beeware / briefcase

Tools to support converting a Python project into a standalone native application.
https://briefcase.readthedocs.io/
BSD 3-Clause "New" or "Revised" License

Print notarization log on failure #1472

Open wiktor-k opened 10 months ago

wiktor-k commented 10 months ago

What is the problem or limitation you are having?

When notarization fails it's not clear what went wrong.

Describe the solution you'd like

Automatically fetch the notarization log (e.g. xcrun notarytool log 7d9249fb-f9ac-4bb1-b296-256ebabff66b --apple-id ... --team-id ...) and display to the user.

Describe alternatives you've considered

Display a help message on notarization error, printing the command that the user can run to learn more.

Additional context

Just for the record a sample log:

xcrun notarytool log 7d9249fb-f9ac-4bb1-b296-256ebabff66b --apple-id ... --team-id ...
{
  "logFormatVersion": 1,
  "jobId": "7d9249fb-f9ac-4bb1-b296-256ebabff66b",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "pks-2.0.0.dmg",
  "uploadDate": "2023-09-29T07:40:29.653Z",
  "sha256": "40125eba88640082a9f1098d9bb133cc584cf4c59c44e25c8e0e1431f9dd2eac",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "pks-2.0.0.dmg/pks.app/Contents/Resources/app_packages/PySide6/Qt/lib/QtWebEngineCore.framework/Versions/A/QtWebEngineCore",
      "message": "The signature of the binary is invalid.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087735",
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "pks-2.0.0.dmg/pks.app/Contents/Resources/app_packages/PySide6/Qt/lib/QtWebEngineCore.framework/Versions/A/QtWebEngineCore",
      "message": "The signature of the binary is invalid.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087735",
      "architecture": "arm64"
    }
  ]
}

For the record I think the change should be somewhere around here. Submission errors are not the only ones that can trigger failure.
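A sketch of the display step requested above, as an added example that is not Briefcase's code: it condenses the JSON printed by `xcrun notarytool log` into a few readable lines, merging per-architecture duplicates like the two in the log above. The function name, the embedded sample (constructed, with placeholder values) and the assumption that a successful job reports status `Accepted` with `issues` set to null are not from the issue.

```python
import json

# Constructed sample in the shape of the log posted in the issue;
# job ID, file names and docUrl are placeholders.
SAMPLE_LOG = """
{
  "jobId": "00000000-0000-0000-0000-000000000000",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "archiveFilename": "example.dmg",
  "issues": [
    {"severity": "error", "code": null,
     "path": "example.dmg/example.app/Contents/Resources/lib/Example",
     "message": "The signature of the binary is invalid.",
     "docUrl": "https://example.invalid/doc", "architecture": "x86_64"},
    {"severity": "error", "code": null,
     "path": "example.dmg/example.app/Contents/Resources/lib/Example",
     "message": "The signature of the binary is invalid.",
     "docUrl": "https://example.invalid/doc", "architecture": "arm64"}
  ]
}
"""


def summarize_notary_log(raw):
    """Return (ok, lines): ok is True only for an accepted job with no errors."""
    try:
        log = json.loads(raw)
    except json.JSONDecodeError as exc:
        return False, [f"Could not parse notarization log: {exc}"]

    status = log.get("status", "unknown")
    summary = log.get("statusSummary") or "no summary"
    lines = [f"Notarization status: {status} ({summary})"]

    # The same problem is reported once per architecture; merge those entries.
    grouped = {}
    for issue in log.get("issues") or []:  # "issues" may be null
        key = (issue.get("severity"), issue.get("path"), issue.get("message"))
        grouped.setdefault(key, []).append(issue.get("architecture") or "?")

    for (severity, path, message), archs in grouped.items():
        lines.append(f"[{severity}] {path} ({', '.join(archs)}): {message}")

    has_errors = any(key[0] == "error" for key in grouped)
    return status == "Accepted" and not has_errors, lines


if __name__ == "__main__":
    print("\n".join(summarize_notary_log(SAMPLE_LOG)[1]))
```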

freakboy3742 commented 10 months ago

Agreed that this sounds like a worthwhile addition.

In terms of implementation - I think you've found the right location for the code; the complication will be extracting the job ID so it can be passed into the request.

wiktor-k commented 10 months ago

Yep. I think that a smaller improvement, just mentioning in the error message that notarytool log can be used to get more details, would be a big help to new people.

glyph commented 6 months ago

@wiktor-k Those pyside6 errors look unfortunately familiar, and this is probably a separate issue, but did you manage to address those and successfully sign & notarize that app? c.f. https://github.com/glyph/Encrust/issues/7 — I am wondering if I need to pile more horrible hacks into my own tool or if briefcase has already figured out the correct technique here.

wiktor-k commented 6 months ago

> but did you manage to address those and successfully sign & notarize that app?

Retrying the process got me a signed and notarized app. I don't think the second try ever failed but I'm not 100% sure.

I'm actually super curious why notarization considers the binary unsigned (as evidenced by the log I attached) even though I'm sure briefcase signed it before notarization but sadly I don't have that much time to debug it in detail 😞

glyph commented 6 months ago

> I'm actually super curious why notarization considers the binary unsigned (as evidenced by the log I attached) even though I'm sure briefcase signed it before notarization but sadly I don't have that much time to debug it in detail 😞

Briefcase is a bit more thorough about its discovery of which files to sign, so it should have caught this, but Qt is doing something weird that makes the usual code-signing process break.

ethompsy commented 2 months ago

Working on this at PyCon 2024