Search results for

codesign

3,113 results found

Post

Replies

Boosts

Views

Activity

Reply to The binary file is getting quarantined (com.apple.quarantine) while downloading onto another system even though it's digitally signed by a developer ID and notarised.
Verified for code sign and Notarisation as below: prjadhav@dhcp-10-180-186-174 Downloads % codesign -v -vvv --strict --deep issue_avoidance_mac issue_avoidance_mac: valid on disk issue_avoidance_mac: satisfies its Designated Requirement prjadhav@dhcp-10-180-186-174 Downloads % prjadhav@dhcp-10-180-186-174 Downloads % codesign -d -vvv issue_avoidance_mac Executable=/Users/prjadhav/Downloads/issue_avoidance_mac Identifier=issue_avoidance_mac Format=Mach-O thin (x86_64) CodeDirectory v=20400 size=855 flags=0x0(none) hashes=21+2 location=embedded Hash type=sha256 size=32 CandidateCDHash sha256=071855ea2dc635ef0c42896888239d623a48bea5 CandidateCDHashFull sha256=071855ea2dc635ef0c42896888239d623a48bea562fa83450dedb07df06fb383 Hash choices=sha256 CMSDigest=071855ea2dc635ef0c42896888239d623a48bea562fa83450dedb07df06fb383 CMSDigestType=2 CDHash=071855ea2dc635ef0c42896888239d623a48bea5 Signature size=9010 Authority=Developer ID Application: Oracle America, Inc. (VB5E2TV963) Authority=Developer ID Cert
Topic: Code Signing SubTopic: General Tags:
Feb ’25
Reply to Xcode 16.2 cannot sign developer app (AppKit) after upgraded to macOS 15.3
Unfortunately, it won't fix my issue, in my case, all items in Key Chain certificates are green, and the code sign is valid steventang@Mac-mini ~ % security find-identity -p codesigning Policy: Code Signing Matching identities DC4B46A359AF226XXXXXXXXXXXXXXXXXXD Apple Development: Steven Tang (XXXXXXX) 1 identities found Valid identities only DC4B46A359AF226XXXXXXXXXXXXXXXXXXD Apple Development: Steven Tang (XXXXXXX) 1 valid identities found ========================== But when I build project, still get unable to build chain to self-signed root for signer Apple Development: Steven Tang (XXXXXXX) /Volumes/TwoTSSD/steventang/Library/Developer/Xcode/DerivedData/XXXX-ddbilgyraofrdyfeljyuknusunza/Build/Products/Release/XXXX.app: errSecInternalComponent I signed out and signed in again, remove account and add again, the problem is still happening. BTW, this problem happened only after I upgraded macOS to 15.3, before upgrading(15.2), I don't have this issue, I supposed there would be an Xcode 16.3 but it is
Topic: Code Signing SubTopic: General Tags:
Feb ’25
Reply to Issues Mounting WebDAV Shares with NetFSMountURLAsync (Error 22)
First, off I want to focus on these details: Mounting SMB and AFP shares always works without issues. The app is properly sandboxed. and this error: System Policy: webdavfs_agent() deny(1) file-mount ...I don’t see any reason why they would affect only WebDAV mounting while everything else works fine. Agreed. Please file a bug on this and then post the bug number back here. Setting all other issues aside, I can't think of any case where the system should deny mounting for webdav but allow SMB/AFP. This is a case where they should either all fail or all succeed. Next a few clarification on other points: I’d prefer not to recreate all my certificates and configurations, as I don’t see any reason why they would affect only WebDAV mounting while everything else works fine. For future reference, there's generally not any reason to bother with this sort of recreate everything. You can basically split our codesigning architecture around two questions: Is the signature valid? -> If it is, let the code run
Topic: App & System Services SubTopic: Core OS Tags:
Feb ’25
Reply to How does xpc_connection_set_peer_code_signing_requirement work?
[quote='773573021, Kray16, /thread/773573, /profile/Kray16'] 1. Is using teamID as a signing requirement enough? [/quote] Probably. You might want to tighten that up depending on your specific security goals. For example, you might want your distribution-signed server to not allow development-side clients. For more background on this, and specific info on how Apple uses code-signing requirements in general, see TN3127 Inside Code Signing: Requirements. [quote='773573021, Kray16, /thread/773573, /profile/Kray16'] 2. How does xpc_connection_set_peer_code_signing_requirement work internally? [/quote] The exact mechanics of this are complex, but you can reasonable think of it as checking the requirement against the calling process. This is a code signing operation. You can prototype it with codesign, using the --verify subcommand. Two hints: A little known fact is that you can get codesign to operate on a process by supplying a PID as an argument. TN3127 shows how to request that codesign
Topic: Code Signing SubTopic: Certificates, Identifiers & Profiles Tags:
Feb ’25
How does xpc_connection_set_peer_code_signing_requirement work?
