“codesign”

FWIW, I am embarrassed to say that I made things much more difficult than they had to be. Simply codesigning the jdk plug-in before signing the application itself is needed. This is the only change needed to make the ButtonDemo.app work.

iOS? macOS ...?There may be a 3rd party codesigning conflict (iOS) when they build for the store.See this SO thread for discussion:https://stackoverflow.com/questions/28731267/does-my-ios-8-framework-need-its-own-code-signing-for-distribution

This is now longer necessary after late September (see thread below). The problem has been fixed and apps with the hardened runtime enabled (codesign --options runtime) can be uploaded to the Mac App Store.

I ran into the same problems. Did not manage to resolve it. In my case I don't see any com.apple.developer.associated-domains in my embedded.mobileprovision when I deploy or export the app. Maybe there is a bug in the apple codesign tool.

Hi, This issue is happening from this week. It works sometimes. Both Codesign and productsign commands are failing. I have created FB10804197. It is working from our office in California. Could you please help. regards Prema Kumar

Same problem here! Ventura 13.0.1 + Xcode 14.1 I don't have a paid Apple Developer account, I just want to generate a fresh codesigning cert for local testing. Help!

Hi @meaton, I'm reproducing this issue by running $ codesign -f -s Apple Development: <myappacountemail> (myaccountid) dist/MyAppName.app --deep Warning: unable to build chain to self-signed root for signer Apple Development: <myappacountemail> (myaccountid) dist/MyAppName.app: errSecInternalComponent Where MyAppName is application developed in the PyQt5 framework with PyInstaller as the distribution bundler. According to the PyInstaller documentation, I set the following: python3 -m PyInstaller ... --osx-bundle-identifier= Apple Development: <myappacountemail> (myaccountid) Not sure if this helps but my .spec file includes this bundle instruction: *- mode: python ; coding: utf-8 -*- MyAppName.spec -> as input for PyInstaller ... app = BUNDLE(exe, ttttttname='MyAppName.app', tttttticon='res/heartbeat.ico', ttttttbundle_identifier='com.guymeyer.myappname.ui', ttttttinfo_plist={ tttttttt'NSPrincipalClass': 'NSApplication', tttttttt'NSAppleScriptEnabled': False, tttttttt'CFBundleDoc

@eskimo, here you go: > % codesign -s Apple Development XXX -f -vvv MyTrue MyTrue: replacing existing signature Warning: unable to build chain to self-signed root for signer Apple Development XXX MyTrue: errSecInternalComponent > % security verify-cert -c Apple Development XXX.cer -p codeSign -vvv ...certificate verification successful. --- Certificate chain 0: Apple Development XXX 1: Apple Worldwide Developer Relations Certification Authority 2: Apple Root CA --- Certificate chain properties ( { error = No error.; title = Apple Development XXX; }, { title = Apple Worldwide Developer Relations Certification Authority; }, { title = Apple Root CA; } ) --- Trust evaluation results { TrustEvaluationDate = 2022-12-15 09:30:41 +0000; TrustExpirationDate = 2022-12-15 13:35:57 +0000; TrustResultDetails = ( { }, { }, { } ); TrustResultValue = 4; TrustRevocationChecked = 1; } > % codesign -s Apple Development XXX -f -vvv MyTrue MyTrue: replacing existing signature Warning: unable

It survives multiple devices, accounts and OS updates So, to be clear, you ran the test I described in my previous post and the problem persists? If so, I have some new tests for you to run. While the system is in the broken state, try to sign something with codesign. For example: % cp /usr/bin/true MyTrue % codesign -s Apple Development: UUU -f -vvv MyTrue MyTrue: replacing existing signature MyTrue: signed Mach-O universal (x86_64 arm64e) [MyTrue] replacing Apple Development: UUU with the name of your signing identity. Presumably this will fail. What does it print? Then use Keychain Access to export your signing identity’s certificate to a .cer file and run this command: % security verify-cert -c Apple Development- UUU.cer -p codeSign -vvv where Apple Development: UUU.cer is the name of the .cer file. What does it print? Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = eskimo + 1 + @ + apple.com

You tried two commands. The first one: codesign -d --entitlements - entitlements.plist /path/to/.app/ fails because you’re specifying both - and entitlements.plist. The argument after --entitlements tell it where to write the result. A value of - means stdout. You can’t then supply a second value of entitlements.plist. The second one: codesign -d --entitlements - --xml entitlements.plist /path/to/.app/ fails for similar reasons, although in this case you’ve also inserted an independent option, --xml, between --entitlements and its argument. I recommend that you have a read through the codesign man page. Also, the above is pretty standard Unix command line stuff. If that’s foreign to you, you might want to look for a tutorial on the Unix shell. If you enter unix shell tutorial into your search engine of choice, it’ll bring up a bunch of good options. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = eskimo + 1 + @ + apple.com

>Command /usr/bin/codesign failed with exit code 1?!?!Far too generic!! - need more info??We're not allowed to see posted screenshots - use your words.

For others reading this thread, it was IPv6 connections to timestamp.apple.com were unreliable. If you don't need IPv6, then you can set it to link-local only, which will force codesign to use IPv4. Thanks to @eskimo for the assist.

I dig into the issue, hence I have 2 executable files in the app under xxx.app/Contents/MacOS: M and N, M is in the Info.plist and is the CFBundleExecutable file, after signed the M with codesign, returns with this: signed app bundle with Mach-O thin (arm64) [CFBundleIdentifier]; otherwise, the N signed with codesign in the same way, returned with this: signed Mach-O thin (arm64) [N]. And I installed the APP on my machine, when I clicked the M executable file, seems it passed the gatekeeper, but I clicked the N, seems the gatekeeper check fails. I am not sure it's the reason.

Following the Apple WWDC: https://developer.apple.com/documentation/Xcode/verifying-the-origin-of-your-xcframeworks or https://developer.apple.com/videos/play/wwdc2023/10061/ which simplifying echo Build Archive Device Slice xcodebuild clean archive -sdk iphoneos -destination 'generic/platform=iOS'[...] echo Build Archive Simulator Slice xcodebuild clean archive -sdk iphonesimulator -destination 'generic/platform=iOS Simulator' [...] echo Create XCFramework xcodebuild -create-xcframework [...] -output echo Codesign XCFramework codesign --timestamp -v --sign

Yes, also on Mac where my application is seen earlier Yes, I perform install using sudo installer command which is a standard way of installation Yes, that's correct. Some more information: Running codesign --verify --deep --strict /path/to/your.app throws the following error, invalid resource directory (directory or signature have been modified) If I run sudo codesign --verify --deep --strict /path/to/your.app, it does not throw any error. I have verified the sudo command run with the verbose option, it says valid on disk and satisfies its Designated Requirement