Search results for

“codesign”

3,223 results found

Post

Replies

Boosts

Views

Activity

Reply to Codesign -- force not signing 3rd Pty binaries
The immediate cause of your problem is you have code that’s not signed: % file /Volumes/DataflowGeometry2D/DataflowGeometry2D.app/Contents/app/DFG2D_Mac_x86_313.jar /Volumes/DataflowGeometry2D/DataflowGeometry2D.app/Contents/app/DFG2D_Mac_x86_313.jar: Java archive data (JAR) % mkdir DFG2D_Mac_x86_313 % cd DFG2D_Mac_x86_313 % unzip /Volumes/DataflowGeometry2D/DataflowGeometry2D.app/Contents/app/DFG2D_Mac_x86_313.jar Archive: /Volumes/DataflowGeometry2D/DataflowGeometry2D.app/Contents/app/DFG2D_Mac_x86_313.jar … inflating: lib/jogamp-fat/jogamp-fat.jar … % mkdir jogamp-fat % cd jogamp-fat % unzip ../lib/jogamp-fat/jogamp-fat.jar Archive: ../lib/jogamp-fat/jogamp-fat.jar … inflating: natives/macosx-universal/libjocl.dylib … % file natives/macosx-universal/libjocl.dylib natives/macosx-universal/libjocl.dylib: Mach-O universal binary with 2 architectures… … % codesign -d -vvv natives/macosx-universal/libjocl.dylib … CodeDirectory v=20400 size=1606 flags=0x20002(adhoc,linker-signed) … … The notary service
Topic: Code Signing SubTopic: General
Aug ’25
Reply to Codesign -- force not signing 3rd Pty binaries
My latest process is still failing Notarization, saying 10 .dylib files (located in the jog amp MacosX Universal Binaries folder) are unsigned. My process: Unarchive jogamp-fat.jar (command line too jar xf) codesign --timestamp all 10 .dylib files confirm all signed reJar the jog amp-fat.jar codesign the jar, and confirm signed add signed jar back into Eclipse Java project as an external library Export app jar use jpackage tool to sign app jar , build .dmg, and sign that test run install and launch submit .dmg to Notarization Will try to email the .dmg to Quinn
Topic: Code Signing SubTopic: General
Aug ’25
Reply to Dynamic Library cannot call exposed C function
I have played around a bit more with the code: I tried passing pointers to the functions themselves Making sure the callbacks are called from the mainthread But nothing seems to work. I did stumble into this page though https://developer.apple.com/documentation/xcode/investigating-memory-access-crashes#Use-VM-Region-Info-to-locate-the-memory-in-your-apps-address-space And it's useful to understand the crash logs. My full crash is: Exception Type: EXC_BAD_ACCESS (SIGKILL) Exception Subtype: KERN_PROTECTION_FAILURE at 0x0000000000000000 Exception Codes: 0x0000000000000002, 0x0000000000000000 VM Region Info: 0 is not in any region. Bytes before following region: 4307271680 REGION TYPE START - END [ VSIZE] PRT/MAX SHRMOD REGION DETAIL UNUSED SPACE AT START ---> __TEXT 100bbc000-100bc0000 [ 16K] r-x/r-x SM=COW /var/containers/Bundle/Application/D7CA13B9-71D1-467E-882D-317F9AF57049/OpacityPod_Example.app/OpacityPod_Example Termination Reason: CODESIGNING 2 Invalid Page So it's clearly a pointer exceptio
Topic: Code Signing SubTopic: General Tags:
Aug ’25
Signing a daemon with the Endpoint Security entitlement
Note: This failure occurs even when running on the same machine that performed the build, signing, and notarization steps. We are developing a command-line Endpoint Security (ES) client for macOS, distributed to customers as part of an enterprise security suite. We have a valid Apple Developer Team ID (redacted for privacy) and have requested and received the Endpoint Security entitlement for our account. What We’ve Done Built a universal (x86_64/arm64) CLI ES client using Xcode on macOS Sonoma. Signed with a Developer ID Application certificate (matching our Team ID). Applied the entitlement: com.apple.developer.endpoint-security.client. Notarized the binary via notarytool after receiving Apple’s confirmation that the entitlement was “assigned to our account.” Distributed and unzipped the notarized ZIP (with com.apple.quarantine xattr intact). What Happens: When we run the binary (as root, via sudo) on any test Mac—including the original build/notarization machine—the process is killed immediately at launch.
