Apple’s Notary Service can’t compete with a supermarket restroom

macOS developers great and tiny are now totally dependent on Apple for release of their software. Whether they give Apple a share of their revenues by selling through its App Store, or distribute independently and have to notarize their products, Apple has to approve that release one way or the other. Apple’s Notary Service is therefore critical to a great many macOS developers.

When I use toilet/restroom facilities in a store, there’s invariably a notice on the wall giving details of who to contact if those facilities are defective or dirty. When I drive behind a delivery truck, there are details of its operator, and often a phone number I can call if their driver isn’t driving well. When we use the countless services that we all do, there’s invariably a contact system to which we can report problems. Except for Apple’s Notary Service.

Last weekend, I put in a fair bit of work changing my database of firmware versions, changing the source code of SilentKnight and silnite to produce new and improved versions, and testing them out as well as I can. The final and crucial step in preparing them for release was to notarize them through Apple’s Notary Service, and that’s where it all went wrong.

I first submitted SilentKnight version 1.5 using Xcode. This was the first time that I had used version 11.2, and I proceeded in the normal way. It reported that the app had been successfully uploaded, and a few minutes later I was puzzled that it hadn’t yet been notarized and was still not ready to distribute. I gave it a bit longer, then checked its service status, which was green. But when I queried the status of my notarization request within Xcode, it reported that no record of that request could be found, and advised me to submit it afresh.

I incremented its build number, repeated, and had exactly the same problem, although the service status remained green. It was only at the third attempt that it succeeded, and I had the app ready to distribute, after more than an hour of trying.

I then turned to the command tool, which has to be notarized from Terminal’s command line because Apple hasn’t yet got round to providing a proper interface to this common task for developers. Having built the Installer package, I submitted it to the Notary Service, and it responded with the message
No errors uploading 'silniteInstaller.pkg'
and the UUID of the request. A few minutes later, I tried querying its status using the command
xcrun altool --notarization-info [UUID] -u [mail address] -p [password]
and received the response
*** Error: Apple Services operation failed. Could not find the RequestUUID.

Checking my notarization history using the command
xcrun altool --notarization-history 0 -u [mail address] -p [password]
showed no trace of the request, but the service status remained on green.

I therefore re-submitted the request, only to go through the same error message, and continued for another few attempts. By now, it was getting on for midnight, and I had run out of wakefulness to continue any further. A tweet had elicited reports of similar problems from other developers, so I went to bed after asking a contact in Apple how to report the problem.

Like other bad dreams, the following morning there was a whole bunch of emails from Apple’s Notary Service, which had finally processed all my requests several hours later.

You may recall that I’ve been a strong advocate for Apple’s Notary Service in the past, and my experience with it over more than a hundred notarizations remains good. But like any service, there are going to be times when things aren’t right. Developers need:

Accurate error messages which provide the right advice. As it turned out, every error had been misleading, and repeatedly resubmitting wasn’t the right way forward. Had the service informed me there was a problem and notarization would be delayed, I could have done something else instead of wasting most of an evening.
Accurate service status indicators. The service was down, but there was no indication of any problem except after you had submitted a request.
A contact point (Twitter, email) for informing Apple that the service wasn’t working properly. I’m lucky in having individual contacts who have been extremely helpful. But it’s unfair on them that they should feel obliged to do this, particularly over weekends. Apple should at least come up to the standards of supermarket toilets/restrooms and provide an official point of contact.

The real test of a service is not when everything’s working fine, but when there’s a problem. Last weekend not only did the service fail, but its support was left to the goodwill of Apple’s most dedicated staff. Given the importance of the Notary Service to thousands of developers, that’s simply not acceptable.

12Comments

Add yours

1

I ♥ communicating with  on November 5, 2019 at 8:07 pm

This is ridiculous. The notarize service has worked fine the past months. Since a week or two there are delays of several hours making it hard to produce builds timely to thoroughly test things.

Would love to hear some response from Apple to this problem.

At least good to know this seems to affect all developers. As this has been going on for weeks now, it seems Apple doesn’t really seem to care or they would at least have issues some statement that they are aware of this problem.

LikeLiked by 1 person
2

Michael Tsai - Blog - Catalina Notarization on November 6, 2019 at 8:46 pm

[…] Update (2019-11-06): Howard Oakley: […]

LikeLike
3

Jerry Fritschle on November 7, 2019 at 1:28 pm

If public restrooms are good for one thing, it’s phone numbers 🙂

LikeLiked by 1 person
- 4
  
  hoakley on November 7, 2019 at 3:09 pm
  
  Haha!
  Howard.
  
  LikeLike
5

Anon on November 7, 2019 at 4:20 pm

If I told you it was a DoS attack, would you change your mind?

LikeLiked by 1 person
- 6
  
  hoakley on November 7, 2019 at 4:26 pm
  
  No. What possible difference would that make? Appropriate error messages and some means of reporting the problem to Apple are even more important then.
  Besides, if it was a DoS attack, why did the Service Status remain green?
  Presumably Apple did consider that such attacks might be made on the service, and plan for mitigation?
  Howard.
  
  LikeLike
- 7
  
  hoakley on November 7, 2019 at 5:55 pm
  
  Thinking about this further, the misleading error messages – which actually encouraged developers to resubmit the request – and the green status light would have amplified any DoS attack with inappropriately repeated requests. Normally, I’d only submit one request, and then check the service status or any error returned. In this case I submitted and resubmitted getting on for ten before I finally accepted defeat.
  Howard.
  
  LikeLike
8

G.J. Parker on November 7, 2019 at 9:47 pm

For a data point, i haven’t had any problems w/ notarizing using xcode 11.0 on Mojave. Been doing a bunch lately.

LikeLike
- 9
  
  hoakley on November 7, 2019 at 11:11 pm
  
  I think by now I have notarized over 150, maybe even 200 times. I’ve never experienced anything like this before. But the measure of the service is when things aren’t working well, not when they are all fine.
  Howard.
  
  LikeLike
  - 10
    
    G.J. Parker on November 7, 2019 at 11:54 pm
    
    Completely agree that inaccurate error messages, ‘vanishing submissions’ and missing contact info are, well, poor to be generous.
    
    I was thinking perhaps there’s a problem in the newest version of Xcode. That, i think we can agree, isn’t unheard of.
    
    Best of luck,
    
    LikeLike
    - 11
      
      hoakley on November 8, 2019 at 8:04 am
      
      Thank you.
      That’s what worried me initially, but the problem was worse when using the command tools instead. It turned out to be fairly universal at the time, and was fixed when the service was restored.
      Howard.
      
      LikeLike
12

Leo on November 8, 2019 at 7:09 am

I have multiple apps, some with custom installers, some use AppleScript-ObjC extensively. All of them by now are notarized – but it took enormous time and effort. From my experience, notarization is badly designed and poorly documented. Yes, a comparison with some kind of third-world public toilet would be the best.

I recently experienced the same issues as the ones you reported – UUID can’t be found errors, then notarization confirmations after a few hours.

I submitted it as yet another notarization-related bug to Apple. And reminded them, once again, that the time wasted due to the notarization issues and poor documentation has been astonishing. Which translates directly into loss of income – as independent developers who run their own business are not getting paid by the hour.

Well that’s my view on this topic.

LikeLiked by 1 person