
macOS notarization error: "The signature algorithm used is too weak"

I wonder if anyone's familiar with this error which only happens when I upload my apps to Apple for notarization:

"AppName.zip/AppName.app/Contents/Resources/EWSMacCompress.tar.gz/EWSMacCompress.tar/EWSMac.framework/Versions/A/EWSMac83886082"
"The signature algorithm used is too weak."

Additional info:

- I've been signing my apps for years with no issues. The error only happens when sending the apps for notarization.

- I submitted a bug back in November 2018, provided Apple all the info they asked for - but it was never addressed further.

- I recently contacted Apple again and they pointed me to some resource page that was last updated back in 2016. It briefly mentions a similar error - but still without any info on how to solve it: https://developer.apple.com/library/archive/technotes/tn2206/_index.html#//apple_ref/doc/uid/DTS40007919-CH1-TNTAG301

- A search on this error didn't produce anything useful.

- The tar.gz file in question is an eSellerate licensing framework. As many people may know, it's been a popular licensing platform for Mac software for over a decade. While I switched to a different licensing platform some time ago, I still have thousands of customers with eSellerate licenses (as I'm sure is the situation with many other Mac developers).

As far as I understand, this whole situation has something to do with signing files inside tar.gz archives - on which I couldn't find any info either.

Any help will be appreciated!

Thanks, Leo

asked May 28 '19 23:05 by Leo Braun


1 Answer

You have to unpack your tar, zip or jar file, codesign all the files that have errors and repackage them.

Just go through the logs and codesign all of them with errors, and then sign the app as a whole. For me, I use the following two commands.

find ./MyApp -type f \
 -exec codesign --timestamp \
 --keychain /Users/builduser/Library/Keychains/login.keychain-db \
 -s 'Developer ID Application: XXXXXXXX' -f --verbose=9 --deep \
 --options=runtime --entitlements entitlements.xml {} +

and then sign the app

codesign --timestamp \
 --keychain /Users/builduser/Library/Keychains/login.keychain-db \
 -s 'Developer ID Application: XXXXXXXX' -f --verbose=9 --deep \
 --options=runtime --entitlements entitlements.xml MyApp

You must run codesign with --options=runtime. Here's a guide to notarization.

If you are building Java apps, these links might also be helpful: How to build MacOS app with hardened runtime in AppBundler

https://bitbucket.org/infinitekind/appbundler/issues/39/build-with-hardened-runtime

answered Sep 28 '22 17:09 by laocius
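
The unpack, re-sign and repackage step described in the answer, as an added example that is not part of the original post: a POSIX shell function for the case in the question, a framework shipped inside a .tar.gz under the app's Resources. The names `resign_archive`, `CODESIGN` and `IDENTITY` are chosen here, and the identity string is the answer's placeholder.

```sh
#!/bin/sh
# Added example: re-sign frameworks inside a .tar.gz that ships in an app
# bundle, then repack the archive in place.
# Assumptions: IDENTITY is a placeholder; CODESIGN may be overridden.
# Usage (after sourcing this file), with the path layout from the question:
#   resign_archive AppName.app/Contents/Resources/EWSMacCompress.tar.gz
CODESIGN="${CODESIGN:-codesign}"
IDENTITY="${IDENTITY:-Developer ID Application: XXXXXXXX}"

# resign_archive <archive.tar.gz> -> 0 on success; archive untouched on failure
resign_archive() {
  archive="$1"
  work="$(mktemp -d)" || return 1
  mkdir "$work/tree" || return 1
  # Unpack into a scratch directory so nothing else in the bundle is touched.
  if ! tar -xzf "$archive" -C "$work/tree"; then
    rm -rf "$work"; return 1
  fi
  # Stop if the archive holds no framework bundle to sign.
  if [ -z "$(find "$work/tree" -type d -name '*.framework' | head -n 1)" ]; then
    echo "no *.framework in $archive" >&2
    rm -rf "$work"; return 1
  fi
  # -depth lists nested frameworks before their parents, so inner code is
  # signed first. Each bundle is passed explicitly, so --deep is not used.
  if ! find "$work/tree" -depth -type d -name '*.framework' \
        -exec "$CODESIGN" --force --timestamp --options=runtime \
              -s "$IDENTITY" {} + ; then
    echo "codesign failed; $archive left unchanged" >&2
    rm -rf "$work"; return 1
  fi
  # Repack with the original top-level names and swap the archive in.
  if ( cd "$work/tree" && tar -czf "$work/new.tar.gz" * ) &&
     mv "$work/new.tar.gz" "$archive"; then
    rm -rf "$work"; return 0
  fi
  rm -rf "$work"; return 1
}
```

Run it on the embedded archive before the final codesign of the app, because repacking changes a file that the app's signature covers.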