SD Notary changes sandbox setting

Hi, I use SD Notary to notarize an app, and use RB Checker Lite to check the app before and after notarization. Attached are the Before & After results:

It shows “The application is sandboxed” before, and “The application is not sandboxed” after. Any idea?

Btw, I’m notarizing .app (not .dmg or .zip). I can’t find how to notarize .app using xcrun altool. Obviously SD Notary is able to do it, but how?


I’d imagine it’s because the app is being re-signed, and with a different identity, but I’m not sure.

If you’re sandboxing in Xcode, you should probably also notarize there.

Apple documents it all on-line – it comes up as the first item in a Google search.

The app was not created in Xcode and that’s the reason I can’t use it to notarize. The app is signed using the same developer cert, so I don’t understand why SD Notary changes the sandbox setting.

The Apple docs on xcrun altool says:

“Because you can’t upload the .app bundle directly to the notary service, you’ll need to create a compressed archive containing the app”

That’s what I was referring to - to notarize .app, which seems impossible unless it is zipped or turned into a dmg. Is that how SD Notary works, by compressing first?


That’s not what your screenshot says. IAC, SD Notary will re-sign, which will presumably break sandboxing.

It signs with the hardened runtime, then uploads a .zip archive of it, yes.

Is there some reason you want sandboxing and the hardened runtime?