Hi everyone, Has anyone seen notarization behave like this? We have one specific app (let’s call it App A) with a Network Extension system extension. Whenever we submit App A for notarization: • Its submission stays “In Progress” indefinitely • The provisioning profile for its system extension becomes Invalid on its own • All our other apps suddenly fail notarization • And the whole team immediately gets: StatusCode 7000 – “Team is not yet configured for notarization.” Apple Support restored notarization once(Case 102738171569), and we confirmed other apps notarize fine — until we submit App A again, which instantly triggers the same team-wide block. This cycle has repeated twice. We verified: • Hardened runtime • Proper system extension signing • No private API usage • No get-task-allow • No ATS violations What’s confusing is that this doesn’t look like a normal notarization rejection. Normal failures don’t invalidate provisioning profiles or disable notarization for the entire team. It feels more like an automated security heuristic or misclassification. My questions: 1. Can a single app or system extension trigger an automated team-wide notarization disable? 2. Can an entitlement or NE configuration issue cause StatusCode 7000 instead of a standard rejection? 3. If this could be a false positive, is there a specific team at Apple who can manually review/clear it? Any insight would be greatly appreciated.

App Notarization got stuck, showing In-Progress from last 24 hrs. This is really frustrating. Can anyone plz update on this?

Error 7000 "Team is not yet configured for notarization" - Cannot notarize any apps I'm trying to notarize macOS apps for Developer ID distribution and consistently getting error 7000 on every submission. Error Details: { "status": "Rejected", "statusSummary": "Team is not yet configured for notarization. Please contact Developer Programs Support at developer.apple.com under the topic Development and Technical / Other Development or Technical Questions.", "statusCode": 7000 } What I've tried: Completed enrollment verification Created new App Store Connect API key with Admin access Created fresh App-Specific Password Submitted via both API key and App-Specific Password authentication All submissions are accepted and uploaded successfully, but after processing they're rejected with error 7000 Technical Details: Active Developer ID Application certificate Hardened runtime enabled Apps are properly code-signed (codesign -vvv passes) Behavior: Over 15 submissions since December 2nd - ALL rejected with the same error 7000. The submissions upload successfully and show "In Progress" for extended periods (sometimes hours) before eventually being rejected. Questions: Has anyone encountered error 7000 and resolved it? What was the fix? Are there any account settings or agreements required specifically for notarization that aren't obvious in the developer portal? Should I contact Apple Developer Support directly, or is there a self-service solution? Any guidance would be greatly appreciated.

Dear support team, is it possible to rename a notarized ZIP package and not to loose the notarized status? One of our ZIP package contains resources and binaries which are code signed. The archive itself is accepted after submitting and uploading during the notarization process (online notarization). Unfortunately, the ZIP cannot be stapled (offline verification). So, is the filename part of the notarized ZIP package or can a ZIP package be renamed? Best regards, Stefan

i encountered an error when i distributing my app on xcode 26.0.1. Below is error log. { "logFormatVersion": 1, "jobId": "ed2b622b-61f6-4c8a-90b7-7c3cdfbafc7a", "status": "Rejected", "statusSummary": "Team is not yet configured for notarization. Please contact Developer Programs Support at developer.apple.com under the topic Development and Technical / Other Development or Technical Questions.", "statusCode": 7000, "archiveFilename": "mychm.zip", "uploadDate": "2025-12-10T01:50:34.198Z", "sha256": "b61e224154823c8e06c3db904d67a78969f1564c7602f1fa77335fdd12a8d22b", "ticketContents": null, "issues": null }

