FIXED: Apple Notarization issue: “The signature of the binary is invalid.”. One other reason not explained in Apple Developer Documentation

TL;DR: Do not zip your app bundles using the zip command. Instead use the “ditto -c -k --sequesterRsrc --keepParent MyApp.app MyApp.app.zip” command, or right-click your MyApp.app bundle in Finder and choose the “Compress MyApp.app” option. The zip command alters the UTF binary encoding of the files and makes the signature invalid.

We just went through hell to get FrostWire for Mac notarized by Apple’s automated service.

Since FrostWire is not a regular Objective-C/Swift app, but a Java app, our (one-step) build process is done entirely using bash scripts on the terminal.

The notarization process helped us realize we had some old binaries that we hadn’t compiled since Mac SDK 10.6, and it made us sign them with hardened runtime support. It also made us make sure that there were no hidden .DS_ files, as these can also cause the app bundle to be considered invalid by Apple.

In the end we were able to sign our squeaky clean FrostWire.app bundle, and however we checked it, it appeared to have no errors whatsoever.


We’d always get the following error for our submission:

“The signature of the binary is invalid”

It was the damn .zip file

Thinking there was something wrong with our installer’s executable, we even rebuilt it using a custom Makefile directly on the terminal, and not through an Xcode project like we used to. As a plus, we think it’s much simpler now.

Between our signature checking on the local machine and the notarization submission there was one more step: compressing FrostWire.app into a FrostWire.app.zip file.

To zip our bundle before submitting it to the notarization service (altool --notarize-app), we were using the zip command available at /usr/bin/zip.

And this was the problem. This “zip” command is not the same compression software used by the Finder when you right-click on a file and hit “Compress”. It’s called Info-ZIP and it’s not made by Apple.

As soon as we zipped the FrostWire.app with the Finder and then submitted that zip file, we were successful.

It appears that the /usr/bin/zip tool “is converting UTF-8 NFD charset to UTF-8 NFC. The new APFS filesystem supports both encodings unlike HFS+ where UTF-8 was always converted to UTF-8 NFD.”

This is why the code signature checks passed just fine on our end, but not on Apple’s side.
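A pre-submission check for the renaming described in the quote above, as an added example that is not part of the original post or of FrostWire's build scripts: it compares each file name in the bundle on disk with the name stored in the zip and reports any that differ only by Unicode normalization. The function names, the `MyApp.app` layout and the sample file are constructed for illustration.

```python
import os
import tempfile
import unicodedata
import zipfile


def nfc(name):
    return unicodedata.normalize("NFC", name)


def renormalized_entries(bundle_dir, zip_path):
    """Return (disk_name, zip_name) pairs that match under NFC but differ as stored."""
    parent = os.path.dirname(os.path.abspath(bundle_dir))
    on_disk = []
    for root, _dirs, files in os.walk(bundle_dir):
        for f in files:
            rel = os.path.relpath(os.path.join(root, f), parent)
            on_disk.append(rel.replace(os.sep, "/"))  # zip entries use "/"
    with zipfile.ZipFile(zip_path) as zf:
        in_zip = {nfc(n): n for n in zf.namelist()}
    return [(name, in_zip[nfc(name)]) for name in sorted(on_disk)
            if nfc(name) in in_zip and in_zip[nfc(name)] != name]


def demo():
    """Constructed sample: a bundle with one NFD-named file, archived two ways."""
    tmp = tempfile.mkdtemp()
    app = os.path.join(tmp, "MyApp.app")
    res = os.path.join(app, "Contents", "Resources")
    os.makedirs(res)
    # "é" written as 'e' + combining acute accent, i.e. the NFD form.
    src = os.path.join(res, "cafe\u0301.txt")
    with open(src, "w") as fh:
        fh.write("sample")
    arcname = "MyApp.app/Contents/Resources/" + os.path.basename(src)
    results = {}
    # "NFD" keeps the on-disk name; "NFC" mimics the conversion the post describes.
    for form in ("NFD", "NFC"):
        zpath = os.path.join(tmp, form + ".zip")
        with zipfile.ZipFile(zpath, "w") as zf:
            zf.write(src, unicodedata.normalize(form, arcname))
        results[form] = renormalized_entries(app, zpath)
    return results


if __name__ == "__main__":
    print(demo())
```

An empty list for the archive you are about to submit means no entry name changed form between the signed bundle and the zip.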

 


You can zip your bundle from your script with the “ditto” tool, as if you were using the Finder, with the command shown in the TL;DR at the top of this post.

This issue is not mentioned in the Apple Developer Documentation article “Resolving Common Notarization Issues”. Hopefully it’ll make it to their ears and they’ll add this to the list of possible solutions and caveats in their “Ensure a Valid Signature” section.

 
