Notarizing Issues (Are any items already signed before calling codesign?)

I tried notarizing a merged test app, without calling codesign.

The app should fail because nothing is signed. The app is built and then submitted. No code signing.

Notarization issues fall into 3 groups.

“A” group (expected)

This group has 2 messages for each issue path, which are:

“The binary is not signed.”
“The signature does not include a secure timestamp.”

“B” group (expected)

This group has 3 messages for each issue path, which are:

“The binary is not signed.”
“The signature does not include a secure timestamp.”
“The executable does not have the hardened runtime enabled.”

“C” group (unexpected)

This group has a single message, which is:

“The executable does not have the hardened runtime enabled.”

Group “C” implies that some content is already signed and timestamped, although I did no signing. Why?

There are 2 issue paths in the “C” group, which are:

“/Contents/MacOS/InstallTool.app/Contents/Library/LaunchServices/com.4D.Helper”
“/Contents/MacOS/InstallTool.app/Contents/MacOS/InstallTool”

QUESTIONS:

  1. Is “C” group already signed?
  2. Do I re-sign the items in “C”?
  3. Do I have to do anything to the items in “C” before re-signing them?

I don’t fully subscribe to your group descriptions, but to answer your questions:

  1. Is “C” group already signed?

yes they are signed by 4D, but they are missing the hardened runtime option.
any file can be signed, even non-executables,
but apps need to be signed with the hardened runtime option,
and optionally with entitlements.

  2. Do I (have to) re-sign the items in “C”?

yes.

  3. Do I have to (do) anything to the items in “C” before re-signing them?

you need to solve any issues that would prevent signing.
extended attributes (xattr -c),
old signatures (codesign --remove-signature), etc.

most importantly, you should avoid the --deep option
and “sign code inside out in individual stages”

https://developer.apple.com/library/archive/technotes/tn2206/_index.html

last but not least,

you can sign an app with a free Mac Developer certificate,
but notarisation requires you to use a $99/yr Developer ID certificate.

if you have a Developer ID certificate generated before the new rules,
notarisation is optional, which is why 4D can sign the app without the hardened runtime option.

for new Developer ID certificates, notarisation is not optional.

Hi Miyako,

Thanks for responding.

Keisuke MIYAKO:

I don’t fully subscribe to your group descriptions…

Could you elaborate?

I tried submitting for notarization an unsigned merged app to see what errors Apple reports in the “developer_log.json”.

Apple error messages appear to fall into 3 groups, which I labeled: “A”, “B” and “C”. The italicized text is the Apple error message verbatim.

Keisuke MIYAKO:

codesign --remove-signature

The “--remove-signature” operating option doesn’t seem to appear in codesign’s manual page.

Where do we find the documentation for “--remove-signature”?

Best regards,
Jeremy

--remove-signature has always been an unofficial option that everyone seems to know.
you are right, it is undocumented.

I do not dispute your explanation about the error messages returned from Apple.
I have confronted them myself so many times.

I just do not think there is merit in categorising the messages or trying to ascertain what they mean.
after all, notarisation is a 100% automated process.
if you digest the specification and fully meet their expectations, you get no errors.

otherwise, error messages may or may not be relevant to the reason why you failed.