The notary service requires that all Mach-O images be linked against the macOS 10.9 SDK or later. This isn’t an arbitrary limitation. The hardened runtime, another notarisation requirement, relies on code signing features that were introduced along with macOS 10.9 and it uses the SDK version to check for their presence. Specifically, it checks the SDK version using the sdk field in the LC_BUILD_VERSION Mach-O load command (or the older LC_VERSION_MIN_MACOSX command). There are three common symptoms of this problem: When notarising your product, the notary service rejects a Mach-O image with the error The binary uses an SDK older than the 10.9 SDK. When loading a dynamic library, the system fails with the error mapped file has no cdhash, completely unsigned?. When displaying the code signature of a library, codesign prints this warning: % codesign -d vvv /path/to/your.dylib … Library validation warning=OS X SDK version before 10.9 does not support Library Validation … If you see any of these errors, read on… The best way to avoid this problem is to rebuild your code with modern tools. However, in some cases that’s not possible. Imagine if your app relies on the closed source libDodo.dylib library. That library’s vendor went out of business 10 years ago, and so the library hasn’t been updated since then. Indeed, the library was linked against the macOS 10.6 SDK. What can you do? The first thing to do is come up with a medium-term plan for breaking your dependency on libDodo.dylib. Relying on an unmaintained library is not something that’s sustainable in the long term. The history of the Mac is one of architecture transitions — 68K to PowerPC to Intel, 32- to 64-bit, and so on — and this unmaintained library will make it much harder to deal with the next transition. IMPORTANT I wrote the above prior to the announcement of the latest Apple architecture transition, Apple silicon. When you update your product to a universal binary, you might as well fix this problem on the Intel side as well. Do not delay that any further: While Apple silicon Macs are currently able to run Intel code using Rosetta 2, that’s not something you want to rely on in the long term. Heed this advice from About the Rosetta Translation Environment: Rosetta is meant to ease the transition to Apple silicon, giving you time to create a universal binary for your app. It is not a substitute for creating a native version of your app. But what about the short term? Historically I wasn’t able to offer any help on that front, but this has changed recently. Xcode 11 ships with a command-line tool, vtool, that can change the LC_BUILD_VERSION and LC_VERSION_MIN_MACOSX commands in a Mach-O. You can use this to change the sdk field of these commands, and thus make your Mach-O image ‘compatible’ with notarisation and the hardened runtime. Before doing this, consider these caveats: Any given Mach-O image has only a limited amount of space for load commands. When you use vtool to set or modify the SDK version, the Mach-O could run out of load command space. The tool will fail cleanly in this case but, if it that happens, this technique simply won’t work. Changing a Mach-O image’s load commands will break the seal on its code signature. If the image is signed, remove the signature before doing that. To do this run codesign with the --remove-signature argument. You must then re-sign the library as part of your normal development and distribution process. Remember that a Mach-O image might contain multiple architectures. All of the tools discussed here have an option to work with a specific architecture (usually -arch or --architecture). Keep in mind, however, that macOS 10.7 and later do not run on 32-bit Macs, so if your deployment target is 10.7 or later then it’s safe to drop any 32-bit code. If you’re dealing with a Mach-O image that includes 32-bit Intel code, or indeed PowerPC code, make your life simpler by removing it from the image. Use lipo for this; see its man page for details. It’s possible that changing a Mach-O image’s SDK version could break something. Indeed, many system components use the main executable’s SDK version as part of their backwards compatibility story. If you change a main executable’s SDK version, you might run into hard-to-debug compatibility problems. Test such a change extensively. It’s also possible, but much less likely, that changing the SDK version of a non-main executable Mach-O image might break something. Again, this is something you should test extensively. This list of caveats should make it clear that this is a technique of last resort. I strongly recommend that you build your code with modern tools, and work with your vendors to ensure that they do the same. Only use this technique as part of a short-term compatibility measure while you implement a proper solution in the medium term. For more details on vtool, read its man page. Also familiarise yourself with otool, and specifically the -l option which dumps a Mach-O image’s load commands. Read its man page for details. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" Revision history: 2025-04-03 — Added a discussion of common symptoms. Made other minor editorial changes. 2022-05-09 — Updated with a note about Apple silicon. 2020-09-11 — First posted.

General: Forums topic: Code Signing Forums subtopic: Code Signing > Notarization Forums tag: Notarization WWDC 2018 Session 702 Your Apps and the Future of macOS Security WWDC 2019 Session 703 All About Notarization WWDC 2021 Session 10261 Faster and simpler notarization for Mac apps WWDC 2022 Session 10109 What’s new in notarization for Mac apps — Amongst other things, this introduced the Notary REST API Notarizing macOS Software Before Distribution documentation Customizing the Notarization Workflow documentation Resolving Common Notarization Issues documentation Notary REST API documentation TN3147 Migrating to the latest notarization tool technote Fetching the Notary Log forums post Q&A with the Mac notary service team Developer > News post Apple notary service update Developer > News post Notarisation and the macOS 10.9 SDK forums post Testing a Notarised Product forums post Notarisation Fundamentals forums post The Pros and Cons of Stapling forums post Resolving Error 65 When Stapling forums post Many notarisation issues are actually code signing or trusted execution issue. For more on those topics, see Code Signing Resources and Trusted Execution Resources. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"

