Search results for “codesign”

3,222 results found

Post | Replies | Boosts | Views | Activity

Reply to macOS 12.0 apache2 will not load module php7
Gatekeeper in macOS ensures only verified applications can be executed and this is achieved by signing the application using codesign. Code signing is mandatory in macOS Monterey. PHP module installed using homebrew is not signed, so you need to sign it first before it can be used, or you will get the error https://www.simplified.guide/macos/apache-php-homebrew-codesign
Topic: App & System Services, SubTopic: Core OS
Oct ’21
Reply to Entitlement issues with network extension
Are these entitlements being whitelisted by your provisioning profile? Remember that both your app and your sysex have profiles, and each profile must whitelist the corresponding program’s entitlements.

You can check this stuff with codesign and security cms. For example:

```
% codesign -d --entitlements :- PassThroughProxyMac.app
… elided …
% security cms -D -i PassThroughProxyMac.app/Contents/embedded.provisionprofile
… elided …
% codesign -d --entitlements :- PassThroughProxyMac.app/Contents/Library/SystemExtensions/com.example.apple-samplecode.PassThroughProxy-macOS.TransparentProxy.systemextension
… elided …
% security cms -D -i PassThroughProxyMac.app/Contents/Library/SystemExtensions/com.example.apple-samplecode.PassThroughProxy-macOS.TransparentProxy.systemextension/Contents/embedded.provisionprofile
… elided …
```

Share and Enjoy
— Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = eskimo + 1 + @apple.com
Topic: App & System Services, SubTopic: Drivers
Feb ’20
Reply to How do you codesign with a SmartCard
My card is indeed paired with the OS, so I unpaired with:

```
sc_auth unpair
```

so `sc_auth list` returns empty. Then `sc_auth identities` shows:

```
SmartCard: com.apple.pivtoken:45E0EF9E6A9A3C156F00F31E01CB7C87
Unpaired identities:
70AFFB8B07901499E4720DD172AF990A53877BFC Certificate For Card Authentication (Developer ID Application)
9F6993375273AC0F931A6FCEDFCC41E4D6603AB7 Certificate For Digital Signature (Apple Development)
C897376499298448D3A9304F92B133399226E82C Certificate For PIV Authentication (Yubico PIV Authentication)
```

Cool, and seems similar to what you got. Then I try to remove the signature with `codesign --remove-signature`, now I have the executable: code object is not signed at all

At last, I try to sign again:

```
codesign -s '458AXXXX' Tools --force
```

smartcard authentication does pop-up, then:

```
codesign -dvvv Tools
```

The same results appear
Topic: Code Signing, SubTopic: General
Apr ’23
Reply to Ship fat framework with Privacy manifest file containing required reason API also with code signing
Okay, true that. I'm referring fat to .framework. In my case only supported platform is ios-arm64. I found when I archive the framework code to obtain the .framework and later use this command to generate the xcframework:

```
xcodebuild -create-xcframework -framework ABC.framework -output XCFramework/ABC.xcframework
```

Without code signing, the xcframework works fine when integrated with the app, but when codesigned with either of these commands:

```
codesign --timestamp -v --sign "Apple Distribution: AnyName (AlphaNumeric)" XcFrameworkSigned/ABC.xcframework
codesign --timestamp -s "Apple Distribution: AnyName (AlphaNumeric)" XcFrameworkSigned/ABC.xcframework
```

it makes Xcode crash, both Xcode 15 and Xcode 15.1 beta.
Topic: Privacy & Security, SubTopic: General
Oct ’23
Reply to ICDeviceBrowser, PTP tethering, not working in macOS 14.2?
Hello, have you solved this issue? I also use ImageCaptureCore to develop digital cameras tether software. During the development process, I found that the software uses temporary signatures and ICDeviceBrowser can search for devices, but after using formal signatures, it cannot search for any devices. Use the following two commands to temporarily sign:

```
codesign --remove-signature
codesign --sign -
```

Hope to get your reply! BR,
Topic: App & System Services, SubTopic: Core OS
Jan ’25
Reply to Previously unseen problem with certificate signing
Dear Mr. Quinn, (Case-ID: 8907830)

You wrote:

> One trick you can use here is to copy the command out of your build transcript and run it directly from Terminal. That should reproduce the issue.

