Search results for “codesign”

3,222 results found

Post

Replies

Boosts

Views

Activity

Most wanted Xcode features…
I propose that we collectively build a list of most wanted Xcode features. Those pain points that do make our life more difficult with Xcode or less fun. The goal would not be to have a scientifically correct ranking of all those, but simply:
- make visible many ideas that have probably been reported in improvement requests
- expose in short why that would be a great evolution, what pain point it would solve (functional improvements, not bug corrections)
- if possible, discuss the feasibility of each idea.
I would agree to update this original post to include new inputs. To avoid a thread where new posts get smaller and smaller in width, it would be great to post each new idea as an answer to this original post. Of course, discuss an idea as a reply to this idea post itself. Rule of the game would be tolerance, not trying to argue indefinitely on one idea. And be concise in wanted feature descriptions. The ultimate goal would be to positively influence the Xcode development team to consider the most wanted proposals. At least,
14
0
3.2k
Feb ’23
Reply to AppStore submission for Ruby/Glimmer app on MacOS without Xcode
1. Unpack profile:
security cms -D -i distribution/PATHmanager.app/Contents/embedded.provisionprofile -o profile.plist
(attached profile.plist)
2. Extract the cert chain:
codesign --display --extract-certificates distribution/PATHmanager.app
openssl x509 -in codesign0 -inform der -text > leaf
(attached leaf)
3. Serial number for leaf:
λ head leaf
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            4a:9a:24:59:ac:96:e8:e8:45:f6:71:ab:59:b8:69:32
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Apple Worldwide Developer Relations Certification Authority, OU=G3, O=Apple Inc., C=US
        Validity
            Not Before: Mar  1 00:37:19 2025 GMT
            Not After : Mar  1 00:37:18 2026 GMT
4. What part of the profile should I compare to the leaf serial number?
λ shasum leaf
ce0e2fc70a9bde62745332b843ef650a918a39dc  leaf
Topic: Code Signing SubTopic: General
Mar ’25
Reply to Xcode:Automatic signing failed
Do you have a .entitlements file that includes com.apple.developer.in-app-purchase? If so, I recommend that you remove that. In-app purchase isn’t gated by an entitlement. If you search our docs for com.apple.developer.in-app-purchase, you’ll find no references to such an entitlement. Rather, in-app purchase is available to any app that uses an explicit App ID (as opposed to a wildcard App ID). Consider this:
1. Create a new project from Xcode’s iOS > App template.
2. In Signing & Capabilities, add the In-App Purchase capability.
3. Select your device as a run destination.
4. Choose Product > Build.
5. Now dump the entitlements of the built app:
% codesign -d --entitlements - Test775663.app
…
[Dict]
    [Key] application-identifier
    [Value]
        [String] SKMME9E2Y8.com.example.apple-samplecode.Test775663
    [Key] com.apple.developer.team-identifier
    [Value]
        [String] SKMME9E2Y8
    [Key] get-task-allow
    [Value]
        [Bool] true
As you can see, there’s no com.apple.developer.in-app-purchase entitlement in play.
Share and Enjoy — Q
Mar ’25
Reply to AppStore submission for Ruby/Glimmer app on MacOS without Xcode
Making progress here: Upgraded to Sequoia 15.3.1, Xcode 16.2.
Codesigning the executable returns 'satisfies its Designated Requirement' using:
codesign --force --verify --verbose=4 --options runtime --timestamp --entitlements '/Users/chip/Desktop/PATHmanager.entitlements' --sign 'Apple Distribution: Chip Castle Dot Com, Inc. (BXN9N7MNU3)' '/Users/chip/Desktop/distribution/PATHmanager.app/Contents/MacOS/PATHmanager'
Productbuild of the .pkg file returns successfully using:
productbuild --sign '3rd Party Mac Developer Installer: Chip Castle Dot Com, Inc. (BXN9N7MNU3)' --identifier 'com.chipcastle.pathmanager' --version '1.15' --component '/Users/chip/Desktop/distribution/PATHmanager.app' /Applications '/Users/chip/Desktop/PATHmanager.pkg'
Verifying the signature returns 'satisfies its Designated Requirement' using:
codesign --verify --verbose=4 '/Users/chip/Desktop/distribution/PATHmanager.app/Contents/MacOS/PATHmanager'
Transporter uploads successfully. Running Verify via Transporter returns error:
Topic: Code Signing SubTopic: General
Mar ’25
Reply to Invalid code signing entitlements with app group on macOS
I’ve learnt a new trick so I wanted to expand on the steps I posted yesterday. I started off by running the steps up to the “My next step was to add an app group to the app” point. From there I did this:
1. On the Development website, I confirmed that the target app group ID, group.eskimo1.test, was allocated to my team.
2. In Xcode, I navigated to the build settings for my app target.
3. I clicked the add (+) button and added a custom build setting of REGISTER_APP_GROUPS with a value of YES. This enables the iOS-style app groups UI on Xcode 16.2.