Topic: App & System Services SubTopic: Core OS Tags:
21
0
736
Jul ’25
What is the code signing trust level?
In some crashlog files, there are additional pieces of information related to codesigning. I can understand what most of themcorresponds to (ID, TeamID, Flags, Validation Category). But there is one I have some doubt about: Trust Level. As far as I can tell (or at least what Google and other search engines say), this is an unsigned 32 bit integer that defines the trust level with -1 being untrusted, 0, being basically an Apple executable and other potential bigger values corresponding to App Store binaries, Developer ID signature, etc. Yet, I'm not able to find a corresponding detailed documentation about this on Apple's developer website. I also had a look at the LightweightCodeRequirements include file and there does not seem to be such a field available. [Q] Is there any official documentation listing the different values for this trust level value and providing a clear description of what it corresponds to?
Topic: Privacy & Security SubTopic: General Tags:
4
0
341
Jul ’25
Gatekeeper rejects notarized app ("Unnotarized Developer ID") when using necessary entitlements
Hello everyone, I'm hoping to get some guidance on a frustrating codesigning issue. I have a macOS application that successfully completes the entire notarization and stapling process, but it is still rejected by Gatekeeper during the final verification step. The rejection only happens when I apply the entitlements that I believe are necessary for my app's functionality. The application is built with PyInstaller and has the following components: A main executable written in Python. A bundled Tcl/Tk instance for the GUI. Embedded Playwright components, which include the Node.js runtime and a full Chromium browser instance. These are located deep inside the .app bundle. The Problem The core of my application relies on Playwright to perform some automated tasks, and its bundled Chromium browser requires specific entitlements to function under the Hardened Runtime. Specifically, it needs com.apple.security.cs.allow-jit and com.apple.security.cs.allow-unsigned-executable-memory. My signing process is as f
Topic: Code Signing SubTopic: Entitlements Tags:
9
0
732
Jul ’25
Reply to Gatekeeper rejects notarized app ("Unnotarized Developer ID") when using necessary entitlements
[quote='850703022, tomdesantis, /thread/794080?answerId=850703022#850703022, /profile/tomdesantis'] Surprisingly in my notary log it seems that all the Mach-O images are in the log. [/quote] Right. I suspect that my notarisation of your app has perturbed the system in some way. Given that, I’d like to try to get us back into the state where things are failing. Unfortunately that means that I have to get you to do some more work )-: Specifically: Rebuild and re-sign your app. Check that the top-level app has a different cdhash, that is, this command outputs something different: % codesign -d -vvv HotelOrganizer.app … CDHash=b4563a07ac6827cced5dd13a172c41c80ca7d589 … Notarise that. Grab the notary log and save that away. Staple and package the app. Reproduce the problem. Attach the new copy of your app and the notary log from step 4 to your bug report. Reply back here when you’re done and I’ll take another look. [quote='850703022, tomdesantis, /thread/794080?answerId=850703022#850703022, /profile/tomde
Topic: Code Signing SubTopic: Entitlements Tags:
Jul ’25
Reply to Gatekeeper rejects notarized app ("Unnotarized Developer ID") when using necessary entitlements
Every good debugging story starts with a “Huh, that’s weird.”, and this is no exception (-: Consider this: % stapler validate -v HotelOrganizer.app … Downloaded ticket has been stored at file:///var/folders/n_/p9vcphfj2l7c7fmh0ct2f70w0000gp/T/4985875e-0770-4d79-8ec1-14c034783d98.ticket. The validate action worked! So far so good. But now look at this: % NotarizationTicketDump /var/folders/n_/p9vcphfj2l7c7fmh0ct2f70w0000gp/T/4985875e-0770-4d79-8ec1-14c034783d98.ticket b4563a07ac6827cced5dd13a172c41c80ca7d589 Note NotarizationTicketDump is a tool I wrote myself to dump the cdhashes in a ticket. I can’t share that tool but you, as the person who did the notarisation, can get the same information from the notarisation log. More on this below. The ticket has only one cdhash value. That value matches your main app: % codesign -d -vvv HotelOrganizer.app … CDHash=b4563a07ac6827cced5dd13a172c41c80ca7d589 … which is good, but your app contains a lot of other Mach-O images [1]: % FindMachO.sh HotelOrganizer.app
Topic: Code Signing SubTopic: Entitlements Tags:
Jul ’25
Reply to ITMS-90207: Invalid Bundle. The bundle at 'Runner.app' does not contain a bundle executable.
