Search results for “codesign”

3,114 results found

Post | Replies | Boosts | Views | Activity

Reply to A timestamp was expected but was not found
Run this in the same environment in which you’re running codesign:

% curl -D /dev/stderr http://timestamp.apple.com

What do you get back? Does it yield the same level of inconsistency, that is, working sometimes and failing others?

Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = eskimo + 1 + @ + apple.com
Topic: Code Signing SubTopic: General
Oct ’24
Reply to PAM module connecting to an XPC Service where service uses setCodeSigningRequirement
[quote='766224021, pnelson, /thread/766224, /profile/pnelson']
There should be a way to build a PAM module (dynamic Library) so it can be code signed.
[/quote]

It’s certainly possible to sign a PAM module:

% cp /usr/lib/pam/pam_deny.so.2 .
% codesign -s - -f pam_deny.so.2
pam_deny.so.2: replacing existing signature

However, that won’t help when it comes to -setCodeSigningRequirement:. macOS enforces security at process boundaries. PAM modules are in-process plug-ins, so they can’t be distinguished from any other code running in that process. Thus, from the perspective of the XPC remote peer, you can’t tell whether the request came from the PAM module running inside the process or any other code running inside that process.

Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = eskimo + 1 + @ + apple.com
Topic: Code Signing SubTopic: General Tags:
Oct ’24
A timestamp was expected but was not found
We are facing the following message, "A timestamp was expected but was not found", during codesign for the following .dylib and .pkg, and it causes the notarization process to fail. We have been facing this issue for the last 3 days. We have access to timestamp.apple.com and 17.0.0.0/8, and we didn't change firewall settings. We are facing this issue randomly and not all the time (scenario is 3:1).

We tried the below command to sign the package:

codesign --verbose --deep --force --timestamp --options=runtime --sign

Kindly let us know how to fix this problem.

traceroute timestamp.apple.com
traceroute to timestamp.v.aaplimg.com (17.157.80.35), 64 hops max, 52 byte packets
....
10  17.0.9.19 (17.0.9.19)  185.693 ms  17.0.9.17 (17.0.9.17)  180.932 ms  189.060 ms
11  * * *
12  17.0.17.141 (17.0.17.141)  191.513 ms *  17.0.17.137 (17.0.17.137)  183.086 ms
13  * * *
14  * * *
Topic: Code Signing SubTopic: General
3
0
553
Oct ’24
Issue while adding App to Archive
CodeSign /Users/abc007/Library/Developer/Xcode/DerivedData/App-fjztkcxqsstohgfvqdfnedgpwltj/Build/Intermediates.noindex/ArchiveIntermediates/App/InstallationBuildProductsLocation/Applications/App.app (in target 'App' from project 'App')
    cd /Users/abc007/Documents/WorkSpace/RegulusIT/Release_Oct_2024/UI Backup/ios/App

    Signing Identity: Apple Development: Yatin Ghat (JS84GYN3O4)
    Provisioning Profile: iOS Team Provisioning Profile: www.rightschool.net (bdc0759d-b9d0-4470-8e3f-b5b67d3c2586)

    /usr/bin/codesign --force --sign 82C0E5904219E333688CE627A21522F732446038 --entitlements /Users/abc007/Library/Developer/Xcode/DerivedData/App-fjztkcxqsstohgfvqdfnedgpwltj/Build/Intermediates.noindex/ArchiveIntermediates/App/IntermediateBuildFilesPath/App.build/Release-iphoneos/App.build/App.app.xcent --generate-entitlement-der /Users/abc007/Library/Developer/Xcode/DerivedData/App-fjztkcxqsstohgfvqdfnedgpwltj/Build/Intermediates.noindex/ArchiveIntermediates/App/InstallationBuildProductsLocation/Applications/A
1
0
518
Oct ’24
Reply to DriverKit: embedded.mobileprofile has the wildcard USB Vendor ID instead of my assigned Vendor ID
A bit of a late reply on this, but I have a few things to share:

As far as I can tell, Xcode 16 has fixed all of these issues. Set codesigning to automatic, configure your capabilities in Xcode, and it signs everything exactly the way it should. I haven't specifically tested enterprise distribution (I don't have an account of that type at hand), but the automatic flows have worked perfectly for Developer ID and Mac App Store Test Flight. If it's at all possible, I think building and signing with Xcode 16 is the easiest solution to all this.

