Exporting OSX Fails Notarization #64544
Comments
Encountered the exact same issue and was able to resolve by changing my codesigning identity. This could really use some more verbose documentation. Here's how to retrieve the correct identity:
Thank you @minosvasilias I am going to try this tonight and report back.
I was correct in thinking that it was a configuration error on my part then.
Looks like it is working. Thank you very much @minosvasilias
Awesome! :)
@Calinou should I close this?
Godot version
v3.5.stable.official [991bb6a]
System information
M1 Macbook Air 2020
Issue description
I would like to preface that I am 99.9% positive that there is some sort of configuration error on my end, but I have been unable to resolve this and all of my troubleshooting seems to show that this should be working, and it just isn't.
My project was set to AdHoc Exporting for the MacOS build of my game, and when I upgraded to 3.5 stable, the export screen was displaying a couple of new warnings about how adhoc compiling would not work if the binary was downloaded from an unknown location. I am not sure if this will be an issue if I tried to distribute my game on Steam, but it will probably be an issue on itch, so I decided that I had better address it.
Following the Exporting for MacOS Guide, I inputted all of the information that I believe to be required.
Inside of Application -> Identifier I input the bundle identifier (xxx.xxx.xxx)
I enabled the Codesign section
Inside of Codesign -> Identity I put my Team ID (App ID Prefix is how it's labelled in the Apple Developer Portal?)
I enabled the Timestamp, Hardened Runtime, and Replace Existing Signature options from inside of the Codesign section
I disabled the Debug Entitlement from the Entitlements section (rather it was never enabled).
Inside of the Notarization section I entered the email address for the Apple ID that the Team ID is associated with
I entered the Apple ID password in the "Password" section
I entered the Team ID in the "Apple Team ID"
Initially when I tried to compile, Godot would fail to upload the archive to Apple, and after troubleshooting that, it was because I had not put in an App Password and it was being stopped because the account has MFA enabled. Once a proper app password was included, it was able to upload and it was producing a request identifier for Notarization, which is excellent.
About 10 minutes later I received an email from Apple saying that the application was not Notarized and I need to check the log. I ran the following command to initially gain access to the log.
xcrun altool --verbose --notarization-info [Request Identifier] -u [Apple ID] -p [App Password]
A post I read on Stack Exchange says that the log can contain a URL to some JSON data that has the exact error. I located the URL and browsed to it and saw that there were 2 errors: "The signature of the binary is invalid" and "The signature does not include a secure timestamp".
The Exporting for MacOS documentation has a link to the Apple page for resolving common notarization issues, and both of these issues are listed as common. The page recommended I run some Xcode terminal commands to verify the signature.
codesign -vvv --deep --strict /path/to/app.dmg
This command produced the following output.
valid on disk satisfies its Designated Requirement
If I am reading that correctly, it should mean that the application is properly signed.
The other issue was that it didn't have a secure timestamp, and there is another Xcode terminal command to run.
codesign -dvv /Path/To/app.dmg
That command produced the following output
Executable= /Path/To/Executable
Identifier=Game Name
Format=disk image
CodeDirectory v=20200 size=293 flags=0x10000(runtime) hashes=1+6 location=embedded
Signature size=9088
Authority=Apple Distribution: [Team Identifier]
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Timestamp=Aug 14, 2022 at 2:48:11 PM
Info.plist=not bound
TeamIdentifier=[Team Identifier]
Sealed Resources=none
Internal requirements count=1 size=168
Some additional reading says that the timestamp is a secure time stamp when it includes the date, which mine does. The Apple page also says that if this output has a section labelled "Signed Time", then the timestamp isn't secure (my output does not have this, which seems to imply that the timestamp is secure).
AdHoc compiling still works normally, my application will launch, but the binary that I attempt to get notarized will not launch as I can't staple the Notarization to it.
I believe that I am following the documentation correctly and all of my troubleshooting seems to indicate that this should be working, it just isn't. I am not 100% sure if this is something that can even be addressed by the GodotEngine Developers. Is my Team ID supposed to go inside of Codesign -> Identity or is some other piece of information supposed to go there?
When I asked for assistance on reddit and various discord servers, it was suggested that I try with an empty project to rule out some sort of configuration issue with my specific game, and the empty project still fails with the exact same error.
Thank you in advance to anybody who reads this and offers suggestions.
Steps to reproduce
Attempt to export a Notarized MacOS binary.
Minimal reproduction project
I have uploaded a minimal reproduction project, but I have removed all of my private apple identifiers and passwords from the project
TestProject.zip
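Added example, not part of the original issue or of Godot's code: `codesign -vvv` only confirms that a signature is intact, while Apple's notary service additionally requires a Developer ID Application leaf certificate, the hardened runtime and a secure timestamp. The hypothetical helper `check_notary_prereqs` below reads a `codesign -dvv` report and checks those three fields; both sample reports are constructed, the first shaped like the output quoted in the issue.

```shell
# Reads a `codesign -dvv` report on stdin; returns 0 only if every check passes.
# Real use on macOS (codesign writes this report to stderr):
#   codesign -dvv /path/to/app.dmg 2>&1 | check_notary_prereqs
check_notary_prereqs() {
    report=$(cat)
    rc=0
    # The first Authority= line is the leaf (signing) certificate.
    leaf=$(printf '%s\n' "$report" | sed -n 's/^Authority=//p' | head -n 1)
    case "$leaf" in
        "Developer ID Application:"*) echo "ok: signed with $leaf" ;;
        "") echo "FAIL: no Authority line (ad hoc or unsigned)"; rc=1 ;;
        *)  echo "FAIL: leaf certificate is not Developer ID Application: $leaf"; rc=1 ;;
    esac
    if printf '%s\n' "$report" | grep -Eq '^CodeDirectory .*flags=[^ ]*runtime'; then
        echo "ok: hardened runtime enabled"
    else
        echo "FAIL: hardened runtime flag missing"; rc=1
    fi
    # Timestamp= is the secure form; a Signed Time= line instead is not secure.
    if printf '%s\n' "$report" | grep -q '^Timestamp='; then
        echo "ok: secure timestamp present"
    else
        echo "FAIL: no secure timestamp"; rc=1
    fi
    return "$rc"
}

# Constructed sample shaped like the output quoted in the issue.
SAMPLE_ISSUE='Executable=/Path/To/Executable
Identifier=Game Name
Format=disk image
CodeDirectory v=20200 size=293 flags=0x10000(runtime) hashes=1+6 location=embedded
Signature size=9088
Authority=Apple Distribution: [Team Identifier]
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Timestamp=Aug 14, 2022 at 2:48:11 PM
TeamIdentifier=[Team Identifier]'
# Constructed sample with a Developer ID leaf (name and team ID are placeholders).
SAMPLE_DEVID='Identifier=Game Name
CodeDirectory v=20200 size=293 flags=0x10000(runtime) hashes=1+6 location=embedded
Authority=Developer ID Application: Example Dev (TEAMID1234)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Aug 14, 2022 at 2:48:11 PM'

printf '%s\n' "$SAMPLE_ISSUE" | check_notary_prereqs || echo "=> fix before submitting"
printf '%s\n' "$SAMPLE_DEVID" | check_notary_prereqs && echo "=> ready to submit"
```

On the first sample the runtime and timestamp checks pass and only the leaf-certificate check fails, which fits the resolution reported in the comments (changing the codesigning identity).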