External frameworks fail notarization even after being codesigned


I use the Sparkle lib in my Developer ID macOS application for auto-updating. I export the app using CLI tools (xcodebuild) and then notarize using xcrun notarytool; this all seems to work fine.

I then create a DMG, and it's when I notarize this that I get around 16 of the following errors:

  • "The binary is not signed with a valid Developer ID certificate."

  • "The signature does not include a secure timestamp."

I get both of these errors for all of the following files:

"MyApp.dmg/MyApp.app/Contents/Frameworks/Sparkle.framework/Versions/B/Sparkle"
"MyApp.dmg/MyApp.xcarchive/Products/Applications/MyApp.app/Contents/Frameworks/Sparkle.framework/Versions/B/Autoupdate"
"MyApp.dmg/MyApp.xcarchive/Products/Applications/MyApp.app/Contents/Frameworks/Sparkle.framework/Versions/B/Updater.app/Contents/MacOS/Updater"
"MyApp.dmg/MyApp.xcarchive/Products/Applications/MyApp.app/Contents/Frameworks/Sparkle.framework/Versions/B/XPCServices/Downloader.xpc/Contents/MacOS/Downloader"
"MyApp.dmg/MyApp.xcarchive/Products/Applications/MyApp.app/Contents/Frameworks/Sparkle.framework/Versions/B/XPCServices/Installer.xpc/Contents/MacOS/Installer"

It seems like the Sparkle apps that are packaged inside my app need to be codesigned before being packaged into a disk image and notarized.

I have tried:

  • codesigning the .dmg container
  • codesigning app with --deep flag before notarization
  • codesigning app and all sub-apps (listed above) individually
  • codesigning app and all sub-apps before notarization

I use the following bash method I created for codesigning:

function codesignApp() {
  codesign --force --sign "Developer ID Application: <NAME REDACTED> (<TEAMID REDACTED>)" \
    --timestamp --deep --verbose --options=runtime "$1"
}

There are 0 answers
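
An added triage example, not part of the original post: it groups the issue paths quoted in the question by the top-level item of the disk image that contains them, showing how many flagged binaries sit in MyApp.app and how many in the MyApp.xcarchive that is also inside the image. The function names are hypothetical, and the sample input is the five paths from the question.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Constructed sample input: the five issue paths quoted in the question.
sample_issue_paths() {
  cat <<'EOF'
"MyApp.dmg/MyApp.app/Contents/Frameworks/Sparkle.framework/Versions/B/Sparkle"
"MyApp.dmg/MyApp.xcarchive/Products/Applications/MyApp.app/Contents/Frameworks/Sparkle.framework/Versions/B/Autoupdate"
"MyApp.dmg/MyApp.xcarchive/Products/Applications/MyApp.app/Contents/Frameworks/Sparkle.framework/Versions/B/Updater.app/Contents/MacOS/Updater"
"MyApp.dmg/MyApp.xcarchive/Products/Applications/MyApp.app/Contents/Frameworks/Sparkle.framework/Versions/B/XPCServices/Downloader.xpc/Contents/MacOS/Downloader"
"MyApp.dmg/MyApp.xcarchive/Products/Applications/MyApp.app/Contents/Frameworks/Sparkle.framework/Versions/B/XPCServices/Installer.xpc/Contents/MacOS/Installer"
EOF
}

# stdin:  issue paths, one per line (surrounding quotes allowed).
# stdout: "<top-level item in the image><TAB><path inside that item>".
split_issue_paths() {
  tr -d '"' | awk -F/ 'NF >= 3 {
    rel = $3
    for (i = 4; i <= NF; i++) rel = rel "/" $i
    print $2 "\t" rel
  }'
}

# stdout: "<count> <top-level item>", sorted by item name.
issues_by_container() {
  split_issue_paths | cut -f1 | LC_ALL=C sort | uniq -c | sed 's/^ *//'
}

# stdout: top-level items that are not .app bundles. Assumption: only the
# .app is meant to ship in the disk image, so anything else is worth a look.
non_app_containers() {
  split_issue_paths | cut -f1 | LC_ALL=C sort -u | grep -v '\.app$' || true
}

# Run the triage on the constructed sample.
sample_issue_paths | issues_by_container
```

To use it on a real submission, pipe in the paths reported in the notarization log instead of the sample.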