CodeSign/Notarize Service app


I am trying to figure out how to codesign and notarize my Service app… Has anyone managed to do this?

I am able to notarize desktop apps both with App Wrapper and via the terminal… but Service apps are not bundled the same way.


I guess you got the “notarization error” that the service/console application is not codesigned?

We codesign our macOS Service/Console Applications via Script/Terminal like this (pseudo-code - I hope you get the idea):

#CodeSign dylib's codesign --timestamp -f -s "${Codesign_Identity}" "/path/to/serviceapp/serviceapp Libs/"*.dylib #CodeSign ConsoleApp codesign --timestamp -f --options runtime --entitlements "/path/to/entitlements.plist" --deep -s "${Codesign_Identity}" -i "/path/to/serviceapp/serviceappexecutable"
Since the console/service app has no “Info.plist” (such as a, you need to specify the “Bundle Identifier” yourself via “-i”.

Note: In our case, the console app is bundled inside a
As a next step, the is codesigned/notarized “as usual”.

Thanks… this helps… I was not including the “-i” parameter for the service codesign… but it looks like I still have some issues to work out with my dmg.

I still am having problems… I think I have properly code signed my service app along with all the libs……

If I enter:
codesign -dv --verbose=4 <path/to/my/service>
I get:

Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=134000 flags=0x10000(runtime) hashes=4180+3 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha1=
CandidateCDHash sha256=
Hash choices=sha1,sha256
Page size=4096
Signature size=9071
Authority=Developer ID Application: Varsity Systems, LLC ()
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Aug 12, 2019 at 12:49:09 PM
Info.plist=not bound
Runtime Version=10.14.0
Sealed Resources=none
Internal requirements count=1 size=196

… and I get essentially the same if I verify all the libs.

That executable launches with no problems.

So now I create a dmg from the folder containing the executable, resources and libs using Disk Utility….

If I mount that dmg the executable works fine and the codesign still verifies just like the original.

Now I sign the dmg using:

codesign -o runtime -s "Developer ID Application: Varsity Systems, LLC ()” <path/to/dmg>

If I mount that dmg the executable runs fine…. and its codesign also verifies just like above.

If I try to notarize the dmg using:

xcrun altool --notarize-app --primary-bundle-id “com.varsitysystems.sms” --username “" --password “" —file <path/to/dmg/file>

I get an error which includes in part:
“Archive contains critical validation errors”,
“path”: “SMS.dmg/SMS",
“message”: “The signature of the binary is invalid.”,

I have also tried to Notarize the dmg without codesgining it first…. but get the same error.

Any idea what I am doing wrong?


[quote=450268:@James Meyer]“path”: “SMS.dmg/SMS",
“message”: “The signature of the binary is invalid.”[/quote]
What do you have in the .dmg? A folder “SMS”, which just contains the Xojo-built service/console application?
To me it seems that the Notarization/Validation is looking for an “.app bundle”, which this obviously isn’t (if my assumption is correct)…

Then this is really a good question: How to notarize “just a console/service app” (which is not bundled inside an .app or .pkg)?

One thing I’d try is to codesign the whole folder “SMS” as the last codesign step. So that it gets a signature of what’s all inside the folder. Then create the .dmg, sign that one too, and send it to notary service.

Hmm… what else could be similar? Maybe @Christian Schmitz will tell us how he’s notarizing his Plugin-Downloads (which aren’t an “.app”)? I think to remember he’s mentioned doing that now.

So apart from “bundle it within an .app”, another option would be to provide a .pkg. A .pkg installer can include the ConsoleApp and install it to some predefined location. You’d then still need to sign the console app, package it to the .pkg, and finally codesign/notarize the .pkg you’re going to distribute.

I’m still curious to know if there is a way to codesign/notarize “just a standalone console/service app” (which the user downloads as a “Folder inside a .dmg”, and can move it where-ever they want it to be). I wouldn’t be surprised if that’s not possible. But I’d be more happy to be proven wrong :wink:

Yes… The SMS folder includes the executable along with a “Resources” and " Libs" sub-folder.

I will explore adding another folder on top of it all and see if it makes a difference… But also, see my next post.

I got my Service app to Notarize using a zip…(still unable to get dmg to work). This is what I did in a Terminal window… where is the path to the Build folder that contains the executable along with the “Resources” and " Libs" sub-folders.

1: xattr -cr

This removes any Finder Info or Resource forks from all the files in the .

2: codesign --timestamp -f -s “Developer ID Application: ()” “/ Libs/”*.dylib

Codesigns the .dylibs in Lib sub-folder. Also look for other files in that sub-folder which do not have a dylib extension… and run this command on them specifically.

3: codesign --timestamp -f -o runtime --deep -s “Developer ID Application: ()” -i “/”

Codesigns the executable itself. You should now have a new sub-folder called “_CodeSignature”… leave it in the folder.

4: Zip the build folder.

5: xcrun altool --notarize-app --primary-bundle-id “” --username “<your user name/email>” --password “” --file

After the zip uploads to Apple… which can take a minute or so… you should get back something like:
2019-08-12 16:35:54.462 altool[14881:2220844] No errors uploading ‘’.
RequestUUID = 76170fe4-fd84-40c6-8f0d-f45c6defe921

Once Apple has completed the Notarization you will get an email indicating if it passed or not… If not, you can get an error log by entering:

xcrun altool --notarization-info -u “<your user name/email>” --password “”

This will give you a big long URL which you can paste into your browser and obtain the log.