4. I navigated to Signing & Capabilities and added the App Groups capability.
5. Under the group list I clicked the add (+) button. This presents the iOS-style UI.
6. In that UI, I entered my group, group.eskimo1.test, and clicked OK. Xcode’s automatic code signing machinery kicked in and updated my profile. No muss, no fuss!
7. I chose Product > Build.
8. I dumped the signing state of the development app:
% codesign -d --entitlements - Test775022E.app
…
[Dict]
    [Key] com.apple.ap
Topic: Code Signing SubTopic: Entitlements Tags:
Feb ’25
Reply to Invalid code signing entitlements with app group on macOS
One of my goals for today was to explore how Xcode 16.2 handles the app group changes we recently introduced. So I sat down and ran some tests. As a first step, I created a new app that does need a provisioning profile but doesn’t use an app group. The goal here is to cause Xcode to create and stash the development and distribution profiles for that app. Here’s what I did:
1. Using Xcode 16.2 on macOS 15.3.1, I created a new app from the macOS > App template.
2. I gave it a new, unique bundle ID, com.example.apple-samplecode.Test775022D, to make sure I’m starting from scratch. Note: Note the D suffix. It took me 4 tries to get this right (-:
3. In the Signing & Capabilities editor, I set the Team popup and confirmed that automatic signing was enabled.
4. I added the iCloud capability. This forces Xcode to allocate an App ID and generate a profile for that App ID. Without that, Xcode uses my wildcard App ID, which just confuses things. I left the iCloud setup blank. I don’t need this app to use iCloud.
5. I chose Produ
Topic: Code Signing SubTopic: Entitlements Tags:
Feb ’25
Issues with Notarization and Stapling
Hello, I am trying without luck to create a .dmg or .pkg for my Electron app that can be opened by any user on a Mac. Every time I fail. All is happening by the same pattern. Here is the last try with creating a .pkg instead of a .dmg.
The app is built and it is signed correctly (I suppose):
codesign --verify --verbose=1 dist/mac-universal/VIVIDTIME.app
dist/mac-universal/VIVIDTIME.app: valid on disk
dist/mac-universal/VIVIDTIME.app: satisfies its Designated Requirement
I created a .pkg:
pkgbuild --root dist/mac-universal/VIVIDTIME.app --install-location /Applications/VIVIDTIME.app --identifier app.vividtime.mac --version 1.1.0 --sign 'Developer ID Installer: Pavel Bochkov-Rastopchin (2QKDCTR5Y3)' dist/VIVIDTIME.pkg
pkgbuild: Inferring bundle components from contents of dist/mac-universal/VIVIDTIME.app
pkgbuild: Adding component at Contents/Frameworks/Mantle.framework
pkgbuild: Adding component at Contents/Frameworks/VIVIDTIME Helper.app
pkgbuild: Adding component at Contents/Frameworks/VIVIDTIME Help
25
0
921
Feb ’25
Gate Keeper Issue
Hi, I develop a Mac application, initially on Catalina/Xcode 12, but I recently upgraded to Monterey/Xcode 13. I'm about to publish a new version: on Monterey all works as expected, but when I try the app on Sequoia, as a last step before uploading to the App Store, I encountered some weird security issues. The main symptom is that it's no longer possible to save any file from the app using the Save panel, although the User Selected File entitlement is set to Read/Write. I've tried reinstalling different versions of the app, including the most recent downloaded from TestFlight. But, whatever the version, any attempt to save using the panel (e.g. on the desktop) results in a warning telling me that I don't have authorization to write the file to that folder. Moreover, when I type spctl -a -t exec -v /Applications/***.app in the terminal, it returns rejected, even when the application has been installed by TestFlight. An EtreCheck report tells me that my app is not signed, while codesign -dv /Applications/***.app re
3
0
708
Feb ’25
Reply to Gate Keeper Issue
An EtreCheck report tells me that my app is not signed, while codesign -dv /Applications/***.app returns a valid signature. I'm lost...
EtreCheck isn't designed to be used with developer builds of apps. It only considers Developer ID and App Store builds as valid. You should consider spctl the authoritative result. Years ago, I used to use codesign more and I would test a Developer ID build with codesign -vv -R='anchor apple generic' /path/to/app. However, you also mentioned TestFlight. I've never used TestFlight, but isn't that an App Store thing? So are you doing developer-signed builds? EtreCheck has no idea about that. Never attempt to disable Gatekeeper on your developer machine. That would be a bad idea. Thankfully, Apple recently added an extra hoop to jump through that saved you. I'm sure your Sequoia install is fine. It's the app that's corrupt. I was confused at first when you were talking about Monterey and App Store. You need at least Ventura/Xcode 15 for App Store submission
Topic: Privacy & Security SubTopic: General Tags:
Feb ’25
PKG Installer Fails Notarytool Submission Process