Sharing the full email I sent to Apple Support I am consistently encountering the ITMS-90207 error Invalid Bundle. The bundle at 'Runner.app' does not contain a bundle executable. when attempting to upload my Flutter iOS app to App Store Connect via both Transporter and direct upload from Xcode Organizer. This issue persists despite extensive troubleshooting and thorough local validation, which shows the IPA is correctly formed. App Details: App Name: OnOn App Store Connect App ID: 6502598657 Bundle Identifier: com.onon.app Latest Version/Build Attempted: Version 1.0.24, Build 50 Error Details: Exact Error Message: Invalid Bundle. The bundle at 'Runner.app' does not contain a bundle executable. (ID: [e.g., f548c384-73e9-4f09-96a0-363b7d67f650 from your log]) Transporter Log Reference: From my Transporter logs, the specific iris-code is STATE_ERROR.VALIDATION_ERROR. Example Build ID from Transporter Log: [e.g., 6bd99937-1283-486e-a245-419ea29443f0] (This ID might vary with each attempt, but providing a recent
Topic: App Store Distribution & Marketing SubTopic: App Store Connect
Jul ’25
Reply to Gatekeeper rejects notarized app ("Unnotarized Developer ID") when using necessary entitlements
I used syspolicy_check and this is the message I got: App has failed one or more pre-distribution checks. Codesign Error File: HotelOrganizer.app Severity: Fatal Full Error: Gatekeeper rejected this file. If there isn't a more descriptive error elsewhere in this output, please file a Feedback through Feedback Assistant.app so we can continue to improve syspolicy_check. Please include the app bundle you are checking and a sysdiagnose taken immediately after running syspolicy_check. Type: Notary Error I'm really frustrated by this, I tried everything I could find in the forum. I cannot distribute my app to my customers because of this issue.
Topic: Code Signing SubTopic: Entitlements Tags:
Jul ’25
Reply to Gatekeeper rejects notarized app ("Unnotarized Developer ID") when using necessary entitlements
No, I haven't added that. Is it possible that maybe this library entitlement is added automatically during codesigning? Actually after further testing, I realized that the culprit seem to be the entitlements I assign to the node and Chromium Helper executables within the Playwright framework ( com.apple.security.cs.allow-jit and com.apple.security.cs.allow-unsigned-executable-memory ). The JIT entitlement applied to the main python executable does not affect gatekeeper.
