codesign

Looks like I wasn't using the right SHA1 for my cert when calling codesign. I figured I could get the cert information by using security export-smartcard -i [card] | grep sha1 sha1 : After a bit of string manipulation: DC5F8D160FCD0342AE061D70716E114BD438D668 Now when I'm calling codesign -s DC5F8D160FCD0342AE061D70716E114BD438D668 -f foobar I can see the sign method of my TKTokenSession being called. tl;dr: New identity doesn't show up in Keychain, but it doesn't mean the OS can't use it. However you need to make sure you're using the right SHA1.

automation package installer script I'm using looks like this: set -euo pipefail APP_NAME=Runetale.app APP_BUNDLE=build/macos/Build/Products/Release/${APP_NAME} DEV_ID_APP_CERT=Developer ID Application: MYTEAMID DEV_ID_INSTALLER_CERT=Developer ID Installer: MYTEAMID APP_VERSION=1.0.0 APP_BUNDLE_ID=com.runetale.desktop # Apple credentials for notarization APPLE_ID= TEAM_ID= APP_SPECIFIC_PW= # clean and build rm -rf build flutter clean flutter build macos --release # Ensure the app exists if [ ! -d $APP_BUNDLE ]; then echo Error: $APP_BUNDLE not found. Make sure the app bundle is present. exit 1 fi echo Starting code signing for $APP_BUNDLE... # copy Runetale.app codesign -d -vvv build/macos/Build/Products/Release/Runetale.app ditto $APP_BUNDLE $APP_NAME # copy entitlements codesign -d --entitlements Release.entitlements --xml Runetale.app codesign -d --entitlements PacketTunnelRelease.entitlements --xml Runetale.app/Contents/Library/SystemExtensions/com.runetale.desktop.PacketTunnel.

@DTS Engineer Thank you. I read the documentation provided by Apple engineers. I was able to create the installer successfully and launch the application. However, when I try to connect to the VPN, I get the following error: default 16:53:58.419606+0900 Runetale Saving configuration Runetale with existing signature (null) error 16:53:58.420440+0900 Runetale Failed to save configuration Runetale: Error Domain=NEConfigurationErrorDomain Code=10 permission denied UserInfo={NSLocalizedDescription=permission denied} error 16:53:58.420474+0900 Runetale Failed to save configuration: Error Domain=NEVPNErrorDomain Code=5 permission denied UserInfo={NSLocalizedDescription=permission denied} error 16:53:58.420407+0900 nehelper Runetale Failed to obtain authorization right for 3: no authorization provided Is there any possible reason for this? The entitlements look like this: App entitlements com.apple.application-identifier myteamid.com.runetale.desktop com.apple.developer.networking.networkextension packet-tunnel-

To recap, my Ruby files for the app are located under ./app, with the gems being vendored. This library is located at ./app/vendor/bundle/ruby/3.3.0/gems/libui-0.1.2-arm64-darwin/vendor/libui.dylib. I'm curious if I should codesign the libui.dylib before building the binary with Tebako? If so, would I still need to codesign the Contents/Frameworks files under the app bundle? (I'm assuming yes on this latter point.) Thanks in advance for your suggestions.

Can you clarify the warning? Does it say the app was downloaded from the internet and no malware was found? Or does it say something worse? If this is an app downloaded from the internet, then it's going to say it was downloaded from the internet. No way around that unless you want to put it in the Mac App Store. If it is just an app, then there is no reason to put it inside a DMG. Just compress it into a zip file. I have no idea what you mean by complete codesigning using the third-party app itself—not via command-line scripts. Are you saying that you didn't use Xcode to build the app? If so, then you're on your own. You are totally at the mercy of whatever tool you are using to build the app. These things are a single button click in Xcode.

Solved (or more like worked around whatever weird issue this was). I realized on this occasion I'd only tried building to VM, not YYC, although I usually tested both in the past if there were any issues. On YYC I was able to build without the codesigning error, after which I needed to open the xcodeproj manually which was located at (macuser)/gamemakerstudio2/GM_MAC/(gamename)/(gamename).

Blat! Sometimes I can’t see the wood for the trees )-: I downloaded your project today, installed it, re-enabled the setCodeSigningRequirement(_:) call, and then reproduced the problem. Cool. The error code logged, -67050, is errSecCSReqFailed, aka: % security error -67050 Error: 0xFFFEFA16 -67050 code failed to satisfy specified code requirement(s) This is very specific. The code doesn’t satisfy the requirement. So after a bit of faffing around I used codesign to actually test the requirement on that code: % codesign --verify -vvv -R =anchor apple AppleDTSLaunchDaemon1.app/Contents/Resources/DTSDaemon … test-requirement: code failed to satisfy specified code requirement(s) Well, that explains why XPC is complaining! But this should work, because the code is properly signed: % codesign -d -vvv AppleDTSLaunchDaemon1.app/Contents/Resources/DTSDaemon … Authority=Apple Development: Quinn Quinn (7XFU7D52S4) … And then it struck me. anchor apple is the wrong requirement. It checks whether

There are a number of potential issues here. First: [quote='779961021, dreisicht, /thread/779961, /profile/dreisicht'] codesign -s My Name --keychain keychain -f --deep … [/quote] Don’t use --deep when signing code. See --deep Considered Harmful for an explanation as to why not. As to what you should do, I’ll come back to that below. [quote='779961021, dreisicht, /thread/779961, /profile/dreisicht'] Unfortunately this signed package does not work when checking with spctl. [/quote] It’s generally best to avoid spctl for this sort of thing. If you want to test whether something will pass Gatekeeper, use the process described in Testing a Notarised Product. [quote='779961021, dreisicht, /thread/779961, /profile/dreisicht'] codesign -dv -veurbose=4 RenderRob.app/Contents/MacOS/libcrypto.3.dylib [/quote] That definitely belongs in Contents/Frameworks. See Placing Content in a Bundle. Coming back to how you should sign your code, there’s a general process for that described in: Creating distributi

[quote='833266022, mmccartney, /thread/778169?answerId=833266022#833266022, /profile/mmccartney'] Perhaps this is because we're trying to run things not delivered by the Mac Store yet. [/quote] If you’re trying to run a distribution-signed app then, yeah, that won’t work. See Don’t Run App Store Distribution-Signed Code. However, it seems like you were also testing development-signed app and that’s also failing. I tried your setup from Xcode, just to make sure that I wasn’t completely misleading you. AFAICT everything worked as expected. Here’s what I did: Using Xcode 16.3 on macOS 15.3.2, I created a new app from the macOS > App template. I then ran through the instructions in Embedding a command-line tool in a sandboxed app to create a new helper tool target and embed the results. I added a button that launched it: Button(Spawn) { do { print(will launch) let p = Process() let u = Bundle.main.url(forAuxiliaryExecutable: ToolX)! p.executableURL = u try p.run() print(did launch) } catch { print(did not laun

[quote='833602022, Etresoft, /thread/779910?answerId=833602022#833602022, /profile/Etresoft'] Or various command-line looks like pkgutil, codesign, or spctl? [/quote] [quote='833618022, DTS Engineer, /thread/779910?answerId=833618022#833618022'] Stick with installer packages but use pkgutil to check their signature. [/quote] Thanks for the responses! pkgutil was considered but we wanted to avoid parsing of the command line tools output. We are primarily interested in the certificate subject names present in the package signature. The intention is to make sure that we install packages that are not only validly signed or accepted by Gatekeeper, pkgutil. And it looks like one would need to parse the output of command line tools to check if a specific team ID is present. That's definitely doable but we wanted to look into options with proper API that we could call from ObjC/Swift before going to an option with running a command line from code.