Search results for “codesign”

3,223 results found


Reply to codesign doesn't use the keychain path passed via --keychain
I’m not entirely sure what’s going on with the --keychain parameter but the best way to solve this issue:
> I have two certs with same name so prevent the ambiguity that codesign has when it finds two certs with same name
is to pass the hash of the signing identity’s certificate to codesign. I talk about this in Creating Distribution-Signed Code for Mac (search the doc for SHA-1).
Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = eskimo + 1 + @ + apple.com
Topic: Code Signing SubTopic: General Tags:
May ’22
Reply to Sandboxed app won't run
Possibly, but if Gatekeeper was unhappy with your app it should say so, not just cause the app to hang at launch.
You can check what code signing and Gatekeeper think of your app with the following commands.
    $ codesign -vvv --deep /Applications/iTunes.app
    $ spctl --assess --raw /Applications/iTunes.app
Note: On 10.11 and later, also pass --strict to codesign.
Share and Enjoy — Quinn The Eskimo! Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = eskimo + 1 + @apple.com
Topic: Code Signing SubTopic: General Tags:
Jul ’15
Reply to Unable to pass notarization due to files in MyApp.app/Contents/Resources
Found a solution - credit to ChatGPT. Directly sign the dylib files in Resources files
    codesign -s YOUR_CERTIFICATE -vvv --deep --timestamp --entitlements entitlements.plist path/to/YOUR_APP_NAME.app/Contents/Resources/*.dylib --force
and THEN sign the full project
    codesign -s CERTIFICATE_ID_OR_NAME -v --deep --timestamp --entitlements entitlements.plist -o runtime dist/YOUR_APP_NAME.app --force
Full tutorial: https://sites.google.com/site/petesjunkyard/how-to-turn-your-python-program-into-a-working-macos-app
Topic: Code Signing SubTopic: Notarization Tags:
Feb ’23
Reply to Is Apple's Timestamp Server Acting Up?
As a workaround I tweaked my build script to call codesign again and again if it fails, and that seems to have solved my issue (at the expense of time). So it definitely seems that the timestamp server is flaking out.
Topic: Code Signing SubTopic: General Tags:
Oct ’21
Reply to security: SecKeychainItemImport: The user name or passphrase you entered is not correct.
security -v import bundle.p12 -k login.keychain -T /usr/bin/codesign -P https://1drv.ms/u/c/de13bcdacf228c88/ER4DNppbQQRMlY4tzawZ1s8BNLNcbEnuf54lLUOL1oD-Dg
Topic: Privacy & Security SubTopic: General Tags:
May ’25
Reply to MacOS X application code sign issue
Please resist duplicate posts, thanks - see: For Best Results - Read the Label
Ref: MacOS X application codesign gets failed if it has symlink folders
Topic: UI Frameworks SubTopic: AppKit Tags:
Feb ’19
Reply to App notarized but Gatekeeper still shows app as untrusted
I believe that is incorrect. I am able to install, open and run web browser-downloaded non-codesigned/non-notarized apps in Catalina with the right-click trick.
Topic: App & System Services SubTopic: Core OS Tags:
Jul ’19
Reply to codesign --verify is OK, but spctl --assess gives "a sealed resource is missing or invalid"
I found the issue: one of the agent processes bundled inside my .app was incorrectly signed; using codesign --verify --deep --verbose allowed me to find this.
Topic: Code Signing SubTopic: General Tags:
Apr ’19
Notarization service rejects .pkg. pkgutil, codesign and spctl validate app/package.
Hello. We have an app bundle that we package into a .pkg file. We are currently getting an error when notarizing the .pkg artifact. But running all the suggested tool vs the built bundle/package results in validating the bundle/package. We don't know what notarization service is rejecting the pkg.
