2

I have developed an application for macOS. I am including the notarization process as part of its distribution. I have followed all the steps and I have run:

```
xcrun altool --notarize-app --primary-bundle-id "${APP_BUNDLE_ID}" --username "${APPLE_DEV_ID}" --password "${DEV_APP_SPECIFIC_PASSWORD}" --file "${DMG_PATH}"
```

Then I check notarization progress using:

```
xcrun altool --notarization-info "${notarize_uuid}" -u "${APPLE_DEV_ID}" -p "${DEV_APP_SPECIFIC_PASSWORD}"
```

Output of it is:

```
RequestUUID: =<Request>
      Date: 2019-05-26 09:40:34 +0000
    Status: success
    LogFileURL: <Log file>
    Status Code: 0
    Status Message: Package Approved =~ success ]]
```

Then I launch the staple command:

```
xcrun stapler staple -v <dmg file>
```

It also ends with success:

```
The staple and validate action worked!
```

However, when I extract the .app file and run:

```
spctl --assess --verbose ./macos/MyApp.app
./macos/MyApp.app/: accepted
```

According to the docs I have read it should say something like: “source=Notarized Developer ID”, right?

I am running this on macOS Mojave 10.14.5.

What am I missing??

Could someone help me?

Thanks in advance

RuLoViC

3 Answers

0

In case someone faces the same problem, I will post the solution to this:

First of all, you must staple the .app file, not the dmg. This means you must extract the binary and staple it.

Also, in order to check whether the application has been notarized, in

`System Preferences - Security and Privacy`

the option "Allow apps downloaded from:" must have the "Apple Store and identified developers" option checked.

Hope this helps

RuLoViC
  • I staple the dmg file and it always works fine and I get "source=Notarized Developer ID" – laocius May 31 '19 at 00:52
  • @laocius Are you getting the message "Apple checked it for malicious software and none was detected" on launching app? – Parag Bafna Jul 12 '19 at 05:40
  • @ParagBafna No, I am on Mojave 10.14.5, btw. – laocius Jul 12 '19 at 07:47
  • @laocius I followed all steps from [Customizing the Notarization Workflow](https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution/customizing_the_notarization_workflow#3087720). spctl command is showing "Notarized Developer ID" but I don't see new message from gatekeeper. I verified it on 10.15 – Parag Bafna Jul 12 '19 at 07:50
  • 1
    @ParagBafna So, you are on Catalina. That would explain it. I think Apple made notarization mandatory in Catalina. – laocius Jul 15 '19 at 00:20
0

Both the app and the dmg may be notarized and stapled, separately, one after the other. Try doing that and the error should go away.

Richard Barber
0

Short answer

It could be due to an RPATH referencing a path outside the App bundle. Removing this RPATH would resolve the issue.

Inspecting log files

You can find extra information about the rejection (after trying to launch the blocked app) in the Console.app. Note that you should open the Console.app, before trying to open your blocked app, otherwise not all messages may be logged. You should look for process XprotectService in the logs of your device (i.e. choose your device in the left side bar of the Console.app). If the RPATH is indeed the problem, you should find a record like this:

```
XprotectService: [com.apple.xprotect:xprotect] File /path/to/your/executable/or/library failed on rPathCmd /rpath/causing/the/problem (rpath resolved to: (path not found), bundleURL: /path/to/your/bundle.app)
```

Inspecting these log files may give you a key to solve other issues too.

Note that I received the following information from an Apple engineer:

Gatekeeper does not inform users via UI about the specifics of the error, though it is in the logs for developers to look at. The notarization process is purely about detecting malicious software and does not replicate Gatekeeper enforcement. You still need to get software notarized and test with Gatekeeper.

We are looking to provide better tooling for developers in the future to pre-flight some of these common errors.

Contact Apple

If you are not able to solve your issue with the above information, you may want to contact Apple itself using the Feedback Assistant. They do not respond very quickly (~1-2 weeks), but the answers are rather to the point.

m7913d
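A pre-flight check for the RPATH problem described in the last answer, as an added example that is not part of any answer above: it reads `otool -l` output and lists `LC_RPATH` entries that fall outside the bundle. The function names and the sample load commands are constructed for illustration, and treating `@`-relative and in-bundle absolute paths as acceptable is an assumption, not a documented Gatekeeper rule.

```shell
#!/bin/sh
# Added example: report LC_RPATH entries that point outside an app bundle.
# Real use on macOS (binary path is a placeholder):
#   otool -l MyApp.app/Contents/MacOS/MyApp | external_rpaths "$PWD/MyApp.app"

# external_rpaths BUNDLE_DIR  (reads `otool -l` output on stdin)
external_rpaths() {
    bundle=${1%/}                      # tolerate a trailing slash
    awk -v bundle="$bundle" '
        # Every load command has a "cmd" line; remember if it is LC_RPATH.
        $1 == "cmd" { in_rpath = ($2 == "LC_RPATH") }
        in_rpath && $1 == "path" {
            p = $0
            sub(/^[ \t]*path[ \t]+/, "", p)               # drop the key
            sub(/[ \t]+\(offset [0-9]+\)[ \t]*$/, "", p)  # drop the suffix
            # Assumption: @-relative entries follow the binary into the bundle.
            # "../" climbs are not resolved here and could still escape it.
            if (p ~ /^@(executable_path|loader_path|rpath)(\/|$)/) next
            # Assumption: absolute paths under the bundle root are in-bundle.
            if (index(p, bundle "/") == 1) next
            print p      # absolute or cwd-relative path outside the bundle
        }'
}

# Constructed sample of `otool -l` output (not taken from a real binary).
sample_otool_output() {
    cat <<'EOF'
Load command 12
          cmd LC_LOAD_DYLIB
      cmdsize 56
         name /usr/lib/libSystem.B.dylib (offset 24)
Load command 13
          cmd LC_RPATH
      cmdsize 48
         path @executable_path/../Frameworks (offset 12)
Load command 14
          cmd LC_RPATH
      cmdsize 40
         path /usr/local/opt/qt/lib (offset 12)
Load command 15
          cmd LC_RPATH
      cmdsize 64
         path /Applications/MyApp.app/Contents/Frameworks (offset 12)
EOF
}

sample_otool_output | external_rpaths /Applications/MyApp.app
# prints: /usr/local/opt/qt/lib
```

Run it against every executable and dylib in the bundle before submitting for notarization; any path it prints is a candidate for the `rPathCmd` failure shown in the XprotectService log line.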