General:
DevForums tags: Code Signing, Signing Certificates, Provisioning Profiles, Entitlements
Developer Account Help — This document is good in general but, in particular, the Reference section is chock-full of useful information, including the names and purposes of all certificate types issued by Apple Developer web site, tables of which capabilities are supported by which distribution models on iOS and macOS, and information on how to use managed capabilities.
Developer > Support > Certificates covers some important policy issues
Entitlements documentation
TN3125 Inside Code Signing: Provisioning Profiles — This includes links to other technotes in the Inside Code Signing series.
WWDC 2021 Session 10204 Distribute apps in Xcode with cloud signing
Certificate Signing Requests Explained DevForums post
--deep Considered Harmful DevForums post
Don’t Run App Store Distribution-Signed Code DevForums post
Resolving errSecInternalComponent errors during code signing DevForums post
Finding a Capability’s Distribution Restrictions DevForums post
Signing code with a hardware-based code-signing identity DevForums post
Mac code signing:
DevForums tag: Developer ID
Creating distribution-signed code for macOS documentation
Packaging Mac software for distribution documentation
Placing Content in a Bundle documentation
Embedding Nonstandard Code Structures in a Bundle documentation
Embedding a Command-Line Tool in a Sandboxed App documentation
Signing a Daemon with a Restricted Entitlement documentation
Defining launch environment and library constraints documentation
WWDC 2023 Session 10266 Protect your Mac app with environment constraints
TN2206 macOS Code Signing In Depth archived technote — This doc has mostly been replaced by the other resources linked to here but it still contains a few unique tidbits and it’s a great historical reference.
Manual Code Signing Example DevForums post
The Care and Feeding of Developer ID DevForums post
TestFlight, Provisioning Profiles, and the Mac App Store DevForums post
For problems with notarisation, see Notarisation Resources. For problems with the trusted execution system, including Gatekeeper, see Trusted Execution Resources.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
Code Signing
RSS for tagCertify that an app was created by you using Code signing, a macOS security technology.
Posts under Code Signing tag
200 Posts
Sort by:
Post
Replies
Boosts
Views
Activity
Hi Devs,
i have a question concerning the security set-key-partition-list -S command. I want to use it to enable a code signing certificate being used by codesign and productbuild to sign without sudo or a password prompt. Some sources indicate i need to add codesign: as partition but some don't even mention this. So my question is what partitions are even possible to add? What does partitions in this context mean? How can i find out which i need for productbuild and codesign?
Thanks in advance
Paul
(Skippable) Backstory:
I have an app that customers initially install by:
Going to our website in a browser,
downloading a (notarized) disk image,
mounting it,
opening the (Developer ID-signed) installer package therein, and
following the prompts to completion.
Once installed, this app has a button you can click that will check for updates and possibly install them. When you click this button:
Our app contacts an HTTPS API on our servers to see if there is an update
If there is an update, the API responds with a download URL to the aforementioned notarized disk image, and the SHA-512 hash of the disk image
Our app downloads the disk image, and verifies the SHA-512 hash of the download
Our app mounts the DMG
Our app uses /usr/sbin/pkgutil --check-signature (although I do hope to switch to SecStaticCodeCheckValidity() in the future) to verify that
the OS thinks that the installer package is properly signed, and also that
the organization unit on the leaf certificate for the code signing key used to sign the installer is exactly equal to our Apple Team ID
Our app uses /usr/sbin/installer -package ... -volinfo to verify that the installer package thinks it can install onto the host
Our app uses /usr/sbin/installer -package ... -target / to install the software update
For 98%+ of our users, this update process works great. For a tiny portion of users, we're seeing that hdiutil reports that it failed to attach the disk image. For the even tinier portion of users from whom we have obtained debug logs, one of the errors we've seen is "not recognized"; however, I don't know if that's the most common error, due to the small sample size.
Before I get much further, I think it's prudent to acknowledge that the above system we're using today is pushing a decade old now, and it's probably wise to verify the foundations.
So...
For a Developer-ID-signed macOS app that is distributed outside the Mac App Store using an installer package, what is the "best" container/packaging system for an automated system to obtain and consume the installer package with the goal of a user-initiated self-update? For example:
Notarized disk image (and failures to attach the image need to be bug reports to Apple)
Just the installer package (If I understand correctly, this is bad because it bypasses the automatic propagation (normally performed by macOS) of the DMG's notary ticket to the pkg, right?)
Something else?