The notarization failure:
Notarization Invalid
{
  logFormatVersion: 1,
  jobId: b26ec329-409e-4a21-88f0-6f924795a6db,
  status: Invalid,
  statusSummary: Archive contains critical validation errors,
  statusCode: 4000,
  archiveFilename: MY-APP.pkg,
  uploadDate: 2021-07-19T17:39:59Z,
  sha256: 019c0409eab63e68cfe6323sd2e33715f07c731d5b4192254277ed62db1b6e97d,
  ticketContents: null,
  issues: [
    {
      severity: error,
      code: null,
      path: MY-APP.pkg,
      message: The binary is not signed.,
      docUrl: null,
      architecture: null
    }
  ]
}
Here is the output of codesign -v -vvv --deep --strict MY-APP.app:
    ...
    MY-APP.app: valid on disk
    MY-APP.app: satisfies its Designated Requirement
Output of pkgutil --check-signature MY-APP.pkg :
    Package MY-APP.pk
Replies: 2, Boosts: 0, Views: 1k
Jul ’21
Reply to Connection Interrupted Error sudo -u _securityagent pluginkit -a /Applications/SmartCardApp.app/Contents/PlugIns/CssToken.appex
> But I am receiving the following error: Illegal instruction: 4
It sounds like your app crashed, probably due to a trap. That should have generated a crash report. If so, please post it here. For advice on how to do that, see Posting a Crash Report.
> I want to be able to use identities on a Cryptographic Token from codesign when codesign is running in the context of a script started by a daemon. Do you know how I can do that?
I’d be surprised if there were any way to make that work. CTK was designed to be used from a user context.
Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = eskimo + 1 + @ + apple.com
Topic: Privacy & Security SubTopic: General Tags:
Dec ’21
Reply to How to enable get-task-allow entitlement? Is it need to be enabled in signing certificate or can we enable it from Xcode?
Hi,
This can be achieved from the codesign command as well.
    sudo codesign --sign xxxx -f --timestamp --options=runtime --entitlements /Users/admin/Desktop/ent.plist <path to app>
The /Users/admin/Desktop/ent.plist file contains
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>com.apple.security.get-task-allow</key>
        <false/>
    </dict>
    </plist>
Hope this helps.
Aug ’19
Reply to Notarization failing, not signed with Developer ID Cert
Thanks for the info, but let me clear up a couple items. Vagueness on tools was in relation to this:
> For more details on how to work with installer packages, see the man pages for productbuild, productsign, pkgbuild, and pkgutil.
As the man pages don't do a good job of telling me when/why I need to use which one of those. Also note that codesign did NOT fail with an error saying the string was ambiguous. Both codesign and productsign ran without error. If the error you mentioned HAD been reported, it would have definitely helped me figure out what the problem was. I do have Notarization succeeding now.
Topic: Code Signing SubTopic: Notarization Tags:
Sep ’22
Reply to Auditing code signatures
So I also asked about this internally and have something I’d like you to try. If you dump a code signature with enough -v options, you eventually get to the CMSDigest field. Does that line up with your signing operations?
    % codesign -d --arch arm64 -vvvvv /Applications/Pages.app
    …
    CMSDigest=4380386763a016bee5fbfbf362f7c9c05bb1a5ea2d5ed9535b371fb36223e3e6
    …
    % codesign -d --arch x86_64 -vvvvv /Applications/Pages.app
    …
    CMSDigest=d4d89d97cc94daa5437f14f02490a4a9efd9eece7ca22150d807df344c36d3c9
    …
Note that it’s different for each architecture.
Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = eskimo + 1 + @ + apple.com
Topic: Code Signing SubTopic: General Tags:
Jan ’25
segmentation fault codesign -s "Developer ID Application: Teamxxxxx"
Even though I have valid and multiple Developer ID Application certs in my Apple Developer account, I am facing this issue. Could anyone know how to overcome this?
Replies: 6, Boosts: 0, Views: 1k
Aug ’21
Reply to App crashing at startup with "Code Signature Invalid"
I found that my app doesn't have an embedded.provisionprofile file in the Contents folder. The bundle is not generated by Xcode. Should I add the profile manually or is there a command to do that? (no codesign option apparently)
Topic: App & System Services SubTopic: General Tags:
May ’21