Perhaps you got lucky or Apple changed something on their side. I was never able to timestamp a pkg signed with Packages 1.2.6.daniel_noiseash wrote: ↑Fri Sep 20, 2019 4:22 pm Today I rebuilt Packages installer. Signed, Notarized and retried timestamp. This time I saw successful message in Terminal after timestamp attempt (yesterday there was no message after timestamp attempt).
HOWTO macOS notarization (plugins, app, pkg installers)
-
- KVRAF
- Topic Starter
- 5428 posts since 18 Jul, 2002
-
daniel_noiseash daniel_noiseash https://www.kvraudio.com/forum/memberlist.php?mode=viewprofile&u=393709
- KVRer
- 16 posts since 13 Feb, 2017
I think Apple changed something, did you try again lately?discoDSP wrote: ↑Fri Sep 20, 2019 4:53 pmPerhaps you got lucky or Apple changed something on their side. I was never able to timestamp a pkg signed with Packages 1.2.6.daniel_noiseash wrote: ↑Fri Sep 20, 2019 4:22 pm Today I rebuilt Packages installer. Signed, Notarized and retried timestamp. This time I saw successful message in Terminal after timestamp attempt (yesterday there was no message after timestamp attempt).
Last edited by daniel_noiseash on Fri Sep 20, 2019 7:10 pm, edited 1 time in total.
-
daniel_noiseash daniel_noiseash https://www.kvraudio.com/forum/memberlist.php?mode=viewprofile&u=393709
- KVRer
- 16 posts since 13 Feb, 2017
AbsolutelyBlueprintInc wrote: ↑Fri Sep 20, 2019 4:37 pm So I may need to upload a multiple gigabyte big app everytime to notarize it? That's really hilarious
-
- KVRAF
- Topic Starter
- 5428 posts since 18 Jul, 2002
No, I just signed the pkg via productsign and haven't made any test. I'll wait until Packages 1.2.7 which hopefully is going to be released in 1-2 weeks.daniel_noiseash wrote: ↑Fri Sep 20, 2019 7:06 pm I think Apple changed something, did you try again lately?
There are ways to circumvent that. For example, downloading the content via plugin once it's installed, using a https link for the data content, etc.BlueprintInc wrote: ↑Fri Sep 20, 2019 4:37 pm So I may need to upload a multiple gigabyte big app everytime to notarize it? That's really hilarious
-
daniel_noiseash daniel_noiseash https://www.kvraudio.com/forum/memberlist.php?mode=viewprofile&u=393709
- KVRer
- 16 posts since 13 Feb, 2017
I get "notarization is successful" mail from Apple.
Then I useTerminal for time stamp. I see this message in Terminal "The staple and validate action worked!"
But when I check the .pkg Notarization, it's been rejected.
Could that be about timestamp? Or what am I missing? (I am using Whitebox Packages 1.2.6)
Then I useTerminal for time stamp. I see this message in Terminal "The staple and validate action worked!"
But when I check the .pkg Notarization, it's been rejected.
Could that be about timestamp? Or what am I missing? (I am using Whitebox Packages 1.2.6)
-
Zaphod (giancarlo) Zaphod (giancarlo) https://www.kvraudio.com/forum/memberlist.php?mode=viewprofile&u=111268
- KVRAF
- 2596 posts since 23 Jun, 2006
Check the log, basically it is a JSON reporting all issues.daniel_noiseash wrote: ↑Thu Sep 26, 2019 8:32 pm I get "notarization is successful" mail from Apple.
Then I useTerminal for time stamp. I see this message in Terminal "The staple and validate action worked!"
But when I check the .pkg Notarization, it's been rejected.
Could that be about timestamp? Or what am I missing? (I am using Whitebox Packages 1.2.6)
You need timestamp, you need to remove the debug entitlement
-
- KVRAF
- Topic Starter
- 5428 posts since 18 Jul, 2002
I had issues with code signed PKG installers using Packages 1.2.6. After the developer himself told me secure time stamp isn't supported until 1.2.7 (which should to be released this month) I used productsign and voilá, everything got fixed.
-
- KVRer
- 1 posts since 3 Oct, 2019
Hi, I have managed to notarize one .pkg thanks to your tutorial
I am now thinking how to automize this task in the whole build process without losing too much time. Because waiting for Apple's response for each product takes a lot of time. Has someone already thought about this problem ?
I am now thinking how to automize this task in the whole build process without losing too much time. Because waiting for Apple's response for each product takes a lot of time. Has someone already thought about this problem ?
-
- KVRAF
- Topic Starter
- 5428 posts since 18 Jul, 2002
Glad to be of help One issue is the notarization time after uploading to Apple's servers may vary depending of the binaries size and the measurement for a timer is complex. There is also a validation check that could be run on a periodic basics but I can't think about a ideal solution right now.
-
daniel_noiseash daniel_noiseash https://www.kvraudio.com/forum/memberlist.php?mode=viewprofile&u=393709
- KVRer
- 16 posts since 13 Feb, 2017
I checked the log, it says thatZaphod (giancarlo) wrote: ↑Thu Sep 26, 2019 11:12 pmCheck the log, basically it is a JSON reporting all issues.daniel_noiseash wrote: ↑Thu Sep 26, 2019 8:32 pm I get "notarization is successful" mail from Apple.