You did not specify which part of the build comments was the command you wished me to run. I decided to start with the last bits that seemed to go wrong:

```
paddy@Johns-MBP WordPuzzleAids % CodeSign /Users/paddy/Library/Developer/Xcode/DerivedData/WordPuzzleAids-dnwilitxxdvpzablseyseujsllag/Build/Products/Debug-iphoneos/WordPuzzleAids.app (in target 'WordPuzzleAids' from project 'WordPuzzleAids')
cd /Users/paddy/Projects/ThirdParty/WordPuzzleAids
zsh: unknown file attribute: I
# No idea what this means; am I not supposed to use zsh?
paddy@Johns-MBP WordPuzzleAids % Codesign
Usage: codesign -s identity [-fv*] [-o flags] [-r reqs] [-i ident] path ... # sign
       codesign -v [-v*] [-R=|-R ] path|[+]pid ... # verify
       codesign -d [options] path ... # display contents
       codesign -h p
```
Topic: Code Signing, SubTopic: General
Aug ’24
Reply to codesign results in errSecInternalComponent
errSecInternalComponent The one time I've seen that message, the root cause was that the keychain was locked. When Xcode does the exact same codesign action, I believe a window appears asking for a password to unlock the keychain, but if I invoke codesign from the command line it fails with that error. The solution is security unlock-keychain. That may be nothing to do with your problem, but I thought it worth mentioning.
Topic: Code Signing, SubTopic: General
Apr ’22
Reply to Why is security set-key-partition-list needed to use codesign?
To answer your second question: Yes, seems like that's the correct way. At least the GitHub Action for apple-actions/import-codesign-certs does the same (see these lines). I have no idea what that does but it seems to be necessary. In general you should be able to just use the GitHub Action apple-actions/import-codesign-certs in your own automated script as described in their Readme.md.
Topic: App & System Services, SubTopic: Core OS
Jun ’21
Reply to segmentation fault codesign -s "Developer ID Application: Teamxxxxx"
When I try to codesign my app I am facing this issue, and below is the command I am using:

```
pkothapeta@CCILTM03 CipherCloud % codesign -s "Developer ID Application: CipherCloud Inc (ZGNQHYL3AG)" --timestamp --options runtime -f --entitlements ./Sources/CipherCloud/CipherCloud.entitlements --deep ./build/CipherCloud.app
```

Output:

```
./build/CipherCloud.app: replacing existing signature
zsh: segmentation fault codesign -s Developer ID Application: CipherCloud Inc (ZGNQHYL3AG) runtim
```

Please find the Crash Report & entitlements files from below ref:

https://drive.google.com/file/d/14-Idpug-OZeAXxs8NvtlwOd5czIqBurB/view?usp=sharing
https://drive.google.com/file/d/18CI3cbouP4dQyESvd54BDeor8yeaFVdC/view?usp=sharing
Topic: Code Signing, SubTopic: Notarization
Aug ’21
Reply to How do you codesign with a SmartCard
My steps: I create the PrivKey on the yubikey, generate the CSR on-device, then submitted to apple. Then I download the cert from Apple, import to yubikey as well as my local keychain.

If I import into the keychain, the keychain assistant shows the cert, but not showing up the private key. codesign gives me the following error:

```
➜ ~ codesign -s '966XXXX' EXECUTABLE --force
EXECUTABLE: replacing existing signature
Warning: unable to build chain to self-signed root for signer Developer ID Application: XXXXXX
EXECUTABLE: errSecInternalComponent
➜ ~
```

If I do not import the cert, I receive:

```
➜ ~ codesign -s '966***' EXECUTABLE --force
replacing existing signature
errSecInternalComponent
```

Note no more warning this time
Topic: Code Signing, SubTopic: General
Mar ’23
What is the difference between applying "hardened runtime" to an executable and adding the `-o library` flag to codesign?
Hey,

Just recently I realized something I have been overlooking in my build pipelines. I thought that by adding the hardened runtime, I disable 3rd-party library injection (I do not have the disable-library-validation entitlement added).

