Search results for: codesign

3,115 results found

Columns: Post, Replies, Boosts, Views, Activity

Reply to Pkg installation package uploaded to macstore email prompt ITMS-90296
I tried using a third-party app (Pacifist) to open the app in the pkg and export the app locally, then followed your instructions to perform the following actions:
1. Run codesign against the resulting app to confirm that its signature is valid:
% codesign --verify -vvv /path/to/your.app
The results obtained:
PS: I noticed an error message
IFlytek heard. app: a sealed resource is missing or invalid
File missing:/Users/pploo2/Desktop/icon/1/iFlytek heard. app/Contents/Resources/tj_S1/_MACOSX/ node_modules
I don't know if this is the key to the problem ITMS-90926.
2. Run codesign again to check that you have App Sandbox enabled:
% codesign --display --entitlements - /path/to/your.app
The results obtained: You can see that there is sandbox=true here.
Now back to the first step: I performed the operations on the app before packaging it as a pkg and found that there were no missing related issues
Nov ’24
Reply to AppleScript Code Signing Error
Hi DTS Engineer, thank you for the reply. Unfortunately, some of this is over my head. All I want to do is be able to sign a simple AppleScript app so that I can avoid the recurring security prompts that appear when it tries to copy a folder from the local desktop to a network share. I mean, I tried following the link you provided. I ran the security find-identity -p codesigning command and the results show that 1 identities found and 1 valid identities found. I then tried running the command to code sign the MyTrue app and the reply I got was, Warning: unable to build chain to self-signed root for signer MyTrue: errSecInternalComponent I have downloaded and installed all available intermediate certificates, set my cert to always trust, set the corresponding intermediate to always trust and still no luck. Additional info: my cert will be used to sign a few AppleScript apps for use on a few internal computers without any kind of external distribution. Maybe I am not creating the right kind of certifi
Nov ’24
Reply to Pkg installation package uploaded to macstore email prompt ITMS-90296
First things first, the TestFlight issue (ITMS-90886) is covered by TestFlight, Provisioning Profiles, and the Mac App Store.
Regarding the App Sandbox issue (ITMS-90296), there’s a variety of potential causes for this. I recommend that you check whether App Sandbox is actually enabled on the binary that you submitted to App Store Connect. To do that:
Locate the installer package (.pkg) you submitted.
Unpack that. I usually do this with a third-party app (Pacifist), but Unpacking Apple Archives explains how to do it the hard way.
Run codesign against the resulting app to confirm that its signature is valid:
% codesign --verify -vvv /path/to/your.app
Run codesign again to check that you have App Sandbox enabled:
% codesign --display --entitlements - /path/to/your.app
I’d expect to see output like this:
% codesign --display --entitlements - /Applications/PCalc.app
…
[Dict]
    …
    [Key] com.apple.security.app-sandbox
    [Value]
        [Bool] true
    …
Share and Enjoy — Quinn “The Eskim
Nov ’24
Reply to errSecInternalComponent when trying to codesign an app through SSH
Thanks for sharing. For those reading along at home, I discuss this topic in some detail in Resolving errSecInternalComponent errors during code signing.
Oh, and one last thing. You wrote:
> codesign -vvv --deep …
Be careful when using --deep. It’s fine to use when verifying, as you’re doing here, but don’t use it when signing. See --deep Considered Harmful for more on that.
Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
Nov ’24
errSecInternalComponent when trying to codesign an app through SSH
Hi, I'm trying to ssh into another machine, copy an app into that machine and codesign it using my Dev ID Application certificate, then copy it back to my original machine. I'm getting the errSecInternalComponent error when running codesign. This is the bash script I'm running:
ssh ${REMOTE_SERVER} security -v unlock-keychain -p /Users//Library/keychains/login.keychain-db
ssh ${REMOTE_SERVER} codesign -vvv --deep --force --verify --verbose --timestamp --options runtime --sign Developer ID Application: /tmp/$BUILD_ID/ui-app/.app
ssh ${REMOTE_SERVER} codesign -dv --verbose=4 /tmp/$BUILD_ID/ui-app/.app
I've tried to follow all the available info found online, managed to sign it successfully through the machine's UI, set the ACL of the private key to ALLOW ALL, restarted the keychain service, tried with the system keychain, approved all pop ups through the UI. Still with no luck through the SSH session. Any help would be greatly appreciated. Thanks!