Topic: Code Signing SubTopic: Entitlements Tags:
Jul ’25
Reply to Signing a daemon with the Endpoint Security entitlement
I’m not sure why you’re having problems with this. Lemme walk you through how I tested this today. You can review my steps to see if there’s anything obviously different. And if there isn’t, you can run through the steps yourself to see if you can repeat my experience. If so, you can then compare your primary daemon to your test daemon to see what’s different. So, here’s what I did: Using Xcode 16.4 on macOS 15.5, I created a new project from the macOS > App template. I set it up as a daemon per the advice in Signing a daemon with a restricted entitlement. Note that the details will differ a bit but the final result will be the same. Specifically, here’s my final structure: % find Test791996.app Test791996.app Test791996.app/Contents Test791996.app/Contents/_CodeSignature Test791996.app/Contents/_CodeSignature/CodeResources Test791996.app/Contents/MacOS Test791996.app/Contents/MacOS/Test791996 Test791996.app/Contents/embedded.provisionprofile Test791996.app/Contents/Info.plist Test791996.app/Contents/PkgIn
Topic: App & System Services SubTopic: Core OS Tags:
Jul ’25
Reply to Help with Entitlements for Keychain Access
[quote='793977021, neil218, /thread/793977, /profile/neil218'] I attempted to codesign my native dynamic library (.dylib) with an entitlement [/quote] That won’t work. Entitlements are only relevant to a main executable. If you sign library code with an entitlement it is, at best, ignored. Creating distribution-signed code for macOS has general guidelines for signing Mac code and it specifically calls this out. Expanding on this a little, when a process runs an executable, the system checks the entitlements claimed by that executable. If all the entitlements are authorised by the executable’s profile [1], the process starts running that program and gains those entitlements. If not, the system kills the process [2]. So, to get this to work you have to change how you sign your app as a whole. This can be tricky. I usually recommend that Java developers start Java by way of a native trampoline. See the info and links in the TCC and Main Executables section of On File System Permissions. However, that tr
Topic: Privacy & Security SubTopic: General Tags:
Jul ’25
Help with Entitlements for Keychain Access
Hi everyone, I’m working an Objective-C lib that performs Keychain operations, such as generating cryptographic keys and signing data. The lib will be used by my team in a Java program for macOS via JNI. When working with the traditional file-based Keychain (i.e., without access control flags), everything works smoothly, no issues at all. However, as soon as I try to generate a key using access control flags SecAccessControlCreateWithFlags, the Data Protection Keychain returns error -34018 (errSecMissingEntitlement) during SecKeyCreateRandomKey. This behavior is expected. To address this, I attempted to codesign my native dynamic library (.dylib) with an entitlement plist specifying various combinations of: keychain-access-groups com.apple.security.keychain etc. with: My Apple Development certificate Developer ID Application certificate Apple Distribution certificate None of these combinations made a difference, the error persists. I’d love to clarify: Is it supported to access Data Protection Keycha
Topic: Privacy & Security SubTopic: General Tags:
1
0
421
Jul ’25
Encounter "zsh: trace trap" after updating trust settings for Apple certificates
Hi guys, New to publishing apps on Apple Store. I encounter some notarization error before and resolved it in this post. By solving the previous issue, I updated the Trust setting from Always Trust to Use System Defaults for Apple certificates. The codesign and notarization no longer give me any problem. But now, I encountered another issue. When I ran the .app on my local Macbook, it now gives me zsh: trace trap error. Dive a little further and check the crash report, I found the some details as following. Process: my_app [30652] Path: /Users/USER/my_app_path Identifier: my_app Version: 0.0.0 (???) Code Type: ARM-64 (Native) Parent Process: launchd [1] User ID: 501 Date/Time: 2025-07-15 14:57:58.9874 -0400 OS Version: macOS 15.5 (24F74) Report Version: 12 Anonymous UUID: 2335F0B6-A26E-6446-6074-0FCE620C4B6A Time Awake Since Boot: 6000 seconds System Integrity Protection: enabled Crashed Thread: 0 Dispatch queue: com.apple.main-thread Exception Type: EXC_BAD_ACCESS (SIGKILL (Code Signature Invalid))
