Debugging code signing and notarization

Author: Jojo-Schmitz

build/ci/macos/notarize.sh

@@ -33,12 +33,15 @@ echo "Uploading to apple to notarize..."
 
 for i in 1 2 3; do
     c=0
-    xcrun notarytool submit \
+    set -o pipefail
+    (xcrun notarytool submit $ARTIFACTS_DIR/$ARTIFACT_NAME \
         --apple-id $APPLE_USERNAME \
-        --team-id $APPLE_TEAM_ID \
         --password $APPLE_PASSWORD \
-        --wait $ARTIFACTS_DIR/$ARTIFACT_NAME \
+        --team-id $APPLE_TEAM_ID \
+        --wait \
+        | tee -a notarytool_log.txt) \
         || c=$?
+    set +o pipefail
     if [ $c -eq 0 ]; then break; fi
     if [ $i -eq 3 ]; then
         echo "notarytool failed; exiting after 3 retries."
@@ -47,6 +50,12 @@ for i in 1 2 3; do
     echo "notarytool failed; retrying in 30s"
     sleep 30
 done
+xcrun notarytool log $(awk '/id:/ { print $2; exit}' notarytool_log.txt) \
+        --apple-id $APPLE_USERNAME \
+        --password $APPLE_PASSWORD \
+        --team-id $APPLE_TEAM_ID \
+        notary_extra_log.json
+jq "." notary_extra_log.json || cat notary_extra_log.json
 
 echo "Stapling and running packaging up"
 xcrun stapler staple $ARTIFACTS_DIR/$ARTIFACT_NAME

build/package_mac

@@ -199,9 +199,10 @@ find "${VOLUME}/${LONGER_NAME}.app/Contents/Resources" -name '*.dylib' -exec cod
 # Sign code in other (more conventional) locations
 codesign --force --options runtime --entitlements "${WORKING_DIRECTORY}/../build/macosx_entitlements.plist" --deep -s "Developer ID Application: ${DEVELOPER_NAME}" "${CODE_PATHS[@]}"
 echo "spctl"
-spctl --assess --type execute "${VOLUME}/${LONGER_NAME}.app"
+spctl --assess --type execute --verbose=4 --ignore-cache --no-cache "${VOLUME}/${LONGER_NAME}.app"
 echo "Codesign verify"
 codesign --verify --deep --strict --verbose=2 "${CODE_PATHS[@]}"
+codesign -d -vvv "${CODE_PATHS[@]}"
 
 echo "Unmount"
 for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do