Closed MichalMMac closed 5 years ago
Sounds more like a bug in the Apple notary service to me. I'm hoping they fix it; I have dozens of packages with underscores in their identifiers.
Someone (not me) please file a bug with Apple about this.
Changing this particular identifier is probably no big deal, but generally, changing pkg identifiers will lead to sadness and undesired behaviors. If pkgbuild
and productbuild
accept these pkg identifiers as valid, Apple's notarization service should as well.
FB6126843
Apple Notarization service rejects packages identifiers with underscores
Please provide a descriptive title for your feedback:
Apple Notarization service rejects packages identifiers with underscores
Which area are you seeing an issue with?
Something else not on this list
What type of feedback are you reporting?
Incorrect/Unexpected Behavior
Please describe the issue and what steps we can take to reproduce it:
A package with the id com.github.munki.pkg.munki_kickstart will be rejected, however a package with the id com.github.munki.pkg.munki-kickstart will notarize. If underscores are no longer possible with packages, this is a significant change and productbuild/xcode/etc should no longer allow package identifiers like this. Ideally though, the notarization service should allow packages with underscores.
Please describe the business impact, if any, of the issue you are reporting
This will require re-engineering many packages we deploy.
The concern (for me) is that pkg upgrade behavior depends on a consistent pkg identifier.
If you release version 1.0 with pkg identifier com.foo.some_product and version 2.0 with pkg identifier com.foo.some-product, Installer will not perform the correct upgrade install. Filesystem items in version 1.0 but not in version 2.0 will not be removed; they'll be abandoned. Then you'll feel some need to write fragile, bad, poorly-tested pre or postinstall scripts in an attempt to clean up the mess...
Apple notarization service bundle identifier error for reference:
altool: FAILURE ERROR ITMS-4302: "The software asset has an invalid primary bundle identifier: 'com.github.munki.pkg.munki_kickstart'" at SoftwareAssets/EnigmaSoftwareAsset
Also filed a duplicate FB6129971.
After further investigation, underscores are legal for pkg identifiers, but illegal for the "--primary-bundle-id" option to xcrun altool --notarize-app
. This is easy enough to work around. I was able to successfully submit a signed munki_kickstart.pkg for notarization by using --primary-bundle-id com.googlecode.munki.munki-kickstart
. Apple says the --primary-bundle-id
is actually arbitrary and does not need to match any of the pkg ids or bundle identifiers in the submission. So a change needs to be made in the proposed notarization code.
Notarization code change implemented in 2eb8273.
When I tried to upload package with the identifier
something.pkg.munki_kickstart
to Apple notary service they did not like the identifier.It might be good to have non problematic identifier in the example.