Failed to notarize a "distribution" pkg

I'm building a custom macOS installer for my software, primarily using the built-in tools of codesign, pkgbuild, productbuild and xcrun.

My product consists of a list of plugins and a CEP extension for the Adobe After Effects app.

All of my bundles and binaries are properly signed using a trusted Apple Developer certificate I've generated, of type Developer ID Application.

My installer is a "distribution" pkg, and has this structure (expanded using pkgutil --expand):

SceneTools-3.4.4-osx-installer
├── Distribution
├── miscellaneous.pkg
├── plugins.aftereffects2022.pkg
├── plugins.aftereffects2023.pkg
├── plugins.aftereffects2024.pkg
├── plugins.aftereffects2025.pkg
├── preinstall.pkg
├── Resources
├── scenebuilder.pkg
└── uninstaller.pkg

Each "child" pkg would install parts of my product in different locations on the target macOS disk (this is why I'm using that kind of style of building the custom installer).

Signing each and every bundle or binary of my product, signing the "child" pkgs, then notarizing them works well with no issues. In addition, signing the "final" "distribution" using the productbuild --sign option also works well, but when trying to notarize the "final" pkg, the notary service fails with this error:

{
  "logFormatVersion": 1,
  "jobId": "5fb38df9-ef97-4bd3-955e-7783c37ac4a8",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "SceneTools-3.4.4-osx-installer.pkg",
  "uploadDate": "2025-06-26T14:14:41.507Z",
  "sha256": "621de5d887b06ad11214255c6e91ebd9eeffb18ad8f940365f4539bd1902fe9a",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "SceneTools-3.4.4-osx-installer.pkg",
      "message": "Package SceneTools-3.4.4-osx-installer.pkg has no signed executables or bundles. No tickets can be generated.",
      "docUrl": null,
      "architecture": null
    },
    {
      "severity": "warning",
      "code": null,
      "path": "SceneTools-3.4.4-osx-installer.pkg",
      "message": "The contents of the package at SceneTools-3.4.4-osx-installer.pkg could not be extracted.",
      "docUrl": null,
      "architecture": null
    }
  ]
}

My final pkg indeed doesn't contain any bundles or binaries directly, but that's how it should be - a container of "child" pkg.

I tried various ways of working around this issue, like:

  1. Notarizing the dmg that contains this final pkg - worked, but when opening the pkg, Gatekeeper blocks the users from opening it.
  2. Wrapping the pkg inside an .app and notarizing the .app - same as above.

What am I doing wrong? Are pkgs like my "final" pkg not meant to be notarized? If so, how can I solve these Gatekeeper blocks? Should I build my final pkg in a different way?
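Added example, not part of the original thread: a release-pipeline gate that triages a notary log like the one quoted above, separating errors from warnings and flagging archives the service reported it could not extract (so nothing inside them was inspected). The function name is hypothetical, and the success value "Accepted" and a null "issues" field on clean submissions are assumptions about the log format.

```python
import json
import sys

# Constructed sample: a trimmed copy of the notary log quoted in the post.
SAMPLE_LOG = r'''
{
  "logFormatVersion": 1,
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "archiveFilename": "SceneTools-3.4.4-osx-installer.pkg",
  "ticketContents": null,
  "issues": [
    {"severity": "error", "path": "SceneTools-3.4.4-osx-installer.pkg",
     "message": "Package SceneTools-3.4.4-osx-installer.pkg has no signed executables or bundles. No tickets can be generated."},
    {"severity": "warning", "path": "SceneTools-3.4.4-osx-installer.pkg",
     "message": "The contents of the package at SceneTools-3.4.4-osx-installer.pkg could not be extracted."}
  ]
}
'''

def triage_notary_log(raw_log):
    """Summarize a notary log so a build script can decide whether to ship."""
    log = json.loads(raw_log)
    issues = log.get("issues") or []            # assumed null when there are none
    tickets = log.get("ticketContents") or []   # null when no ticket was issued
    errors = [i for i in issues if i.get("severity") == "error"]
    warnings = [i for i in issues if i.get("severity") == "warning"]
    # A "could not be extracted" issue means the nested content was never
    # examined, so an otherwise clean result says nothing about it.
    unextracted = sorted({i.get("path", "?") for i in issues
                          if "could not be extracted" in i.get("message", "")})
    return {
        "releasable": log.get("status") == "Accepted" and not errors,
        "tickets": len(tickets),
        "errors": errors,
        "warnings": warnings,
        "unextracted": unextracted,
    }

if __name__ == "__main__":
    # Pipe a saved log in on stdin, or run with no input to use the sample.
    raw = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    report = triage_notary_log(raw)
    for issue in report["errors"] + report["warnings"]:
        print(f'{issue["severity"].upper()}: {issue["path"]}: {issue["message"]}')
    for path in report["unextracted"]:
        print(f"NOT INSPECTED: {path}")
    sys.exit(0 if report["releasable"] else 1)
```
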

Answered by DTS Engineer in 849536022

For those following along at home, we believe that this was caused by a problem with the notary service [1] and that’s now resolved.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Notary disagreed with the Installer as to what was a valid package and, you know, the Installer has the high ground here (-:

I think you're using the wrong certificate type. "Developer ID Application" is for applications. Developer ID Installer is for .pkg files.

I think you're using the wrong certificate type.

Sadly, it’s not that simple.


avi_b, I asked about this internally and it seems that something about the way that your top-level package is constructed is causing the notary service to not see the content in the nested ones. However, we’re not sure exactly what that is.

Please file a bug about this, and then post your bug number here. That’ll make it easier for us to properly track this investigation.

Also, it’d help if you could add a couple of things to your bug:

  • A copy of the SceneTools-3.4.4-osx-installer.pkg package that you notarised.

  • Specific info on how you constructed that package. You said that you’re using Apple tools for this, so presumably you’re driving that from a script of some sorts. If you can attach that script, that’d be grand.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

@avi_b, We suspect that this will require a fix on our side and we’d really like you to file a bug so that we can use it to track the fix.

Once you’re done, please reply here with your bug number.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

@avi_b, I’m still hoping to get that bug number from you.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
