macos notarization fails due to Package Invalid

Attention: Topic was automatically imported from the old Question2Answer platform.
Asked By endavid

I’m on macos and I’m trying to export my game to macos and I’m confused by the Identity field in Godot 3.5.1.

The documentation doesn’t say what goes in there, but from this thread it seems it should be the short string from your development certificate.
But I’ve seen other places where it says it should be the long string that you get after running,

security find-identity -v -p codesigning

I tried both, but I keep getting the same error from the notarization server: Package Invalid. And if I check the log, it says

"The binary is not signed with a valid Developer ID certificate."

In this Reddit thread I noticed they were using a Distribution certificate, even though Apple’s documentation says you shouldn’t use Distribution but Development. Just in case, I tried creating a Distribution certificate and I tried both the short and the long strings, and I keep getting the same notarization error.

I thought the problem could be that I hadn’t created the Identifier that I’m using for my game under Certificates, Identifiers & Profiles in my Developer console, but adding that identifier doesn’t help either.

Codesign tells me this:

codesign -dvv MyGame.dmg

Executable=/PATH-TO/MyGame.dmg
Identifier=MyGame
Format=disk image
CodeDirectory v=20200 size=297 flags=0x10000(runtime) hashes=1+6 location=embedded
Signature size=9092
Authority=Apple Development: <My name> (<10-digit ID>) (*)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Timestamp=28 Jan 2023 at 21:53:14
Info.plist=not bound
TeamIdentifier=<10-digit ID>
Sealed Resources=none
Internal requirements count=1 size=176

(*) or Apple Distribution, when I do the Distribution certificate – both fail as I said.

In the Codesign section I have:

  • Enable: ON
  • Identity: (I tried long & short, and Distribution and Development)
  • Timestamp: ON
  • Hardened runtime: ON
  • Replace existing signature: ON

Any idea what we need to pass in there for Notarization to succeed?

Thanks!

I realized in this thread that you have to use a Developer ID Application certificate, not an Apple Development or an Apple Distribution one.

So I went ahead and created one and I got some progress. Now I don’t get that error about a valid ID certificate, but I get a bunch of other errors:

The signature of the binary is invalid.
The signature does not include a secure timestamp.
The executable does not have the hardened runtime enabled.

Hardened Runtime and Timestamp are enabled, but now codesign tells me that it’s not signed:

codesign -dvv MyGame.dmg
MyGame.dmg: code object is not signed at all

The only thing I changed is the certificate, so I’m at a loss.

endavid | 2023-01-28 22:46

It seems I had to use the long string of the identifier. I think it could be because the short string is duplicated once you add the Developer ID Application certificate.

endavid | 2023-01-28 23:02

Reply From: endavid

Success!

I’ll answer myself:

  1. Go to Certificates in your Developer console and create a Developer ID Application certificate.
  2. Download and install that certificate in your Keychain.
  3. Use security find-identity -v -p codesigning to find the long string of the Developer ID Application certificate – that should be the Identity for Codesign.

E.g.

1) <long-A> "Apple Development: Your Name (<short-1>)"
2) <long-B> "Apple Distribution: Your Name (<short-2>)"
3) <long-C> "Developer ID Application: Your Name (<short-2>)"
   3 valid identities found

In the example, I use <long-C> (if I use <short-2> now, the DMG does not get signed, presumably because it’s shared between B and C and it gets confused?).

The codesign CLI now has more information than earlier:

codesign -dvvv MyGame.dmg

Executable=/PATH-TO/MyGame.dmg
Identifier=MyGame
Format=disk image
CodeDirectory v=20200 size=297 flags=0x10000(runtime) hashes=1+6 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=<something>
CandidateCDHashFull sha256=<something>
Hash choices=sha256
CMSDigest=<something>
CMSDigestType=2
Launch Constraints:
    None
CDHash=<something>
Signature size=9045
Authority=Developer ID Application: My Name (<short-2>)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=28 Jan 2023 at 22:57:03
Info.plist=not bound
TeamIdentifier=<short-2>
Sealed Resources=none
Internal requirements count=1 size=172

And I got the app notarized!
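The selection rule from the steps above, as an added example that is not code from the thread or from Godot: pick the long hash of the single Developer ID Application identity (never the shared team ID), and check a codesign dump for the three things the notarization log complained about. All SAMPLE_* values are constructed stand-ins for real `security` and `codesign` output.

```shell
# Added example (not from the thread or Godot). SAMPLE_* values are constructed
# stand-ins for `security find-identity -v -p codesigning` and `codesign -dvv` output.

SAMPLE_IDENTITIES='  1) 0A1B2C3D4E5F60718293A4B5C6D7E8F901234567 "Apple Development: Your Name (ABCDE12345)"
  2) 1122334455667788990011223344556677889900 "Apple Distribution: Your Name (FGHIJ67890)"
  3) AABBCCDDEEFF00112233445566778899AABBCCDD "Developer ID Application: Your Name (FGHIJ67890)"
     3 valid identities found'

SAMPLE_GOOD_DUMP='Executable=/PATH-TO/MyGame.dmg
Format=disk image
CodeDirectory v=20200 size=297 flags=0x10000(runtime) hashes=1+6 location=embedded
Authority=Developer ID Application: Your Name (FGHIJ67890)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=28 Jan 2023 at 22:57:03'

# Print the SHA-1 (the "long string") of the one Developer ID Application identity
# in the find-identity output passed as $1. Fails when there is none or more than
# one, so a script never falls back to the team ID, which the Apple Distribution
# and Developer ID Application certificates share.
pick_developer_id() {
  matches=$(printf '%s\n' "$1" | grep 'Developer ID Application:' || true)
  count=$(printf '%s\n' "$matches" | grep -c . || true)
  [ "$count" -eq 1 ] || return 1
  printf '%s\n' "$matches" | awk '{ print $2 }'
}

# Check a `codesign -dvv <file>` dump ($1) for what notarization requires:
# a Developer ID Application chain, the hardened-runtime flag and a secure
# timestamp. Prints each missing item and returns non-zero if anything is missing.
check_signature_dump() {
  status=0
  printf '%s\n' "$1" | grep -q '^Authority=Developer ID Application:' \
    || { echo 'missing: Developer ID Application authority'; status=1; }
  printf '%s\n' "$1" | grep -q 'flags=0x[0-9a-fA-F]*(.*runtime' \
    || { echo 'missing: hardened runtime flag (runtime) in CodeDirectory'; status=1; }
  printf '%s\n' "$1" | grep -q '^Timestamp=' \
    || { echo 'missing: secure timestamp'; status=1; }
  return "$status"
}

# Stand-alone run against the constructed samples. With the real tools:
#   pick_developer_id "$(security find-identity -v -p codesigning)"
#   check_signature_dump "$(codesign -dvv MyGame.dmg 2>&1)"   # codesign writes to stderr
pick_developer_id "$SAMPLE_IDENTITIES"
check_signature_dump "$SAMPLE_GOOD_DUMP" && echo 'signature dump looks notarizable'
```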

I am also using 3.5.1 and, following what you did, I still am not getting a successful notarization of my app. All the code signing was successful and looks similar to what you got after running codesign -dvvv Trolls.dmg:

Executable=/Users/krdavis/Projects/Trolls-Godot/Trolls.dmg
Identifier=Trolls
Format=disk image
CodeDirectory v=20200 size=294 flags=0x10000(runtime) hashes=1+6 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=(something)
CandidateCDHashFull sha256=(something)
Hash choices=sha256
CMSDigest=(something)
CMSDigestType=2
Launch Constraints:
None
CDHash=(something)
Signature size=8972
Authority=Developer ID Application: My Name (short-2)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Feb 19, 2023 at 3:35:28 PM
Info.plist=not bound
TeamIdentifier=(short-2)
Sealed Resources=none
Internal requirements count=1 size=168

Result:

Project export for platform: Mac OSX - Failed.
• [Notarization]: Notarization failed.

Do you have any other suggestions? Thanks in advance!

keidav | 2023-02-19 23:16

Never mind, your instructions were perfect, I wasn’t using a proper app-specific password for Godot. Once I created one and used it in the export template, all worked and my app was notarized!

keidav | 2023-02-20 01:02