fix(build): staple notarization ticket to .app and DMG#91
Merged
Without a stapled ticket, Gatekeeper must contact Apple online on first launch. When that check fails (no network, captive portal, slow notary servers), users see "could not verify" — even though the app is correctly notarized. Cask installs are especially affected: the cask discards the DMG context after copying, so any ticket on the DMG alone is lost. Notarize and staple the .app explicitly (via ditto+zip submit), and also wait+staple the DMG so direct DMG installs work offline too.
## Summary

- Notarize and staple the `.app` bundle directly (via ditto+zip submit) so Gatekeeper does not need an online check on first launch
- Add `--wait` + `xcrun stapler staple` to the DMG notarization step

## Why
A user reported the "MeetingTranscriber Not Opened — Apple could not verify..." dialog after a fresh Cask install, even though the build is correctly signed and notarized.
Investigation showed:
- `spctl`: Notarized Developer ID ✅
- `stapler validate`: ❌ no ticket stapled to either `.app` or DMG

Without a stapled ticket, Gatekeeper must contact Apple online on first launch. When that check fails (no network, captive portal, slow notary servers), users see the scary dialog. Cask installs are especially affected because the cask discards the DMG context after copying the `.app`, so any ticket on the DMG alone is lost.

## Trade-off
The build now waits for Apple's notary service to finish (typically 1–5 min, occasionally up to ~15 min) before stapling. This makes releases slower but means users never hit the online-check failure path.
## Test plan

- `./scripts/build_release.sh` locally with valid `APPLE_ID`/`TEAM_ID`/`APP_PASSWORD`
- `xcrun stapler validate MeetingTranscriber.app` succeeds
- `xcrun stapler validate MeetingTranscriber-<version>.dmg` succeeds
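The submit, wait, staple, validate flow this PR describes, written out as an added shell example that is not the project's `build_release.sh`. It assumes the same `APPLE_ID`/`TEAM_ID`/`APP_PASSWORD` variables as the test plan, a `--run` flag to trigger the real commands, and constructed sample JSON standing in for notarytool output; the important part is that stapling only happens once Apple reports `Accepted`, and that `stapler validate` is run afterwards so a missing ticket fails the build instead of surfacing as the "could not verify" dialog on a user's machine.

```shell
#!/bin/sh
# Added example, not the project's build script. Notarize an artifact with
# --wait, staple the ticket, and validate that the ticket is really attached.
set -eu

# Pull the "status" field out of `notarytool ... --output-format json` output.
# Plain sed so it can be exercised offline against the constructed samples below.
notary_status() {
  printf '%s' "$1" | sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Refuse to staple anything Apple did not accept. "Invalid" or a timeout that
# leaves the job "In Progress" must fail the build, otherwise the release ships
# with exactly the online-check-only behaviour this PR is fixing.
require_accepted() {
  status=$(notary_status "$1")
  [ "$status" = "Accepted" ] && return 0
  echo "notarization not accepted (status: ${status:-unknown})" >&2
  return 1
}

# Submit one artifact (.app or .dmg), wait for the verdict, staple, validate.
notarize_and_staple() {
  artifact=$1
  submit=$1
  case "$artifact" in
    *.app)  # bundles cannot be submitted as-is; zip them with ditto first
      submit="${artifact%.app}.zip"
      ditto -c -k --keepParent "$artifact" "$submit" ;;
  esac
  out=$(xcrun notarytool submit "$submit" \
          --apple-id "$APPLE_ID" --team-id "$TEAM_ID" --password "$APP_PASSWORD" \
          --wait --output-format json)
  require_accepted "$out"
  xcrun stapler staple "$artifact"
  xcrun stapler validate "$artifact"   # non-zero exit if no ticket is stapled
}

# Constructed samples of the JSON shape notarytool prints after --wait
# (placeholder id, not real notary output).
SAMPLE_ACCEPTED='{"id":"00000000-0000-0000-0000-000000000000","status":"Accepted","message":"Processing complete"}'
SAMPLE_INVALID='{"id":"00000000-0000-0000-0000-000000000000","status":"Invalid","message":"Processing complete"}'

if [ "${1:-}" = "--run" ]; then
  notarize_and_staple MeetingTranscriber.app
  notarize_and_staple "MeetingTranscriber-${VERSION:?set VERSION}.dmg"
fi
```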