
Unable to pass Apple notarization with .NET 6.0 executable


Problem

The .NET 6.0 executable file will not pass notarization. The remaining files are OK.

Setup

  • macOS Catalina: Version 10.15.7
  • dotnet --version: 6.0.100-rc.2.21505.57
  • The right certificate is available in keychain
  • Entitlement used to sign the executable:
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.cs.allow-jit</key><true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
    <key>com.apple.security.cs.disable-executable-page-protection</key><true/>
  </dict>
</plist>

Publish steps

dotnet restore -r osx.10.15-x64 DWGuru/src/DWGuru/DWGuru.csproj

Restored ***/DWGuru/src/ImGui.NET/ImGui.NET.csproj (in 252 ms).
Restored ***/DWGuru/src/DWGuru/DWGuru.csproj (in 870 ms).

dotnet msbuild -t:BundleApp -p:RuntimeIdentifier=osx.10.15-x64 -p:UseAppHost=true -p:PublishSingleFile=true -p:PublishReadyToRun=true -p:Configuration=Release DWGuru/src/DWGuru/DWGuru.csproj

Microsoft (R) Build Engine version 17.0.0-preview-21501-01+bbcce1dff for .NET
Copyright (C) Microsoft Corporation. All rights reserved.

  You are using a preview version of .NET. See: https://aka.ms/dotnet-core-preview
  You are using a preview version of .NET. See: https://aka.ms/dotnet-core-preview
  ImagesReferenceTracker ->***/DWGuru/bin/Release/ImagesReferenceTracker/net6.0/ImagesReferenceTracker.dll
  ImGui.NET -> ***/DWGuru/bin/Release/ImGui.NET/net6.0/ImGui.NET.dll
  DWGuru -> ***/DWGuru/bin/Release/DWGuru/net6.0/osx.10.15-x64/DWGuru.dll
  DWGuru -> ***/DWGuru/bin/Release/DWGuru/net6.0/osx.10.15-x64/publish/

cp -r DWGuru/bin/Release/DWGuru/net6.0/osx.10.15-x64/publish/DWGuru.app . succeeds

codesign DWGuru.app/Contents/MacOS/* --force --timestamp --sign *** --options=runtime --deep --no-strict --entitlements 'entitlements.plist'

DWGuru.app/Contents/MacOS/DWGuru: replacing existing signature
DWGuru.app/Contents/MacOS/DWGuru: signed app bundle with Mach-O thin (x86_64) [***]
DWGuru.app/Contents/MacOS/DWGuru.pdb: replacing existing signature
DWGuru.app/Contents/MacOS/DWGuru.pdb: signed generic [DWGuru]
DWGuru.app/Contents/MacOS/ImGui.NET.pdb: replacing existing signature
DWGuru.app/Contents/MacOS/ImGui.NET.pdb: signed generic [ImGui.NET]
DWGuru.app/Contents/MacOS/ImGui.NET.xml: replacing existing signature
DWGuru.app/Contents/MacOS/ImGui.NET.xml: signed generic [ImGui.NET]
DWGuru.app/Contents/MacOS/ImagesReferenceTracker.pdb: replacing existing signature
DWGuru.app/Contents/MacOS/ImagesReferenceTracker.pdb: signed generic [ImagesReferenceTracker]
DWGuru.app/Contents/MacOS/System.Globalization.Native.dylib: replacing existing signature
DWGuru.app/Contents/MacOS/System.Globalization.Native.dylib: signed Mach-O thin (x86_64) [System.Globalization.Native]
DWGuru.app/Contents/MacOS/System.IO.Compression.Native.dylib: replacing existing signature
DWGuru.app/Contents/MacOS/System.IO.Compression.Native.dylib: signed Mach-O thin (x86_64) [System.IO.Compression.Native]
DWGuru.app/Contents/MacOS/System.Native.a: replacing existing signature
DWGuru.app/Contents/MacOS/System.Native.a: signed generic [System.Native]
DWGuru.app/Contents/MacOS/System.Native.dylib: replacing existing signature
DWGuru.app/Contents/MacOS/System.Native.dylib: signed Mach-O thin (x86_64) [System.Native]
DWGuru.app/Contents/MacOS/System.Net.Http.Native.dylib: replacing existing signature
DWGuru.app/Contents/MacOS/System.Net.Http.Native.dylib: signed Mach-O thin (x86_64) [System.Net.Http.Native]
DWGuru.app/Contents/MacOS/System.Net.Security.Native.dylib: replacing existing signature
DWGuru.app/Contents/MacOS/System.Net.Security.Native.dylib: signed Mach-O thin (x86_64) [System.Net.Security.Native]
DWGuru.app/Contents/MacOS/System.Security.Cryptography.Native.Apple.dylib: replacing existing signature
DWGuru.app/Contents/MacOS/System.Security.Cryptography.Native.Apple.dylib: signed Mach-O thin (x86_64) [System.Security.Cryptography.Native.Apple]
DWGuru.app/Contents/MacOS/System.Security.Cryptography.Native.OpenSsl.dylib: replacing existing signature
DWGuru.app/Contents/MacOS/System.Security.Cryptography.Native.OpenSsl.dylib: signed Mach-O thin (x86_64) [System.Security.Cryptography.Native.OpenSsl]
DWGuru.app/Contents/MacOS/cimgui.dll: replacing existing signature
DWGuru.app/Contents/MacOS/cimgui.dll: signed generic [cimgui]
DWGuru.app/Contents/MacOS/cimgui.dylib: replacing existing signature
DWGuru.app/Contents/MacOS/cimgui.dylib: signed Mach-O thin (x86_64) [cimgui]
DWGuru.app/Contents/MacOS/cimgui.so: replacing existing signature
DWGuru.app/Contents/MacOS/cimgui.so: signed generic [cimgui]
DWGuru.app/Contents/MacOS/dotnet: replacing existing signature
DWGuru.app/Contents/MacOS/dotnet: signed Mach-O thin (x86_64) [dotnet]
DWGuru.app/Contents/MacOS/libsdl2.dylib: replacing existing signature
DWGuru.app/Contents/MacOS/libsdl2.dylib: signed Mach-O thin (x86_64) [libsdl2]
DWGuru.app/Contents/MacOS/libsos.dylib: replacing existing signature
DWGuru.app/Contents/MacOS/libsos.dylib: signed Mach-O thin (x86_64) [libsos]
DWGuru.app/Contents/MacOS/libuv.dylib: replacing existing signature
DWGuru.app/Contents/MacOS/libuv.dylib: signed Mach-O universal (i386 x86_64) [libuv]
DWGuru.app/Contents/MacOS/sosdocsunix.txt: replacing existing signature
DWGuru.app/Contents/MacOS/sosdocsunix.txt: signed generic [sosdocsunix]

codesign DWGuru.app --force --timestamp --sign *** --options=runtime --deep --no-strict --entitlements 'entitlements.plist'

DWGuru.app: replacing existing signature
DWGuru.app: signed app bundle with Mach-O thin (x86_64)

zip -r DWGuru.zip DWGuru.app

xcrun altool --notarize-app --primary-bundle-id "***" --username "***" --password "" --asc-provider "***" --file "DWGuru.zip"

No errors uploading 'DWGuru.zip'.
RequestUUID = ***-***-***-***-***

Result

xcrun altool --username "***" --password "***" --notarization-info ***-***-***-***-***

No errors getting notarization info.

          Date: 2021-10-29 17:29:41 +0000
          Hash: ***
    LogFileURL:***
accessKey=***
   RequestUUID: ***
        Status: invalid
   Status Code: 2
Status Message: Package Invalid
{
  "logFormatVersion": 1,
  "jobId": "***",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "DWGuru.zip",
  "uploadDate": "2021-10-29T17:48:43Z",
  "sha256": "***",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "DWGuru.zip/DWGuru.app/Contents/MacOS/DWGuru",
      "message": "The signature of the binary is invalid.",
      "docUrl": null,
      "architecture": "x86_64"
    }
  ]
}

Solution

  • The issue was with the zip tool. It broke the zip file, so notarization would fail on Apple's side.

    zip -r DWGuru.zip DWGuru.app

    becomes

    /usr/bin/ditto -c -k --keepParent DWGuru.app DWGuru.zip
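
A pre-upload check for the failure described above, as an added example that is not part of the original post: it verifies the signature on the bundle, archives it with the same ditto command, extracts the archive to a scratch directory and verifies again, so a signing problem (exit 4) can be told apart from an archive that damaged the signature (exit 1). The function names and the DITTO/CODESIGN override variables are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# DITTO and CODESIGN can be overridden, e.g. to exercise the logic off macOS.
DITTO="${DITTO:-/usr/bin/ditto}"
CODESIGN="${CODESIGN:-/usr/bin/codesign}"

# Archive the bundle with the same command as in the Solution above.
pack_for_notarization() {            # $1 = path to .app, $2 = zip to create
    [ -d "$1" ] || { echo "not a bundle: $1" >&2; return 2; }
    rm -f "$2"
    "$DITTO" -c -k --keepParent "$1" "$2"
}

# Extract the archive to a scratch directory and verify the signature there.
# Returns 0 = intact, 1 = signature invalid after extraction, 3 = extract failed.
verify_roundtrip() {                 # $1 = zip, $2 = bundle name inside it
    tmp=$(mktemp -d) || return 2
    rc=0
    "$DITTO" -x -k "$1" "$tmp" || rc=3
    if [ "$rc" -eq 0 ]; then
        "$CODESIGN" --verify --deep --strict --verbose=2 "$tmp/$2" || rc=1
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Full gate: 4 = the bundle was already invalid before archiving,
# 2 = archiving failed, otherwise the result of verify_roundtrip.
check_notarization_zip() {           # $1 = path to .app, $2 = zip to create
    "$CODESIGN" --verify --deep --strict --verbose=2 "$1" || return 4
    pack_for_notarization "$1" "$2" || return 2
    verify_roundtrip "$2" "$(basename "$1")"
}

# Usage on macOS:
#   check_notarization_zip DWGuru.app DWGuru.zip && echo "safe to upload"
```
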