notarizing DMG fails

matthias_livecode_150811 at m-r-d.de matthias_livecode_150811 at m-r-d.de
Wed May 5 04:31:26 EDT 2021


Tiemo,

I think I found the solution. I tried it here myself and also got the error "this identity cannot be used for signing code" when using the Developer ID Installer certificate for signing the .pkg.
According to Apple (see point 2)
https://help.apple.com/xcode/mac/current/#/deve51ce7c3d

you have to use the tool productsign to sign the package installer. 

So the syntax is like this

productsign --sign <Your_Developer_Installer_ID> <Path_to_PKG> <Path_where_the_signed_PKG_shall_be_written>

Example
productsign --sign "Developer ID Installer: Matthias Rebbe (xxxxxxxx)" "/users/matthias/LC/builts/test/test.pkg" "/users/matthias/LC/builts/test/test_signed.pkg"

After successful signing I got these messages in Terminal

productsign: using timestamp authority for signature
productsign: signing product with identity "Developer ID Installer: Matthias Rebbe (xxxxxxxx)" from keychain /Users/matthias/Library/Keychains/login.keychain-db
productsign: adding certificate "Developer ID Certification Authority"
productsign: adding certificate "Apple Root CA"
productsign: Wrote signed product archive to /users/matthias/LC/builts/test/test_signed.pkg


Regards

-
Matthias Rebbe
Life Is Too Short For Boring Code
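
The certificate-to-tool mapping from this thread (codesign with the Developer ID Application identity for .app and .dmg, productsign with the Developer ID Installer identity for .pkg), as an added example that is not part of the original message. The function names and the two identity strings are placeholders, and the hardened-runtime option on the .app is an addition not discussed in the thread.

```shell
#!/bin/sh
# Added example: choose the signing tool and certificate type by artifact type,
# sign, then verify the result before it is uploaded for notarization.
# Both identities are placeholders; substitute the names shown in your keychain.
APP_ID="${APP_ID:-Developer ID Application: Example Name (TEAMID)}"
PKG_ID="${PKG_ID:-Developer ID Installer: Example Name (TEAMID)}"

# Print "<tool> <certificate type>" for a path; fail for anything else.
signing_plan() {
    case "$1" in
        *.app|*.app/) echo "codesign application" ;;
        *.dmg)        echo "codesign application" ;;
        *.pkg)        echo "productsign installer" ;;
        *)            echo "unsupported"; return 1 ;;
    esac
}

# productsign writes a new file instead of signing in place.
signed_pkg_path() {
    printf '%s\n' "${1%.pkg}_signed.pkg"
}

sign_artifact() {
    plan=$(signing_plan "$1") || { echo "unsupported artifact: $1" >&2; return 2; }
    case "$plan" in
        "productsign installer")
            out=$(signed_pkg_path "$1")
            productsign --sign "$PKG_ID" "$1" "$out" &&
            pkgutil --check-signature "$out" ;;   # confirms the .pkg really is signed
        "codesign application")
            opts=""
            # Hardened runtime applies to the .app, not to the disk image.
            case "$1" in *.app|*.app/) opts="--options runtime" ;; esac
            # $opts is intentionally unquoted so it splits into two words.
            codesign --force --timestamp $opts --sign "$APP_ID" "$1" &&
            codesign --verify --verbose "$1" ;;
    esac
}

# Sign the paths given on the command line, in the order .app, .pkg, .dmg.
for artifact in "$@"; do
    sign_artifact "$artifact" || exit 1
done
```

The .dmg must be built from the signed package (the `_signed.pkg` output), otherwise the unsigned original ends up inside the disk image.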

> On 05.05.2021 at 09:35, matthias rebbe via use-livecode <use-livecode at lists.runrev.com> wrote:
> 
> Tiemo, 
> 
> .app -> Developer ID Application
> .pkg -> Developer ID Installer
> .dmg -> Developer ID Application
> 
> 
> 
> -
> Matthias Rebbe
> Life Is Too Short For Boring Code
> 
>> On 05.05.2021 at 08:56, Tiemo via use-livecode <use-livecode at lists.runrev.com> wrote:
>> 
>> Hi Panos,
>> thanks for jumping in
>> 
>> I am on macOS 11.2.3 and created the certificates pretty freshly two weeks ago.
>> Xcode-select -p doesn't return any version# at all, it just returns a path: "/Applications/Xcode.app/Content/Developer/"
>> Xcodebuild -version shows Xcode 12.5 build 12E262
>> I now (re-?)installed the command line tools by xcode-select --install
>> But xcode-select -p still doesn't show any version# ???
>> I now downloaded the Apple Worldwide Developer Relations Intermediate Certificate. Actually I am not sure if it was there before (I didn't check it before)
>> 
>> I will later test again from scratch
>> 
>> But I am still unsure if I may use the "Developer ID Application" certificate also for the pkg and dmg or if I have to use the "Developer ID Installer" certificate for the pkg and dmg?
>> 
>> Thanks
>> 
>> Tiemo
>> 
>> 
>> 
>> -----Original Message-----
>> From: use-livecode <use-livecode-bounces at lists.runrev.com> On Behalf Of panagiotis merakos via use-livecode
>> Sent: Tuesday, 4 May 2021 18:19
>> To: How to use LiveCode <use-livecode at lists.runrev.com>
>> Cc: panagiotis merakos <merakosp at gmail.com>
>> Subject: Re: notarizing DMG fails
>> 
>> Hello Tiemo,
>> 
>> When did you create these certificates? And what is your MacOS version, and the Xcode version returned if you type "xcode-select -p" in a Terminal? I am wondering if you need to install the new Apple Worldwide Developer Relations Intermediate Certificate:
>> 
>> https://developer.apple.com/support/wwdr-intermediate-certificate/
>> 
>> You can find it here:
>> 
>> https://developer.apple.com/support/expiration/
>> 
>> Kind regards,
>> Panos
>> --
>> 
>> On Tue, 4 May 2021 at 19:02, Tiemo via use-livecode < use-livecode at lists.runrev.com> wrote:
>> 
>>> Hi Matthias,
>>> 
>>> still struggling ...
>>> 
>>> I have two developer certificates in my keychain:
>>> Developer ID Installer : <my ID>
>>> Developer ID Application: <my ID>
>>> 
>>> Using the Application certificate on the app and pkg and dmg, all 
>>> codesigning is fine, even when verifying it, but I get the "The binary 
>>> is not signed" error in the notarization log, when notarizing the dmg ???
>>> Using the Installer certificate on the pkg, I already get the error 
>>> when codesigning the pkg "this identity cannot be used for signing code" ???
>>> 
>>> All errors are the same, either using the tool "Packages" or creating 
>>> the package on command line by pkgbuild (productbuild is only for 
>>> building appStore apps, as far as I see it)
>>> 
>>> I must be missing something obvious
>>> 
>>> Any other ideas?
>>> Tiemo
>>> 
>>> 
>>> -----Original Message-----
>>> From: use-livecode <use-livecode-bounces at lists.runrev.com> On Behalf 
>>> Of matthias rebbe via use-livecode
>>> Sent: Tuesday, 4 May 2021 13:49
>>> To: How to use LiveCode <use-livecode at lists.runrev.com>
>>> Cc: matthias_livecode_150811 at m-r-d.de
>>> Subject: Re: notarizing DMG fails
>>> 
>>> Tiemo,
>>> 
>>> you can create 2 different installer certificates in your Apple 
>>> developer account.
>>> One is called 'Mac Installer Distribution' and is used for code 
>>> signing installers for the Mac App Store.
>>> The other one is called 'Developer ID Installer' and is used to code 
>>> sign your Installer Package for distribution outside of the Mac App 
>>> Store
>>> 
>>> Which one did you use for signing the packager?
>>> 
>>> And another question, how did you build the package? Did you use a 3rd 
>>> party tool or did you use 'productbuild' in Terminal?
>>> If you used a 3rd party tool, then could you please try to create the 
>>> package installer using terminal command?
>>> 
>>> productbuild --sign <Developer ID Installer signing identity> 
>>> --component <path_to_your_App> /Applications <path_of_the_packager>
>>> 
>>> example
>>> productbuild --sign "Developer ID Installer: Matthias Rebbe 
>>> (xxxxxxxxxxxxx)" --component "/users/matthias/LC/builts/test/test.app"
>>> /Applications "/users/matthias/downloads/MyPackager.pkg"
>>> 
>>> 
>>> But maybe it was just the wrong installer certificate
>>> 
>>> Regards
>>> Matthias
>>> 
>>> 
>>> -
>>> Matthias Rebbe
>>> Life Is Too Short For Boring Code
>>> 
>>>> On 04.05.2021 at 12:08, Tiemo via use-livecode <
>>> use-livecode at lists.runrev.com> wrote:
>>>> 
>>>> Hi Matthias,
>>>> 
>>>> thank you for your ideas. I tried both.
>>>> 
>>>> When using just signed, but not notarized apps, packing, signing the 
>>>> pkg, wrapping into dmg, signing the dmg, I get the same error when 
>>>> notarizing the dmg "The binary is not signed"
>>>> 
>>>> When trying to notarize the signed pkg via terminal I get the error:
>>>> "unable to  notarize app"
>>>> "Upload succeeded but did not receive a RequestedUUID. Unable to 
>>>> upload your app for notarization (-1018)"
>>>> 
>>>> I also tried to use the "Installer" certificate instead of the
>>> "Application"
>>>> certificate, but trying this with codesigning the package, I get the 
>>>> error "this identity cannot be used"
>>>> (actually I don't know for what purposes you can use the Installer
>>>> certificate)
>>>> 
>>>> 
>>>> Codesigning and notarizing the apps works fine ...
>>>> 
>>>> Perhaps I'll look for another packager and go testing with another
>>> packager.
>>>> 
>>>> Any other ideas?
>>>> Tiemo
>>>> 
>>>> 
>>>> -----Original Message-----
>>>> From: use-livecode <use-livecode-bounces at lists.runrev.com> On Behalf 
>>>> Of matthias rebbe via use-livecode
>>>> Sent: Tuesday, 4 May 2021 10:34
>>>> To: How to use LiveCode <use-livecode at lists.runrev.com>
>>>> Cc: matthias_livecode_150811 at m-r-d.de
>>>> Subject: Re: notarizing DMG fails
>>>> 
>>>> Hi Tiemo,
>>>> 
>>>> but you did not create a .pkg from a notarized app, did you?
>>>> 
>>>> You have to create and code sign a .pkg from the code signed, but 
>>>> not notarized, .app  and then you have to notarize only the .pkg or 
>>>> the code signed .dmg, if you want to distribute as .dmg.
>>>> So the steps are
>>>> 
>>>> 1. code sign your .app - do not notarize it!
>>>> 2. create a .pkg from the .app and code sign it
>>>> 3. if you want to distribute as dmg, create .dmg with the .pkg and code sign the .dmg
>>>> 4. notarize the .pkg (or the .dmg)
>>>> 
>>>> The staple process then writes the needed information to the .dmg, 
>>>> to the containing .pkg and the .app.
>>>> 
>>>> If these are the steps you've done already, then could you please 
>>>> try the following using the helper stack
>>>> 
>>>> 1. code sign .app
>>>> 2. notarize the .app using the '.zip method'
>>>> 
>>>> Is this successful? Then the problem does not rely on your .app.
>>>> In this case please repeat and code sign the .app using the helper 
>>>> stack and use the .dmg method
>>>> 
>>>> Is this successful? If so, then also the .dmg is fine
>>>> 
>>>> Repeat now manually, as .pkg is not supported by the helper stack.
>>>> 
>>>> 1. code sign .app
>>>> 2. create .pkg
>>>> 3. code sign .pkg
>>>> 4. notarize .pkg
>>>> 
>>>> Is this successful?
>>>> 
>>>> Regards,
>>>> 
>>>> Matthias
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>>> -
>>>> Matthias Rebbe
>>>> Life Is Too Short For Boring Code
>>>> 
>>>>> On 04.05.2021 at 09:47, Tiemo via use-livecode
>>>> <use-livecode at lists.runrev.com> wrote:
>>>>> 
>>>>> Hello,
>>>>> 
>>>>> 
>>>>> 
>>>>> I have signed and notarized several apps with Matthias' tool - 
>>>>> successful
>>>>> 
>>>>> Then I packaged these apps with Packages and signed the package 
>>>>> via terminal - successful
>>>>> 
>>>>> Then I put the pkg into a dmg via DMG canvas and signed the dmg 
>>>>> via terminal - successful
>>>>> 
>>>>> Then I uploaded the dmg for notarization via terminal. The upload 
>>>>> was successful, but the email from apple told me, that the upload 
>>>>> was not notarized and the logfile tells me:
>>>>> 
>>>>> 
>>>>> 
>>>>> Severity: Error
>>>>> 
>>>>> Path: "DGSlern_Update_1.0.0.4.dmg/DGS Lernprogramm 1.0.0.4 Update .pkg"
>>>>> 
>>>>> Message: The binary is not signed
>>>>> 
>>>>> 
>>>>> 
>>>>> This is a bit irritating. Has anybody anytime encountered such 
>>>>> conflicting messages?
>>>>> 
>>>>> Any idea, where to look for?
>>>>> 
>>>>> Thanks
>>>>> 
>>>>> Tiemo
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> _______________________________________________
>>>>> use-livecode mailing list
>>>>> use-livecode at lists.runrev.com
>>>>> Please visit this url to subscribe, unsubscribe and manage your
>>>> subscription preferences:
>>>>> http://lists.runrev.com/mailman/listinfo/use-livecode