If you must use Xcode 15.4, then you need to be very careful about the exact flow involved. You're right that this is the underlying issue:

I'm assuming this has to do with the fact that the entitlements plist is using the wildcard * instead of a proper vendor id.

The wildcard value is why the development profiles can work with everything, which is also what breaks distribution signing. Here is what you can try to resolve this:

I'm not sure how this stands in Xcode 15.
Oct ’24
Reply to Apple Notarization service failing on app that notarized successfully some weeks ago
Hi Quinn,

The jar we are trying to sign is jffi from https://github.com/jnr/jffi/releases/tag/jffi-1.3.10. We are extracting the libjffi-1.2.jnilib from the jar and signing before re-packing them. This step goes fine with nothing going wrong. We then get issues when trying to notarize the application where it says the binary isn't signed, the signature isn't valid and there isn't a valid timestamp.

sign-jar-force ./Contents/Resources/xx/drivers/jffi-1.3.10-native.jar jni/Darwin/libjffi-1.2.jnilib

sign-jar() {
    if [ -e $$app_path/$1 ]; then
        echo "Signing (jar): $1 $2"
        unzip $app_path/$1 $2 -d $temp_path || echo "(jar $1): unzipping $2 failed" > $temp_path/.failed
        codesign --sign $sign_identity --timestamp $temp_path/$2 || echo "(jar $app_path/$1): $temp_path/$2" > $temp_path/.failed
        jar -ufv $app_path/$1 $temp_path/$2 || echo "(jar $1) zipping $temp_path/$2" > $temp_path/.failed
        rm -f $temp_path/$2
    else
        echo "Skipping: $1 (path not found)"
    fi
}

This is our method for signing the jar. We have also tried
Oct ’24
Reply to Notarised and Stapled App is not running Embedded Python Interpreter
Hello,

I've made very good progress. Following the changes you indicated, the app works :)

There is only a little detail: if the python executable is moved to:

SampleApp.app/Contents/MacOS/python3.11

a pop-up appears asking 'Allow [APP] to find devices on local networks?'. I tested the app placing python here:

SampleApp.app/Contents/MacOS/bin/python3.11

and the app works the same but the pop-up does not appear. This is a capability that is not requested in the app... I'm very curious to know why this happens.

Let me share the changes that were applied:

These are the new entitlements: com.apple.security.app-sandbox

I enabled Hardened Runtime in Build Settings - Signing section.

What about lib/python3.11. That’s not a single file, right? It’s a directory containing a hierarchy of Python goo, right?

Yes, it is a folder with all the libraries, etc. Is it ok when the folder stays in Resources?

The last change I made is to remove the --deep when signing the python executable; now it looks like this:

codesign --force --
Topic: Code Signing SubTopic: General Tags:
Oct ’24
Reply to macOS app with com.apple.developer.persistent-content-capture entitlement crashing on macOS 10.13.6
Your app has a number of code signing issues that will cause problems.

First, the immediate problem you’re seeing is caused by the absence of the App ID entitlement in your main app’s code signature:

% codesign -d --entitlements - "Remote for Mac.app"
Executable=/Users/quinn/Desktop/Remote for Mac.app/Contents/MacOS/Remote for Mac
[Dict]
    [Key] com.apple.developer.networking.multicast
    [Value]
        [Bool] true
    [Key] com.apple.developer.persistent-content-capture
    [Value]
        [Bool] true
    [Key] com.apple.security.automation.apple-events
    [Value]
        [Bool] true

Without this, older systems are unable to match up your app’s profile with its code. See Check for Required Entitlements within Resolving Code Signing Crashes on Launch.

Note: That’s part of my Resolving Trusted Execution Problems, which contains answers to all the weird trusted execution problems I’ve encountered over the years.

