Search results for “codesign”

3,223 results found

Post

Replies

Boosts

Views

Activity

Gatekeeper scans app before it finishes copying
Hi all, I found an issue by chance where, when we copy an .app bundle (a large one), Gatekeeper can choose to try to scan the app before the file copying finishes (without the app having been launched). This of course fails, and then the app can't open because it's damaged, even though spctl and codesign checks of the completed copied app come out fine. Then Gatekeeper remembers this setting forever, not rescanning the app. I'm wondering if anyone else has seen this happen and if so, if there's a best practice for keeping Gatekeeper's hands off until the copy is done? I imagine copying into a folder not named .app, then renaming it might work, or maybe saving the plist or main binary copy until last, although both require a more complex copy operation. Maybe there's a more elegant way? Thanks!
3
0
630
Nov ’24
Reply to Unable to Write Files Within App Bundle After Codesigning and Notarization
Dear Engineer, Thanks for your information. Actually, we use Qt to develop an application on the macOS platform, and we are attempting to perform code signing and notarization to ensure our application is trusted by Apple. However, there are a few things that seem weird regarding your statement: App bundles are read-only by design. Let me provide more details for your reference. Currently, when our application starts, it needs to create a folder (e.g. Temp) in the root directory of the executable. For example: Myapp.app/Contents/MacOS/Myapp ---> Myapp.app/Contents/MacOS/Temp The folder is designed for storing runtime logs or config files for our application. In the past, users may also modify the settings inside the target folder if needed. However, the strange thing is that after the application is codesigned and notarized, when we double-click the application Myapp (a.k.a. Myapp.app) in Finder, it could successfully launch and create the Temp folder inside the Myapp.app/Contents/MacOS folder. Howeve
Topic: Code Signing SubTopic: General Tags:
Nov ’24
Reply to Pkg installation package uploaded to macstore email prompt ITMS-90296
I tried using a third-party app (Pacifist) to open the app in the pkg, and export the app locally, then followed your instructions to perform the following actions: 1. Run codesign against the resulting app to confirm that its signature is valid: % codesign --verify -vvv /path/to/your.app The results obtained: PS: I noticed an error message IFlytek heard. app: a sealed resource is missing or invalid File missing:/Users/pploo2/Desktop/icon/1/iFlytek heard. app/Contents/Resources/tj_S1/_MACOSX/ node_modules I don't know if this is the key to the problem ITMS-90926. 2. Run codesign again to check that you have App Sandbox enabled: % codesign --display --entitlements - /path/to/your.app The results obtained: You can see that there is sandbox=true here. Now back to the first step, I performed operations on the app before packaging it as pkg and found that there were no missing related issues
Nov ’24
Reply to AppleScript Code Signing Error
Hi DTS Engineer, thank you for the reply. Unfortunately, some of this is over my head. All I want to do is be able to sign a simple AppleScript app so that I can avoid the recurring security prompts that appear when it tries to copy a folder from the local desktop to a network share. I mean, I tried following the link you provided. I ran the security find-identity -p codesigning command and the results show that 1 identities found and 1 valid identities found. I then tried running the command to code sign the MyTrue app and the reply I got was, Warning: unable to build chain to self-signed root for signer MyTrue: errSecInternalComponent I have downloaded and installed all available intermediate certificates, set my cert to always trust, set the corresponding intermediate to always trust and still no luck. Additional info: my cert will be used to sign a few AppleScript apps for use on a few internal computers without any kind of external distribution. Maybe I am not creating the right kind of certifi
Nov ’24
Reply to Pkg installation package uploaded to macstore email prompt ITMS-90296
First things first, the TestFlight issue (ITMS-90886) is covered by TestFlight, Provisioning Profiles, and the Mac App Store. Regarding the App Sandbox issue (ITMS-90296), there’s a variety of potential causes for this. I recommend that you check whether App Sandbox is actually enabled on the binary that you submitted to App Store Connect. To do that: Locate the installer package (.pkg) you submitted. Unpack that. I usually do this with a third-party app (Pacifist), but Unpacking Apple Archives explains how to do it the hard way. Run codesign against the resulting app to confirm that its signature is valid: % codesign --verify -vvv /path/to/your.app Run codesign again to check that you have App Sandbox enabled: % codesign --display --entitlements - /path/to/your.app I’d expect to see output like this: % codesign --display --entitlements - /Applications/PCalc.app … [Dict] … [Key] com.apple.security.app-sandbox [Value] [Bool] true … Share and Enjoy — Quinn “The Eskim