Topic: Code Signing SubTopic: General Tags:
5
0
304
Jul ’25
Reply to Codesign -- force not signing 3rd Pty binaries
The immediate cause of your problem is you have code that’s not signed: % file /Volumes/DataflowGeometry2D/DataflowGeometry2D.app/Contents/app/DFG2D_Mac_x86_313.jar /Volumes/DataflowGeometry2D/DataflowGeometry2D.app/Contents/app/DFG2D_Mac_x86_313.jar: Java archive data (JAR) % mkdir DFG2D_Mac_x86_313 % cd DFG2D_Mac_x86_313 % unzip /Volumes/DataflowGeometry2D/DataflowGeometry2D.app/Contents/app/DFG2D_Mac_x86_313.jar Archive: /Volumes/DataflowGeometry2D/DataflowGeometry2D.app/Contents/app/DFG2D_Mac_x86_313.jar … inflating: lib/jogamp-fat/jogamp-fat.jar … % mkdir jogamp-fat % cd jogamp-fat % unzip ../lib/jogamp-fat/jogamp-fat.jar Archive: ../lib/jogamp-fat/jogamp-fat.jar … inflating: natives/macosx-universal/libjocl.dylib … % file natives/macosx-universal/libjocl.dylib natives/macosx-universal/libjocl.dylib: Mach-O universal binary with 2 architectures… … % codesign -d -vvv natives/macosx-universal/libjocl.dylib … CodeDirectory v=20400 size=1606 flags=0x20002(adhoc,linker-signed) … … The notary service
Topic: Code Signing SubTopic: General
Replies
Boosts
Views
Activity
Aug ’25
Reply to Codesign -- force not signing 3rd Pty binaries
My latest process is still failing Notarization, saying 10 .dylib files (located in the jog amp MacosX Universal Binaries folder) are unsigned. My process: Unarchive jogamp-fat.jar (command line too jar xf) codesign --timestamp all 10 .dylib files confirm all signed reJar the jog amp-fat.jar codesign the jar, and confirm signed add signed jar back into Eclipse Java project as an external library Export app jar use jpackage tool to sign app jar , build .dmg, and sign that test run install and launch submit .dmg to Notarization Will try to email the .dmg to Quinn
Topic: Code Signing SubTopic: General
Replies
Boosts
Views
Activity
Aug ’25
Reply to Dynamic Library cannot call exposed C function
I have played around a bit more with the code: I tried passing pointers to the functions themselves Making sure the callbacks are called from the mainthread But nothing seems to work. I did stumble into this page though https://developer.apple.com/documentation/xcode/investigating-memory-access-crashes#Use-VM-Region-Info-to-locate-the-memory-in-your-apps-address-space And it's useful to understand the crash logs. My full crash is: Exception Type: EXC_BAD_ACCESS (SIGKILL) Exception Subtype: KERN_PROTECTION_FAILURE at 0x0000000000000000 Exception Codes: 0x0000000000000002, 0x0000000000000000 VM Region Info: 0 is not in any region. Bytes before following region: 4307271680 REGION TYPE START - END [ VSIZE] PRT/MAX SHRMOD REGION DETAIL UNUSED SPACE AT START ---> __TEXT 100bbc000-100bc0000 [ 16K] r-x/r-x SM=COW /var/containers/Bundle/Application/D7CA13B9-71D1-467E-882D-317F9AF57049/OpacityPod_Example.app/OpacityPod_Example Termination Reason: CODESIGNING 2 Invalid Page So it's clearly a pointer exceptio
Topic: Code Signing SubTopic: General Tags:
Replies
Boosts
Views
Activity
Aug ’25
Signing a daemon with the Endpoint Security entitlement
Note: This failure occurs even when running on the same machine that performed the build, signing, and notarization steps. We are developing a command-line Endpoint Security (ES) client for macOS, distributed to customers as part of an enterprise security suite. We have a valid Apple Developer Team ID (redacted for privacy) and have requested and received the Endpoint Security entitlement for our account. What We’ve Done Built a universal (x86_64/arm64) CLI ES client using Xcode on macOS Sonoma. Signed with a Developer ID Application certificate (matching our Team ID). Applied the entitlement: com.apple.developer.endpoint-security.client. Notarized the binary via notarytool after receiving Apple’s confirmation that the entitlement was “assigned to our account.” Distributed and unzipped the notarized ZIP (with com.apple.quarantine xattr intact). What Happens: When we run the binary (as root, via sudo) on any test Mac—including the original build/notarization machine—the process is killed immediately at launch.