Replies: 2, Boosts: 0, Views: 531
Nov ’24
Reply to errSecInternalComponent when trying to codesign an app through SSH
Ok, found a solution after 10 hours. When running standalone multiple SSH commands the unlock-keychain doesn't stick between commands, running:
ssh ${REMOTE_SERVER} security unlock-keychain -p /Users//Library/Keychains/login.keychain-db && codesign -vvv --deep --force --verify --verbose --timestamp --options runtime --sign Developer ID Application: /tmp/$BUILD_ID/ui-app/.app
Fixed it. Good luck :)
Nov ’24
Reply to Codesign dylib/framework with entitlements
> Is it correct to codesign dylib/frameworks with entitlements?
No. It’s never correct to do that. Entitlements are only useful when applied to a main executable and can cause problems when applied to library code.
> Is this even allowed?
Depends on what you mean by “allowed”. It never does anything useful. It won’t be caught by either App Store Connect or notarisation. In most cases it’s benign. In some specific cases it will cause your program to be blocked by the trusted execution system.
> I know of at least one app that has passed notarization checks as well.
The goal of the notary service is for software to be “checked by Apple for malicious components”. It doesn’t audit your program for correctness, except as necessary to perform that goal. You can notarise a progr
Topic: Code Signing SubTopic: Entitlements Tags:
Nov ’24
Reply to iOS 18 launch crash main_executable_path_missing
In addition, the app recently encountered a dyld crash on iOS 15.5 which looks somewhat similar to the current crash. Not sure if it's the same, but it looks similar. See if it helps the analysis. I have filed a bug, number is FB15719846 (iOS 15.5 dyld Crash), hope it helps. Thanks.
Hardware Model: iPhone14,5
Process: XxxxxxXXX [265]
Path: /private/var/containers/Bundle/Application/DAC8B886-80BB-48DB-916D-DBB854B69DFD/XxxxxxXXX.app/XxxxxxXXX
Identifier: com.XxxxxxXXX.XxxxxxXXX
Version: 8.1.3 (81300)
AppStoreTools: 15F31e
AppVariant: 1:iPhone14,5:15
Code Type: ARM-64 (Native)
Role: Foreground
Parent Process: launchd [1]
Coalition: com.XxxxxxXXX.XxxxxxXXX [409]
Date/Time: 2024-08-20 11:59:31.9614 +0800
Launch Time: 2024-08-20 11:37:02.3165 +0800
OS Version: iPhone OS 15.5 (19F77)
Release Type: User
Baseband Version: 1.61.00
Report Version: 104
Exception Type: EXC_BAD_ACCESS (SIGKILL - CODESIGNING)
Exception Subtype: UNKNOWN_0x32 at 0x00000001048d0000
Exception Codes: 0x0000000000000032, 0x00
Nov ’24
Reply to "How to" for dext distribution
It turns out you can't do that from an Admin role. I kept looking at the output of the security command and seeing the older bundle ID showing up for com.apple.developer.driverkit.userclient-access., which was not the updated bundle ID I was developing now. FYI, this is one of the pitfalls of manual codesigning, as automatic codesigning will not allow that. That's actually the biggest issue with manual codesigning: it allows you to force configuration that won't actually work, so unless you understand EXACTLY why automatic is failing, you can easily end up replacing an error at signing with a different error somewhere else. First, I had changed the bundle ID of my dext to what it should be, after learning that the bundle ID ought to be an extension of the owning application's bundle ID. This is common practice and what Xcode does by default, but I don't believe the system actually requires it, as it needlessly restricts/complicates what's possible without any real benefit. It's been
Nov ’24
Apple Silicon app builds but cannot launch
The new M1 Mac Mini is great, and I've had some success compiling various projects natively. However, I encountered an issue I'm not sure how to resolve. In Xcode, the app builds but fails to run with the following dialog of cryptic errors:
Could not launch
Domain: IDELaunchErrorDomain
Code: 20
Recovery Suggestion: The LaunchServices launcher has return an error. Please check the system logs for the underlying cause of the error.
User Info: { DVTRadarComponentKey = 113722; }
- The operation couldn’t be completed. (OSStatus error -10826.)
Domain: NSOSStatusErrorDomain
Code: -10826
User Info: { _LSFunction = _LSLaunchWithRunningboard; _LSLine = 2508; }
- The operation couldn’t be completed. Launched process exited during launch.
Domain: RBSRequestErrorDomain
Code: 5
Failure Reason: Launched process exited during launch.