Secondly, what are some common developer mistakes to avoid? For example, these come to mind:
When saving the DMG to disk, explicitly enable quarantine on the DMG, so that macOS runs appropriate security checks as intended (is this correct?)
When running the installer package, do not use low-level tools (like cp) to copy the pkg out of the DMG, because macOS won't be able to automatically find the notary ticket when the pkg is installed (is this correct?)
Anything else?
Additional context:
We currently support macOS 10.13+, but we will soon support only macOS 10.15+.
Thank you!
I have an app developed using ElectronJS that requires Accessibility permission to monitor mouse and keyboard events through the iohook package. I want to publish it on the Mac App Store, but it seems that:
The Mac App Store mandates Sandboxing, and
Sandboxing prohibits Accessibility permission.
As a result, it seems that an app on the Mac App Store cannot obtain Accessibility permission.
Can someone confirm if this is accurate or if there's a workaround?
I'm assisting a customer with an iOS app. He has a personal (non-company) Apple Developer account. I know that this kind of account didn't used to support collaborators, but I'm not sure what the current status is.
He was able to add me to his account and give me permissions (Developer, App Manager). However when I run Xcode, his account does not appear in the list of Teams under my Apple ID, which is preventing me from working.
Is this a bug or temporary problem or is the fact that his account is a personal account preventing me from doing this?
Hi!
I am fairly new to Mac/ Python development. I have written a python script that includes the lovely customTkinter Library. the app works, I have checked it extensively, but after creating an executable with both Pyinstaller and Py2app, my app keeps failing notarization. I have the developer account, I have the Developer ID application: Name (xxxxxxxxxx).
My last attempt with py2app, I try to codesign the .app bundle with :
codesign --deep --force --verbose --options=runtime --timestamp --sign "Developer ID Application: Lennert Esser (5823RMSZ52)" XYZ\ 2\ OSC.app if I do that, I receive a clean message that XYZ 2 OSC.app: signed app bundle with Mach-O universal (x86_64 arm64) [com.myname.appname.app]
the verify of the code signature gives nice messages as well:
--prepared:/Users/lennert/Documents/SoftwareDevelopment/PythonLocal/Pozyx/dist/XYZ 2 OSC.app/Contents/MacOS/python
--validated:/Users/lennert/Documents/SoftwareDevelopment/PythonLocal/Pozyx/dist/XYZ 2 OSC.app/Contents/MacOS/python
....
XYZ 2 OSC.app: valid on disk
XYZ 2 OSC.app: satisfies its Designated Requirement
So I would say, so far so good...?
BUT.... if I try to notarize my archived .app bundle. the notarization fails, with looadddssss of errors, with both:
"The signature does not include a secure timestamp."
and
"The binary is not signed with a valid Developer ID certificate."
I am completely stuck. Believe me, I have tried everything. Google, ChatGTP, multiple tries to codesign everything separately with:
find /path/to/my/app/contents -type f -exec codesign -s "Developer ID application: Name (xxxxxxxxxx)" {} ;
please, please someone help me explain what I am doing wrong....
I have added an additional capability called "User Assigned Device Name" into my application(The provisions for Development, Ad hoc & App Store Connect etc already received from Apple). Since then we are facing issues on code signing. We are trying to Sign in Automatically and getting the below error always.
/.xcodeproj Provisioning profile "iOS Team Provisioning Profile: com..*******" doesn't include the com.apple.developer.contacts.notes entitlement.
Contact notes entitlements are not a part of our additional capabilities as we requested separately with Apple and received it in the provisioning profile long back. Actually that time the same(contacts notes entitlements) was not a part of the additional capabilities. Please advise if any one has gone through such a conflict and resolved.
I am pretty much at a loss here...