When I submit my app for notarization, it takes more than 24 hours but still shows "In progress". Does anyone else experience the same issue? Here is the history records: Successfully received submission history. history -------------------------------------------------- createdDate: 2024-12-22T07:32:20.998Z id: 81f36df5-21a2-4101-a264-9ac62e7b85a5 name: Gatsbi.zip status: In Progress -------------------------------------------------- createdDate: 2024-12-22T04:00:29.496Z id: 6d99632c-7aef-4e46-bdef-d70845cd39b5 name: Gatsbi.zip status: In Progress -------------------------------------------------- createdDate: 2024-12-21T10:54:48.433Z id: 1fdcd6c6-d707-4521-9b4d-4a5f3e03959a name: Gatsbi.zip status: In Progress -------------------------------------------------- createdDate: 2024-12-21T10:05:02.700Z id: 4237e15e-00e3-4884-9bdd-f7f900af2dc1 name: Gatsbi.zip status: In Progress -------------------------------------------------- createdDate: 2024-12-21T08:40:19.404Z id: 102039b9-4a16-4fbb-8371-f9b6cb0e1a80 name: Gatsbi.zip status: In Progress -------------------------------------------------- createdDate: 2024-12-21T07:31:01.588Z id: b6f82941-1ac2-4f5d-99ed-c44141934a0d name: Gatsbi.zip status: Accepted

Hi Everyone, Just a quick, and what is probably a really simple question. Do I require a 'Paid' Apple Developer account if I just wish to notarise my application for use on my local network. I don't see myself needing to use the App Store in the near future. I know I can manually add the app and authorise it, but I'd like to avoid this. Kindly Ryn

We notarize all of our apps as part of our nightly build. Every few weeks Apple changes something in the developer agreement, and therefore require the primary account holder to accept the new terms. However, this means our nightly builds break until the terms are accepted, which is a true pain in the ass. Is there some way to tell notarytool to force the notarization? Or tell the lawyers to chill tf out? This seems to happen every 2-4 weeks.