However, I was using some checks on my code and I noticed that the library validation code signature check fails on my applications (e.g. adding the .libraryValidation requirement via the LightweightCodeRequirements framework) - with `codesign -dvvvv /path/to/app` I can check it doesn't have the CS_REQUIRE_LV flag:

```
[...]
CodeDirectory v=20500 size=937 flags=0x10000(runtime) hashes=18+7 location=embedded
[...]
```

then I used in Xcode the Other Code Signing Flags setting and added the `-o library` option, which added the flag:

```
[...]
CodeDirectory v=20500 size=937 flags=0x12000(library-validation,runtime) hashes=18+7 location=embedded
[...]
```

Is this flag something I should be explicitly setting? Because I was under the impression enabling hardened runtime would be enough. P
Replies: 1
Boosts: 0
Views: 388
Sep ’25
Reply to CFBundleIdentifier Collision submitting app with Canon EDSDK
I verified that I can (and should) resign the 3 parts as follows. Doing so allows you to run with a fully hardened runtime.

where Ψ is the name of an apple distribution certificate

```
my-machine Framework % codesign -vvv -f --remove-signature EDSDK.framework/Versions/A/CHHLLite.bundle
EDSDK.framework/Versions/A/CHHLLite.bundle: replacing existing signature
EDSDK.framework/Versions/A/CHHLLite.bundle: signed []
my-machine Framework % codesign -vvv -f --remove-signature EDSDK.framework/Versions/A/EdsImage.bundle
EDSDK.framework/Versions/A/EdsImage.bundle: replacing existing signature
EDSDK.framework/Versions/A/EdsImage.bundle: signed []
my-machine Framework % codesign -vvv -f --remove-signature EDSDK.framework/Versions/A/EDSDK
EDSDK.framework/Versions/A/EDSDK: replacing existing signature
EDSDK.framework/Versions/A/EDSDK: signed []
my-machine Framework % codesign -f -v -s Ψ EDSDK.framework/Versions/A/EdsImage.bundle
EDSDK.framework/Versions/A/EdsImage.bundle: signed bundle with M
```
Aug ’21
Reply to "Command CodeSign failed with a nonzero exit code" I got this error
My issue was different than the others above and I've run into it a couple times over the years. During CI automation we run fastlane and ran into this mysterious "Command CodeSign failed with a nonzero exit code". Both times the fix was to manually start up Xcode, start building, and then there would be a CodeSign pop up asking for credentials. It only occurs when setting up a new machine.
May ’25
Kernel kills my dylib even though it's properly codesigned
Kernel tells me that my dylib has an invalid digital sign, but for 100% it's a proper digital sign. Is this a bug, or a feature?

Minimal 100% reproducible example:

loader.cpp:

```
#include <dlfcn.h>
#include <cstdio>

int main() {
    void* handle = dlopen("libtest.dylib", RTLD_NOW);
    perror("dlopen");
    return handle == nullptr;
}
```

test1.cpp:

```
#include <iostream>

__attribute__((constructor)) void initfunc() {
    std::cout << "hello from dylib1\n";
}
```

test2.cpp:

```
#include <iostream>

__attribute__((constructor)) void initfunc() {
    std::cout << "hello from dylib2\n";
}
```

Makefile:

```
all: libtest1.dylib libtest2.dylib loader

libtest1.dylib: test1.cpp
	c++ -shared test1.cpp -o libtest1.dylib

libtest2.dylib: test2.cpp
	c++ -shared test2.cpp -o libtest2.dylib

loader: loader.cpp
	c++ loader.cpp -o loader
```

CMakeLists.txt instead of Makefile:

```
cmake_minimum_required(VERSION 3.5)
project(crash_test)
add_executable(loader loader.cpp)
add_library(test1 SHARED test1.cpp)
add_library(test2 SHARED test2.cpp)
```

Store all files into one directory and compile th
Replies: 2
Boosts: 0
Views: 1.1k
Oct ’22
Reply to Codesigning Error
Beat me to it. Same issue on Sierra, I'm pretty sure at this point that the codesign shipped with Sierra is broken.
Topic: App & System Services, SubTopic: Core OS
Jun ’16