Finder complains about permission when launching, and the Console reports this message:
Unable to obtain a task name port right for pid 2071: (os/kern) failure (0x5)
I thought it could be a sign
Replies: 16, Boosts: 0, Views: 12k
Aug ’22
Reply to Xcode Project with Framework - Library not loaded - mapping process and mapped file have different Team IDs
I found this topic while trying to solve pretty much the same issue in my project, and since I've found a solution, I thought I'd share it in case it helps someone else in the same situation. It turns out the framework in the build folder is not signed, so it couldn't be loaded properly. At the same time, the framework located in the resulting application bundle is signed properly, but it was not used for some reason. You can check the signature of the framework with the codesign -d -r - Shared.framework command. I was able to solve the issue by adding the following properties to the build settings, hope it will help someone:
LD_RUNPATH_SEARCH_PATHS = @executable_path/Frameworks
LD_RUNPATH_SEARCH_PATHS[sdk=macosx*] = @executable_path/../Frameworks
Essentially it loads frameworks from the expected location for the iOS build and the other location for the macOS build (the bundle structure is different depending on the destination).
Nov ’24
Reply to Unable to Write Files Within App Bundle After Codesigning and Notarization
> Are there any restrictions regarding this?
Yes.
> Is there a way to bypass these restrictions?
No. App bundles are read-only by design. This isn’t a new requirement [1], but recent changes in macOS’s trusted execution system mean that it’s more important to follow the rules. To quote Embedding nonstandard code structures in a bundle:
A bundle is a read-only structure. All Apple platforms except the Mac enforce this requirement at runtime. On iOS, for example, any attempt to modify your app’s bundle at runtime will fail with an error. The Mac may or may not enforce this requirement at runtime, depending on the context, but modifying your app’s bundle isn’t supported because it breaks the seal on the app’s code signature.
So your current goal, having the app modify itself, is unsupported, likely to cause problems today, and even more likely to cause problems i
Topic: Code Signing SubTopic: General Tags:
Nov ’24
Reply to Content Filter: sourceAppAuditToken empty only for Firefox
This is clearly a bug. There should always be an audit token because some process must’ve started the flow. The next time you see this, please trigger a sysdiagnose log as soon as you see it, and then file a bug with that log. And once you’re done, I’d appreciate you posting the bug number here, just for the record. If you’re doing this on a ‘victim’ machine then you should enable additional NE logging via the VPN (Network Extension) for macOS instructions on our Bug Reporting > Profiles and Logs page. If you’re doing this on a real machine, you can enable that extra logging, but please consider the privacy impact.
> Not sure if relevant, but codesign with -dv showed different flags in CodeDirectory when compared to chrome:
That’s definitely not relevant. Chrome is opting in to some additional security checks, but Firefox gets most of those anyway because it’s enabled the hardened runtime (shown as runtime in that output). If yo
Nov ’24
Code Signing -- errSecInternalComponent, unable to build self-signed root for signer "Developer ID Application..."
I am a developer on a project at work. I recently got a new laptop; however, since then I have been unable to build/deploy our application. I received a copy of the Developer ID Application certificate and Developer ID Installer certificate from a fellow developer. Note, everything works on their machine with these certificates. I have gone through the steps documented here https://developer.apple.com/forums/thread/712005 When I run security find-identity -p codesigning, I have two certificates that show up: one for my user and one for the Developer ID Application that my colleague gave me. Both show up as matching and valid identities. When I try to codesign MyTrue, as documented in the link above, using Apple Development works; however, the Developer ID Application identity does not. I get an errSecInternalComponent error.
ahenderson@ahendersonmacbook [17:29:23] [~/Downloads] -> % codesign -s Apple Development -f MyTrue -vvv
MyTrue: replacing existing signature
MyTrue: signed Ma
Replies: 3, Boosts: 0, Views: 826
Nov ’24
Reply to Outgoing SSL connections fail on macOS 15, work fine on earlier versions
The system applies the same code signing and library validation checks regardless of whether you import the library or load the library dynamically. I agree with Etresoft that importing the library is the better option, but if you can’t change that then it’s not a showstopper.
As to why LLDB is hanging, I don’t have an easy answer to that. I suspect it’s some sort of code signing or library validation issue. I’m disinclined to chase that because:
LLDB isn’t a great tool for debugging code signing and library validation issues. It has enough on its plate being a debugger.
Once you work out what’s going wrong with the library loading, it’s likely that LLDB will just start working again.
Anyway, just to get us on a firm footing, I decided to run a test:
On macOS 14.7.1 using Xcode 16.1, I created a new macOS app project.
I downloaded the disk image from your first post and extracted the OpenSSL libraries.
I modified them to be rpath-relative, per the docs I referenced above. I’ve put the exact commands at the end
Nov ’24