Beyond that, I see other concerns. Your app contains a bunch of executables:

% find "Remote for Mac.app" -print0 | xargs -0 file | grep exe
Topic: Code Signing SubTopic: Entitlements Tags:
Oct ’24
macOS app with com.apple.developer.persistent-content-capture entitlement crashing on macOS 10.13.6
After adding the com.apple.developer.persistent-content-capture entitlement, the app crashes on macOS 10.13.6 with the following crash report:

Process: Remote for Mac [20489]
Path: /Applications/Remote for Mac.app/Contents/MacOS/Remote for Mac
Identifier: com.cherpake.macrc.server
Version: ???
Code Type: X86-64 (Native)
Parent Process: ??? [1]
Responsible: Remote for Mac [20489]
User ID: 501

Date/Time: 2024-10-09 09:28:35.482 +0300
OS Version: Mac OS X 10.13.6 (17G14042)
Report Version: 12
Anonymous UUID: A2BB761B-2A18-0E9E-2470-21BD6C22E7A8

Time Awake Since Boot: 780000 seconds

System Integrity Protection: enabled

Crashed Thread: 0

Exception Type: EXC_CRASH (Code Signature Invalid)
Exception Codes: 0x0000000000000000, 0x0000000000000000
Exception Note: EXC_CORPSE_NOTIFY

Termination Reason: Namespace CODESIGNING, Code 0x1

kernel messages:

VM Regions Near 0 (cr2):
--> __TEXT 0000000105bdc000-0000000105cdd000 [ 1028K] r-x/r-x SM=COW

Thread 0 Crashed:
0 ??? 0x00000001099bb19c _dyld_start + 0

Thread 0 crashed w
2
0
1k
Oct ’24
Notarised and Stapled App is not running Embedded Python Interpreter
Hi Apple community, many thanks in advance for your help.

My macOS app embeds a Python interpreter, compiled from source, including the Python executable and its associated libraries. We have tried compiling the project with Xcode 16.0 and 16.1 beta 2 over macOS Sequoia 15.0 and 15.1. The project is 100% developed in Swift6.

This is what the project looks like:

SampleApp.app
SampleApp.app/Contents
SampleApp.app/Contents/MacOS
SampleApp.app/Contents/MacOS/SampleApp
SampleApp.app/Contents/MacOS/bin
SampleApp.app/Contents/MacOS/bin/python3.11
SampleApp.app/Contents/Resources
SampleApp.app/Contents/Resources/lib
SampleApp.app/Contents/Resources/lib/python3.11
SampleApp.app/Contents/Resources/Info.plist

Since we want to 'initially' distribute the app directly, the Python binary is signed as follows:

codesign --deep --force --options runtime --timestamp --sign $DEVELOPER_ID_APPLICATION $BINARY_PATH

App entitlements contain the next entries:

<key>com.apple.security.app-sandbox</key>
<true/>
<
1
0
531
Oct ’24
Notarised and Stapled App is not running Embedded Python Interpreter
Hi Apple community, many thanks in advance for your help.

My macOS app embeds a Python interpreter, compiled from source, including the Python executable and its associated libraries. We have tried compiling the project with Xcode 16.0 and 16.1 beta 2 over macOS Sequoia 15.0 and 15.1.

This is what the project looks like:

SampleApp.app
SampleApp.app/Contents
SampleApp.app/Contents/MacOS
SampleApp.app/Contents/MacOS/SampleApp
SampleApp.app/Contents/MacOS/bin
SampleApp.app/Contents/MacOS/bin/python3.11
SampleApp.app/Contents/Resources
SampleApp.app/Contents/Resources/lib
SampleApp.app/Contents/Resources/lib/python3.11
SampleApp.app/Contents/Resources/Info.plist

Since we want to 'initially' distribute the app directly, the Python binary is signed as follows:

codesign --deep --force --options runtime --timestamp --sign $DEVELOPER_ID_APPLICATION $BINARY_PATH

App entitlements contain the next entries:

<key>com.apple.security.app-sandbox</key>
<true/>
<key>co
5
0
792
Oct ’24
pkgbuild giving signing identity error
The actual error:

pkgbuild: error: Could not find appropriate signing identity for “Developer ID installer: My Name (DeveloperID)”.

