How to Unfuck your Xcode Developer-ID Notarization Uploads

Update (June 4th 2019):

Xcode Upload displaying an error reading: There was an error sending data to the iTunes Store. Scheduling restart shortly...

It appears as though the issue described in this blog post has been resolved sometime after publishing. Uploading apps for notarization using Xcode 10.2.1 and above generates a funky looking There was an error sending data to the iTunes Store. Scheduling restart shortly... error, followed by the upload succeeding without issue.

I have no idea whether this was fixed by Apple, my ISP or somewhere in between. I’m leaving the original article up, just in case anyone ever stumbles over this issue again.

Per Aspera ad Failure

I was having an issue with Apple’s Developer-ID Notarization Service for Mac Apps, which had all of my binary uploads getting stuck at the “Uploading Package to Apple Services…” section of Xcode’s uploading process.

An exasperated Tweet and a Stackoverflow question with zero answers later I found myself debugging the issue myself for three super “fun” days. Here’s what I found out:

Network issues: Here be dragons

Having re-installed Xcode & Developer Tools multiple times, used a separate code base for testing, nuked my macOS installation & checked to see that uploads to both the Mac & the iOS App Store were also failing there really was just one possible cause for this issue left. The most horrifying & confusing of all the possible causes in IT: The network.

Sure enough, the upload goes through without any issues as soon as I connect to a network that’s getting its internet connection from another ISP.

So as things stand, no ammount of router jiggery & firewall voodoo seem to work. Any upload from within a network served by my cruddy cable ISP is destined to fail in interesting ways.

Apple’s partial solution

Knowing that all uploads to Apple Services, even iOS App Store Connect, are failing and that we’re dealing with a network issue, it turns out that, as per usual, Stackoverflow has a solution.

If your uploads to App Store Connect are failing, you can simply use Application Loader to upload an archived build of your app.

Application Loader has the handy ability to disable transfer protocols that are causing you issues. It’s as simple as checking off a checkbox in the apps “Advanced” preferences.

Open Application Loaders Preference and, in the "Advanced"-Tab, disable "Aspera" & "Isigniant"

Sure enough, having disable the problematic protocols my uploads to App Store Connect now work.

But there’s a catch:
Application Loader only supports uploads to App Store Connect, not the Developer-ID Notarization Service for macOS Apps. And Xcode’s Developer-ID uploader does not have an option for disabling problematic protocols.

The solution: Using Little Snitch

So if you need to Upload your mac App to Developer-ID Notarization & you get stuck at the “Uploading package to Apple Services…” bit in Xcode, here’s what you do:

Using a copy of Little Snitch (the most amazing macOS Firewall application out there) we first need to figure out if you’re running into an issue with the upload protocol. So start an Upload to the Notarization service through Xcode and keep a watchful eye on Little Snitch’s Network Monitor. You should see a process called ascp making connections on port 33001 to various .apple.com endpoints. This indicates Xcode trying to upload your binaries using the Aspera protocol, which appears to be causing issues when used with cruddy cable ISPs.

Little Snitch Network monitor showing the ascp process making connections on port 33001

Now, it turns out that Xcode does support alternative protocols for upload & when it detects that its protocol of choice can’t establish a connection, it will instead choose an alternative fallback protocol that should work even with a cruddy cable ISP (why it can’t detect the Aspera connection failing when it gets stuck is beyond me).

So to make it very clear to Xcode that the Aspera protocol is not an option we create a New Rule in Little Snitch that blocks all Outgoing Connections on Port 33001 for Any Application. Same goes for Incoming Connections.

Now, since ascp is an Apple utility connecting to an apple.com domain, you may need to disable the default macOS services rule group in Little Snitch for this to be effective.

Creating new Rules in Little Snitch to block incoming and outgoing connections for Any Application on Port 33001

If you’ve gone through this firewall setup, you should now be able to re-try your upload. Xcode should now use a fallback protocol and the upload should succeed.

Successful Upload in Xcode

While I’m still not sure about why Apple won’t let developers manually disable problematic upload protocols & why Application Loader can’t support Developer-ID Notarization, after banging my head against an Xcode-shaped wall I’m mostly happy to have figured out this workaround.

If you know more about the whys & hows of this issue, feel free too Tweet at me or send me a carrier-pigeon eMail.