Search results for

“codesign”

3,222 results found

Post

Replies

Boosts

Views

Activity

Reply to AppStore submission for Ruby/Glimmer app on MacOS without Xcode
It’s better to reply as a reply, rather than in the comments; see Quinn’s Top Ten DevForums Tips for this and other titbits. Here's the link Thanks. I downloaded that and extracted your app: % xar -xf PATHmanager.pkg % cpio -i < com.chipcastle.pathmanager.pkg/Payload 58111 blocks I then dumped its code signature: % codesign -d -vvv --entitlements - PATHmanager.app Executable=/Users/quinn/Desktop/test/PATHmanager.app/Contents/MacOS/PATHmanager Identifier=com.chipcastle.pathmanager Format=app bundle with Mach-O thin (arm64) CodeDirectory v=20500 size=223078 flags=0x10000(runtime) hashes=6964+3 location=embedded Hash type=sha256 size=32 CandidateCDHash sha256=ed5d7d18f524cae6db2b57b2682ebfa61572510b CandidateCDHashFull sha256=ed5d7d18f524cae6db2b57b2682ebfa61572510b56d6a26c037c8cc003f1f1d3 Hash choices=sha256 CMSDigest=ed5d7d18f524cae6db2b57b2682ebfa61572510b56d6a26c037c8cc003f1f1d3 CMSDigestType=2 CDHash=ed5d7d18f524cae6db2b57b2682ebfa61572510b Signature size=9115 Authority=Apple Distribution: Chip
Topic: Code Signing SubTopic: General
Mar ’25
Reply to Persistent “com.apple.security.get-task-allow” entitlement after signing¬arizing
/usr/libexec/PlistBuddy -c Add :com.apple.security.get-task-allow bool true /tmp/my-app-debug-entitlements.plist /usr/libexec/PlistBuddy -c Add :com.apple.security.cs.disable-library-validation bool true /tmp/my-app-debug-entitlements.plist codesign --timestamp --options runtime --sign Developer ID Application: *** (***) --entitlements /tmp/my-app-debug-entitlements.plist --force /path/to/my-debug-binary I had no problems with the notarization process of the binary I signed this way. As you said, I will not distribute my application in this way. I will only distribute this binary to users I want to debug. Thanks.
Topic: Code Signing SubTopic: Entitlements
Mar ’25
Multiple Executables in a Single Bundle Fails to Launch Others After Codesign
We have a rather complex network of dependencies for our application stack and, from it, we create multiple unique executables that are placed into the Contents/MacOS directory of our bundle. MyApp.app `- Contents/ `- Frameworks/... `- MacOS/ `- exec_a `- exec_b `- Resources/... Both executables require the same dependencies (and use the same shared .dylib files built as targets in the same project) so it makes sense for them to be in the same place rather than in their own .app folder as I understand it. Qt Libs -> core_lib.dylib -> gui_lib.dylib -> exec_a `-> exec_b etc. We've confirmed build artifacts are correct and the rpath/dependencies are all clean. When in development, all executables run as expected and we can command exec_a (the executable we're listing in the primary Info.plist) to launch exec_b at any time. Once the bundle is signed, however, we cannot get exec_b to launch in any capacity. Even lldb dies right away because it can't attach to anything. We assume this is something in th
Topic: Code Signing SubTopic: General Tags:
8
0
357
Mar ’25
Reply to DNS Proxy network extension doesn't start even after saving preferences successfully
I suspect that the sysextd crash is a known issue that seems to be caused by a race condition in the code (r. 99777199). The nesessionmanager crash is more likely to be caused by the properties in your sysex. The crashing thread looks like this: 5 Foundation 0x191f5c120 -[NSString initWithFormat:] + 52 6 nesessionmanager 0x100138ac0 -[NESMProviderManager createSystemExtensionErrorWithCode:extensionInfo:] + 440 7 nesessionmanager 0x100139558 -[NESMProviderManager createLaunchdPlistEntriesFromExtensionBundle:extensionInfo:error:] + 2464 8 nesessionmanager 0x1001399d8 __84-[NESMProviderManager listener:validateExtension:atTemporaryBundleURL:replyHandler:]_block_invoke + 212 NE is trying to validate your sysex, that’s failed, and it’s crashed trying to generate the error O-: Both of these are obviously bugs in our OS — these subsystems should fail rather than crash — and I encourage you to file bug reports about them. Include a sysdiagnose log and a copy of your built app (the broken one, not the fixed one). Plea