I have created a XPC server and client using C APIs. I want to ensure that I trust the client, so I want to have a codesigning requirement on the server side, something like - xpc_connection_set_peer_code_signing_requirement(listener, anchor apple generic and certificate leaf[subject.OU] = 1234567) This checks if the client code was signed by a code-signing-identity issued by Apple and that the teamID in the leaf certificate is 1234567. My questions are- Is using teamID as a signing requirement enough? What else can I add to this requirement to make it more secure? How does xpc_connection_set_peer_code_signing_requirement work internally? Does it do any cryptographic operations to verify the clients signature or does it simply do string matching on the teamID? Is there a way actually verify the clients signature(cryptographically) before establishing a connection with the server? (so we know the client is who he claims to be)
Topic: Code Signing SubTopic: Certificates, Identifiers & Profiles Tags:
2
0
568
Jan ’25
Reply to Developer ID Certificate (How to replace damaged certificate?)
Usually I just download them all (-: The system is good at finding intermediates that it needs and ignoring any extras. However, as you’re asking, the one you’re looking for is Developer ID - G2 (Expiring 09/17/2031 00:00:00 UTC). If you download that and Quick Look it in the Finder, you’ll see its Subject Name details match the Issuer Name details from your screen shot. On the installation front, adding it to your login keychain should be fine. The system doesn’t need this intermediate to verify code [1], it only needs it to sign code. And you do that from your user context, which has access to your login keychain. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = eskimo + 1 + @ + apple.com [1] When you sign code the codesign embeds the complete certificate chain into the code signature. This has two consequences: The system verifying it has all the certificates it needs to do that verification. The system doing the signing needs the intermediate, which is why
Topic: Code Signing SubTopic: Certificates, Identifiers & Profiles Tags:
Jan ’25
Reply to dlopen on development iPhone codesign issue
Hi Quinn, I can confirm that loading the dylib when it is copied into the app bundle works correctly, so it seems like it is not a codesigning issue but rather from where the dylib is loaded. Interpreted code is unfortunately not an option because this is for rather high performance code. Wasm could be a possibility but as far as I can see there is no functionality in iOS to execute wasm code inside of an iOS app. Can you give some more details on what holes in the firewall Xcode punches for development purposes. Maybe some of that could be used for a better dev workflow on iOS.
Topic: Code Signing SubTopic: General Tags:
Jan ’25
Code Signing Python Libraries
I am trying to code sign an application which relies on many python libraries to run. For background knowledge, the .app was created with a —onefile command on Visual Studio. I code signed my application itself using codesign --deep --force --verify --timestamp --sign Developer ID Application: Issey Yohannes (GL5BCCW69X) /Users/isseyyohannes/Desktop/Automated ALGORA.app However, when I try to run the application the error shows in terminal as follows [PYI-16345:ERROR] Failed to load Python shared library '/var/folders/g9/2zbc7y_97xxbq7bnc301nnyc0000gn/T/_MEI6keRcA/Python': dlopen: dlopen(/var/folders/g9/2zbc7y_97xxbq7bnc301nnyc0000gn/T/_MEI6keRcA/Python, 10): no suitable image found. Did find: /var/folders/g9/2zbc7y_97xxbq7bnc301nnyc0000gn/T/_MEI6keRcA/Python: code signature in (/var/folders/g9/2zbc7y_97xxbq7bnc301nnyc0000gn/T/_MEI6keRcA/Python) not valid for use in process using Library Validation: mapped file has no Team ID and is not a platform binary (signed with custom identity or adhoc?) /var/f
Topic: Code Signing SubTopic: General
2
0
641
Jan ’25
Reply to codesign error - No such file or directory
Thanks for that. I downloaded your app and was able to sign it just fine: % sw_vers ProductName: macOS ProductVersion: 15.2 BuildVersion: 24C101 % % codesign -s - -f ALP_Document_Factory_II .app ALP_Document_Factory_II .app: replacing existing signature The one thing I noticed is that your app name contains weird characters. Note the ‘gaps’ in the shell completed name above. Now consider this: % ls | xxd 00000000: 414c 505f 446f 6375 6d65 6e74 5f46 6163 ALP_Document_Fac 00000010: 746f 7279 5f49 49c2 a0c2 a02e 6170 700a tory_II.....app. 00000020: 414c 505f 446f 6375 6d65 6e74 5f46 6163 ALP_Document_Fac 00000030: 746f 7279 5f49 49c2 a0c2 a02e 7a69 700a tory_II.....zip. Each c2 a0 sequence is a U+00A0 NO-BREAK SPACE. Did you add those deliberately? If not, I recommend that you remove them. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = eskimo + 1 + @ + apple.com
Topic: Code Signing SubTopic: General Tags:
Jan ’25
App Startup Issues after Upgrade to MacOS Sequoia
Short description of the issue/suggestion: After upgrading to MacOS Sequoia and being required to code sign and notarize my app, cannot launch app even though code sign and notarization pass Please tell us about your environment: MacBookPro Chip Apple M2 Max 32 GB JavaPackager version: 1.7.6 OS version: macOS Sequoia 15.0.1 JDK version: jdk-1.8 Build tool: Maven Steps to reproduce the issue: -DMG Maven Build of Spring Boot /Java (version 8) application with fvarrui JavaPackager plugin using default universalJavaApplicationStub. Code signing and Notarization / Stapling PASS and App installs in Application folder, however cannot launch App. Although code sign and notarization pass, it is interesting that in the build output, prior to it submitting to Apple, there is an error stating that the App code sign could not be replaced. What is the expected behavior? -App launches when double clicking the application icon What have you tried to resolve / workaround the issue? -Install via package rather than DMG - same
Topic: Code Signing SubTopic: General
5
0
630
Jan ’25
Unnotarized Developer ID
I'm new to notarizing applications. I'm building an Electron application using electron-packager. The signing looks solid: codesign -vvv --deep --strict path/to/app.app # satisfies its Designated Requirement But checking notarization, looks like it didn't work. spctl --assess -vv path/to/app.app # source=Unnotarized Developer ID # origin=Developer ID Application: Tyson XXXX (XXXXX) I'm wondering how to fix the Unnotarized Developer ID. Thanks!
Topic: Code Signing SubTopic: Notarization
1
0
422
Jan ’25
Reply to dlopen on development iPhone codesign issue
One curious thing I am seeing is that: codesign -vv -d --verbose testlibrary-ios.dylib outputs: Executable=/Users/joe/sources/Curiosity/hotreload/cmake-build-debug/testlibrary-ios.dylib Identifier=testlibrary-ios Format=Mach-O thin (arm64) ... It surprised me that my dylib has an Executable= with the path to the dylib. Is this expected and could it be related to my problem?
Topic: Code Signing SubTopic: General Tags:
Jan ’25
dlopen on development iPhone codesign issue
Hi, For the purposes of iteration speed in development builds, on an iPhone in development mode, I am attempting to use hot reloaded dylibs. The goal is that the app is rarely fully restarted and small code changes can be applied quickly, drastically reducing iteration speed. For this purpose I have a socket server on my Mac that sends changed dylibs to my app on my iPhone. This works great on Mac, however on iOS i am running into codesigning problems. I am using the following to codesign the dylib: codesign -f -s XXX --timestamp=none testlibrary-ios.dylib I am placing the downloaded dylib in this folder: const char* cachedirectoryPath = [NSSearchPathForDirectoriesInDomains(NSCachesDirectory, NSUserDomainMask, YES)[0] UTF8String]; dlopen gives me the following error: dlopen(/var/mobile/Containers/Data/Application/67A3D31B-6F72-4939-9E7F-665FC78CDC61/Library/Caches/testlibrary-ios.dylib, 0x000A): tried: '/usr/lib/system/introspection/testlibrary-ios.dylib' (no such file, not in dyld
Topic: Code Signing SubTopic: General Tags:
5
0
570
Jan ’25
Reply to codesign entitlements syntax error
I know this is a very old post but I just ran into the same problem (for an iOS app) and I think I figured it out. This is not an invalid XML so the error is misleading, and that's why plutil has no trouble with it. The problem is datetime format: 2038-01-31T11:46:58Z This is a fully-qualified ISO date but it looks like the codesign tool chokes on it. I was able to work around this by truncating the time part and keeping just the date: 2038-01-31 With this change, I was able to sign and deploy my app to my physical device.
Topic: Developer Tools & Services SubTopic: Xcode Tags:
Jan ’25
Reply to codesign error - No such file or directory
[quote='773118021, dickL45, /thread/773118, /profile/dickL45'] Yours baffled [/quote] This is a weird error. I’ve seen in before [1] but I’ve not yet worked out exactly how to trigger it. Problems like this are almost always the result of folks not following the rules described in Placing Content in a Bundle. However, it’s hard to debug this with just the error message you’re getting from codesign. Two things: If you add more -v flags to codesign, does the verbose logging reveal anything? If not, are you willing to share a copy of the ALP_Document_Factory_II.app? If so, zip it up and reply here with the URL. ps I recommend you have a read of Quinn’s Top Ten DevForums Tips. Specifically tip 5’s info about preformatted text and tip 14 about posting URLs. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = eskimo + 1 + @ + apple.com [1] For example, here.
Topic: Code Signing SubTopic: General Tags:
Jan ’25