“codesign”

What’s the output of this command for your app, and any other bundles in your app (ie frameworks, app extensions, etc)? codesign -dv /path/to/MyApp.app

I've included the plug-in's file structure at the top of the question above. I've skipped just the files created by codesign and spctl.

Sorry forgot to mention this the instant crash error error seems to be some what bogus any way : Command CodeSign failed with a nonzero exit code

The jpackage command tool provided by Oracle: It specifies some options for MacOS code signing: --mac-sign --mac-package-signing-prefix ST_DFG2D_ARM --mac-signing-key-user-name Pierre Bierre that it reformats when it runs and calls Apple's codesign. Maybe you can show me how to translate these options into a discrete call to codesign? [14:06:05.820] java.io.IOException: Command [/usr/bin/codesign, -s, Developer ID Application: Pierre Bierre (SL7L4YU8GT), -vvvv, --timestamp, --options, runtime, --prefix, ST_DFG2D_ARM, /var/folders/v7/06pp2_5d6gz9593k96n2z0v40000gn/T/jdk.jpackage8264959517592888307/images/image-10714515757680011645/DataflowGeometry2D.app/Contents/runtime/Contents/Home/lib/libnet.dylib] exited with 1 code I tried this guess: codesign --sign Pierre Bierre (SL7L4YU8GT) --force --options runtime --verbose --timestamp ~/DFG2D_MacOS_Manufacturing/MacOSInstallers/DFG2D_Mac_J17010_295 The response was: error: The specified item could not be found in the keychain. Not

Hi Massimo,have you signed with the hardened runtime entitlement file?Codesign --verify doesn't care about hardened runtime, but notarisation does.GreetingsBrigitte

Use this. It worked for me - codesign --force --deep --sign - /Applications/SpringToolSuite4.app It will try to force sign the app and give you permission to run it.

Turns out that PluginKit error was due to --deep codesigning flag enabled for the app target. The original error was caused by lack of $(TeamIdentifierPrefix) prefix in NSExtensionFileProviderDocumentGroup.

continued... I attempted to rerun codesign to get more info: % codesign --timestamp --options runtime -s 'Developer ID Installer: firstName lastName (redactedCode)' --prefix com.neogenesis.pfaat. -vvvv --keychain /Users/dcaffrey/Library/Keychains/login.keychain-db /var/folders/rh/2slcpd4s0qn46fgfz32680_80000gn/T/jdk.jpackage17110438044419986386/images/image-8953270622600972312/Pfaat.app/Contents/runtime/Contents/Home/lib/libnet.dylib Developer ID Installer: firstName lastName (redactedCode): **this identity cannot be used for signing code**

I’m not entirely sure what’s going on with the --keychain parameter but the best way to solve this issue: I have two certs with same name so prevent the ambiguity that codesign has when it finds two certs with same name is to pass the hash of the signing identity’s certificate to codesign. I talk about this in Creating Distribution-Signed Code for Mac (search the doc for SHA-1). Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = eskimo + 1 + @ + apple.com

I raise this question again. Earlier you suggested: The easiest way to do this is use Xcode’s import/export feature. Launch Xcode, choose Xcode > Settings, select Accounts, select the account in question, then choose Export Apple ID and Code Signing Assets from the action (…) menu. In Xcode 16 I cannot find any import/export commands to move existing codesign certificates/keys to my second Mac. Probably it will easier to create a NEW individual codesign certificate for EVERY Mac I use?

The codesign utility uses standard keychain APIs to access the digital identity it uses for signing, so it should be compatible with hardware tokens that integrate with the keychain (this presumes you have some way to load the Apple-issued certificate on to the hardware token). If yes, please describe the process as well.I don’t have any direct experience with this, alas. However, the usual setup for hardware tokens is that they appear as a keychain, so if your token is configured correctly, you shouldn’t need to do anything special on the codesign side of things. That is, you’d just pass a string that identifies the digital identity to codesign in the same way you currently do (see the Signing Identities section of codesignman page). Share and Enjoy — Quinn “The Eskimo!” Apple Developer Relations, Developer Technical Support, Core OS/Hardware let myEmail = eskimo + 1 + @apple.com

Yes, I have been granted access. Hmmm. That suggests that you’ve not applied the entitlement correctly. Run these commands: % codesign -v -vvv --deep /path/to/your/container.app % codesign -d --entitlements :- /path/to/your/container.app % security cms -D -i /path/to/your/container.app/Contents/embedded.provisionprofile % codesign -d --entitlements :- /path/to/your/container.app/Contents/Library/SystemExtensions/your.systemextension % security cms -D -i /path/to/your/container.app/Library/Contents/SystemExtensions/your.systemextension/Contents/embedded.provisionprofile The goal is to check that: Your code is correctly signed. Every entitlement claimed by your code signature is in the allowlist within the provisioning profile. For both the app and the sysex. Your app has the com.apple.developer.system-extension.install entitlement. Your sysex has the com.apple.developer.endpoint-security.client entitlement. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple l

I’m not able to reverse engineer other developer’s apps on your behalf, but I can offer some general advice. You can tell whether an app is sandboxed using codesign. For example, BBEdit is sandboxed: % codesign -d --entitlements - /Applications/BBEdit.app | grep -A 2 com.apple.security.app-sandbox … [Key] com.apple.security.app-sandbox [Value] [Bool] true but Xcode is not: % codesign -d --entitlements - /Applications/Xcode.app | grep -A 2 com.apple.security.app-sandbox … % Not all Mac App Store apps are sandboxed. Some apps shipped on the store before sandboxing was required. So, when you see an app that does something that’s seemingly impossible, it’s a good idea to check whether it’s actually sandboxed or not. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = eskimo + 1 + @ + apple.com