Nov ’24
errSecInternalComponent when trying to codesign an app through SSH
Hi, I'm trying to ssh into another machine, copy an app into that machine and codesign it using my Dev ID Application certificate, then copy it back to my original machine. I'm getting the errSecInternalComponent error when running codesign. This is the bash script I'm running: ssh ${REMOTE_SERVER} security -v unlock-keychain -p /Users//Library/keychains/login.keychain-db ssh ${REMOTE_SERVER} codesign -vvv --deep --force --verify --verbose --timestamp --options runtime --sign Developer ID Application: /tmp/$BUILD_ID/ui-app/.app ssh ${REMOTE_SERVER} codesign -dv --verbose=4 /tmp/$BUILD_ID/ui-app/.app I've tried to follow all the available info found online, managed to sign it successfully through the machine's UI, set the ACL of the private key to ALLOW ALL, restarted the keychain service, tried with the system keychain, approved all pop ups through the UI. Still with no luck through the SSH session. Any help would be greatly appreciated. Thanks!
2
0
586
Nov ’24
Reply to errSecInternalComponent when trying to codesign an app through SSH
Thanks for sharing. For those reading along at home, I discuss this topic in some detail in Resolving errSecInternalComponent errors during code signing. Oh, and one last thing. You wrote: “codesign -vvv --deep …” Be careful when using --deep. It’s fine to use when verifying, as you’re doing here, but don’t use it when signing. See --deep Considered Harmful for more on that. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = eskimo + 1 + @ + apple.com
Nov ’24
Reply to errSecInternalComponent when trying to codesign an app through SSH
Ok, found a solution after 10 hours. When running standalone multiple SSH commands the unlock-keychain doesn't stick between commands, running: ssh ${REMOTE_SERVER} security unlock-keychain -p /Users//Library/Keychains/login.keychain-db && codesign -vvv --deep --force --verify --verbose --timestamp --options runtime --sign Developer ID Application: /tmp/$BUILD_ID/ui-app/.app Fixed it. Good luck :)
Nov ’24
Reply to Codesign dylib/framework with entitlements
nangalvivek wrote: “Is it correct to codesign dylib/frameworks with entitlements?” No. It’s never correct to do that. Entitlements are only useful when applied to a main executable and can cause problems when applied to library code. nangalvivek wrote: “Is this even allowed?” Depends on what you mean by “allowed”. It never does anything useful. It won’t be caught by either App Store Connect or notarisation. In most cases it’s benign. In some specific cases it will cause your program to be blocked by the trusted execution system. nangalvivek wrote: “I know of at least one app that has passed notarization checks as well.” The goal of the notary service is for software to be “checked by Apple for malicious components”. It doesn’t audit your program for correctness, except as necessary to perform that goal. You can notarise a progr
Topic: Code Signing SubTopic: Entitlements Tags:
Nov ’24
Reply to iOS 18 launch crash main_executable_path_missing
In addition, the app recently encountered a dyld crash similar to this crash on iOS 15.5, which looks somewhat similar to the current crash. Not sure if it's the same, but it looks similar. See if it helps the analysis. I have filed a bug, number is FB15719846 (iOS 15.5 dyld Crash), hope it helps. Thanks. Hardware Model: iPhone14,5 Process: XxxxxxXXX [265] Path: /private/var/containers/Bundle/Application/DAC8B886-80BB-48DB-916D-DBB854B69DFD/XxxxxxXXX.app/XxxxxxXXX Identifier: com.XxxxxxXXX.XxxxxxXXX Version: 8.1.3 (81300) AppStoreTools: 15F31e AppVariant: 1:iPhone14,5:15 Code Type: ARM-64 (Native) Role: Foreground Parent Process: launchd [1] Coalition: com.XxxxxxXXX.XxxxxxXXX [409] Date/Time: 2024-08-20 11:59:31.9614 +0800 Launch Time: 2024-08-20 11:37:02.3165 +0800 OS Version: iPhone OS 15.5 (19F77) Release Type: User Baseband Version: 1.61.00 Report Version: 104 Exception Type: EXC_BAD_ACCESS (SIGKILL - CODESIGNING) Exception Subtype: UNKNOWN_0x32 at 0x00000001048d0000 Exception Codes: 0x0000000000000032, 0x00
Nov ’24
Reply to "How to" for dext distribution
