Updating, notarizing, and stapling a macOS .app application

In one of my pipelines I update a .app application with new files. Backstory: the app uses the CodeWeavers CrossOver tools to allow a Windows application to run on Mac. The process is fairly simple and works 100% in my pipeline except for the final staple step.

The process goes basically like this:

  1. Set up the pipeline environment with the Apple app signing certificate.
  2. Import the cert into the temporary keychain.
  3. Set up the Xcode tools I need for some scripts to run against the .app.
  4. Download a clean copy of the app from S3.
  5. Download from S3 a zip of new Windows binaries created on a Jenkins server.
  6. Unzip the new Windows files into the app folder structure.
  7. Run some scripts on the .app that sign the files, update file timestamps, etc.
  8. Zip the updated .app bundle.
  9. Post the .zip file to Apple for notarization with a callback URL.

These steps work 100% and the result is a zipped .app that is valid. Apple notarization approves the app and the callback URL is called. The callback kicks off another CircleCI pipeline that repeats some of the steps from the first pipeline to set up the environment, import the certificate, set up the Xcode tools, and download the zipped app from S3. I'm not using CircleCI storage.

Then the pipeline attempts to staple the .app and this is where it fails with the error:

'./build_files/temp/ServantKeeper8.app' found. Proceeding with stapling.
Processing: /Users/distiller/skd_project/build_files/temp/ServantKeeper8.app
Properties are {
    NSURLIsDirectoryKey = 1;
    NSURLIsPackageKey = 1;
    NSURLIsSymbolicLinkKey = 0;
    NSURLLocalizedTypeDescriptionKey = Application;
    NSURLTypeIdentifierKey = "com.apple.application-bundle";
    "_NSURLIsApplicationKey" = 1;
}
Props are {
}
Cannot download ticket. CDHash must be set.
Error: Failed to staple the notarization ticket for './build_files/temp/ServantKeeper8.app'.

Exited with code exit status 1

I've searched the Apple developer docs and forums for insight on this error and have not had any luck. The key seems to be the line "Cannot download ticket. CDHash must be set. Error: Failed to staple the notarization ticket..."

This seems to indicate that the .app file has changed since it was sent for notarization, but it's the same file that was originally zipped and uploaded to S3.

The stapling pipeline is configured using the same certificate that is used for the keychain when posting the app to Apple for notarization.

Please note that if I download the updated zipped .app from the first pipeline run, I can successfully run the stapling command on it on one of my physical Macs.

Any help or tips would be greatly appreciated.
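One pre-staple check worth running in the stapling job, as an added example; this is not the poster's script and not Apple's code. It assumes the bundle path arrives as the first argument and that codesign, ditto and xcrun stapler are installed where it runs; the codesign output used to exercise the parser in the test is constructed. stapler looks the notarization ticket up by the bundle's code-directory hash, which codesign -dvvv prints as a CDHash= line, so printing and checking that value on the exact copy about to be stapled shows whether that copy still carries a readable signature, and zipping with ditto rather than plain zip keeps the bundle's symlinks, permissions and extended attributes intact between the two pipelines.

```shell
#!/usr/bin/env bash
# Pre-staple check for a notarized .app bundle.
# Added example, not the original poster's pipeline scripts.
# Assumptions (not from the post): the bundle path is passed as $1 and the
# macOS tools codesign, ditto and xcrun stapler exist on the machine running this.
set -eu

# Pull the CDHash value out of `codesign -dvvv` output read from stdin.
# codesign prints a line of the form "CDHash=<hex>" when the bundle carries a
# code signature; this prints nothing when that line is absent.
cdhash_from_codesign_output() {
  sed -n 's/^CDHash=\([0-9a-fA-F]*\)$/\1/p'
}

# Return 0 when a stapler message is the "no CDHash" failure from the post,
# so the pipeline can print a clearer diagnosis than the raw tool output.
staple_error_means_no_cdhash() {
  case "$1" in
    *"CDHash must be set"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Zip a bundle the way Apple's notarization docs recommend: ditto preserves
# symlinks, permissions and extended attributes, which plain `zip` may drop,
# and --keepParent keeps the .app directory as the top-level entry.
zip_for_notarization() {
  local app="$1" out="$2"
  ditto -c -k --keepParent "$app" "$out"
}

# Verify the signature, confirm a CDHash is present, then staple and validate.
prestaple_and_staple() {
  local app="$1" cdhash stapler_out
  codesign --verify --deep --strict --verbose=2 "$app"
  cdhash="$(codesign -dvvv "$app" 2>&1 | cdhash_from_codesign_output)"
  if [ -z "$cdhash" ]; then
    echo "no CDHash in the signature of $app; stapler cannot look up a ticket" >&2
    return 1
  fi
  echo "CDHash of $app is $cdhash"
  if ! stapler_out="$(xcrun stapler staple "$app" 2>&1)"; then
    echo "$stapler_out" >&2
    if staple_error_means_no_cdhash "$stapler_out"; then
      echo "stapler could not read a CDHash from the copy it was given" >&2
    fi
    return 1
  fi
  xcrun stapler validate "$app"
}

# Only run the full check when a bundle path is supplied.
if [ -n "${1-}" ]; then
  prestaple_and_staple "$1"
fi
```

In the stapling pipeline this would run right after the unzip step, e.g. `bash staple_check.sh ./build_files/temp/ServantKeeper8.app`; comparing the printed CDHash against the one from the same command on the bundle that was uploaded for notarization tells you directly whether the two copies carry the same signature.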