In the past I used altool which worked. Not sure of related though, been a while since. But the same build script I use, just replaced altool with notarytool
I first codesigen
`MYNAME@MYMACNAME ~ % codesign --verbose --force --options runtime --timestamp --sign "COMPANYSIGN" "/Volumes/DiskW/projects-cool-MYNAME/MYPRODPATH/osx/final_MYPRODNAME-dist/mac-MYPRODNAME-files/MYPRODNAME.app"
/Volumes/DiskW/projects-cool-MYNAME/MYPRODPATH/osx/final_MYPRODNAME-dist/mac-MYPRODNAME-files/MYPRODNAME.app: replacing existing signature
/Volumes/DiskW/projects-cool-MYNAME/MYPRODPATH/osx/final_MYPRODNAME-dist/mac-MYPRODNAME-files/MYPRODNAME.app: signed app bundle with Mach-O thin (x86_64) [com.MYCOMPANY.MYPRODNAME]
MYNAME@MYMACNAME ~ % `
Then display entitlements:
MYNAME@MYMACNAME ~ % codesign --verbose --display --entitlements :- "/Volumes/DiskW/projects-cool-MYNAME/MYPRODPATH/osx/final_MYPRODNAME-dist/mac-MYPRODNAME-files/MYPRODNAME.app"
Executable=/Volumes/DiskW/projects-cool-MYNAME/MYPRODPATH/osx/final_MYPRODNAME-dist/mac-MYPRODNAME-files/MYPRODNAME.app/Contents/MacOS/MYPRODNAME
Identifier=com.MYCOMPANY.MYPRODNAME
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=127176 flags=0x10000(runtime) hashes=3967+3 location=embedded
Signature size=9057
Timestamp=16 May 2024 at 11.49.11
Info.plist entries=17
TeamIdentifier=MYTEAMID
Runtime Version=10.16.0
Sealed Resources version=2 rules=13 files=279
Internal requirements count=1 size=188
MYNAME@MYMACNAME ~ %
Then I try do notarization (see next post)
Our product includes a sudo plugin so we can apply user-defined policies to manage privileged access to command line programs. We’ve been getting reports where the plugin sometimes doesn't get invoked and the sudo command falls back to its default behavior. This seems to only be happening intermittently, but when the issue does occur, this message appears in the Console:
Library Validation failed: Rejecting '/usr/local/libexec/sudo/<our_plugin>.so' (Team ID: <OURTEAMID>, platform: no) for process 'sudo(<pid>)’ (Team ID: N/A, platform: yes), reason: mapping process is a platform binary, but mapped file is not
I recall a previous discussion of this message (that I can’t locate now), which explained that although the host process has library validation disabled, the code flow raises an error anyway, so that the host process can detect it and bypass the validation to load the plugin. It looks like that's what sudo is doing: it has the private entitlement com.apple.private.security.clear-library-validation and makes the appropriate system call when the plugin initially fails to load [1] — but apparently this isn't working reliably for our sudo plugin.
We’ve observed that restarting the Mac generally resolves the issue, at least for a while. This resembles the “classic symptom of a code signing oddity” where the signature is cached and the Mach-O image is rewritten rather than replaced (as documented in Updating Mac Software). But our software uses an Installer package for updates as well as initial installation, and the Installer is documented as not having this issue, so I believe the problem lies somewhere else.
I’m running out of ideas; are there any other avenues I should investigate? Thanks for any help.
[1] This is described in an article called "About com.apple.private.security.clear-library-validation"; I can't link to it directly from the developer forums, but it can easily be found by searching for the title.
Hello,
I've been trying to update my application since days, tried everything, all my environment is unchanged except update to the latest xcode version, I only fixed a bug in my code, and updated my expired certifacates with the same IDs.
I've also been able to test the app with testflight.
The app is built successfuly, validated, uploaded to the apple connect, submited for review, accepted and published online on the mac app store.
I've been able to update the application with the mac app store.
Now here is the problem: if I delete the application, and try to reinstall it from the app store, it says: unable to install, try again later - then the mac app store is stuck, I need to quit / restart to be able to try a new install.
I also distribute my application outside of the mac app store, I've also signed and notarized my app successfully, with my developer id certificate, I tried with organizer, and also with xcrun notary on the command line, all is ok, but when I run the exported application, it says that the application is damaged (so right click/open works, and the app works well).
The only thing that I can see is this (compared with my previous version):
spctl -a -vvv -t install myapp.app:
myapp.app: rejected (invalid destination for symbolic link in bundle)
I don't have the error on my previous version.
I've checked all the links inside the package, I don't see any problem or invalid link (and the app can run perfectly.... )
I've also check the logs.json file after the notary result, no problem appears.
the whole structure of the application and files inside the .app is exactly the same between the previous version, and the new one with that problem.
hope that someone could help me to solve this problem :)
I have an app that needs re-signing/updating to work on ios 17 (ios 17.4.1).
I have renamed the IPA file to zip and extracted it to the desktop.
The files in the extracted folder are:
ItunesArtwork
ItunesMetadata.plist
Payload folder
Payload folder contains the app
App package contents contains all the app files, including the _CodeSignature folder.
I extracted the package contents to a folder on the desktop.
Xcode 15.3 (15E204a) is installed.
Need the steps necessary to complete it and generate the new IPA file to test.
