NotaryTool failing with invalid server certificate

Hi All.

I'm having a notarization issue trying to get a product built.

Starting around the beginning of April, I have a notarization process failing every time with an invalid server certificate. The returned error is:

Error: HTTPError(statusCode: nil, error: Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “notary-artifacts-prod.s3.amazonaws.com” which could put your confidential information at risk." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSErrorPeerCertificateChainKey=(
    "<cert(0x107810200) s: *.s3.amazonaws.com i: Amazon RSA 2048 M01>",
    "<cert(0x107810c00) s: Amazon RSA 2048 M01 i: Amazon Root CA 1>",
    "<cert(0x107811400) s: Amazon Root CA 1 i: Starfield Services Root Certificate Authority - G2>",
    "<cert(0x107811c00) s: Starfield Services Root Certificate Authority - G2 i: Starfield Class 2 Certification Authority>"

The problem certificate appears to be "Amazon RSA 2048 M01" which appears to be expired.

The error fires in response to an 'xcrun notarytool log' command. The initial 'xcrun notarytool submit' has already worked.

The build server in this case is running Jenkins, with a Makefile driven notarization stage. It all worked perfectly until a build on April 3rd, all builds have failed since.

I have tried using '--no-s3-acceleration'. But that fails even faster with:

Conducting pre-submission checks for ICFA.zip and initiating connection to the Apple notary service...
Submission ID received
  id: d50a2157-7acb-4bd6-b1d1-6d0b1d52d5c9
Error: The operation couldn’t be completed. (Network.NWError error 2.)

Any help or suggestions would be appreciated. Right now I have folks needing a valid build.

Thanks in advance.

Answered by DTS Engineer in 834393022
The problem certificate appears to be "Amazon RSA 2048 M01" which appears to be expired.

I don’t think it’s that simple. The certificate chain presented by that server works in general. Contrast this:

% nscurl https://expired.badssl.com/
Load failed with error: Error Domain=NSURLErrorDomain Code=-1202 …

with this:

% nscurl http://notary-artifacts-prod.s3.amazonaws.com
<?xml version="1.0" encoding="UTF-8"?>
…

You’re seeing a server-side certificate failure, sure, but the certificate chain presented by the server works for me.

My experience with problems like this is that they are often tied to your environment, either your computer itself or your network environment. Can you try to tease those apart? For example:

  • Run the same command on a ‘clean’ Mac. I typically use a VM for this sort of test, so I can restore from a clean snapshot between each test.

  • If that also fails, move that Mac to a different network environment. If you’re at work, try it at home, or vice versa.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Well. The short version is that I solved this by updating both macOS and the command-line developer tools.

The longer version...

I was never too confident about Google's AI telling me the certificate had expired. So I worked out how to run some checks using openssl commands. The certificate chain appeared to be good. (I have since disabled Google's AI summary - let's hear it for uBlock Origin!)

So then I looked at the Mac. It was an M1 Mini running macOS 11.3. The development tools were (I think) 12.5. No physical access to the machine - it sits in a data centre somewhere.

So somewhat out of date then. The result of avoiding updates to a shared (and somewhat critical) server. So, after discussion with the machine's only other regular user, I started updating. The O/S update to 15.4 and the tools update to 16.3 led to various other issues. Oddly, the Perl install would not load modules from CPAN, and (less oddly) the dev tools refused to build various components. I had logged something like 50-60 commits to our code base, and two open-source library updates, before I finally had the machine running and notarizing builds again. The whole process took something like 12 working days. Our QA department is very happy to have it back online.

My best guess as to the issue would have to be simply out of date software being used to check the certificate chains. Presumably an O/S component somewhere?
