",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "janet.zip",
  "uploadDate": "2023-08-12T14:51:21.861Z",
  "sha256": "2951c440a575d5671b89827374438a7310bc32b4d50567d9e8f4892317ed82bb",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "janet.zip/janet.app/Contents/runtime/Contents/Home/bin/jrunscript",
      "message": "The binary is not signed.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "janet.zip/janet.app/Contents/runtime/Contents/Home/bin/jrunscript",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "janet.zip/janet.app/Contents/runtime/Contents/Home/bin/jrunscript",
      "message": "The executable does not have the hardened runtime enabled.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087724",
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "janet.zip/janet.app/Contents/runtime/Contents/Home/bin/java",
      "message": "The binary is not signed.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "janet.zip/janet.app/Contents/runtime/Contents/Home/bin/java",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "janet.zip/janet.app/Contents/runtime/Contents/Home/bin/java",
      "message": "The executable does not have the hardened runtime enabled.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087724",
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "janet.zip/janet.app/Contents/runtime/Contents/Home/bin/keytool",
      "message": "The binary is not signed.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "janet.zip/janet.app/Contents/runtime/Contents/Home/bin/keytool",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "janet.zip/janet.app/Contents/runtime/Contents/Home/bin/keytool",
      "message": "The executable does not have the hardened runtime enabled.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087724",
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "janet.zip/janet.app/Contents/runtime/Contents/Home/lib/jspawnhelper",
      "message": "The binary is not signed.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "janet.zip/janet.app/Contents/runtime/Contents/Home/lib/jspawnhelper",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "janet.zip/janet.app/Contents/runtime/Contents/Home/lib/jspawnhelper",
      "message": "The executable does not have the hardened runtime enabled.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087724",
      "architecture": "x86_64"
    }
  ]
}

Any hint about what I'm doing wrong?
Package was created successfully (and functional), including signing (no errors).

Thank you.

 

[Erel]

Make a test with a simple project without native libraries. Does it work?

 

[yo3ggx]

Tested with another app, without any native code. Same error: "status: invalid".

 

[Erel]

Which version of Xcode are you using?

 

[yo3ggx]

I'm using Xcode 14.3.1 on a MacMini M2 with macOS Ventura 13.5.
I'm notarizing an x86-64 version of the app.

 

[Erel]

I'm notarizing an x86-64 version of the app.

What does it mean?

Try it without native binaries.

 

[yo3ggx]

As stated in my previous message I've tested an application without native libraries, but when you package the app with MacSigner on an M2 Mac, you can use x86-64 or arm64 version of java/javafx. Tested with the standard x86-64 version, as explained in your MacSigner thread.

 

[yo3ggx]

If I check with codesign tool, looks ok.

codesign -dvv ./package/janet.app
Executable=/Users/toma/janet/package/janet.app/Contents/MacOS/janet
Identifier=ro.yo3ggx.janet
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=1627 flags=0x10000(runtime) hashes=40+7 location=embedded
Signature size=8980
Authority=Developer ID Application: Dan Ovidiu Toma (W5AVCXxxxx)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Aug 12, 2023 at 5:30:00 PM
Info.plist entries=16
TeamIdentifier=W5AVCXxxxx
Runtime Version=11.1.0
Sealed Resources version=2 rules=13 files=155
Internal requirements count=1 size=176

 

[Erel]

FWIW, I've just notarized an app with v1.02 and it works. If you like I can send you the previous version. It should still be supported by Apple.

 

[yo3ggx]

Thank you, but I would like to find the root cause, as it seems I'm the only one affected.
I'm not in a hurry to publish the new release. I will try to sign and notarize the app from the console.

I wonder why I get the messages:
"The signature does not include a secure timestamp."
According to this page:
https://developer.apple.com/documen.../resolving_common_notarization_issues#3087721

In this case, be sure to add a secure timestamp by adding the timestamp option to your OTHER_CODE_SIGN_FLAGS build setting, or by using the option directly with the codesign utility if you sign manually, as described in the previous section.

Generating a secure timestamp requires internet access. macOS accepts only one secure timestamp server, namely timestamp.apple.com, which uses the follow address ranges:
17.32.213.0/24
17.179.249.0/24
17.157.80.0/24

but checking with codesign -dvv ./package/janet.app I do not get any error.

Please check the other errors from the log send previously.

"The binary is not signed.", "path": "janet.zip/janet.app/Contents/runtime/Contents/Home/bin/jrunscript"
"The signature does not include a secure timestamp.","path": "janet.zip/janet.app/Contents/runtime/Contents/Home/bin/jrunscript",
"The executable does not have the hardened runtime enabled.","path": "janet.zip/janet.app/Contents/runtime/Contents/Home/bin/jrunscript",
"The binary is not signed.","path": "janet.zip/janet.app/Contents/runtime/Contents/Home/bin/java",
"The signature does not include a secure timestamp.","path": "janet.zip/janet.app/Contents/runtime/Contents/Home/bin/java",
"The executable does not have the hardened runtime enabled.","path": "janet.zip/janet.app/Contents/runtime/Contents/Home/bin/java",
"The binary is not signed.","path": "janet.zip/janet.app/Contents/runtime/Contents/Home/bin/keytool",
"The signature does not include a secure timestamp.","path": "janet.zip/janet.app/Contents/runtime/Contents/Home/bin/keytool",
"The executable does not have the hardened runtime enabled.","path": "janet.zip/janet.app/Contents/runtime/Contents/Home/bin/keytool",
"The binary is not signed.","path": "janet.zip/janet.app/Contents/runtime/Contents/Home/lib/jspawnhelper",
"The signature does not include a secure timestamp.","path": "janet.zip/janet.app/Contents/runtime/Contents/Home/lib/jspawnhelper",
"The executable does not have the hardened runtime enabled.","path": "janet.zip/janet.app/Contents/runtime/Contents/Home/lib/jspawnhelper",

It looks like code signing in MacSigner 1.02 does not work as expected (for me) for files not related to my app.

 

[yo3ggx]

Hello Erel. Please provide a link to the old version (based on altool). I have the source code, but after compilation does not work on my Mac.
Thank you.

 

[yo3ggx]

Can be my issue related to this, which applies only to arm based Macs (M1, M2)?
https://stackoverflow.com/questions/75107171/issues-with-codesigning-and-notarization-for-mac-m1

Anyone with a M1 or M2 Mac able to use the new MacSigner tool successfully?

 

[Erel]

Hello Erel. Please provide a link to the old version (based on altool). I have the source code, but after compilation does not work on my Mac.
Thank you

The signed app is no longer available, but you should be able to run it as a jar with java.

 

[yo3ggx]

As I don't have the source code from MacSigner 1.01, I used 0.95.
I successfully notarize the app using that version.
No errors, so I suspect v1.02 (with notarytool) does not work on M1/M2 Macs.

Some links that may help others more experienced than me and with the same issue.
https://stackoverflow.com/questions/75614448/macos-codesignature-invalid-after-adding-entitlements
https://stackoverflow.com/questions/75107171/issues-with-codesigning-and-notarization-for-mac-m1

Hope the issue with MacSigner 1.02 will be solved until the deadline of Nov 1, 2023.