Topic: App & System Services SubTopic: Networking Tags:
Mar ’25
IdentityLookup deferQueryRequestToNetwork error 3 despite valid AASA and extension setup
I'm seeking help troubleshooting a persistent com.apple.IdentityLookup.error.messagefilter Code=3 error when my Message Filter Extension tries to defer to network. I’ve exhausted Apple documentation and forum posts, and Apple Support has asked me to escalate this via the forums to reach engineering. ✅ My Setup: Xcode: 16.2 macOS: Sequoia 15.3.1 (Apple Silicon Mac mini) Device: iPhone 14 Pro iOS: 18.3.2 (Developer Mode enabled) Tested via: TestFlight install on real device 📦 App Structure: Main App Target (minimal hello world logic) Message Filter Extension Target Messages Extension Target Message Reporting Extension Target Notifications Extension Target ✅ Capabilities & Configurations Main App Capabilities: App Groups: group.com.example.shared Network Extensions: Content Filter Associated Domains: messagefilter:my-api.example.com applinks:my-api.example.com Message Filter Capabilities: App Groups: same as main app Network Extensions: Content Filter Associated Domains: same as above 📄 Info.plist Config M
Topic: App & System Services SubTopic: General Tags:
2
0
241
Mar ’25
Reply to Regarding Qt application Code signing on MACOS
Gosh, there are two separate issues tangled up here: Code signing Override TLS server trust evaluation IMO they are completely separable. Let me start with code signing. If you distribute your product widely, it must be signed: If you’re targeting the Mac App Store, you can only submit a signed app. If you’re distributing directly, you product must be signed and notarised to pass Gatekeeper. If you’re not using Xcode then see the following docs for specific advice on how to sign your product: Creating distribution-signed code for macOS Packaging Mac software for distribution Regarding TLS server trust evaluation, that’s not really related to your code signing. You wrote: [quote='777675021, Atanu, /thread/777675, /profile/Atanu'] Upon investigating this online, we got to know there has to be codesigning (both app bundle and the dmg file ) along with notarization of the .dmg file in order to access keychain of [macOS] [/quote] That’s not entirely correct. It’s true the signing your app and your disk im
Topic: Code Signing SubTopic: General
Mar ’25
Reply to Moving signing to a new machine
I raise this question again. Earlier you suggested: The easiest way to do this is use Xcode’s import/export feature. Launch Xcode, choose Xcode > Settings, select Accounts, select the account in question, then choose Export Apple ID and Code Signing Assets from the action (…) menu. In Xcode 16 I cannot find any import/export commands to move existing codesign certificates/keys to my second Mac. Probably it will easier to create a NEW individual codesign certificate for EVERY Mac I use?
Topic: Code Signing SubTopic: Certificates, Identifiers & Profiles Tags:
Mar ’25
My FinderSync Extension is blocked by the System
Hi guys, I'm developing a FinderSync Extension that extends Finder contextual menu with a couple of items doing some trivial file operations. I'm using Xcode 16.2 on macOS Sequoia 15.3.2 I could run the containing app in debug, and in System Preferences -> File Providers the flag is enabled for my app finder extension. Anyway, the contextual menu does not show in Finder, probably because the finder extension crashes immediately. Some output: pluginkit -m | grep com.[^a] + com.mycompany.MyApp.MyAppFinderExtension(1.1.14) codesign -dvvv --entitlements - /Users/me/Library/Developer/Xcode/DerivedData/MyApp-dmzhnwmosboixodalsrrbwvwvmqm/Build/Products/Debug/MyApp.app/Contents/PlugIns/MyApp Finder Extension.appex Executable=/Users/me/Library/Developer/Xcode/DerivedData/MyApp-dmzhnwmosboixodalsrrbwvwvmqm/Build/Products/Debug/MyApp.app/Contents/PlugIns/MyApp Finder Extension.appex/Contents/MacOS/MyApp Finder Extension Identifier=com.mycompany.MyApp.MyAppFinderExtension Format=bundle with Mach-O thin (arm64
Topic: App & System Services SubTopic: General Tags:
2
0
186
Mar ’25
Reply to AppStore submission for Ruby/Glimmer app on MacOS without Xcode
Ok, I had to get some support from the tebako folks before I could reply. Here's the output of the codesign --verify -vvv PATHmanager.app command you suggested: Extract pkg contents /tmp λ xar -xf ~/code/ruby/PATHmanager.pkg Verify Bill of Materials /tmp λ lsbom com.chipcastle.pathmanager.pkg/Bom . 0 0/0 ./PATHmanager.app 40755 0/0 ./PATHmanager.app/Contents 40755 0/0 ./PATHmanager.app/Contents/Frameworks 40755 0/0 ./PATHmanager.app/Contents/Frameworks/libui.dylib 100644 0/0 925632 3337342204 ./PATHmanager.app/Contents/Info.plist 100644 0/0 1415 1981579098 ./PATHmanager.app/Contents/MacOS 40755 0/0 ./PATHmanager.app/Contents/MacOS/._PATHmanager 100755 0/0 0 0 ./PATHmanager.app/Contents/MacOS/PATHmanager 100755 0/0 30036560 1901427662 ./PATHmanager.app/Contents/PkgInfo 100644 0/0 8 742937289 ./PATHmanager.app/Contents/Resources 40755 0/0 ./PATHmanager.app/Contents/Resources/AppIcon.icns 100644 0/0 56310 2265036908 ./PATHmanager.app/Contents/_CodeSignature 40755 0/0 ./PATHmanager.app/Contents/_CodeSign
Topic: Code Signing SubTopic: General
Mar ’25
Not able to notarize my application tried both .pkg and .dmg formats, Notarization Fails everytime
I have local LLM application, the backend is in python and frontend is in electron.js , all complied in a .pkg file or .dmg file I have created the valid certifcates for notarization But it fails everytime, I have attached the logs steps I followed Created a certificate all steps related to getting it setup, ran productsign command on pkg file ran codesign for dmg xcruntool submit command If anyone has any idea on how proceed codesigningdmg (2).txt code-singingpkg.txt
Topic: Code Signing SubTopic: Notarization
1
0
123
Mar ’25
Reply to SystemPolicyAllFiles code signing requirement
Sure. But at some point these things stop being technical questions and instead become a reflection of your policy. I agree/understand regarding the policy. I framed the question oddly, but I was really asking if that policy made sense (i.e., was there some other approach to do what I'm saying or is there anything unforseen that I'd encounter). I've already implemented it though and it seems to work out fine, so we'll stick with it. Yes. That is, in fact, the whole reason for a DR, in that it’s a cryptographically sound way for the code to identify itself, such that the system knows that version N+1 of your app is the ‘same code’ as version N. Ok, that's great. My concern was that what constitutes a DR (as emitted by codesign) could change in the future, and that same code meant the exact code the DR was computed for at the time it was run. This is obviously not the case since it is only reliant on certificate OIDs and such (so I'd assume if the signing certificate changes that would be the only thin
Topic: Code Signing SubTopic: General Tags:
Mar ’25
Reply to Missing Push Notification Entitlement after building in command line
Thank you @benjfromlondon for showing me the way! I had the same issue while building using the Xcode@5 in Azure Pipelines although the project was otherwise configured as it should and as many StackOverflow threads indicated it should. I will add below more information about how I fixed the issue and troubleshooting. The fix The Xcode@5 Azure Pipelines task does not sign the archive by default: # Signing & provisioning #signingOption: 'nosign' # 'nosign' | 'default' | 'manual' | 'auto'. Signing style. Default: nosign. #signingIdentity: # string. Optional. Use when signingOption = manual. Signing identity. So I added the following to my Yaml pipeline: (signingOption, signingIdentity and provisioningProfileName) - task: Xcode@5 displayName: 'Build IPA' inputs: actions: 'clean build' configuration: 'Release' sdk: 'iphoneos' xcWorkspacePath: 'ios/MyApp.xcworkspace' workingDirectory: '$(Build.SourcesDirectory)' scheme: 'MyApp' packageApp: true signingOption: 'manual' signingIdentity: 'iPhone Distribution' pr
Topic: App Store Distribution & Marketing SubTopic: App Store Connect Tags:
Mar ’25
setCodeSigningRequirement seems not to work in new Service Management API setup.
