HOWTO macOS notarization (plugins, app, pkg installers)

DSP, Plugin and Host development discussion.

Post

daniel_noiseash wrote: Fri Sep 20, 2019 4:22 pm Today I rebuilt Packages installer. Signed, Notarized and retried timestamp. This time I saw successful message in Terminal after timestamp attempt (yesterday there was no message after timestamp attempt).
Perhaps you got lucky or Apple changed something on their side. I was never able to timestamp a pkg signed with Packages 1.2.6.

Post

discoDSP wrote: Fri Sep 20, 2019 4:53 pm
daniel_noiseash wrote: Fri Sep 20, 2019 4:22 pm Today I rebuilt Packages installer. Signed, Notarized and retried timestamp. This time I saw successful message in Terminal after timestamp attempt (yesterday there was no message after timestamp attempt).
Perhaps you got lucky or Apple changed something on their side. I was never able to timestamp a pkg signed with Packages 1.2.6.
I think Apple changed something, did you try again lately?
Last edited by daniel_noiseash on Fri Sep 20, 2019 7:10 pm, edited 1 time in total.

Post

BlueprintInc wrote: Fri Sep 20, 2019 4:37 pm So I may need to upload a multiple gigabyte big app every time to notarize it? That's really hilarious :D
Absolutely :D :pray:

Post

daniel_noiseash wrote: Fri Sep 20, 2019 7:06 pm I think Apple changed something, did you try again lately?
No, I just signed the pkg via productsign and haven't made any test. I'll wait until Packages 1.2.7 which hopefully is going to be released in 1-2 weeks.
BlueprintInc wrote: Fri Sep 20, 2019 4:37 pm So I may need to upload a multiple gigabyte big app every time to notarize it? That's really hilarious :D
There are ways to circumvent that. For example, downloading the content via plugin once it's installed, using a https link for the data content, etc.

Post

I get "notarization is successful" mail from Apple.
Then I use Terminal for time stamp. I see this message in Terminal "The staple and validate action worked!"
But when I check the .pkg Notarization, it's been rejected.

Could that be about timestamp? Or what am I missing? (I am using Whitebox Packages 1.2.6)

Post

daniel_noiseash wrote: Thu Sep 26, 2019 8:32 pm I get "notarization is successful" mail from Apple.
Then I use Terminal for time stamp. I see this message in Terminal "The staple and validate action worked!"
But when I check the .pkg Notarization, it's been rejected.

Could that be about timestamp? Or what am I missing? (I am using Whitebox Packages 1.2.6)
Check the log, basically it is a JSON reporting all issues.
You need timestamp, you need to remove the debug entitlement

Post

I had issues with code signed PKG installers using Packages 1.2.6. After the developer himself told me secure time stamp isn't supported until 1.2.7 (which should be released this month) I used productsign and voilà, everything got fixed.

Post

Hi, I have managed to notarize one .pkg thanks to your tutorial :)
I am now thinking how to automate this task in the whole build process without losing too much time. Because waiting for Apple's response for each product takes a lot of time. Has someone already thought about this problem?

Post

Glad to be of help :) One issue is the notarization time after uploading to Apple's servers may vary depending on the binaries' size and the measurement for a timer is complex. There is also a validation check that could be run on a periodic basis but I can't think about an ideal solution right now.

Post

Zaphod (giancarlo) wrote: Thu Sep 26, 2019 11:12 pm
daniel_noiseash wrote: Thu Sep 26, 2019 8:32 pm I get "notarization is successful" mail from Apple.
Then I use Terminal for time stamp. I see this message in Terminal "The staple and validate action worked!"
But when I check the .pkg Notarization, it's been rejected.

Could that be about timestamp? Or what am I missing? (I am using Whitebox Packages 1.2.6)
Check the log, basically it is a JSON reporting all issues.
You need timestamp, you need to remove the debug entitlement
I checked the log, it says that

Code:

assessment denied for Installer_v1.2.7.pkg
com.apple.message.domain: com.apple.security.assessment.outcome2
com.apple.message.signature2: bundle:UNBUNDLED
com.apple.message.signature3: Installer_v1.2.7.pkg
com.apple.message.signature5: UNKNOWN
com.apple.message.signature4: 2
com.apple.message.signature: denied:Notarized Developer ID

Post

yannb wrote: Thu Oct 03, 2019 12:34 pm Hi, I have managed to notarize one .pkg thanks to your tutorial :)
I am now thinking how to automate this task in the whole build process without losing too much time. Because waiting for Apple's response for each product takes a lot of time. Has someone already thought about this problem?
Which packaging tool are you using? I am using Whitebox Packages. The Apple email says that notarization is successful but when I check it, notarization is being rejected.

@discoDSP have you managed to notarize and verify successfully with Whitebox Packages? I am using productsign.

Post

daniel_noiseash wrote: Fri Oct 04, 2019 6:53 pm
yannb wrote: Thu Oct 03, 2019 12:34 pm Hi, I have managed to notarize one .pkg thanks to your tutorial :)
I am now thinking how to automate this task in the whole build process without losing too much time. Because waiting for Apple's response for each product takes a lot of time. Has someone already thought about this problem?
Which packaging tool are you using? I am using Whitebox Packages. The Apple email says that notarization is successful but when I check it, notarization is being rejected.

@discoDSP have you managed to notarize and verify successfully with Whitebox Packages? I am using productsign.
If you look thru the forum for recent posts about notarizing, you will see that you are best waiting for WhiteBox Packages v 1.2.7
VST/AU Developer for Hire

Post

Lind0n wrote: Sat Oct 05, 2019 9:15 am If you look thru the forum for recent posts about notarizing, you will see that you are best waiting for WhiteBox Packages v 1.2.7
I answered him via PM. Right now a good choice is building PKG with WhiteBox Packages 1.2.6 without digital signing and after that apply the signature with productsign as described at OP. They should be notarized correctly.

Post

Lind0n wrote: Sat Oct 05, 2019 9:15 am
daniel_noiseash wrote: Fri Oct 04, 2019 6:53 pm
yannb wrote: Thu Oct 03, 2019 12:34 pm Hi, I have managed to notarize one .pkg thanks to your tutorial :)
I am now thinking how to automate this task in the whole build process without losing too much time. Because waiting for Apple's response for each product takes a lot of time. Has someone already thought about this problem?
Which packaging tool are you using? I am using Whitebox Packages. The Apple email says that notarization is successful but when I check it, notarization is being rejected.

@discoDSP have you managed to notarize and verify successfully with Whitebox Packages? I am using productsign.
If you look thru the forum for recent posts about notarizing, you will see that you are best waiting for WhiteBox Packages v 1.2.7
Yeah I know it is possible with version 1.2.6 because some people notarized successfully like George. If you look thru you can see it :)

Post

discoDSP wrote: Sat Oct 05, 2019 9:46 am
Lind0n wrote: Sat Oct 05, 2019 9:15 am If you look thru the forum for recent posts about notarizing, you will see that you are best waiting for WhiteBox Packages v 1.2.7
I answered him via PM. Right now a good choice is building PKG with WhiteBox Packages 1.2.6 without digital signing and after that apply the signature with productsign as described at OP. They should be notarized correctly.

I am following this procedure, am I missing something?
  • Sign the plugins with codesign
  • Build the .pkg without digital signing
  • Signing the .pkg

    Code:

    productsign --sign "Developer ID Installer: XXXXXXX" "/Volumes/Data/Installer v1.1.0.pkg" "/Volumes/Data/Signed/Installer v1.1.0.pkg"
  • Notarization

    Code:

    xcrun altool --notarize-app -f "/Volumes/Data/Signed/Installer v1.1.0.pkg" --primary-bundle-id com.xxxxinstaller.pkg --username "xxxx" --password "xxxx"
  • After a couple of minutes, I get "Notarization is successful" mail from Apple
  • Time Staple - The staple and validate action worked!

    Code:

    xcrun stapler staple "/Volumes/Data/Signed/Installer v1.1.0.pkg"
  • Till now I don't get any error message from any of these process
  • Now it's time for checking - Code Sign Check - it is successful - Status: signed by a certificate trusted by Mac OS X

    Code:

    pkgutil --check-signature "/Volumes/Data/Signed/Installer v1.1.0.pkg"
  • But when it comes Notarization check - Rejected!

    Code:

    spctl -a -vvv -t install "/Volumes/Data/Signed/Installer v1.1.0.pkg"
I really can't figure out why it says "rejected" at the end :/
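
The manual sequence in the post above, combined with the status polling asked about earlier in the thread, as an added example (not code from any poster or from Apple). The function names are hypothetical and the parsing assumes altool's 2019-era plain-text output (`RequestUUID = ...`, `Status: in progress|success|invalid`).

```bash
#!/bin/bash
# Added example: automates the thread's sign -> notarize -> staple -> assess steps.
# The altool text layout parsed here is an assumption about its 2019-era output.
# Pass the password as "@keychain:ITEM" or "@env:VAR" so the secret itself
# never appears on the command line.

# Extract the RequestUUID from `altool --notarize-app` output.
request_uuid_from() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*RequestUUID[[:space:]]*[=:][[:space:]]*//p' | head -n 1
}

# Extract the Status field from `altool --notarization-info` output.
status_from() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Status:[[:space:]]*//p' | head -n 1
}

# Poll until Apple reports a final status.
# Args: uuid user password [interval seconds] [max tries]
# Returns 0 on success, 1 on rejection, 2 on timeout.
wait_for_notarization() {
    uuid=$1; user=$2; pass=$3; interval=${4:-60}; tries=${5:-60}
    while [ "$tries" -gt 0 ]; do
        info=$(xcrun altool --notarization-info "$uuid" --username "$user" --password "$pass" 2>&1)
        case "$(status_from "$info")" in
            success) return 0 ;;
            invalid) printf '%s\n' "$info" >&2; return 1 ;;
        esac
        tries=$((tries - 1))
        sleep "$interval"
    done
    return 2
}

# Full pipeline for one unsigned .pkg; every argument is a placeholder.
notarize_pkg() {
    unsigned=$1; signed=$2; identity=$3; bundle_id=$4; user=$5; pass=$6
    productsign --sign "$identity" "$unsigned" "$signed" || return 1
    out=$(xcrun altool --notarize-app -f "$signed" --primary-bundle-id "$bundle_id" \
        --username "$user" --password "$pass" 2>&1) || { printf '%s\n' "$out" >&2; return 1; }
    uuid=$(request_uuid_from "$out")
    [ -n "$uuid" ] || { echo "no RequestUUID in altool output" >&2; return 1; }
    wait_for_notarization "$uuid" "$user" "$pass" || return 1
    xcrun stapler staple "$signed" || return 1
    pkgutil --check-signature "$signed" && spctl -a -vvv -t install "$signed"
}
```

`notarize_pkg` returns the exit status of the final `spctl` assessment, so a build script fails when Gatekeeper rejects the stapled package even though every earlier step succeeded. altool's notarization commands were later replaced by `xcrun notarytool`, whose `submit --wait` removes the need for the polling loop.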
