TL;DR: Do not zip your app bundles with the zip command. Instead use “ditto -c -k --sequesterRsrc --keepParent MyApp.app MyApp.app.zip”, or manually right-click your MyApp.app bundle in the Finder and choose “Compress MyApp.app”. The zip command alters the UTF binary encoding of the files and makes the signature invalid.
We just went through hell to get FrostWire for Mac notarized by Apple’s automated service.
Since FrostWire is not a regular Objective-C/Swift app but a Java app, our (one-step) build process is done entirely with bash scripts in the terminal.
The notarization process made us realize we had some old binaries that we hadn’t recompiled since the Mac 10.6 SDK, and it made us sign them with hardened runtime support. It also made us make sure there were no hidden .DS_ files, as these can also cause the app bundle to be considered invalid by Apple.
In the end we were able to sign our squeaky-clean FrostWire.app bundle, and however we checked it, it appeared to have no errors whatsoever.
We’d always get the following error for our submission:
“The signature of the binary is invalid”
It was the damn .zip file
Thinking there was something wrong with our installer’s executable, we even rebuilt it using a custom Makefile directly in the terminal, rather than through an Xcode project as we used to. As a bonus, we think it’s much simpler now.
Between our signature check on the local machine and the notarization submission there was one more step: compressing FrostWire.app into a FrostWire.app.zip file.
To zip our bundle before submitting it to the notarization service (altool --notarize-app), we were using the zip command available at /usr/bin/zip.
And this was the problem. This “zip” command is not the same compression software the Finder uses when you right-click a file and hit “Compress”;
it’s called Info-ZIP and it’s not made by Apple.
As soon as we zipped FrostWire.app with the Finder and submitted that zip file, we were successful.
This is why the code signature checks passed just fine on our end, but not on Apple’s side.
You can zip your bundle from your script with the “ditto” tool, producing the same kind of archive as the Finder, this way: “ditto -c -k --sequesterRsrc --keepParent FrostWire.app FrostWire.app.zip”
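The packaging step described above, as an added shell example that is not FrostWire’s own build script: it looks for the hidden .DS_Store and ._* metadata files the post mentions, refuses to fall back to the Info-ZIP zip binary, and builds the archive with the same ditto invocation. The function names, the Fake.app path in the comments and the codesign check are my own additions.

```shell
#!/bin/sh
# Added example (not FrostWire's build script): package an .app bundle for
# notarization the way the Finder's "Compress" does, using ditto.
set -eu

# Print any Finder/AppleDouble metadata files hiding inside the bundle
# (.DS_Store and ._* files). Returns 1 if any were found, 0 if clean.
find_stray_metadata() {
  bundle="$1"
  found=$(find "$bundle" \( -name '.DS_Store' -o -name '._*' \) -print)
  if [ -n "$found" ]; then
    printf '%s\n' "$found"
    return 1
  fi
  return 0
}

# Delete those files so they cannot invalidate the bundle.
remove_stray_metadata() {
  find "$1" \( -name '.DS_Store' -o -name '._*' \) -delete
}

# Build the archive with ditto. --sequesterRsrc keeps resource forks and HFS
# metadata in a __MACOSX subtree; --keepParent keeps the top-level
# MyApp.app directory name inside the archive, as the Finder does.
# Deliberately refuses to fall back to /usr/bin/zip (Info-ZIP).
package_bundle() {
  bundle="$1"
  out="${2:-$1.zip}"
  if ! command -v ditto >/dev/null 2>&1; then
    echo "ditto not found; refusing to fall back to /usr/bin/zip" >&2
    return 2
  fi
  find_stray_metadata "$bundle" >/dev/null || remove_stray_metadata "$bundle"
  ditto -c -k --sequesterRsrc --keepParent "$bundle" "$out"
  printf '%s\n' "$out"
}

# Local signature check to run before submitting (macOS only).
verify_bundle() {
  codesign --verify --deep --strict --verbose=2 "$1"
}

# Usage (hypothetical bundle name): verify_bundle Fake.app && package_bundle Fake.app
```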
This issue is not mentioned in the Apple Developer Documentation article “Resolving Common Notarization Issues”; hopefully it’ll reach their ears and they’ll add this solution to the list of possible solutions and caveats in its “Ensure a Valid Signature” section.