I have developed a sample app following the example found Updating your app package installer to use the new Service Management API and referring this discussion on XPC Security. The app is working fine, I have used Swift NSXPCConnection in favour of xpc_connection_create_mach_service used in the example. (I am running app directly from Xcode) I am trying to set up security requirements for the client connection using setCodeSigningRequirement on the connection instance. But it fails for even basic requirement connection.setCodeSigningRequirement(anchor apple). Error is as follows. cannot open file at line 46986 of [554764a6e7] os_unix.c:46986: (0) open(/private/var/db/DetachedSignatures) - Undefined error: 0 xpc_support_check_token: anchor apple error: Error Domain=NSOSStatusErrorDomain Code=-67050 (null) status: -67050 I have used codesign -d --verbose=4 /path/to/executable to check the attributes I do get them in the terminal. Other way round, I have tried XPC service provider sending back process
Topic: Privacy & Security SubTopic: General Tags:
12
0
378
Mar ’25
Regarding Qt application Code signing on MACOS
Hi support, Currently we are in a process of migrating our Qt application for MAC OS - ventura -v13.4. There is a specific feature in our application in which client tries to communicate with server (Socket communication) using Qt's QsslSocket Apis . To achieve this we are using self signed Ca certificate (.pem ) generated by using openSSl commands which uses IP address of the server. We are manually installing the certificate inside MAC OS - keychain and trusting it manually as well after installing . This is working fine in XCode environment in debug mode in MAC OS and client -server handshake is happening successfully. How ever after creating .dmg file (installer) the same handshake is not happening and we are getting error -Connection time out. Upon investigating this online, we got to know there has to be codesigning (both app bundle and the dmg file )along with notarization of the .dmg file in order to access keychain of MAC OS at runtime to access the self signed certificate installed. Now we
Topic: Code Signing SubTopic: General
1
0
87
Mar ’25
Reply to AppStore submission for Ruby/Glimmer app on MacOS without Xcode
It’s better to reply as a reply, rather than in the comments; see Quinn’s Top Ten DevForums Tips for this and other titbits. Here's the link Thanks. I downloaded that and extracted your app: % xar -xf PATHmanager.pkg % cpio -i < com.chipcastle.pathmanager.pkg/Payload 58111 blocks I then dumped its code signature: % codesign -d -vvv --entitlements - PATHmanager.app Executable=/Users/quinn/Desktop/test/PATHmanager.app/Contents/MacOS/PATHmanager Identifier=com.chipcastle.pathmanager Format=app bundle with Mach-O thin (arm64) CodeDirectory v=20500 size=223078 flags=0x10000(runtime) hashes=6964+3 location=embedded Hash type=sha256 size=32 CandidateCDHash sha256=ed5d7d18f524cae6db2b57b2682ebfa61572510b CandidateCDHashFull sha256=ed5d7d18f524cae6db2b57b2682ebfa61572510b56d6a26c037c8cc003f1f1d3 Hash choices=sha256 CMSDigest=ed5d7d18f524cae6db2b57b2682ebfa61572510b56d6a26c037c8cc003f1f1d3 CMSDigestType=2 CDHash=ed5d7d18f524cae6db2b57b2682ebfa61572510b Signature size=9115 Authority=Apple Distribution: Chip
Topic: Code Signing SubTopic: General
Replies
Boosts
Views
Activity
Mar ’25
Reply to Persistent “com.apple.security.get-task-allow” entitlement after signing¬arizing
/usr/libexec/PlistBuddy -c Add :com.apple.security.get-task-allow bool true /tmp/my-app-debug-entitlements.plist /usr/libexec/PlistBuddy -c Add :com.apple.security.cs.disable-library-validation bool true /tmp/my-app-debug-entitlements.plist codesign --timestamp --options runtime --sign Developer ID Application: *** (***) --entitlements /tmp/my-app-debug-entitlements.plist --force /path/to/my-debug-binary I had no problems with the notarization process of the binary I signed this way. As you said, I will not distribute my application in this way. I will only distribute this binary to users I want to debug. Thanks.
