DelphiWorlds / Mosco

macOS app that helps developers, especially those using Delphi
MIT License

Can't staple installer #8

Closed birbilis closed 2 years ago

birbilis commented 2 years ago

Have an issue with stapling installers, it always fails after the notarization step.


This comment was referring to notarizing the app, but could be related since I had the same effect originally (multiple questions about keychain "login" password, then notarization [shown as being ok in logs] and then failure at stapling step):

I just notarized fine with this version

Only issue I had is the first time it took me some time to enter the correct pwd to access the keychain which probably caused some timeout internally since it did notarize, but then failed on the ticket stapling step (the base64 encoded ticket wasn't found). Maybe that is an Apple glitch though, not Mosco's.

2022/05/31 13:57:14.970 Notarization complete!
2022/05/31 13:57:14.971 Executing: /usr/bin/xcrun stapler staple "/Users/administrator/PAServer/scratch-dir/SomeSystem/READCOM_App.app"
2022/05/31 13:57:16.201 Staple ticket failed with exit code: 65 - Processing: /Users/administrator/PAServer/scratch-dir/SomeSystem/READCOM_App.app
CloudKit query for READCOM_App.app (2/093........a60) failed due to "Record not found".
Could not find base64 encoded ticket in response for 2/093........a60
The staple and validate action failed! Error 65.

(note I placed the ........ and the SomeSystem above)


This same thing with the staple failed also just occurred when I typed in the wrong password multiple times and eventually the correct one at installer creation (notarized + staple ticket options).

attaching the timings of the commands in case it helps: image


Actually I find that I can notarize installers but not staple ticket on them, not sure why. Shows this same error as above (even though I told it to always allow access to the keystore so that I don't type the password again and again [it was either failing or asking multiple times for access, not sure but kept on showing the password popup several times]).

I can notarize AND staple apps fine though (apart from this issue occurring once for app notarization at my first try).

Another thing that's not clear to me is if I should make notarized installers for notarized .app or if this process notarizes the .app, then notarizes the installer for it (or if it's not needed security-wise to have notarized .app if you have notarized installer [doesn't it give any extra post-install tampering protection?])

birbilis commented 2 years ago

note that I tried rebooting

...and have since told it to always allow (I guess it means for the Mosco app) access to the keychain, so it's not some delay issue with the password access. I guess it gets certificates ok if it passes the notarization step (unless the notarization step gets them online). The error though speaks about some ticket not found, that's why I was thinking it was some timeout, but it probably isn't since there's no delay from multiple password entry failures now that it remembers it (the password entry failures could be from my slow connection via Teamviewer to the remote imac mini).

birbilis commented 2 years ago

Btw, as I was asking before, does the installer creation step notarize the .app again? Or do I need to pass it a notarized .app (I had tried with that too I think [notarized via Mosco's menu on Mac, not with Delphi 11.1, nor via Codex Delphi expert that from what I understand can also talk to Mosco])? Or isn't that supposed to be needed at all and I just pass the original .app?

DelphiWorlds commented 2 years ago

does the installer creation step notarize the .app again?

No - the app notarization process is separate to the installer notarization. I plan to look at this issue over the next day or so.

birbilis commented 2 years ago

Thanks for clarifying this, but not using MacOS-X regularly I wonder what's the due course there. Do I have to pass a notarized .app to the installer or does OS-X consider having a notarized installer enough security-wise?

DelphiWorlds commented 2 years ago

does OS-X consider having a notarized installer enough security-wise?

No, it doesn't. Installers and the apps that they install are considered two different applications

DelphiWorlds commented 2 years ago

Fixed in version 1.3.0. The problem was that the code was not detecting completion of notarization, due to changes in the output from Apple.
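
The failure in this thread came from stapling before notarization had really finished. The following is an added example, not Mosco's code (which is not shown on this page): one way to gate `xcrun stapler staple` on a structured status instead of on human-readable output, assuming the status is read with `xcrun notarytool info ... --output-format json`. The function names, the keychain profile name and the polling parameters are hypothetical.

```python
import json
import subprocess
import time

def classify_status(stdout):
    """Map the JSON "status" field to a state; unrecognised text is never success."""
    try:
        status = json.loads(stdout).get("status", "")
    except (ValueError, AttributeError):
        return "pending"          # unparseable output: keep waiting
    if status == "Accepted":
        return "accepted"
    if status in ("Invalid", "Rejected"):
        return "failed"
    return "pending"              # "In Progress" or wording not known here

def run_cmd(args):
    """Run a command and return (exit code, stdout, stderr)."""
    p = subprocess.run(args, capture_output=True, text=True)
    return p.returncode, p.stdout, p.stderr

def staple_when_accepted(path, submission_id, profile, run=run_cmd,
                         sleep=time.sleep, max_polls=30, interval=20):
    """Poll the submission and staple only after it is reported accepted."""
    for _ in range(max_polls):
        _, out, _ = run(["xcrun", "notarytool", "info", submission_id,
                         "--keychain-profile", profile,
                         "--output-format", "json"])
        state = classify_status(out)
        if state == "failed":
            return "notarization-failed"
        if state == "accepted":
            code, out, err = run(["xcrun", "stapler", "staple", path])
            if code == 0:
                return "stapled"
            # Exit code 65 with "Record not found" is the failure logged above.
            if code == 65 and "Record not found" in out + err:
                return "ticket-not-found"
            return "staple-error"
        sleep(interval)
    return "timed-out"

if __name__ == "__main__":
    # Constructed replies standing in for xcrun, so this runs offline.
    replies = iter([(0, '{"status": "In Progress"}', ""),
                    (0, '{"status": "Accepted"}', ""),
                    (0, "", "")])
    print(staple_when_accepted("Sample.pkg", "constructed-id", "sample-profile",
                               run=lambda args: next(replies),
                               sleep=lambda seconds: None))
```

Because any output that does not parse to an accepted status counts as pending, a change in the tool's wording leads to a timeout rather than a premature staple attempt.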