Problem with Installer being quarantined on MacOS
Paul Mulroney
pmulroney at logicaldevelopments.com.au
Wed Mar 9 13:47:15 UTC 2022
Hi David,
I had a similar problem with Packages and Studio 10.2. You productsign the installer, as opposed to codesigning the application.
This is the snippet from my bash script that I use to Notarise my installer. ($appname is the path to the .pkg file, $bundleid is the installer bundle id, $zipname is the path to the compressed file ... you get the idea. I also have my keychain set up with my developer identity so that I don't need to hard-code my certificate info into the script)
# Strip any extended information eg finder information - fixes "resource fork, Finder information, or similar detritus not allowed"
# (all paths are quoted so that names containing spaces survive word splitting)
xattr -r -d com.apple.FinderInfo "$appname"
# Sign
echo "** Productsign the installer **"
productsign --sign "$identity" "$appname" ./installer_signed.pkg >>results.txt 2>>errors.txt
# Shuffle files around -> appname is now the signed version
rm -f "$appname.unsigned"
mv "$appname" "$appname.unsigned"
mv ./installer_signed.pkg "$appname"
# Verify
echo "** Verify the productsign result **"
pkgutil --check-signature "$appname"
echo "Read the above output, and then"
# -n 1 returns after a single keypress, matching the prompt text
read -n 1 -s -r -p "Press any key to resume ..."
echo
# Create a zip archive
echo "** Creating a zip archive backup for notarising **"
/usr/bin/ditto -c -k --keepParent "$appname" "$zipname"
# Notarise
echo "** Submitting file for notarisation **"
xcrun altool --notarize-app --primary-bundle-id "$bundleid" --file "$zipname" --username "$username" --password "@keychain:AC_PASSWORD" >>results.txt 2>>errors.txt
echo "You need to check the status of notarisation at a later time."
echo "Script complete"
> On 9 Mar 2022, at 8:36 pm, David Blaymires <davidb at jobbag.com> wrote:
>
> Hi Phil,
>
> Sorry, something I wasn’t very clear about, we also Notarize the resulting installer. Here’s the text from the log of the process. The Staple and Validate action (prior to line 4268) is for the application that we have created, it has worked, we then create the installer, it builds successfully using VMWare InstallBuilder v21.12.0, but then we have this error at line 4273 “Nested code is modified or invalid”. (3 letter expletive acronym is uttered at this point…).
> The staple and validate action worked!
> 4268 Staple status: 0
> 4269 Create installer
> 4270 Building JobBag osx
> 4271 0% ______________ 50% ______________ 100%
> 4272 ########################################
> 4273 Error: Error signing /Build files/Temp/ae46bbbb/JobBagv81.146-10.2-osx-installer.app: Invalid signature: /Build files/Temp/ae46bbbb/JobBagv81.146-10.2-osx-installer.app: nested code is modified or invalid
> 4274 #
> 4275 Notarize
> 4276 No errors uploading 'JobBag.zip'.
>
> I can’t think of any nested code that has changed or is invalid, especially as the 10.1 and 10.2 (3r30204) RT have not changed..
> Note: This error started with the previous version of VMWare InstallBuilder (20.12.0) so it’s not the new version of VMWIB. This happens with a 10.1 and 10.2 (r30204 and r31315) RT. Just thought someone here may have come across this problem.
>
> Regards,
>
> David Blaymires
> CEO : Instinct Systems : JobBag
>
> Phone +61 2 8115 8001
> Mobile +61 (0)416 183 848
> davidb at jobbag.com
> http://www.jobbag.com
>
> From: omnisdev-en <omnisdev-en-bounces at lists.omnis-dev.com> on behalf of Phil (OmnisList) <phil at pgpotter.co.uk>
> Date: Wednesday, 9 March 2022 at 8:03 pm
> To: omnisdev-en at lists.omnis-dev.com <omnisdev-en at lists.omnis-dev.com>
> Subject: Re: Problem with Installer being quarantined on MacOS
> Hi David,
>
> Sounds like you have not certified your installer.
>
> I use packages which does that step for me.
>
> regards
> Phil Potter
> Based in Chester in the UK.
>
> On 09/03/2022 06:51, David Blaymires wrote:
>> Hi,
>>
>> Late in 2021 two things occurred - Apple changed their requirements in the Apple Developer program (we had to accept new terms and conditions) and we had to create new developer certificates for the notarizing process. We build our application integrating our xcomps into the bundle, customising the logo, name, building the contents of the First Run folder etc and build a ZIP file that is then uploaded to Apple for notarizing.
>>
>> Once we receive the successful notarizing notification back, we then use Install Builder to build our application installer which is downloaded automatically by existing copies of JobBag and run without any problem. However when the resulting installer is downloaded from a website, the checks that Apple is doing as part of the download process are resulting in the installer being quarantined, and the only way to release it is to run the terminal command. Frustrating.
>>
>> Has anyone else come across this problem and been able to solve it? I’m sure we are missing something very simple but it is so blindingly obvious we can’t see it.
>>
>> Regards,
>>
>> David Blaymires
>> CEO : Instinct Systems : JobBag
>>
>> Phone +61 2 8115 8001
>> Mobile +61 (0)416 183 848
>> davidb at jobbag.com
>> http://www.jobbag.com
>>
>> _____________________________________________________________
>> Manage your list subscriptions at https://lists.omnis-dev.com
>> Start a new message -> mailto:omnisdev-en at lists.omnis-dev.com
I told my wife she was drawing her eyebrows too high. She looked surprised.
--
Paul W. Mulroney We Don't Do Simple Pty Ltd
pmulroney at logicaldevelopments.com.au Trading as Logical Developments
www.logicaldevelopments.com.au ACN 161 009 374
Ph: +61 8 9458 3889 86 Coolgardie Street
BENTLEY WA 6102
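
The script in the message above pauses so that someone can read the pkgutil --check-signature output by eye. The following is an added example, not part of the original post, that turns that check into an automatic gate; the function names, the sample outputs and the exact pkgutil wording they rely on are assumptions.

```shell
#!/usr/bin/env bash
# Added example: gate a build on `pkgutil --check-signature` output instead of
# pausing for someone to read it. Sample outputs below are constructed and the
# exact wording is an assumption; confirm it on the macOS release you build on.

# Reads pkgutil output on stdin, prints: unsigned | untrusted | signed | notarized
classify_pkg_signature() {
    local out
    out=$(cat)
    case "$out" in
        *"Status: no signature"*) echo unsigned; return ;;
    esac
    case "$out" in
        *"Developer ID Installer:"*) ;;      # identity type used with productsign
        *) echo untrusted; return ;;         # signed, but no Developer ID Installer in chain
    esac
    case "$out" in
        *"Notarization: trusted by the Apple notary service"*) echo notarized ;;
        *) echo signed ;;
    esac
}

# $1 = minimum acceptable verdict (signed|notarized); stdin = pkgutil output.
require_pkg_signature() {
    local verdict
    verdict=$(classify_pkg_signature)
    case "$1:$verdict" in
        signed:signed|signed:notarized|notarized:notarized) return 0 ;;
    esac
    echo "package check failed: got '$verdict', wanted '$1'" >&2
    return 1
}

# Constructed sample outputs (company name and team ID are placeholders).
SAMPLE_UNSIGNED='Package "installer.pkg":
   Status: no signature'
SAMPLE_SIGNED='Package "installer.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Certificate Chain:
    1. Developer ID Installer: Example Pty Ltd (ABCDE12345)'
SAMPLE_NOTARIZED="$SAMPLE_SIGNED
   Notarization: trusted by the Apple notary service"

# In the script: pkgutil --check-signature "$appname" | require_pkg_signature signed || exit 1
```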