Topic: Code Signing SubTopic: Entitlements
Replies
Boosts
Views
Activity
Mar ’25
Multiple Executables in a Single Bundle Fails to Launch Others After Codesign
We have a rather complex network of dependencies for our application stack and, from it, we create multiple unique executables that are placed into the Contents/MacOS directory of our bundle. MyApp.app `- Contents/ `- Frameworks/... `- MacOS/ `- exec_a `- exec_b `- Resources/... Both executables require the same dependencies (and use the same shared .dylib files built as targets in the same project) so it makes sense for them to be in the same place rather than in their own .app folder as I understand it. Qt Libs -> core_lib.dylib -> gui_lib.dylib -> exec_a `-> exec_b etc. We've confirmed build artifacts are correct and the rpath/dependencies are all clean. When in development, all executables run as expected and we can command exec_a (the executable we're listing in the primary Info.plist) to launch exec_b at any time. Once the bundle is signed, however, we cannot get exec_b to launch in any capacity. Even lldb dies right away because it can't attach to anything. We assume this is something in th
Topic: Code Signing SubTopic: General Tags:
Replies
8
Boosts
0
Views
357
Activity
Mar ’25
Reply to DNS Proxy network extension doesn't start even after saving preferences successfully
I suspect that the sysextd crash is a known issue that seems to be caused by a race condition in the code (r. 99777199). The nesessionmanager crash is more likely to be caused by the properties in your sysex. The crashing thread looks like this: 5 Foundation 0x191f5c120 -[NSString initWithFormat:] + 52 6 nesessionmanager 0x100138ac0 -[NESMProviderManager createSystemExtensionErrorWithCode:extensionInfo:] + 440 7 nesessionmanager 0x100139558 -[NESMProviderManager createLaunchdPlistEntriesFromExtensionBundle:extensionInfo:error:] + 2464 8 nesessionmanager 0x1001399d8 __84-[NESMProviderManager listener:validateExtension:atTemporaryBundleURL:replyHandler:]_block_invoke + 212 NE is trying to validate your sysex, that’s failed, and it’s crashed trying to generate the error O-: Both of these are obviously bugs in our OS — these subsystems should fail rather than crash — and I encourage you to file bug reports about them. Include a sysdiagnose log and a copy of your built app (the broken one, not the fixed one). Plea
Topic: App & System Services SubTopic: Networking Tags:
Replies
Boosts
Views
Activity
Mar ’25
IdentityLookup deferQueryRequestToNetwork error 3 despite valid AASA and extension setup
I'm seeking help troubleshooting a persistent com.apple.IdentityLookup.error.messagefilter Code=3 error when my Message Filter Extension tries to defer to network. I’ve exhausted Apple documentation and forum posts, and Apple Support has asked me to escalate this via the forums to reach engineering. ✅ My Setup: Xcode: 16.2 macOS: Sequoia 15.3.1 (Apple Silicon Mac mini) Device: iPhone 14 Pro iOS: 18.3.2 (Developer Mode enabled) Tested via: TestFlight install on real device 📦 App Structure: Main App Target (minimal hello world logic) Message Filter Extension Target Messages Extension Target Message Reporting Extension Target Notifications Extension Target ✅ Capabilities & Configurations Main App Capabilities: App Groups: group.com.example.shared Network Extensions: Content Filter Associated Domains: messagefilter:my-api.example.com applinks:my-api.example.com Message Filter Capabilities: App Groups: same as main app Network Extensions: Content Filter Associated Domains: same as above 📄 Info.plist Config M
Topic: App & System Services SubTopic: General Tags:
Replies
2
Boosts
0
Views
241
Activity
Mar ’25
Reply to Regarding Qt application Code signing on MACOS
Gosh, there are two separate issues tangled up here: Code signing Override TLS server trust evaluation IMO they are completely separable. Let me start with code signing. If you distribute your product widely, it must be signed: If you’re targeting the Mac App Store, you can only submit a signed app. If you’re distributing directly, you product must be signed and notarised to pass Gatekeeper. If you’re not using Xcode then see the following docs for specific advice on how to sign your product: Creating distribution-signed code for macOS Packaging Mac software for distribution Regarding TLS server trust evaluation, that’s not really related to your code signing. You wrote: [quote='777675021, Atanu, /thread/777675, /profile/Atanu'] Upon investigating this online, we got to know there has to be codesigning (both app bundle and the dmg file ) along with notarization of the .dmg file in order to access keychain of [macOS] [/quote] That’s not entirely correct. It’s true the signing your app and your disk im
Topic: Code Signing SubTopic: General
Replies
Boosts
Views
Activity
Mar ’25
Reply to Moving signing to a new machine
I raise this question again. Earlier you suggested: The easiest way to do this is use Xcode’s import/export feature. Launch Xcode, choose Xcode > Settings, select Accounts, select the account in question, then choose Export Apple ID and Code Signing Assets from the action (…) menu. In Xcode 16 I cannot find any import/export commands to move existing codesign certificates/keys to my second Mac. Probably it will easier to create a NEW individual codesign certificate for EVERY Mac I use?