Topic: App & System Services SubTopic: Core OS Tags:
Replies
21
Boosts
0
Views
736
Activity
Jul ’25
What is the code signing trust level?
In some crashlog files, there are additional pieces of information related to codesigning. I can understand what most of themcorresponds to (ID, TeamID, Flags, Validation Category). But there is one I have some doubt about: Trust Level. As far as I can tell (or at least what Google and other search engines say), this is an unsigned 32 bit integer that defines the trust level with -1 being untrusted, 0, being basically an Apple executable and other potential bigger values corresponding to App Store binaries, Developer ID signature, etc. Yet, I'm not able to find a corresponding detailed documentation about this on Apple's developer website. I also had a look at the LightweightCodeRequirements include file and there does not seem to be such a field available. [Q] Is there any official documentation listing the different values for this trust level value and providing a clear description of what it corresponds to?
Topic: Privacy & Security SubTopic: General Tags:
Replies
4
Boosts
0
Views
341
Activity
Jul ’25
Gatekeeper rejects notarized app ("Unnotarized Developer ID") when using necessary entitlements
Hello everyone, I'm hoping to get some guidance on a frustrating codesigning issue. I have a macOS application that successfully completes the entire notarization and stapling process, but it is still rejected by Gatekeeper during the final verification step. The rejection only happens when I apply the entitlements that I believe are necessary for my app's functionality. The application is built with PyInstaller and has the following components: A main executable written in Python. A bundled Tcl/Tk instance for the GUI. Embedded Playwright components, which include the Node.js runtime and a full Chromium browser instance. These are located deep inside the .app bundle. The Problem The core of my application relies on Playwright to perform some automated tasks, and its bundled Chromium browser requires specific entitlements to function under the Hardened Runtime. Specifically, it needs com.apple.security.cs.allow-jit and com.apple.security.cs.allow-unsigned-executable-memory. My signing process is as f
Topic: Code Signing SubTopic: Entitlements Tags:
Replies
9
Boosts
0
Views
732
Activity
Jul ’25
Reply to Gatekeeper rejects notarized app ("Unnotarized Developer ID") when using necessary entitlements
[quote='850703022, tomdesantis, /thread/794080?answerId=850703022#850703022, /profile/tomdesantis'] Surprisingly in my notary log it seems that all the Mach-O images are in the log. [/quote] Right. I suspect that my notarisation of your app has perturbed the system in some way. Given that, I’d like to try to get us back into the state where things are failing. Unfortunately that means that I have to get you to do some more work )-: Specifically: Rebuild and re-sign your app. Check that the top-level app has a different cdhash, that is, this command outputs something different: % codesign -d -vvv HotelOrganizer.app … CDHash=b4563a07ac6827cced5dd13a172c41c80ca7d589 … Notarise that. Grab the notary log and save that away. Staple and package the app. Reproduce the problem. Attach the new copy of your app and the notary log from step 4 to your bug report. Reply back here when you’re done and I’ll take another look. [quote='850703022, tomdesantis, /thread/794080?answerId=850703022#850703022, /profile/tomde
Topic: Code Signing SubTopic: Entitlements Tags:
Replies
Boosts
Views
Activity
Jul ’25
Reply to Gatekeeper rejects notarized app ("Unnotarized Developer ID") when using necessary entitlements
Every good debugging story starts with a “Huh, that’s weird.”, and this is no exception (-: Consider this: % stapler validate -v HotelOrganizer.app … Downloaded ticket has been stored at file:///var/folders/n_/p9vcphfj2l7c7fmh0ct2f70w0000gp/T/4985875e-0770-4d79-8ec1-14c034783d98.ticket. The validate action worked! So far so good. But now look at this: % NotarizationTicketDump /var/folders/n_/p9vcphfj2l7c7fmh0ct2f70w0000gp/T/4985875e-0770-4d79-8ec1-14c034783d98.ticket b4563a07ac6827cced5dd13a172c41c80ca7d589 Note NotarizationTicketDump is a tool I wrote myself to dump the cdhashes in a ticket. I can’t share that tool but you, as the person who did the notarisation, can get the same information from the notarisation log. More on this below. The ticket has only one cdhash value. That value matches your main app: % codesign -d -vvv HotelOrganizer.app … CDHash=b4563a07ac6827cced5dd13a172c41c80ca7d589 … which is good, but your app contains a lot of other Mach-O images [1]: % FindMachO.sh HotelOrganizer.app
Topic: Code Signing SubTopic: Entitlements Tags:
Replies
Boosts
Views
Activity
Jul ’25
Reply to ITMS-90207: Invalid Bundle. The bundle at 'Runner.app' does not contain a bundle executable.