Then I useTerminal for time stamp. I see this message in Terminal "The staple and validate action worked!"
But when I check the .pkg Notarization, it's been rejected.
Could that be about timestamp? Or what am I missing? (I am using Whitebox Packages 1.2.6)
You need timestamp, you need to remove the debug entitlement
Code: Select all
assessment denied for Installer_v1.2.7.pkg
com.apple.message.domain: com.apple.security.assessment.outcome2
com.apple.message.signature2: bundle:UNBUNDLED
com.apple.message.signature3: Installer_v1.2.7.pkg
com.apple.message.signature5: UNKNOWN
com.apple.message.signature4: 2
com.apple.message.signature: denied:Notarized Developer ID
-
daniel_noiseash daniel_noiseash https://www.kvraudio.com/forum/memberlist.php?mode=viewprofile&u=393709
- KVRer
- 16 posts since 13 Feb, 2017
Which packaging tool are you using? I am using Whitebox Packages. The Apple email says that notarization is successful but when I check it, notarization is being rejected.yannb wrote: ↑Thu Oct 03, 2019 12:34 pm Hi, I have managed to notarize one .pkg thanks to your tutorial
I am now thinking how to automize this task in the whole build process without losing too much time. Because waiting for Apple's response for each product takes a lot of time. Has someone already thought about this problem ?
@discoDSP have you managed to notarize and verify successfully with Whitebox Packages? I an using productsign.
- KVRist
- 377 posts since 2 Feb, 2005 from UK
If you look thru the forum for recent posts about notarizing, you will see that you are best waiting for WhiteBox Packages v 1.2.7daniel_noiseash wrote: ↑Fri Oct 04, 2019 6:53 pmWhich packaging tool are you using? I am using Whitebox Packages. The Apple email says that notarization is successful but when I check it, notarization is being rejected.yannb wrote: ↑Thu Oct 03, 2019 12:34 pm Hi, I have managed to notarize one .pkg thanks to your tutorial
I am now thinking how to automize this task in the whole build process without losing too much time. Because waiting for Apple's response for each product takes a lot of time. Has someone already thought about this problem ?
@discoDSP have you managed to notarize and verify successfully with Whitebox Packages? I an using productsign.
VST/AU Developer for Hire
-
- KVRAF
- Topic Starter
- 5428 posts since 18 Jul, 2002
I answered him via PM. Right now a good choice is building PKG with WhiteBox Packages 1.2.6 without digital signing and after that apply the signature with productsign as described at OP. They should be notarized correctly.
-
daniel_noiseash daniel_noiseash https://www.kvraudio.com/forum/memberlist.php?mode=viewprofile&u=393709
- KVRer
- 16 posts since 13 Feb, 2017
Yeah I know it is possible with version 1.2.6 because some people notarized successfully like George. If you look thru you can see itLind0n wrote: ↑Sat Oct 05, 2019 9:15 amIf you look thru the forum for recent posts about notarizing, you will see that you are best waiting for WhiteBox Packages v 1.2.7daniel_noiseash wrote: ↑Fri Oct 04, 2019 6:53 pmWhich packaging tool are you using? I am using Whitebox Packages. The Apple email says that notarization is successful but when I check it, notarization is being rejected.yannb wrote: ↑Thu Oct 03, 2019 12:34 pm Hi, I have managed to notarize one .pkg thanks to your tutorial
I am now thinking how to automize this task in the whole build process without losing too much time. Because waiting for Apple's response for each product takes a lot of time. Has someone already thought about this problem ?
@discoDSP have you managed to notarize and verify successfully with Whitebox Packages? I an using productsign.
-
daniel_noiseash daniel_noiseash https://www.kvraudio.com/forum/memberlist.php?mode=viewprofile&u=393709
- KVRer
- 16 posts since 13 Feb, 2017
I am following this procedure, am I missing something?
- Sign the plugins with codesign
- Build the .pkg without digital signing
- Signing the .pkg
Code: Select all
productsign --sign "Developer ID Installer: XXXXXXX" "/Volumes/Data/Installer v1.1.0.pkg" "/Volumes/Data/Signed/Installer v1.1.0.pkg"
- Notarization
Code: Select all
xcrun altool --notarize-app -f "/Volumes/Data/Signed/Installer v1.1.0.pkg" --primary-bundle-id com.xxxxinstaller.pkg --username "xxxx" --password "xxxx"
- After a couple of minutes, I get "Notarization is successful" mail from Apple
- Time Staple - The staple and validate action worked!
Code: Select all
xcrun stapler staple "/Volumes/Data/Signed/Installer v1.1.0.pkg"
- Till now I don't get any error message from any of these process
- Now it's time for checking - Code Sign Check - it is successful - Status: signed by a certificate trusted by Mac OS X
Code: Select all
pkgutil --check-signature "/Volumes/Data/Signed/Installer v1.1.0.pkg"
- But when it comes Notarization check - Rejected!
Code: Select all
spctl -a -vvv -t install "/Volumes/Data/Signed/Installer v1.1.0.pkg"