Topic: Code Signing SubTopic: Certificates, Identifiers & Profiles Tags:
Replies
Boosts
Views
Activity
Mar ’25
My FinderSync Extension is blocked by the System
Hi guys, I'm developing a FinderSync Extension that extends Finder contextual menu with a couple of items doing some trivial file operations. I'm using Xcode 16.2 on macOS Sequoia 15.3.2 I could run the containing app in debug, and in System Preferences -> File Providers the flag is enabled for my app finder extension. Anyway, the contextual menu does not show in Finder, probably because the finder extension crashes immediately. Some output: pluginkit -m | grep com.[^a] + com.mycompany.MyApp.MyAppFinderExtension(1.1.14) codesign -dvvv --entitlements - /Users/me/Library/Developer/Xcode/DerivedData/MyApp-dmzhnwmosboixodalsrrbwvwvmqm/Build/Products/Debug/MyApp.app/Contents/PlugIns/MyApp Finder Extension.appex Executable=/Users/me/Library/Developer/Xcode/DerivedData/MyApp-dmzhnwmosboixodalsrrbwvwvmqm/Build/Products/Debug/MyApp.app/Contents/PlugIns/MyApp Finder Extension.appex/Contents/MacOS/MyApp Finder Extension Identifier=com.mycompany.MyApp.MyAppFinderExtension Format=bundle with Mach-O thin (arm64
Topic: App & System Services SubTopic: General Tags:
Replies
2
Boosts
0
Views
186
Activity
Mar ’25
Reply to AppStore submission for Ruby/Glimmer app on MacOS without Xcode
Ok, I had to get some support from the tebako folks before I could reply. Here's the output of the codesign --verify -vvv PATHmanager.app command you suggested: Extract pkg contents /tmp λ xar -xf ~/code/ruby/PATHmanager.pkg Verify Bill of Materials /tmp λ lsbom com.chipcastle.pathmanager.pkg/Bom . 0 0/0 ./PATHmanager.app 40755 0/0 ./PATHmanager.app/Contents 40755 0/0 ./PATHmanager.app/Contents/Frameworks 40755 0/0 ./PATHmanager.app/Contents/Frameworks/libui.dylib 100644 0/0 925632 3337342204 ./PATHmanager.app/Contents/Info.plist 100644 0/0 1415 1981579098 ./PATHmanager.app/Contents/MacOS 40755 0/0 ./PATHmanager.app/Contents/MacOS/._PATHmanager 100755 0/0 0 0 ./PATHmanager.app/Contents/MacOS/PATHmanager 100755 0/0 30036560 1901427662 ./PATHmanager.app/Contents/PkgInfo 100644 0/0 8 742937289 ./PATHmanager.app/Contents/Resources 40755 0/0 ./PATHmanager.app/Contents/Resources/AppIcon.icns 100644 0/0 56310 2265036908 ./PATHmanager.app/Contents/_CodeSignature 40755 0/0 ./PATHmanager.app/Contents/_CodeSign
Topic: Code Signing SubTopic: General
Replies
Boosts
Views
Activity
Mar ’25
Not able to notarize my application tried both .pkg and .dmg formats, Notarization Fails everytime
I have local LLM application, the backend is in python and frontend is in electron.js , all complied in a .pkg file or .dmg file I have created the valid certifcates for notarization But it fails everytime, I have attached the logs steps I followed Created a certificate all steps related to getting it setup, ran productsign command on pkg file ran codesign for dmg xcruntool submit command If anyone has any idea on how proceed codesigningdmg (2).txt code-singingpkg.txt
Topic: Code Signing SubTopic: Notarization
Replies
1
Boosts
0
Views
123
Activity
Mar ’25
Reply to SystemPolicyAllFiles code signing requirement
Sure. But at some point these things stop being technical questions and instead become a reflection of your policy. I agree/understand regarding the policy. I framed the question oddly, but I was really asking if that policy made sense (i.e., was there some other approach to do what I'm saying or is there anything unforseen that I'd encounter). I've already implemented it though and it seems to work out fine, so we'll stick with it. Yes. That is, in fact, the whole reason for a DR, in that it’s a cryptographically sound way for the code to identify itself, such that the system knows that version N+1 of your app is the ‘same code’ as version N. Ok, that's great. My concern was that what constitutes a DR (as emitted by codesign) could change in the future, and that same code meant the exact code the DR was computed for at the time it was run. This is obviously not the case since it is only reliant on certificate OIDs and such (so I'd assume if the signing certificate changes that would be the only thin
