Apple Gatekeeper notarised distributables

I used this with my generated password from their site:
security add-generic-password -a "my Apple ID" -w dcba-abcd-efgh-ijkl -s "DAVE_H_NOTARIZATION"
Which seemed to work OK, as I can see it in the keychain list as an "application password".
So far, so good.

I’m using it without quotes like
–password @keychain:DAVE_H_NOTARIZATION
Is that correct?

I’m still getting "Unable to validate your application. Your Apple ID or password was entered incorrectly"
And then after a couple of different attempts, it pauses for a while, then:
" Error: Unable to validate your application. This Apple ID has been locked for security reasons. Visit iForgot to reset your account (https://iForgot.appple.com)"
And now I have to change my password yet again! :rage: :face_with_symbols_over_mouth:

What the heck is going on!!!??? I’m getting somewhat stressed out now.

It also insisted I use a bundle identifier, which I guessed, but it didn’t complain about it! How do I find the actual bundle ID of a Packages pkg?
:roll_eyes:

This is the script I’m using to notarise and staple my installer (not built with Packages, but I’ve used the same script for my day job which is using a Packages based installer)

#!/bin/bash
# Usage: notarise.sh <signed.pkg> <primary-bundle-id>

USERNAME="<my apple id username>"
PASSWORD="<the generated password>"   # app-specific password, not the Apple ID password

PKG="$1"
BUNDLE_ID="$2"

echo "Submitting to Apple..."
xcrun altool --notarize-app -f "$PKG" --primary-bundle-id "$BUNDLE_ID" \
    --username "$USERNAME" --password "$PASSWORD" &> notarisation.result

# altool prints "RequestUUID = <uuid>" when the upload succeeded
ASSET_UUID=$(grep RequestUUID notarisation.result | cut -d" " -f 3)
if [ -z "$ASSET_UUID" ]; then
    echo "Upload failed, see notarisation.result" >&2
    exit 1
fi

echo -n "Checking result of notarisation.."

while true; do
    echo -n '.'
    # altool mixes stdout and stderr, so capture both before grepping
    STATUS=$(xcrun altool --notarization-info "$ASSET_UUID" --username "$USERNAME" --password "$PASSWORD" 2>&1)
    if echo "$STATUS" | grep -q "Package Approved"; then
        break
    fi
    # a rejected package never becomes "Package Approved"; stop instead of polling forever
    if echo "$STATUS" | grep -q "Package Invalid"; then
        echo
        echo "Notarisation rejected; read the LogFileURL in the output below" >&2
        echo "$STATUS" >&2
        exit 1
    fi
    sleep 30
done

echo
echo "Stapling package..."

xcrun stapler staple "$PKG"

I then call this script with 2 arguments, the first being the path to the signed .pkg, and the 2nd being com.mycompanyname.thepluginname, but that 2nd argument corresponds to nothing in any of the installers (either in the individual .pkg for each plugin target, nor in the overall installer), so I think it could even just be some nonsense like com.installer.package (although it should perhaps be unique for each product).

It’s not really best practice to have the password embedded in the script, however my reasoning for not bothering with the Keychain is that I can revoke the app-specific password should I ever end up in a situation where a third party manages to access my git repos.

The only things I can offer for the method you’re using at the moment are:
a) you showed -password @keychain:DAVE_H_NOTARIZATION, it should be --password, but I assume this is just a typo
b) perhaps the password should be wrapped in quotes when you do security add-generic-password -a "my Apple ID" -w "dcba-abcd-efgh-ijkl" -s "DAVE_H_NOTARIZATION"?

But honestly I’m not sure either of those are going to be much help.

Hope you get it working soon, it is quite a pain getting this right, took me almost a whole day before I finally nailed it. Feel free to use my script, it works great for me!

1 Like

I use a script heavily inspired by the version from @kunz above, which works very well for me…

Thank for the script @richie !

I’m compiling with 10.3 to target 10.8
I’m using Packages 1.2.7, which signs and date-stamps, apparently.

You really can’t remember what you call the bundle ID? So it doesn’t really matter?(!) I find that surprising.
Also it’s a little confusing that Apple refers to the Apple ID as a ‘user name’ in places. The keychain gives my full name in the list, which is different again. If I had a beard it’d be all pulled out by now! :smiley:
It’s late here and I need a beer! I’ll try your script tomorrow, thanks again for that.

Although I don’t know why I would need a script. WTF APPLE! :crazy_face:

The script is really just to automate the whole process, otherwise it’s a matter of doing the stuff in the while true loop manually, and it takes an indeterminate amount of time to complete the notarisation before you can staple.

In my individual .pkgs (for each build target) the identifier is com.bomshanka.pluginname.vst/vst3/au (which doesn’t match the identifier in Projucer, that doesn’t seem to be a problem though) and the overall installer package doesn’t actually have an identifier specified. I think from posts I’ve seen before on the topic that the --primary-bundle-id is only important if you’re notarising an application, but I may be wrong about that.

1 Like

Thank-you very much for the info, it’s a great help.
Come on Apple, there’s got to be a more civilised way of doing this virus scan? Surely.

It’s in their interest for people to put things through the App Store process, you should be grateful they’ve not banned pkg files entirely :wink:

From the Apple documentation it seems that a valid Developer ID is required to codesign plugins for notarisation. I just want to check here that it is indeed a requirement to join the Apple Developer Program to get a certificate that will work with notarisation.

Thanks

Yes, I think you’ll need a current ADP subscription to do the notarisation. I guess before it was possible to just sign up for a year and grab a certificate in order to codesign installers for the lifetime of the certificate (5 years), but now you’ll need an ongoing subscription to be able to notarise (which is separate to the code signing).

1 Like

Hmm, getting closer, errr, I think… I needed to remove the quotes from the password and user name. The mentioned script doesn’t work for me.
I’m using the file’s name as its bundle identifier, which was a mistake it seems:-

But I can’t get the bundle ID as it’s a Packages .pkg

It now complains:
1 package(s) were not uploaded because they had problems:
/var/folders/2n/3nfdy0452j9_clrcwyt8f5nh0000gn/T/5E77AA31-0C7B-4F85-BB6B-D63E5D42E918/Untitled.itmsp - Error Messages:
ERROR ITMS-4302: “The software asset has an invalid primary bundle identifier: ‘####_packages.pkg’” at SoftwareAssets/EnigmaSoftwareAsset
2020-01-09 21:37:40.298 altool[8600:126070] *** Error: ERROR ITMS-4302: “The software asset has an invalid primary bundle identifier: ‘####_packages.pkg’” at SoftwareAssets/EnigmaSoftwareAsset

I have no idea what “EnigmaSoftwareAsset” is! I thought Microsoft error codes were obscure.
Dave H.

Have you ensured your Bundle ID conforms to the formatting requirements? It is not typical to use a file name.

A bundle ID uniquely identifies a single app throughout the system. The bundle ID string must contain only alphanumeric characters (A-Z, a-z, 0-9), hyphen (-), and period (.). The string should be in reverse-DNS format. Bundle IDs are case sensitive.

The bundle ID can actually be anything. It’s just used to identify requests on your end I think.
IIRC I’ve just used the bundle IDs of the apps. E.g. com.myCompany.myApp
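A small check for the rules quoted above, added here as an example rather than code from anyone in the thread: it validates a candidate --primary-bundle-id and derives one from a pkg file name the way the scripts in this thread do with COMPANYID=com.mycompany.$1, but with the characters Apple rejects ('#', '_', spaces) removed first. The prefix com.mycompany and the file names are placeholders.

```shell
#!/bin/sh
# Added example (not code from the thread): check a --primary-bundle-id against
# Apple's rules before submitting, and derive one from a pkg file name.
# The prefix "com.mycompany" and the file names used below are placeholders.

# 0 if the string uses only A-Z a-z 0-9 '-' '.', has at least two dot-separated
# non-empty labels (reverse-DNS form) and no leading, trailing or double dots.
valid_bundle_id() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$'
}

# Print "<prefix>.<cleaned file name>" and return 0 only if the result is valid.
# Characters Apple rejects ('#', '_', spaces, ...) become hyphens; runs of
# hyphens are squeezed and leading/trailing hyphens dropped.
bundle_id_for_pkg() {   # bundle_id_for_pkg <prefix> <file.pkg>
    prefix=$1
    name=$(basename "$2")
    name=${name%.pkg}
    name=$(printf '%s' "$name" | sed 's/[^A-Za-z0-9.-]/-/g; s/--*/-/g; s/^-//; s/-$//')
    id="$prefix.$name"
    printf '%s\n' "$id"
    valid_bundle_id "$id"
}

# Demo on the names that came up in this thread
for candidate in com.myCompany.myApp '####_packages.pkg' MREV-MIX; do
    if valid_bundle_id "$candidate"; then
        echo "ok       $candidate"
    else
        echo "INVALID  $candidate"
    fi
done
bundle_id_for_pkg com.mycompany '####_packages.pkg'   # -> com.mycompany.packages
```

Note that a bare file name such as MREV-MIX fails not because of its characters but because it has a single label; ITMS-4302 above is the same check done server-side.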

Oops, never mind, tomorrow perhaps, thanks for the answers folks. I’ll get there eventually.

Hey @lalala

I have successfully notarised and run a staple command on my package which only contains a component and vst3 (for some reason I can’t seem to get the PACE AAX version to sign correctly for notarisation, but that is a separate issue). The problem is that I get a rejected response from the command you suggested, which is really confusing me. I thought that a successful notarisation of my package and included plugins meant that it should work. Anyway if anyone could shed some light that would be useful.

Also I don’t have Mojave or Catalina (I am worried some of my third party plugins will break). Would anybody be willing to verify that my package is notarized properly?

https://mogwaiaudiotools.com.au/wp-content/uploads/woocommerce_uploads/2020/01/Catalina/MREV-MIX.pkg

Thanks in Advance :slight_smile:

I just tried your pkg and it said it cannot be opened as it can’t be checked for malware. :slightly_frowning_face:

Thanks Dave
Will keep trying. I am trying to codesign the pkg file too - hopefully this works.

Made some progress - I worked out that you need to use productsign to sign a pkg file - see https://help.apple.com/xcode/mac/current/#/deve51ce7c3d?sub=dev8a32007db

productsign --sign "{your_identity}" original.pkg signed.pkg

Now I am trying to notarise this.
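An added example, not the poster’s own commands, that wraps the productsign step above together with the local checks that distinguish a notarized installer from a merely signed one before it is uploaded anywhere. The identity name is a placeholder, and the sample spctl output is constructed after the "<file>: accepted|rejected" and "source=..." lines spctl prints.

```shell
#!/bin/sh
# Added example (not the poster's script): sign a pkg with productsign, then
# run the checks that tell a notarized installer from a merely signed one.
# Identity name is a placeholder; the sample spctl output below is constructed.

# Requires a "Developer ID Installer" certificate; the Developer ID Application
# certificate used for the plug-ins inside the package will not sign a pkg.
sign_pkg() {   # sign_pkg <identity> <unsigned.pkg> <signed.pkg>
    productsign --sign "$1" "$2" "$3"
}

# Reduce `spctl --assess --type install -vv <pkg>` output (stdin) to one word.
assess_verdict() {
    out=$(cat)
    case "$out" in
        *": accepted"*"source=Notarized Developer ID"*) echo notarized ;;
        *": accepted"*) echo accepted ;;   # signed, but no notarization ticket seen
        *": rejected"*) echo rejected ;;
        *)              echo unknown ;;
    esac
}

# macOS only: signature, Gatekeeper assessment and stapled ticket in one go.
check_pkg() {   # check_pkg <signed.pkg>
    pkgutil --check-signature "$1" || return 1
    verdict=$(spctl --assess --type install -vv "$1" 2>&1 | assess_verdict)
    echo "gatekeeper: $verdict"
    [ "$verdict" = notarized ] || return 1
    xcrun stapler validate "$1"   # reports whether a ticket is stapled to the pkg
}

# Constructed samples, modelled on spctl's output format
SAMPLE_OK="MREV-MIX.pkg: accepted
source=Notarized Developer ID
origin=Developer ID Installer: Example Company (ABCDE12345)"
SAMPLE_BAD="MREV-MIX.pkg: rejected
source=Unnotarized Developer ID
origin=Developer ID Installer: Example Company (ABCDE12345)"

printf '%s\n' "$SAMPLE_OK"  | assess_verdict   # notarized
printf '%s\n' "$SAMPLE_BAD" | assess_verdict   # rejected
```

Run check_pkg on the stapled pkg from a machine that did not build it; a "rejected" verdict with "Unnotarized Developer ID" is what produces the "can’t be checked for malware" dialog mentioned above.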

Success! yes Yes YES!
I also did my own version of the above script for pkg files, with just one command parameter - the package name without the extension

    #!/bin/bash
    # For pkg files, use one parameter without the extension
    # Fill these 3 lines in...
    USERNAME="myemail@mycompany.com"     # Your standard Apple ID
    PASSWORD="xxxx-xxxx-xxxx-xxxx"       # app-specific password
    COMPANYID="com.mycompany.$1"         # Note the .$1 here adds the file's name to the bundle ID

    PKG="$1.pkg"

    printf "Submitting to Apple...\n\n"
    # Echo the command for reference, but never print the password
    printf '#xcrun altool --notarize-app -f "%s" --primary-bundle-id %s --username %s --password ****\n' \
        "$PKG" "$COMPANYID" "$USERNAME"

    xcrun altool --notarize-app -f "$PKG" --primary-bundle-id "$COMPANYID" --username "$USERNAME" --password "$PASSWORD" &> notarisation.result

    # altool prints "RequestUUID = <uuid>" when the upload succeeded
    ASSET_UUID=$(grep RequestUUID notarisation.result | cut -d" " -f 3)
    if [ -z "$ASSET_UUID" ]; then
        echo "Upload failed, see notarisation.result" >&2
        exit 1
    fi

    printf "\n\nChecking result of notarisation.."

    while true; do
        echo -n '.'
        # altool mixes stdout and stderr, so capture both before grepping
        STATUS=$(xcrun altool --notarization-info "$ASSET_UUID" --username "$USERNAME" --password "$PASSWORD" 2>&1)
        if echo "$STATUS" | grep -q "Package Approved"; then
            break
        fi
        # a rejected package never becomes "Package Approved"; stop instead of polling forever
        if echo "$STATUS" | grep -q "Package Invalid"; then
            printf "\nNotarisation rejected; read the LogFileURL in the output below\n" >&2
            echo "$STATUS" >&2
            exit 1
        fi
        sleep 30
    done

    printf "\nStapling package...\n"

    xcrun stapler staple "$PKG"

I hope it helps someone.
Dave

5 Likes
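Both scripts in this thread (kunz’s two-argument version and Dave’s one-argument version) rely on the same two pieces of logic: pulling the RequestUUID out of the upload output and polling --notarization-info until the status changes. The block below is an added example, not code from either poster, that isolates those pieces into functions so they can be exercised on saved altool output without contacting Apple, and it treats "Package Invalid" as a terminal state instead of polling forever. The sample text is constructed after the "RequestUUID = ..." and "Status Message: ..." lines altool prints, the UUID is made up, and USERNAME and KEYCHAIN_ITEM are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: the UUID extraction and polling loop
# the scripts above rely on, as functions testable on saved altool output.
# SAMPLE_UPLOAD is constructed; USERNAME and KEYCHAIN_ITEM are placeholders
# (the @keychain: form goes with the double-dash --password option).

SAMPLE_UPLOAD="No errors uploading 'MREV-MIX.pkg'.
RequestUUID = 1c2f7a3e-9b1d-4e0a-8f6c-2d5e7a9b1c3d"

# Pull the request UUID out of `altool --notarize-app` output (stdin).
# Prints nothing if the upload failed, so the caller can stop instead of
# polling an empty UUID forever.
request_uuid() {
    awk '/RequestUUID/ { print $3; exit }'
}

# Reduce `altool --notarization-info` output (stdin) to one word.
notarization_state() {
    out=$(cat)
    case "$out" in
        *"Package Approved"*) echo approved ;;
        *"Package Invalid"*)  echo invalid ;;   # the original loops forever here
        *)                    echo pending ;;
    esac
}

# Real fetcher (macOS only). altool mixes stdout and stderr, so keep both.
altool_info() {
    xcrun altool --notarization-info "$1" \
        --username "$USERNAME" --password "@keychain:$KEYCHAIN_ITEM" 2>&1
}

# Poll with <fetch> every <interval> seconds until approved (0) or invalid (1).
wait_for_notarization() {   # wait_for_notarization <uuid> <interval> <fetch>
    while :; do
        state=$("$3" "$1" | notarization_state)
        case "$state" in
            approved) echo; return 0 ;;
            invalid)  echo; echo "rejected: fetch the LogFileURL from the notarization-info output" >&2; return 1 ;;
        esac
        printf '.'
        sleep "$2"
    done
}

# Stand-in fetcher for the demo: reports "in progress" twice, then approved.
# State lives in a file because the fetcher runs inside a command substitution.
COUNTER=$(mktemp)
demo_fetch() {
    n=$(cat "$COUNTER")
    echo $((n + 1)) > "$COUNTER"
    if [ "$n" -lt 2 ]; then
        echo "Status: in progress"
    else
        echo "Status Message: Package Approved"
    fi
}
echo 0 > "$COUNTER"

UUID=$(printf '%s\n' "$SAMPLE_UPLOAD" | request_uuid)
[ -n "$UUID" ] || { echo "upload failed" >&2; exit 1; }
echo "polling $UUID"
wait_for_notarization "$UUID" 0 demo_fetch && echo "approved, now run: xcrun stapler staple MREV-MIX.pkg"
rm -f "$COUNTER"
```

In real use replace demo_fetch with altool_info and the interval with 30; the return code of wait_for_notarization then decides whether stapler runs at all.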

As we are now past the middle of January - has anything changed to the Notarization requirements? Are we now required to use the Catalina sdk?
I’m one step away from finally switching to Catalina and Xcode 10, but would rather know exactly what I’m going into before going there.

Do any of you now ship notarized installers? Have you gotten feedback from customers? Personally - from several thousand customers I received one message asking me for a Catalina compatible installer. Not sure that’s enough to annoy all the guys who still want 32 bit compatibility. For some reason I seem to have an extraordinary high number of users running outdated OSes :face_with_raised_eyebrow:.

Do any of you ship notarized installers containing 32 bit versions of your plugins? How’s your build process to achieve that?

Where I work, we are notarizing software that is built with the 10.11 SDK, manually installed inside of Xcode 10.1, on macOS 10.13.6. We don’t get any warning (or error) in the notarization log about using this SDK.

However, we don’t release any 32-bit software anymore.

1 Like