From time to time I see folks run into error 65 when stapling a ticket to their notarised Mac software. This post explains the two common causes of that error. If you have questions or comments, start a new thread here on the forums. Put it in the Code Signing > Notarization topic area so that I see it. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" Resolving Error 65 When Stapling If you directly distribute Mac software, you must sign and notarise your product so that it passes Gatekeeper. For information on how to do this, see: Notarizing macOS software before distribution, if you use Xcode Creating distribution-signed code for macOS, Packaging Mac software for distribution, and Customizing the notarization workflow otherwise The last step of that process is to staple a ticket to your notarised product. This can fail with error 65. There are two common causes of that failure: No appropriate ticket Trust issues The following sections explain how to recognise and resolve these issues. Note You are not absolutely required to staple your product. See The Pros and Cons of Stapling for more on that topic. No Appropriate Ticket Consider the following stapling error: % stapler staple "TestError65.dmg" Processing: /Users/quinn/Desktop/TestError65 2025-03-03 22-12-47/TestError65.dmg CloudKit query for TestError65.dmg (2/d812985247c75e94fd603f026991f96144a031af) failed due to "Record not found". Could not find base64 encoded ticket in response for 2/d812985247c75e94fd603f026991f96144a031af The staple and validate action failed! Error 65. Note the Record not found message. This indicates that the stapling operation failed because there’s no appropriate ticket. To investigate this, look at the notary log: % notarytool-log b53042b6-4cbb-4cef-ade4-dae034a69947 { … "status": "Accepted", … "sha256": "f012735a6d53b17082c088627da4249c9988111d17e7a90c49aa64ebc6bae22e", "ticketContents": [ { "path": "TestError65.dmg/TestError65.app", "digestAlgorithm": "SHA-256", "cdhash": "abc27b0f2daee77b9316de3c6844fbd9e234621c", "arch": "x86_64" }, { "path": "TestError65.dmg/TestError65.app", "digestAlgorithm": "SHA-256", "cdhash": "9627c72e53d44ae77513613e2ce33314bd5ef41e", "arch": "arm64" }, { "path": "TestError65.dmg/TestError65.app/Contents/MacOS/TestError65", "digestAlgorithm": "SHA-256", "cdhash": "abc27b0f2daee77b9316de3c6844fbd9e234621c", "arch": "x86_64" }, { "path": "TestError65.dmg/TestError65.app/Contents/MacOS/TestError65", "digestAlgorithm": "SHA-256", "cdhash": "9627c72e53d44ae77513613e2ce33314bd5ef41e", "arch": "arm64" }, { "path": "TestError65.dmg", "digestAlgorithm": "SHA-256", "cdhash": "01a553c91ee389764971767f5082ab8c7dcece02" } ], "issues": null } First, make sure that the status field is Accepted. If there’s some other value, the notary service didn’t generate a ticket at all! To understand why, look at the rest of the notary log for errors and warnings. Assuming that your notarisation request was successful, look through the log for cdhash values. These represent the contents of the ticket generated by the notary service. Compare that list to the cdhash values of the code being signed: % hdiutil attach "TestError65.dmg" … … /Volumes/Install TestError65 % codesign -d -vvv --arch arm64 "/Volumes/Install TestError65/TestError65.app" … CDHash=9627c72e53d44ae77513613e2ce33314bd5ef41e … % codesign -d -vvv --arch x86_64 "/Volumes/Install TestError65/TestError65.app" … CDHash=abc27b0f2daee77b9316de3c6844fbd9e234621c … Those are all present in the ticket. However, consider the cdhash of the disk image itself: % codesign -d -vvv "TestError65.dmg" … CDHash=d812985247c75e94fd603f026991f96144a031af … That’s the cdhash that stapler is looking for: CloudKit query for TestError65.dmg (2/d812985247c75e94fd603f026991f96144a031af) failed due to "Record not found". But it’s not present in the notarised ticket. Note The term cdhash stands for code directory hash. If you’re curious what that’s about, see TN3126 Inside Code Signing: Hashes and the Notarisation Fundamentals DevForums post. What happened here is: I built the app. I signed it with my Developer ID code-signing identity. I created a disk image from that app. I signed that with my Developer ID code-signing identity. I notarised that. I then re-signed the disk image. This changes the cdhash in the code signature. Now the disk image’s cdhash doesn’t match the cdhash in the ticket, so stapling fails. To resolve this problem, make sure you’re stapling exactly the file that you submitted to the notary service. One good option is to compare the SHA-256 hash of the file you’re working on with the sha256 field in the notary log. Trust Issues Now consider this stapling error: % stapler staple "TestError65.dmg" Processing: /Users/quinn/TestError65.dmg Could not validate ticket for /Users/quinn/TestError65.dmg The staple and validate action failed! Error 65. Note how it’s different from the previous one. Rather than saying that the ticket was not found, it says Could not validate ticket. So, stapler found the ticket for the file and then tried to validate it before doing the staple operation. That validation failed, and thus this error. The most common cause of this problem is folks messing around with trust settings. Consider this: % security dump-trust-settings SecTrustSettingsCopyCertificates: No Trust Settings were found. % security dump-trust-settings -d SecTrustSettingsCopyCertificates: No Trust Settings were found. Contrast it with this: % security dump-trust-settings SecTrustSettingsCopyCertificates: No Trust Settings were found. % security dump-trust-settings -d Number of trusted certs = 1 Cert 0: Apple Root CA - G3 Number of trust settings : 10 … Someone has tweaked the trust settings for the Apple Root CA - G3 anchor. In fact, I used Keychain Access to mark the certificate as Always Trust. You’d think that’d avoid problems, but you’d be wrong. Our code signing machinery expects Apple’s anchor and intermediate certificates to have the default trust settings. IMPORTANT Some trust settings overrides are fine. For example, on my main work Mac there are trust settings overrides for Apple internal anchors. This problem occurs when there are trust settings overrides for Apple’s standard anchor and intermediate certificates. To fix this: In Terminal, run the dump-trust-settings commands shown above and build a list of Apple certificates with trust settings overrides. In Keychain Access, find the first problematic certificate in your list. Note that there may be multiple instances of the certificate in different keychains. If that’s the case, follow these steps for each copy of the certificate. Double click the certificate to open it in a window. If the Trust section is collapsed, expand it. Ensure that all the popups are set to their default values (Use System Defaults for the first, “no value specified” for the rest). If they are, close the window and move on to step 8. If not, set the popups to the default values and close the window. Closing the window may require authentication to save the trust settings. Repeat steps until 2 through 7 for each of the problematic certificates you found in step 1. When you’re done, run the dump-trust-settings commands again to confirm that your changes took effect.