Thanks all,
Ed
On our CI (GitHub Actions) we are signing our .ipa with codesign and after that uploads the resulting .ipa with altool to TestFligt.
The problem is that the entitlements added by codesign no longer appear when we view the build on TestFlight.
The app requires entitlements for push notification and for associated domains.
codesign -s Distribution prod.entitlements prod.ipa
Immediately after we do a
codesign --verbose --display --entitlements -
and the entitlements show fine.
Next command is
xcrun altool --upload-app --type ios -f prod.ipa --apiKey $api_key_id --apiIssuer $appstore_api_key_issuer
To us it seems like altool strips the entitlements from the .ipa.
What are we doing wrong?
Hi everyone!
We use to have an intel Mac machine where we generate the Developer ID Installer & Application certs for signing and notarization process. This process works sweet.
Now, we move from an intel to a m1 Mac machine, where we want to do the same process as before. I had try two different approaches, but ending up with the same result.
I export the cert with the private key from my intel to the m1 machine, but when I try to sign, I get: Invalid signature. (Not sure what this error means in this case as everything works on the intel machine. I am guessing the cipher for creating either the private key or the signature differs between the architecture)
I try to generate new certs for this m1 machine, but I get the following error: You already have a current Developer ID installer certificate or a pending certificate request. I try with the same account, but also with a different account. In both cases got the same error.
I create a ticket for apple, where they said to expect a reply between one and two business days, but no luck yet.
Many of the trusted execution problems I see are caused by folks signing their product using the --deep option. While that can work in some circumstances, I generally recommend against it. There are two issues with --deep:
It applies the same code signing options to every code item that it signs, something that’s not appropriate in general. For example, you might have an app containing a nested command-line tool, where the app and the tool need different entitlements. The --deep option will apply the same entitlements to both, which is a serious mistake.
It only signs code that it can find, and it only finds code in nested code sites. If you put code in a place where the system is expecting to find data, --deep won’t sign it.
The first issue is fundamental to how --deep works, and is the main reason you should not use it. Indeed, on macOS it may cause the trusted execution system to block your program from running. For the details, see the Check for Entitlements on Library Code section of Resolving Library Loading Problems.
The second issue is only a problem if you don’t follow the rules for nesting code and data within a bundle, as documented in Placing Content in a Bundle. However, my experience is that the products that don’t follow those rules are exactly the same sort of products that try to use --deep.
The alternative to --deep is to sign each code item separately, from the inside out. If your product has lots of nested code, automate this using a script.
Note One exception to the prohibition on --deep is Automator apps. If you’re signing an Automator app, see this DevForums post.
For detailed information on how to correctly sign and package Mac software, see Creating distribution-signed code for macOS and Packaging Mac software for distribution.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
Revision history:
2024-05-06 Update some links to reference the Real Documentation™ rather than my legacy DevForums posts.
2022-06-14 Added a link to Resolving Library Loading Problems. Replaced the link to Signing a Mac Product For Distribution with a link to Creating Distribution-Signed Code for Mac. Made other minor editorial changes.
2021-10-21 Replaced the nested code reference with one to Placing Content in a Bundle. Minor editorial changes.
2020-09-15 Adopted the correct terminology for Automator apps.
2020-03-09 First version.
We have developed a library and a DriverKit driver on Mac platform. And we need to disable SIP to install dext and later point of time if we enable SIP then the dext is non functional. So is it mandatory to disable the SIP for whole life time of dext? Also it is not recommended to disable the SIP for a long time, as it may create a security hole.
Standard ways are given on Apple support page that how to notarise an application to distribute over the internet. Here one mandatory account is required that is Apple Developer account which is a paid account we believe. Standing at this point can you share the complete steps of software distribution process which will include code signing, notarisation process and stapling.
I'm trying to build my Expo app. I already built it for Android, but now I'm struggling to create a release on iOS to upload on TestFlight. I have the apple developer account of my university, and they added our bundle ID there(I'm not an admin). When I try to build with EAS, it requires a p12 file.
So, I tried to generate it in this way:
From Keychain Access I created a CSR(by adding my mail and name) and then on Apple Developers I uploaded it(Certificates > +), so I downloaded a .cer file
I opened the .cer on Keychain Access and I dragged it under "login" section
From there I exported the p12 file
But that p12 gives me always this error when I run npx eas build --platform ios :
Provided Distribution Certificate is no longer valid on Apple's server
after submitting the p12 file on eas console.
Can someone help us?
Thanks in advance for your availability :)
Hi everyone,
Has this every happened to you? If so, how did you resolve it?
