“codesign”

sudo codesign -f -vv -o runtime --deep --timestamp -s Developer Id Cer: user(123455) try.dylib There are two problems here: Don’t sign code using sudo. The codesign tool needs access to your keychain and running as root can undermine that. Don’t sign code using --deep. See --deep Considered Harmful for an explanation as to why this is a problem. unable to build chain This post describes the two common most causes for that error. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = eskimo + 1 + @ + apple.com

That message is telling you that: Your program has the hardened runtime enabled. By default this prevents the debugger from attaching. Your program does not have the com.apple.security.get-task-allow entitlement to override that default. The second point is weird because Xcode applies this entitlement by default to Development signed builds. What does this return: % codesign -d -vvv --entitlements - /path/to/your.appex Make sure to point codesign at the app extension that you’re actually trying to debug; I would expect this to be within your container app. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = eskimo + 1 + @ + apple.com

The recipe to transfer the Developer ID Certs --> MyCertificates isn't perfect....it did allow me to copy the Certs into login / MyCertificates, but if I then try to delete the Developer ID Certs associated with System / Certificates, the delete command deletes BOTH copies of the Cert, leaving me with nothing. The good news is that codesign accepts the Certs I transferred by .p12 file Export / Import onto my M2 computer (which was the higher-level problem). It only gives a warning about finding multiple copies of the same cert. I chose NOT to accept the answer because it leaves the codesign with this warning.

This was never resolved properly. My Developer ID Certificates exist in two places within KeychainAccess: (correct) from login in MyCerticates (incorrect) from system in Certificates I tried to clean this up, but found that from the GUI, when you say to delete the Certificate in the incorrect location, it also deletes the one in the correct location. I accepted the status quo (2 copies of Certificate). The Codesign tool (embedded within the jpackage script) gives a warning two copies found of the certificate, choosing to use the fist one. Because of that failsafe feature, I was able to complete all my codesigning. With that, this thread is closed.

I'm actively facing this issue and cannot codesign any of my builds on CI. This is a major problem for us. https://developer.apple.com/forums/thread/687788 Created a ticket in Feedback Assistant, FB9493987.

File a bug and include reproduction steps (eg: a sample project would be ideal). I don't think there are any known issues here. Are you doing something codesigning yourself in a build script phase?

>it would be nice if apple had a verbose mode for this codesign commandYou can right click the error message in Xcode and choose expand to get more details, including a description of the problem.

If you run sample against codesign, where is it stuck? Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = eskimo + 1 + @ + apple.com

Hello, thanks for the answer. com.apple.quarantine -> CHECK codesign -v -> CHECK UUID -> CHECK extract-certificates -> CHECK codesign -d -> CHECK But no success. here my commandline to build my app xcodebuild -archivePath ~/aaa.xcarchive -workspace ~/aaa.xcworkspace -scheme aaa archive -configuration Release -destination 'platform=OS X' xcodebuild -exportArchive -archivePath ~/aaa.xcarchive -exportPath ~/aaa -exportOptionsPlist ~/exportOptionsMacDev.plist exportOptionsMacDev.plist -> destination export method development provisioningProfiles com.aa.aaa DEV-profile signingCertificate Apple Development signingStyle manual teamID XXXX

security tells me 4 valid identities found. Trying to sign: % codesign -s 'myidentifier' -f /tmp/mytrue /tmp/mytrue: errSecInternalComponent so it doesn't match. When I run the build on CircleCI, then codesign says it's a self-signed root and it refuses to do. When I look at the certificate in Keychain Utility, and evaluate it, on one machine it says it's fine, on another it says it's missing a root. I have compared the fingerprints of each of the intermediate certificates on the good machine to the certificates that are in the keychain on the machines that don't work, and those match. NB, I create a separate keychain for the certificates:

But this is always logged even if I DO NOT check sandbox entitlement.That’s weird. If you don’t have the sandbox enabled, you should never hit sandbox restrictions. I recommend that you confirm that the sandbox really is disabled. One good way to do this is to run codesign against your XPC Service’s pid. For example: $ codesign -d --entitlements :- `pgrep Finder` … lots of entitlements! …You can then check for the presents of the App Sandbox entitlement (com.apple.security.app-sandbox). Share and Enjoy — Quinn “The Eskimo!” Apple Developer Relations, Developer Technical Support, Core OS/Hardware let myEmail = eskimo + 1 + @apple.com

Two things:Check that your disabling of library validation is actually working. Run your app and then run codesign against the process. For example: % codesign -d -vvv --entitlements :- `pgrep TextEdit` .Check that the library was built with the macOS 10.9 SDK or later. Without that, you won’t be able to load it into a hardened runtime process. A good start here is otool: % otool -l /System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration| grep -B 1 -A 4 VERSION You want to look for either a LC_VERSION_MIN_MACOSX or LC_BUILD_VERSION load command and then check the sdk field in that.After that, make sure that the code signature contains sha256 hashes. For example: % codesign -d -vvv /System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration It’s OK if it has sha1 hashes as well but you have to have sha256 to be compatible with the hardened runtime.Share and Enjoy — Quinn “The Eskimo!” Apple Developer Relations, Developer Tec

If you add -vvv to the codesign command, does that turn up anything new? Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = eskimo + 1 + @ + apple.com

Thank you very much...after being sick for a while, this solved my problem with error codesign...But I do not understand why suddenly this appears...I mean in Xcode7 the project with working correctly, but not in Xcode8... is this a bug in the new version?