It turns out you can't do that from an Admin role. I kept looking at the output of the security command and seeing the older bundle ID showing up for com.apple.developer.driverkit.userclient-access., which was not the updated bundle ID I was developing now. FYI, this is one of the pitfalls of manual codesigning, as automatic codesigning will not allow that. That's actually the biggest issue with manual codesigning- it allows you to force configuration that won't actually work, so unless you understand EXACTLY why automatic is failing, you can easily end up replacing an error at signing with a different error somewhere else. First, I had changed the bundle ID of my dext to what it should be, after learning that the bundle ID ought to be an extension of the owning application's bundle ID. This is common practice and what Xcode does by default, but I don't believe the system actually requires it, as it needlessly restricts/complicates what's possible without any real benefit. It's been
Nov ’24
Apple Silicon app builds but cannot launch
The new M1 Mac Mini is great, and I've had some success compiling various projects natively. However, I encountered an issue I'm not sure how to resolve. In Xcode, the app builds but fails to run with the following dialog of cryptic errors: Could not launch Domain: IDELaunchErrorDomain Code: 20 Recovery Suggestion: The LaunchServices launcher has return an error. Please check the system logs for the underlying cause of the error. User Info: { DVTRadarComponentKey = 113722; } - The operation couldn’t be completed. (OSStatus error -10826.) Domain: NSOSStatusErrorDomain Code: -10826 User Info: { _LSFunction = _LSLaunchWithRunningboard; _LSLine = 2508; } - The operation couldn’t be completed. Launched process exited during launch. Domain: RBSRequestErrorDomain Code: 5 Failure Reason: Launched process exited during launch. Finder complains about permission when launching, and the Console reports this message: Unable to obtain a task name port right for pid 2071: (os/kern) failure (0x5) I thought it could be a sign
16
0
12k
Aug ’22
Reply to Xcode Project with Framework - Library not loaded - mapping process and mapped file have different Team IDs
I found this topic while trying to solve pretty much the same issue in my project, and since I've found a solution, I was thinking to share it in case it would help someone else in the same situation. Turns out the framework in the build folder is not signed, so it couldn't be loaded properly. At the same time the framework located in the resulting application bundle is signed properly, but it was not used for some reason. You can check the signature of the framework with the codesign -d -r - Shared.framework command. I was able to solve the issue by adding the following properties to the build settings, hope it will help someone: LD_RUNPATH_SEARCH_PATHS = @executable_path/Frameworks LD_RUNPATH_SEARCH_PATHS[sdk=macosx*] = @executable_path/../Frameworks Essentially it loads frameworks from the expected location for the iOS build and the other location for the macOS build (the bundle structure is different depending on the destination).
Nov ’24
Reply to Unable to Write Files Within App Bundle After Codesigning and Notarization
CynthiaSun wrote: “Are there any restrictions regarding this?” Yes. CynthiaSun wrote: “Is there a way to bypass these restrictions?” No. App bundles are read-only by design. This isn’t a new requirement [1], but recent changes in macOS’s trusted execution system mean that it’s more important to follow the rules. To quote Embedding nonstandard code structures in a bundle: A bundle is a read-only structure. All Apple platforms except the Mac enforce this requirement at runtime. On iOS, for example, any attempt to modify your app’s bundle at runtime will fail with an error. The Mac may or may not enforce this requirement at runtime, depending on the context, but modifying your app’s bundle isn’t supported because it breaks the seal on the app’s code signature. So your current goal, having the app modify itself, is unsupported, likely to cause problems today, and even more likely to cause problems i
Topic: Code Signing SubTopic: General Tags:
Nov ’24
Reply to Content Filter: sourceAppAuditToken empty only for Firefox
This is clearly a bug. There should always be an audit token because some process must’ve started the flow. The next time you see this, please trigger a sysdiagnose log as soon as you see it, and then file a bug with that log. And once you’re done, I’d appreciate you posting the bug number here, just for the record. If you’re doing this on a ‘victim’ machine then you should enable additional NE logging via the VPN (Network Extension) for macOS instructions on our Bug Reporting > Profiles and Logs page. If you’re doing this on a real machine, you can enable that extra logging, but please consider the privacy impact. terransw wrote: “Not sure if relevant, but codesign with -dv showed different flags in CodeDirectory when compared to chrome:” That’s definitely not relevant. Chrome is opting in to some additional security checks, but Firefox gets most of those anyway because it’s enabled the hardened runtime (shown as runtime in that output). If yo
Nov ’24