I am trying to get a PKG installer through the Apple codesign and notarytool process. When I submit the PKG installer I get a status message of Invalid, and when I review the log file it has 2 errors. For status summary it says: Archive contains critical validation errors, and for message it says: The binary is not signed. The installer contains a flat file that is installed in the Users/Shared folder via the PKG installer. Here are the steps I've taken to get the installer through the codesign and notarytool process.
1. codesign the file that's placed in the Users/Shared folder:
codesign --options=runtime --sign 'Developer ID Application: XYZ' -v /Users/.../Documents/folder/flat file
after which I get a message saying signed generic.
2. Create the PKG installer with the signed flat file.
3. Sign the PKG installer containing the signed flat file:
codesign --options=runtime --sign 'Developer ID Application: XYZ' -v /Users/.../Documents/folder/flat file
after which I get a message saying s
1
0
559
Feb ’25
Reply to PKG Installer Fails Notarytool Submission Process
Quoting adminTC: “The installer contains a flat file”
Is that a Mach-O executable? Or something else? Because, in general, the notary service only requires that you sign the code within your installer package. If it contains data, you have to sign the package but you don’t have to sign the data that the package installs. Still, the most likely cause of your problem is a misunderstanding about how to sign installers. Installers are not code, and thus:
- You don’t sign them with codesign, but rather with installer-specific tools.
- You don’t use your Developer ID Application code-signing identity, but rather your Developer ID Installer signing identity.
Packaging Mac software for distribution has all the details.
Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = eskimo + 1 + @ + apple.com
Topic: Code Signing SubTopic: General Tags:
Feb ’25
Unable to staple - Error 65
I'm about at my wit's end trying to figure out why I can sign and notarize code, but am unable to staple the notarization, no matter what I do. I've reinstalled Xcode, reinstalled certificates, and tried about every suggestion that I can find, but still no luck. 2023 M3 MacBook Pro, OS X 15.3.1, Xcode 16.2. I have created a very basic Xcode app to test this with.
I am building the project:
codegen generate && xcodebuild -project SimpleNotarizationTest.xcodeproj -scheme SimpleNotarizationTest -configuration Release clean build
(see attached file for build log) build-log.txt
The signature and entitlements verify:
codesign -d --entitlements :- ~/Library/Developer/Xcode/DerivedData/SimpleNotarizationTest-*/Build/Products/Release/SimpleNotarizationTest.app
Output:
Executable=/Users/minter/Library/Developer/Xcode/DerivedData/SimpleNotarizationTest-ecqihdiubptfnldimmjgnqpjrxun/Build/Products/Release/SimpleNotarizationTest.app/Contents/MacOS/SimpleNotarizationTest
warning: Specifying ':' in the path
2
0
735
Feb ’25
Code signing for local, dev/staging, and production
We have a macOS application that we plan on distributing standalone (it'll be installed through MDM or directly, not through the App Store). We utilize Endpoint Security and Full Disk Access for this (enterprise) app. I have a makefile that uses codesign to sign the app inside-out. All that appears to work (i.e., when I try to run the app directly it functions as I expect it to). What's the recommended way to allow the developers on my team to also sign the app for local development so it functions as close as possible to production? My first thought is to distribute the developer identity to their machines using MDM. However, ideally I'd like to rule out the ability for a developer who has the MDM profile assigned to export the keys. That really only leaves a centralized solution in place or disabling SIP on their system (which I don't want to do). Alternatively, would creating a separate identity for production make more sense, so that in the case the developer certificate is revoked, the productio
4
0
517
Feb ’25
Reply to Code signing for local, dev/staging, and production
Thanks again. I ended up just following your advice from the original post and heavily documenting how to create developer (NOT distribution) certificates for my developers to use. Our distribution certificate is now just hooked into CI (and only there). Seems to work for our use cases! There are still a few fun things to determine, like computing a developer or distribution 'code requirement' so we can enable the Full Disk Access TCC config for our app (codesign -dr - foo.app wants to pin the CR to the developer's CN). However, I think I'll just post separately about that at some point. Thanks again! D
Feb ’25
Command CodeSign failed with a nonzero exit code
Hi, I am brand new to Xcode and I keep on getting an error message saying Command CodeSign failed with a nonzero exit code. I am not enrolled in the Apple Developer Program. Does anyone know how to fix this?
3
0
1k
Mar ’21