codesign

TN3125 is correct in saying that the hardened runtime entitlements are unrestricted, that is, their used doesn’t have to be authorisation by a profile. I’m not sure what’s going with your app but this is working for me: Using Xcode 16.4 on macOS 15.6.1, create a new project from the macOS > Command Line Tool target. In Signing & Capabilities > Hardened Runtime, check the Disable Library Validation box. Build and run; the program runs just fine. Dump the entitlements of the built executable: % codesign -d -vvv --entitlements - Test799497 … CodeDirectory v=20500 size=630 flags=0x10000(runtime) … … [Dict] [Key] com.apple.security.cs.disable-library-validation [Value] [Bool] true … The runtime flag indicates that the hardened runtime is enabled, and the com.apple.security.cs.disable-library-validation entitlement disables library validation. Moreover, this is a command-line tool, and thus it has no provisioning profile. Please repeat the above, just to make sure that we’re on the same page. As

My understanding is that Xcode Cloud uses cloud signing [1]. Assuming that, the result you’re seeing make sense. With cloud signing the signing identity is never present in the keychain. Hence the whole “cloud” thing (-: Cloud signing is only supported in Xcode (and xcodebuild). It’s not directly supported by codesign [2]. So, you won’t be able to use it to sign your disk image. That leaves you with a few options: Don’t use a disk image. If it’s just a normal app, distributing it as a zip archive is a reasonable option. Don’t sign your disk image. While I generally recommend that folks sign their disk images, it’s not an absolute requirement. Pass your normal (so, not managed) Developer ID Application signing identity to Xcode Cloud and use that to sign your disk image. I’ll admit that none of these are particularly appealing, and I think it’d make sense for you to file an enhancement request against Xcode Cloud for a better way to deal with this. Please post your bug number, just for the record. Sha

Hi. Yes, the Developer ID identity. Thanks for promoting the use of proper terminology 😁 I've read through a number of your other posts on this forum and found them informative and helpful. And yes, I'm referring to Xcode Cloud. My ci_post_xcodebuild.sh script includes: codesign ... --sign $CODESIGN_IDENTITY diskimage.dmg Where CODESIGN_IDENTITY is the SHA-1 of my Developer ID Application: My Company (MYTEAMID). It unsurprisingly fails with: error: The specified item could not be found in the keychain. I can also see there are no identities in the keychain with: security find-identity -v -p codesigning I'm hoping Xcode Cloud provides me a better way to access the identity than uploading the .p12 to the host... Thanks!

Hi Quinn, We are indeed trying to ensure our daemon is only accessed by our client. We do have hardened runtime and kill via -o runtime in our codesign use. We have some old code that checks our signing requirement though (pre-macOS 13) but it seems we can replace that old code with setCodeSigningRequirement(_:) instead. I wasn't clear from the documentation on setCodeSigningRequirement whether that was the case. Thanks, Dave

So what threat are you trying to protect against here? Most folks who ask about setCodeSigningRequirement(_:) are trying to ensure that their daemon is only accessed by their client. If that’s your goal then this question isn’t really relevant. If the client process’s code signature becomes invalid before it connects, this check will reject the connection. And if not, you know you’re working with the expected client and thus you can assume it won’t do something to invalidate its signature. On the client side, you want to make sure your client enables the hardened runtime and doesn’t include any entitlements to disable the security features that the hardened runtime enables by default. Oh, and for extra assurance you can sign you code with the kill flag. See the codesign man page for more on that. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = eskimo + 1 + @ + apple.com

[quote='854898022, Steve-Olson-1951, /thread/797142?answerId=854898022#854898022, /profile/Steve-Olson-1951'] I built a very basic test app from Xcode templates [/quote] That’s always a great diagnostic test. In this case it confirms that there’s something specific about your main project that’s causing this issue. I have some further suggestions: From the Home screen, remove your main app from the device. And then restart the device. These steps should remove any state leftover from any previous builds of the app. Do a clean build of the app. Do a Product > Run. Does it still reproduce the problem? Presuming it does, run the app from the Home screen and then do a Debug > Attach to Process. Does that work? Also, after the rebuild in step 3, choose Product > Show Build Folder in Finder, then navigate to the Debug-iphoneos folder and, in Terminal, run this command: % codesign -d --entitlements - MyApp.app … [Dict] … [Key] get-task-allow [Value] [Bool] true As this code is Development signed, y

On our paid Apple Developer Program account (role: Account Holder/Admin), the Call Directory capability toggle does not appear on any iOS App Extension Identifier we create. Because of that, provisioning profiles for those extension IDs never include the Call Directory entitlement and the extension cannot be enabled on device. That is the only reason we tried to add manually which does not work. Environment Membership: Apple Developer Program (paid, active) Xcode: [16.x] iOS devices tested: iOS 18.4.1, 18.5 and 18.6.1 App type: iOS app + Call Directory extension App Groups: enabled and working What I am not seeing In Certificates, Identifiers & Profiles → Identifiers → (iOS App ID, type App Extension), I expect to see a Call Directory capability toggle I can enable but it is not there What actually happens The Call Directory toggle is missing from the extension Identifier details page. Profiles created for the extension ID don’t contain the Call Directory entitlement. The extension never appears under Set