Sharing the full email I sent to Apple Support I am consistently encountering the ITMS-90207 error Invalid Bundle. The bundle at 'Runner.app' does not contain a bundle executable. when attempting to upload my Flutter iOS app to App Store Connect via both Transporter and direct upload from Xcode Organizer. This issue persists despite extensive troubleshooting and thorough local validation, which shows the IPA is correctly formed. App Details: App Name: OnOn App Store Connect App ID: 6502598657 Bundle Identifier: com.onon.app Latest Version/Build Attempted: Version 1.0.24, Build 50 Error Details: Exact Error Message: Invalid Bundle. The bundle at 'Runner.app' does not contain a bundle executable. (ID: [e.g., f548c384-73e9-4f09-96a0-363b7d67f650 from your log]) Transporter Log Reference: From my Transporter logs, the specific iris-code is STATE_ERROR.VALIDATION_ERROR. Example Build ID from Transporter Log: [e.g., 6bd99937-1283-486e-a245-419ea29443f0] (This ID might vary with each attempt, but providing a recent
Topic: App Store Distribution & Marketing SubTopic: App Store Connect
Replies
Boosts
Views
Activity
Jul ’25
Reply to Gatekeeper rejects notarized app ("Unnotarized Developer ID") when using necessary entitlements
I used syspolicy_check and this is the message I got: App has failed one or more pre-distribution checks. Codesign Error File: HotelOrganizer.app Severity: Fatal Full Error: Gatekeeper rejected this file. If there isn't a more descriptive error elsewhere in this output, please file a Feedback through Feedback Assistant.app so we can continue to improve syspolicy_check. Please include the app bundle you are checking and a sysdiagnose taken immediately after running syspolicy_check. Type: Notary Error I'm really frustrated by this, I tried everything I could find in the forum. I cannot distribute my app to my customers because of this issue.
Topic: Code Signing SubTopic: Entitlements Tags:
Replies
Boosts
Views
Activity
Jul ’25
Reply to Gatekeeper rejects notarized app ("Unnotarized Developer ID") when using necessary entitlements
No, I haven't added that. Is it possible that maybe this library entitlement is added automatically during codesigning? Actually after further testing, I realized that the culprit seem to be the entitlements I assign to the node and Chromium Helper executables within the Playwright framework ( com.apple.security.cs.allow-jit and com.apple.security.cs.allow-unsigned-executable-memory ). The JIT entitlement applied to the main python executable does not affect gatekeeper.