I'm trying to sign a program written with gfortran. The steps worked the last time (Mar 23) I built this code.

The steps to error:

a) xcrun notarytool store-credentials --apple-id xxx --team-id yyy
   Giving Profile Name zzz and App-specific password

b) codesign --force --timestamp --options=runtime -s "Developer ID Application: My Name (yyy)" AppName

c) pkgbuild --root ROOT --identifier org.aaa.bbb --version 1.1.1 --sign "Developer ID installer: My Name (yyy)" AppName.pkg
   ROOT contains the package contents

At this point I get the error:

pkgbuild: error: Could not find appropriate signing identity for “Developer ID installer: My Name (yyy)”

Are there steps that have changed? Any suggestions?

Thanks, David
Topic: Code Signing SubTopic: General Tags:
1
0
690
Oct ’24
Reply to EACCES Error on binary included in Electron app
The whole directory chain has 755. I have the binary in Contents/Libs/bin/sox/sox (binary). The SoX binary is also code-signed.

It is indeed being spawned in a child process (node) within Electron. As I previously mentioned, this works fine if I use the Homebrew version.

const audioRecorder = spawn(soxPath, soxArgs)

As an alternative, might I have a script that installs this sox binary to /opt/bin/sox? I tried to make one with pkgbuild, codesign, & xcrun. It does make SoxInstaller.pkg, but fails when I try to run it and the logs are not written (I am just guessing at the script).

`#!/bin/bash

# Set the log file path to a specific directory
LOGFILE=/tmp/sox_install.log

# Redirect output to the log file
exec > >(tee -a $LOGFILE) 2>&1

# Start logging
echo "===> Starting SoX install script at $(date)"
echo "===> Log file: $LOGFILE"

# Ensure the script is running with elevated privileges
if [ $(id -u) -ne 0 ]; then
    echo "ERROR: This script must be run as root or with sudo"
    exit 1
fi

# Define the So
Topic: Code Signing SubTopic: General Tags:
Oct ’24
EACCES Error on binary included in Electron app
Hi,

I have an Electron app that I build, sign, notarize, and staple using electron-builder. It includes Sound Exchange (SoX), which I was invoking from the homebrew installed version. It builds a dmg and works fine.

However, my users are non-technical, thus cannot be expected to install dev tools, homebrew, and sox from the command line and set paths. Therefore, I need to include a SoX binary in my app. I have a static SoX binary that works. However, when I try to run it from my electron app, I get Error: spawn / /sox EACCES.

Electron-builder is signing the SoX binary:

codesign --sign --force --timestamp --options runtime --entitlements dist/entitlements/entitlements.mac.plist /Contents/Resources/bin/sox/sox

The app sign/notarize works fine, the dmg mounts, and the app runs until I try to invoke SoX. Also, I verified the sox binary and entire app are signed and the app staple is valid. I am running the app from /Applications.

Please help me!
3
0
790
Oct ’24
Building a Safari extension - but Safari doesn't see it
I'm trying to build a (personal) Safari extension, which should add an HTTP header when visiting a few websites. I'm a newbie at Xcode.

Using Xcode, the build runs and the app runs correctly (the standard boilerplate code tells me that the extension is currently off). However, the extension doesn't appear in Safari>Settings>Extensions at all, so I cannot enable the extension.

There are two warnings (warnings? or errors? fatal? or not?):

NSBundle file:///System/Library/PrivateFrameworks/MetalTools.framework/ principal class is nil because all fallbacks have failed
Unable to create bundle at URL ((null)): normalized URL null

...I'm brand new to Xcode so I don't really know whether these errors are fatal, and how to fix them if so. These warnings appear when the app runs, not during the build cycle.

The plugin appears when issuing this command in Terminal:

pluginkit -mAvvv -p com.apple.Safari.web-extension

...part of that response is:

podnewsllc.Podnews-Security.Extension(1.0) Path = /Users/jamescridland/L
1
0
752
Oct ’24