Submitting my app for review, I got the following rejection:
Guideline 2.4.5(ii) - Performance
The package currently available in App Store Connect cannot be installed and may be corrupted.
Next Steps
Please rebuild your application and upload a new version. If this issue continues, please contact Apple Developer Technical Support for help investigating the issue.
DTS referred me back to app review:
We are unable to help you resolve this matter. Please circle back with the App Review team for assistance.
I'm building the .pkg with productbuild:
xcrun productbuild --product WFH\ Phone\ Webcam.app/Contents/Info.plist --component WFH\ Phone\ Webcam.app /Applications --sign "3rd Party Mac Developer Installer: Mansour Moufid (42A2D88R9U)" --timestamp WFH\ Phone\ Webcam.pkg
and uploading it with altool:
xcrun altool --username "..." --password "..." --validate-app --file WFH\ Phone\ Webcam.pkg --type osx
xcrun altool --username "..." --password "..." --upload-app --file WFH\ Phone\ Webcam.pkg --type osx
The .pkg signature looks fine:
xcrun pkgutil --check-signature WFH\ Phone\ Webcam.pkg
Package "WFH Phone Webcam.pkg":
Status: signed by a developer certificate issued by Apple (Development)
Signed with a trusted timestamp on: 2024-04-29 14:11:27 +0000
Certificate Chain:
1. 3rd Party Mac Developer Installer: Mansour Moufid (42A2D88R9U)
Expires: 2025-03-13 20:11:55 +0000
SHA256 Fingerprint:
CB 8A 12 1D 4D 16 29 27 08 30 07 1C 6C F6 1C F4 85 6E AE F1 B1 34
68 F7 81 6D C3 3B 1B 8C 5D 32
------------------------------------------------------------------------
2. Apple Worldwide Developer Relations Certification Authority
Expires: 2030-02-20 00:00:00 +0000
SHA256 Fingerprint:
DC F2 18 78 C7 7F 41 98 E4 B4 61 4F 03 D6 96 D8 9C 66 C6 60 08 D4
24 4E 1B 99 16 1A AC 91 60 1F
------------------------------------------------------------------------
3. Apple Root CA
Expires: 2035-02-09 21:40:36 +0000
SHA256 Fingerprint:
B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C
68 C5 BE 91 B5 A1 10 01 F0 24
The app's signature also checks out:
codesign --strict --deep --verbose --verify WFH\ Phone\ Webcam.app
WFH Phone Webcam.app: valid on disk
WFH Phone Webcam.app: satisfies its Designated Requirement
I have no idea what "cannot be installed and may be corrupted" means and app review is not responding to my request for more information...
I have a personal app I use only for myself on my iPhone. I do not distribute this. Its stops working every year when my renewal comes up. Once I renew my subscription I reload the app onto my phone and it works again. Is there a way that I can have it work forever without having to reload it every year? Sometimes I forget to reload after my renewal and it does not work until I do so.
Hi,
I have codesigned my application and after this macos won't run the binary anymore.
codesign -f -o runtime --timestamp -s "Developer ID Application: YOUR NAME (TEAM_ID)" --entitlements $HOME/workspace/GSequencer-cocoa/gsequencer-macos/macos-contrib/GSequencer.entitlements -i com.gsequencer.GSequencer --deep $HOME/workspace/GSequencer-cocoa/gsequencer-macos/build/universal/GSequencer.app
Verify signature works.
codesign -vv $HOME/workspace/GSequencer-cocoa/gsequencer-macos/build/universal/GSequencer.app
The same for the DMG file, still doesn't work anymore.
codesign -f -o runtime --timestamp -s "Developer ID Application: YOUR NAME (TEAM_ID)" $HOME/workspace/GSequencer-cocoa/gsequencer-macos/build/arm64/GSequencer-6.9.1.dmg
I would love to distribute my application with code signing. Note all libraries are built using clang or clang++.
I figured out that when I leave entitlements away it would launch but complains about library signatures.
regards, Joël
Hi,
I am experience crashes with my application after code signing, this didn't happen before. Does OpenGL require special permissions?
GSequencer stack-trace gtk4 crash
by, Joël
I am able to successfully install the app on my device, but I am unable to verify the app.
Steps to reproduce:
Navigate to Settings -> VPN & Device Management on iPhone 14
Select developer under Developer App
Select trust this computer
Attempt to Verify App
The "Verify App" button has no effect. The app can still be installed when built, but is not able to be opened. Navigating to ppq.apple.com in a browser results in a "cannot be trusted":