Apple notarization fails

[rameerez]

I've just switched from Carthage to SPM and I'm using v4.0.0

Everything works fine except Apple won't notarize the app, throwing a "Package Invalid" error with the following messages:

• The binary is not signed with a valid developer id certificate
• The signature does not include a secure timestamp
• The executable requests the com.apple.security.get-task-allow entitlement

macOS version: 10.15.7
Xcode version: 12.0.1

More info about affected files:

- The binary is not signed with a valid developer id certificate
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper.zip/LaunchAtLoginHelper.app/Contents/MacOS/LaunchAtLoginHelper
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/MacOS/LaunchAtLoginHelper
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftAppKit.dylib
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftCoreImage.dylib
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftObjectiveC.dylib
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftXPC.dylib
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftCore.dylib
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftCoreGraphics.dylib
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftMetal.dylib
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftCoreData.dylib
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftDispatch.dylib
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftos.dylib
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftCoreFoundation.dylib
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftDarwin.dylib
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftQuartzCore.dylib
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftIOKit.dylib
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftFoundation.dylib

- The signature does not include a secure timestamp
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper.zip/LaunchAtLoginHelper.app/Contents/MacOS/LaunchAtLoginHelper
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/MacOS/LaunchAtLoginHelper
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftAppKit.dylib
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftCoreImage.dylib
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftObjectiveC.dylib
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftXPC.dylib
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftCore.dylib
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftCoreGraphics.dylib
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftMetal.dylib
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftCoreData.dylib
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftDispatch.dylib
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftos.dylib
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftCoreFoundation.dylib
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftDarwin.dylib
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftQuartzCore.dylib
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftIOKit.dylib
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/Frameworks/libswiftFoundation.dylib

- The executable requests the com.apple.security.get-task-allow entitlement
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper.zip/LaunchAtLoginHelper.app/Contents/MacOS/LaunchAtLoginHelper
  - MyApp.zip/MyApp.app/Contents/Resources/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip/LaunchAtLoginHelper.app/Contents/MacOS/LaunchAtLoginHelper

[sindresorhus]

Did you remember to also change the run script?

Because the error indicates that the ZIP files were not removed which indicates the run script didn't run.

[rameerez]

This gave me the clue to find out what was wrong! Yes, I did change the run script, but after reading your comment I went on to inspect it and found out that LaunchAtLogin_LaunchAtLogin.bundle only gets deleted if $CONFIGURATION == "Release". My current configuration name is not "Release" so line 48

rm -rf "$contents_path/Resources/LaunchAtLogin_LaunchAtLogin.bundle"

never got executed.

Changing the conditional on line 47 to $CONFIGURATION != "Debug" seems to work for me. Now the app gets notarized correctly! Thanks for your very quick response!

[sindresorhus]

only gets deleted if $CONFIGURATION == "Release". My current configuration name is not "Release" so line 48

I wonder if it's possible to detect if the current configuration is "release build type" without matching on the name.

Changing the conditional on line 47 to $CONFIGURATION != "Debug" seems to work for me. Now the app gets notarized correctly! Thanks for your very quick response!

That seems like a good change in general. Wanna do a PR?

We should probably also explicitly document that it's expected that the debug configuration is named Debug.

[rameerez]

That seems like a good change in general. Wanna do a PR?

Sure! Opening a PR now :)

[zackdotcomputer]

Ah shoot - I left a comment about what my PR is and how it builds on the original one, but I left it on #52 rather than here. Please refer to it there.