Unable to pass Apple notarization with .NET 6.0 executable


Problem

The .NET 6.0 executable file will not pass notarization. The remaining files are OK.

Setup

  • macOS Catalina: Version 10.15.7
  • dotnet --version: 6.0.100-rc.2.21505.57
  • The right certificate is available in keychain
  • Entitlement used to sign the executable:
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.cs.allow-jit</key><true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
    <key>com.apple.security.cs.disable-executable-page-protection</key><true/>
  </dict>
</plist>

Publish steps

dotnet restore -r osx.10.15-x64 DWGuru/src/DWGuru/DWGuru.csproj

Restored ***/DWGuru/src/ImGui.NET/ImGui.NET.csproj (in 252 ms).
Restored ***/DWGuru/src/DWGuru/DWGuru.csproj (in 870 ms).

dotnet msbuild -t:BundleApp -p:RuntimeIdentifier=osx.10.15-x64 -p:UseAppHost=true -p:PublishSingleFile=true -p:PublishReadyToRun=true -p:Configuration=Release DWGuru/src/DWGuru/DWGuru.csproj

Microsoft (R) Build Engine version 17.0.0-preview-21501-01+bbcce1dff for .NET
Copyright (C) Microsoft Corporation. All rights reserved.

  You are using a preview version of .NET. See: https://aka.ms/dotnet-core-preview
  You are using a preview version of .NET. See: https://aka.ms/dotnet-core-preview
  ImagesReferenceTracker ->***/DWGuru/bin/Release/ImagesReferenceTracker/net6.0/ImagesReferenceTracker.dll
  ImGui.NET -> ***/DWGuru/bin/Release/ImGui.NET/net6.0/ImGui.NET.dll
  DWGuru -> ***/DWGuru/bin/Release/DWGuru/net6.0/osx.10.15-x64/DWGuru.dll
  DWGuru -> ***/DWGuru/bin/Release/DWGuru/net6.0/osx.10.15-x64/publish/

cp -r DWGuru/bin/Release/DWGuru/net6.0/osx.10.15-x64/publish/DWGuru.app . succeeds

codesign DWGuru.app/Contents/MacOS/* --force --timestamp --sign *** --options=runtime --deep --no-strict --entitlements 'entitlements.plist'

DWGuru.app/Contents/MacOS/DWGuru: replacing existing signature
DWGuru.app/Contents/MacOS/DWGuru: signed app bundle with Mach-O thin (x86_64) [***]
DWGuru.app/Contents/MacOS/DWGuru.pdb: replacing existing signature
DWGuru.app/Contents/MacOS/DWGuru.pdb: signed generic [DWGuru]
DWGuru.app/Contents/MacOS/ImGui.NET.pdb: replacing existing signature
DWGuru.app/Contents/MacOS/ImGui.NET.pdb: signed generic [ImGui.NET]
DWGuru.app/Contents/MacOS/ImGui.NET.xml: replacing existing signature
DWGuru.app/Contents/MacOS/ImGui.NET.xml: signed generic [ImGui.NET]
DWGuru.app/Contents/MacOS/ImagesReferenceTracker.pdb: replacing existing signature
DWGuru.app/Contents/MacOS/ImagesReferenceTracker.pdb: signed generic [ImagesReferenceTracker]
DWGuru.app/Contents/MacOS/System.Globalization.Native.dylib: replacing existing signature
DWGuru.app/Contents/MacOS/System.Globalization.Native.dylib: signed Mach-O thin (x86_64) [System.Globalization.Native]
DWGuru.app/Contents/MacOS/System.IO.Compression.Native.dylib: replacing existing signature
DWGuru.app/Contents/MacOS/System.IO.Compression.Native.dylib: signed Mach-O thin (x86_64) [System.IO.Compression.Native]
DWGuru.app/Contents/MacOS/System.Native.a: replacing existing signature
DWGuru.app/Contents/MacOS/System.Native.a: signed generic [System.Native]
DWGuru.app/Contents/MacOS/System.Native.dylib: replacing existing signature
DWGuru.app/Contents/MacOS/System.Native.dylib: signed Mach-O thin (x86_64) [System.Native]
DWGuru.app/Contents/MacOS/System.Net.Http.Native.dylib: replacing existing signature
DWGuru.app/Contents/MacOS/System.Net.Http.Native.dylib: signed Mach-O thin (x86_64) [System.Net.Http.Native]
DWGuru.app/Contents/MacOS/System.Net.Security.Native.dylib: replacing existing signature
DWGuru.app/Contents/MacOS/System.Net.Security.Native.dylib: signed Mach-O thin (x86_64) [System.Net.Security.Native]
DWGuru.app/Contents/MacOS/System.Security.Cryptography.Native.Apple.dylib: replacing existing signature
DWGuru.app/Contents/MacOS/System.Security.Cryptography.Native.Apple.dylib: signed Mach-O thin (x86_64) [System.Security.Cryptography.Native.Apple]
DWGuru.app/Contents/MacOS/System.Security.Cryptography.Native.OpenSsl.dylib: replacing existing signature
DWGuru.app/Contents/MacOS/System.Security.Cryptography.Native.OpenSsl.dylib: signed Mach-O thin (x86_64) [System.Security.Cryptography.Native.OpenSsl]
DWGuru.app/Contents/MacOS/cimgui.dll: replacing existing signature
DWGuru.app/Contents/MacOS/cimgui.dll: signed generic [cimgui]
DWGuru.app/Contents/MacOS/cimgui.dylib: replacing existing signature
DWGuru.app/Contents/MacOS/cimgui.dylib: signed Mach-O thin (x86_64) [cimgui]
DWGuru.app/Contents/MacOS/cimgui.so: replacing existing signature
DWGuru.app/Contents/MacOS/cimgui.so: signed generic [cimgui]
DWGuru.app/Contents/MacOS/dotnet: replacing existing signature
DWGuru.app/Contents/MacOS/dotnet: signed Mach-O thin (x86_64) [dotnet]
DWGuru.app/Contents/MacOS/libsdl2.dylib: replacing existing signature
DWGuru.app/Contents/MacOS/libsdl2.dylib: signed Mach-O thin (x86_64) [libsdl2]
DWGuru.app/Contents/MacOS/libsos.dylib: replacing existing signature
DWGuru.app/Contents/MacOS/libsos.dylib: signed Mach-O thin (x86_64) [libsos]
DWGuru.app/Contents/MacOS/libuv.dylib: replacing existing signature
DWGuru.app/Contents/MacOS/libuv.dylib: signed Mach-O universal (i386 x86_64) [libuv]
DWGuru.app/Contents/MacOS/sosdocsunix.txt: replacing existing signature
DWGuru.app/Contents/MacOS/sosdocsunix.txt: signed generic [sosdocsunix]

codesign DWGuru.app --force --timestamp --sign *** --options=runtime --deep --no-strict --entitlements 'entitlements.plist'

DWGuru.app: replacing existing signature
DWGuru.app: signed app bundle with Mach-O thin (x86_64)

zip -r DWGuru.zip DWGuru.app

xcrun altool --notarize-app --primary-bundle-id "***" --username "***" --password "" --asc-provider "***" --file "DWGuru.zip"

No errors uploading 'DWGuru.zip'.
RequestUUID = ***-***-***-***-***

Result

xcrun altool --username "***" --password "***" --notarization-info ***-***-***-***-***

No errors getting notarization info.

          Date: 2021-10-29 17:29:41 +0000
          Hash: ***
    LogFileURL:***
accessKey=***
   RequestUUID: ***
        Status: invalid
   Status Code: 2
Status Message: Package Invalid
{
  "logFormatVersion": 1,
  "jobId": "***",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "DWGuru.zip",
  "uploadDate": "2021-10-29T17:48:43Z",
  "sha256": "***",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "DWGuru.zip/DWGuru.app/Contents/MacOS/DWGuru",
      "message": "The signature of the binary is invalid.",
      "docUrl": null,
      "architecture": "x86_64"
    }
  ]
}

Richard Lalancette On BEST ANSWER

The issue was with the zip tool. It broke the zip file, so notarization would fail on Apple's side.

zip -r DWGuru.zip DWGuru.app

becomes

/usr/bin/ditto -c -k --keepParent DWGuru.app DWGuru.zip
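
An added pre-upload check, not part of the original answer: it compares the signed bundle on disk with the archive built from it, so a packaging step that alters signed files is caught locally rather than in the notarization log. The answer does not say what `zip -r` changed; the three conditions tested here (file content, symlinks, executable bit) are assumptions about how an archive can diverge from the bundle, and `audit_archive` is a hypothetical helper name.

```python
import hashlib
import os
import stat
import sys
import zipfile

def audit_archive(bundle_dir, zip_path):
    """Return sorted (member, problem) pairs where the archive no longer
    matches the signed bundle on disk; an empty list means it round-trips."""
    problems = []
    parent = os.path.dirname(os.path.abspath(bundle_dir))
    with zipfile.ZipFile(zip_path) as zf:
        members = {i.filename.rstrip("/"): i for i in zf.infolist()}
        for root, dirs, files in os.walk(bundle_dir):
            # os.walk does not descend into symlinked directories; audit them as links.
            links = [d for d in dirs if os.path.islink(os.path.join(root, d))]
            for name in files + links:
                path = os.path.abspath(os.path.join(root, name))
                rel = os.path.relpath(path, parent).replace(os.sep, "/")
                info = members.get(rel)
                if info is None:
                    problems.append((rel, "missing from archive"))
                    continue
                # Assumption: the archiver stores the Unix mode in the high 16 bits.
                mode = info.external_attr >> 16
                st = os.lstat(path)
                if stat.S_ISLNK(st.st_mode):
                    if not stat.S_ISLNK(mode) or zf.read(info).decode() != os.readlink(path):
                        problems.append((rel, "symlink not preserved"))
                    continue
                with open(path, "rb") as fh:
                    on_disk = hashlib.sha256(fh.read()).hexdigest()
                if hashlib.sha256(zf.read(info)).hexdigest() != on_disk:
                    problems.append((rel, "content differs"))
                if st.st_mode & 0o111 and not mode & 0o111:
                    problems.append((rel, "executable bit lost"))
    return sorted(problems)

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: audit_archive.py DWGuru.app DWGuru.zip")
    found = audit_archive(sys.argv[1], sys.argv[2])
    for member, problem in found:
        print(f"{problem}: {member}")
    sys.exit(1 if found else 0)
```

Extra archive members that have no counterpart in the bundle are ignored; only files that exist in the bundle are checked.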