Apple Notarization Service Delays

Tags: pitfall, electron, apple, code-signing

What Happened

After setting up Apple Developer code signing for Jobs Apply desktop, electron-builder automated notarization failed with a network error. Subsequent manual submissions via xcrun notarytool submit succeeded (submission accepted, UUID returned) but all 5 submissions remained “In Progress” for 4+ hours with no completion. Apple’s notarization service was experiencing delays affecting all submissions.

The error from electron-builder:

Error: HTTPError(statusCode: nil, error: Error Domain=NSURLErrorDomain Code=-1009 
"The Internet connection appears to be offline." 
NSErrorFailingURLKey=https://appstoreconnect.apple.com/notary/v2/asp?

Network was verified working (curl returned HTTP 200). The issue was Apple-side.

Root Cause

Apple’s notarization service has variable processing times. While typical notarization completes in 2-15 minutes, delays can extend to hours or days during high-traffic periods or service issues. electron-builder’s default timeout caused the build to fail even though the app was correctly signed and the submission was valid.

How to Avoid

  1. Separate signing from notarization. Build and sign the app with pnpm run dist, let it fail at notarization. The signed .app bundle is still valid and usable.

  2. Create DMG manually:

hdiutil create -volname "Jobs Apply" \
  -srcfolder "release/mac-arm64/Jobs Apply.app" \
  -ov -format UDZO "release/Jobs-Apply-VERSION.dmg"

  3. Submit for notarization separately:

xcrun notarytool submit "release/Jobs-Apply-VERSION.dmg" \
  --keychain-profile "jobs-apply-notary" --wait

  4. Staple when ready:

xcrun stapler staple "release/Jobs-Apply-VERSION.dmg"

  5. Distribute signed-but-unstapled DMG if urgent. Users can right-click and select “Open” to bypass Gatekeeper’s first-run check. The app is code-signed and safe; stapling just allows offline verification.

Key Insight

Code signing and notarization are independent. A signed DMG works immediately for distribution; notarization adds the Apple attestation that removes the Gatekeeper warning. When Apple’s service is slow, ship the signed DMG and staple the ticket later.

The keychain profile (jobs-apply-notary) stores App Store Connect credentials so future submissions don’t need env vars:

xcrun notarytool store-credentials "jobs-apply-notary" \
  --apple-id "EMAIL" --team-id "TEAM_ID" --password "APP_SPECIFIC_PASSWORD"
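
Added example, not part of the original note: a POSIX shell helper for the "submit now, staple later" workflow described above. It polls a submission UUID that notarytool has already returned and staples the DMG only once Apple reports it as accepted. The script name, the POLL_SECONDS and MAX_POLLS variables, and the assumption that the JSON output carries a top-level "status" string are illustrative.

```sh
#!/bin/sh
# Added example (not from the original page): poll a pending notarization
# submission and staple the DMG once Apple accepts it.
# Assumption: `notarytool info --output-format json` prints a top-level
# "status" string ("In Progress", "Accepted", "Invalid" or "Rejected").

PROFILE="${PROFILE:-jobs-apply-notary}"  # keychain profile named on the page
POLL_SECONDS="${POLL_SECONDS:-300}"      # hypothetical default: 5 minutes
MAX_POLLS="${MAX_POLLS:-288}"            # hypothetical default: about 24 hours

# Read notarytool JSON on stdin and print the value of its "status" field.
notary_status() {
  sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# wait_and_staple SUBMISSION_ID DMG_PATH
# Returns 0 = stapled and validated, 1 = Apple refused the submission,
#         2 = still pending after MAX_POLLS checks.
wait_and_staple() {
  id="$1"; dmg="$2"; n=0
  while [ "$n" -lt "$MAX_POLLS" ]; do
    # A failed query (e.g. the -1009 network error) is treated as "not yet".
    json=$(xcrun notarytool info "$id" --keychain-profile "$PROFILE" \
             --output-format json 2>/dev/null) || json=""
    status=$(printf '%s\n' "$json" | notary_status)
    case "$status" in
      Accepted)
        # Attach the ticket, then confirm it is really on the DMG.
        xcrun stapler staple "$dmg" && xcrun stapler validate "$dmg"
        return $? ;;
      Invalid|Rejected)
        # Print Apple's issue log so the signing problem can be fixed.
        xcrun notarytool log "$id" --keychain-profile "$PROFILE" >&2
        return 1 ;;
    esac
    n=$((n + 1))
    sleep "$POLL_SECONDS"
  done
  return 2
}

# Usage: sh wait-and-staple.sh SUBMISSION_ID release/Jobs-Apply-VERSION.dmg
if [ "$#" -eq 2 ]; then
  wait_and_staple "$1" "$2"
  exit $?
fi
```

An exit code of 2 means the submission is still pending, so the script can simply be rerun later with the same UUID.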