Topic: Code Signing SubTopic: Entitlements Tags:
Replies
Boosts
Views
Activity
Jul ’25
Reply to Signing a daemon with the Endpoint Security entitlement
I’m not sure why you’re having problems with this. Lemme walk you through how I tested this today. You can review my steps to see if there’s anything obviously different. And if there isn’t, you can run through the steps yourself to see if you can repeat my experience. If so, you can then compare your primary daemon to your test daemon to see what’s different. So, here’s what I did: Using Xcode 16.4 on macOS 15.5, I created a new project from the macOS > App template. I set it up as a daemon per the advice in Signing a daemon with a restricted entitlement. Note that the details will differ a bit but the final result will be the same. Specifically, here’s my final structure: % find Test791996.app Test791996.app Test791996.app/Contents Test791996.app/Contents/_CodeSignature Test791996.app/Contents/_CodeSignature/CodeResources Test791996.app/Contents/MacOS Test791996.app/Contents/MacOS/Test791996 Test791996.app/Contents/embedded.provisionprofile Test791996.app/Contents/Info.plist Test791996.app/Contents/PkgIn
Topic: App & System Services SubTopic: Core OS Tags:
Replies
Boosts
Views
Activity
Jul ’25
Reply to Help with Entitlements for Keychain Access
[quote='793977021, neil218, /thread/793977, /profile/neil218'] I attempted to codesign my native dynamic library (.dylib) with an entitlement [/quote] That won’t work. Entitlements are only relevant to a main executable. If you sign library code with an entitlement it is, at best, ignored. Creating distribution-signed code for macOS has general guidelines for signing Mac code and it specifically calls this out. Expanding on this a little, when a process runs an executable, the system checks the entitlements claimed by that executable. If all the entitlements are authorised by the executable’s profile [1], the process starts running that program and gains those entitlements. If not, the system kills the process [2]. So, to get this to work you have to change how you sign your app as a whole. This can be tricky. I usually recommend that Java developers start Java by way of a native trampoline. See the info and links in the TCC and Main Executables section of On File System Permissions. However, that tr
Topic: Privacy & Security SubTopic: General Tags:
Replies
Boosts
Views
Activity
Jul ’25
Help with Entitlements for Keychain Access
Hi everyone, I’m working an Objective-C lib that performs Keychain operations, such as generating cryptographic keys and signing data. The lib will be used by my team in a Java program for macOS via JNI. When working with the traditional file-based Keychain (i.e., without access control flags), everything works smoothly, no issues at all. However, as soon as I try to generate a key using access control flags SecAccessControlCreateWithFlags, the Data Protection Keychain returns error -34018 (errSecMissingEntitlement) during SecKeyCreateRandomKey. This behavior is expected. To address this, I attempted to codesign my native dynamic library (.dylib) with an entitlement plist specifying various combinations of: keychain-access-groups com.apple.security.keychain etc. with: My Apple Development certificate Developer ID Application certificate Apple Distribution certificate None of these combinations made a difference, the error persists. I’d love to clarify: Is it supported to access Data Protection Keycha
Topic: Privacy & Security SubTopic: General Tags:
Replies
1
Boosts
0
Views
421
Activity
Jul ’25
Encounter "zsh: trace trap" after updating trust settings for Apple certificates
Hi guys, New to publishing apps on Apple Store. I encounter some notarization error before and resolved it in this post. By solving the previous issue, I updated the Trust setting from Always Trust to Use System Defaults for Apple certificates. The codesign and notarization no longer give me any problem. But now, I encountered another issue. When I ran the .app on my local Macbook, it now gives me zsh: trace trap error. Dive a little further and check the crash report, I found the some details as following. Process: my_app [30652] Path: /Users/USER/my_app_path Identifier: my_app Version: 0.0.0 (???) Code Type: ARM-64 (Native) Parent Process: launchd [1] User ID: 501 Date/Time: 2025-07-15 14:57:58.9874 -0400 OS Version: macOS 15.5 (24F74) Report Version: 12 Anonymous UUID: 2335F0B6-A26E-6446-6074-0FCE620C4B6A Time Awake Since Boot: 6000 seconds System Integrity Protection: enabled Crashed Thread: 0 Dispatch queue: com.apple.main-thread Exception Type: EXC_BAD_ACCESS (SIGKILL (Code Signature Invalid))
Topic: Code Signing SubTopic: General Tags:
Replies
5
Boosts
0
Views
304
Activity
Jul ’25