Topic: Code Signing SubTopic: General Tags:
Replies
Boosts
Views
Activity
Mar ’25
Reply to Missing Push Notification Entitlement after building in command line
I have found that you can also check whether your app executable contains the aps-environment string. For example: grep -n -a aps-environment Payload/MyApp.app/MyApp It did not contain the string before the fix and it did after. This is probably similar to codesign -d --entitlements :- Payload/MyApp.app
Topic: App Store Distribution & Marketing SubTopic: App Store Connect Tags:
Replies
Boosts
Views
Activity
Mar ’25
Reply to Missing Push Notification Entitlement after building in command line
Thank you @benjfromlondon for showing me the way! I had the same issue while building using the Xcode@5 in Azure Pipelines although the project was otherwise configured as it should and as many StackOverflow threads indicated it should. I will add below more information about how I fixed the issue and troubleshooting. The fix The Xcode@5 Azure Pipelines task does not sign the archive by default: # Signing & provisioning #signingOption: 'nosign' # 'nosign' | 'default' | 'manual' | 'auto'. Signing style. Default: nosign. #signingIdentity: # string. Optional. Use when signingOption = manual. Signing identity. So I added the following to my Yaml pipeline: (signingOption, signingIdentity and provisioningProfileName) - task: Xcode@5 displayName: 'Build IPA' inputs: actions: 'clean build' configuration: 'Release' sdk: 'iphoneos' xcWorkspacePath: 'ios/MyApp.xcworkspace' workingDirectory: '$(Build.SourcesDirectory)' scheme: 'MyApp' packageApp: true signingOption: 'manual' signingIdentity: 'iPhone Distribution' pr
Topic: App Store Distribution & Marketing SubTopic: App Store Connect Tags:
Replies
Boosts
Views
Activity
Mar ’25
setCodeSigningRequirement seems not to work in new Service Management API setup.
I have developed a sample app following the example found Updating your app package installer to use the new Service Management API and referring this discussion on XPC Security. The app is working fine, I have used Swift NSXPCConnection in favour of xpc_connection_create_mach_service used in the example. (I am running app directly from Xcode) I am trying to set up security requirements for the client connection using setCodeSigningRequirement on the connection instance. But it fails for even basic requirement connection.setCodeSigningRequirement(anchor apple). Error is as follows. cannot open file at line 46986 of [554764a6e7] os_unix.c:46986: (0) open(/private/var/db/DetachedSignatures) - Undefined error: 0 xpc_support_check_token: anchor apple error: Error Domain=NSOSStatusErrorDomain Code=-67050 (null) status: -67050 I have used codesign -d --verbose=4 /path/to/executable to check the attributes I do get them in the terminal. Other way round, I have tried XPC service provider sending back process
Topic: Privacy & Security SubTopic: General Tags:
Replies
12
Boosts
0
Views
378
Activity
Mar ’25
Regarding Qt application Code signing on MACOS
Hi support, Currently we are in a process of migrating our Qt application for MAC OS - ventura -v13.4. There is a specific feature in our application in which client tries to communicate with server (Socket communication) using Qt's QsslSocket Apis . To achieve this we are using self signed Ca certificate (.pem ) generated by using openSSl commands which uses IP address of the server. We are manually installing the certificate inside MAC OS - keychain and trusting it manually as well after installing . This is working fine in XCode environment in debug mode in MAC OS and client -server handshake is happening successfully. How ever after creating .dmg file (installer) the same handshake is not happening and we are getting error -Connection time out. Upon investigating this online, we got to know there has to be codesigning (both app bundle and the dmg file )along with notarization of the .dmg file in order to access keychain of MAC OS at runtime to access the self signed certificate installed. Now we
Topic: Code Signing SubTopic: General
Replies
1
Boosts
0
Views
87
Activity
Mar ’25