Search results for “codesign”

3,221 results found

Post | Replies | Boosts | Views | Activity

macOS 15 (Sequoia): Endpoint Security client runs by hand, but LaunchDaemon fails with TCC “Full Disk Access” denial on unmanaged Macs
Platforms: macOS 15.x (Sequoia), Intel-Based App type: Endpoint Security (ES) client, notarized Developer ID app + LaunchDaemon Goal: Boot-time ES client that runs on any Mac (managed or unmanaged) Summary Our ES client launches and functions when started manually (terminal), but when loaded as a LaunchDaemon it fails to initialize the ES connection with: (libEndpointSecurity.dylib) Failed to open service: 0xe00002d8: Caller lacks TCC authorization for Full Disk Access We can’t find a supported way to grant Full Disk Access (SystemPolicyAllFiles) to a system daemon on unmanaged Macs (no MDM). Local installation of a PPPC (TCC) profile is rejected as “must originate from a user-approved MDM server.” We’re seeking confirmation: Is MDM now the only supported path for a boot-time ES daemon that requires FDA? If so, what’s Apple’s recommended approach for unmanaged Macs? Environment & Artifacts Binary (path placeholder): /Library/Application Support///App/.app/Contents/MacOS/ Universal (x86_64 + arm64) Notariz
Replies: 12 · Boosts: 0 · Views: 1.8k · Activity: Jan ’26
Reply to "Application damaged and can't be opened' error prompt on 15.6.1 Sequoia
Yes, also on Mac where my application is seen earlier Yes, I perform install using sudo installer command which is a standard way of installation Yes, that's correct. Some more information: Running codesign --verify --deep --strict /path/to/your.app throws the following error, invalid resource directory (directory or signature have been modified) If I run sudo codesign --verify --deep --strict /path/to/your.app, it does not throw any error. I have verified the sudo command run with the verbose option, it says valid on disk and satisfies its Designated Requirement
Topic: Code Signing · SubTopic: General · Activity: Jan ’26
DNS Proxy system extension – OSSystemExtensionErrorDomain error 9 “validationFailed” on clean macOS machine
Hi, I’m implementing a macOS DNS Proxy as a system extension and running into a persistent activation error: OSSystemExtensionErrorDomain error 9 (validationFailed) with the message: extension category returned error This happens both on an MDM‑managed Mac and on a completely clean Mac (no MDM, fresh install). Setup macOS: 15.x (clean machine, no MDM) Xcode: 16.x Team ID: AAAAAAA111 (test) Host app bundle ID: com.example.agent.NetShieldProxy DNS Proxy system extension bundle ID: com.example.agent.NetShieldProxy.dnsProxy The DNS Proxy is implemented as a NetworkExtension system extension, not an app extension. Host app entitlements From codesign -d --entitlements :- /Applications/NetShieldProxy.app: xml com.apple.application-identifier AAAAAAA111.com.example.agent.NetShieldProxy com.apple.developer.system-extension.install com.apple.developer.team-identifier AAAAAAA111 com.apple.security.app-sandbox com.apple.security.application-groups group.com.example.NetShieldmac com.apple.security.files.user-
Replies: 9 · Boosts: 0 · Views: 420 · Activity: Jan ’26
Reply to DNS Proxy system extension – OSSystemExtensionErrorDomain error 9 “validationFailed” on clean macOS machine
Thanks for the updated posts. [quote='873386022, Leo_Nagano, /thread/812857?answerId=873386022#873386022, /profile/Leo_Nagano'] legacy dns-proxy entitlement [value] [/quote] To be clear, this isn’t a legacy value. This value is used for App Store distribution, both on iOS and macOS. It’s also used for development. The -systemextension suffix is used for direct distribution using Developer ID signing. Neither value is more legacy than the other. As to what’s going wrong, you’ve tried a lot of different things and it’s hard to be sure what’s what at this state. However, this is problematic: NSExtensionPointIdentifier com.apple.system_extension.network_extension And it suggests that you could do with some high-level guidance. The best place to get that is Xcode. Consider this sequence: In Xcode 26.2, create a new project from macOS > App template. In my case I named it “Test812857”. Then create a new target within that project, using the macOS > System Extension > Network Extension template. In my case
Activity: Jan ’26
Reply to "Application damaged and can't be opened' error prompt on 15.6.1 Sequoia
[quote='873484022, oddeyed, /thread/799110?answerId=873484022#873484022, /profile/oddeyed'] My application currently requires elevated privileges or “sudo” to verify the codesign … [/quote] Lemme see if I understand this correctly: You take a Mac that’s never seen your app before. You install your app in the standard way that a user would install it. This command fails: % codesign --verify --deep --strict /path/to/your.app Instead you have to do this: % sudo codesign --verify --deep --strict /path/to/your.app Is that right? Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = eskimo + 1 + @ + apple.com
Topic: Code Signing · SubTopic: General · Activity: Jan ’26
Reply to "Application damaged and can't be opened' error prompt on 15.6.1 Sequoia
Hello Quinn, a couple of follow-up questions on this issue. My application currently requires elevated privileges or “sudo” to verify the codesign using the codesign --verify --strict command. Will this cause the Apple Gatekeeper to throw this prompt? If that is the case, why is this prompt not shown on all of the macOS machines if Gatekeeper is unable to read our application due to restricted permissions?
Topic: Code Signing · SubTopic: General · Activity: Jan ’26
Using Processor Trace on Non-Xcode Built Binary
Hiya folks! I'm David and I work on rust-analyzer, which is a language server for Rust similar to sourcekit-lsp. I'm using the new Instruments profiling tooling functionality in Xcode 16.3 and Xcode 26 (Processor Trace and CPU Counters) to profile our trait solver/type checker. While I've been able to use the new CPU Counters instrument successfully (the CPU Bottleneck feature is incredible! Props to the team!), I've been unable to make use of the Processor Trace instrument. Instruments gives me the error message Processor Trace cannot profile this process without proper permissions. The diagnostic suggests adding the com.apple.security-get-task-allow entitlement to the code I'm trying to profile, or ensure that the build setting CODE_SIGN_INJECT_BASE_ENTITLEMENTS = YES is enabled in Xcode. Unfortunately, I don't know how I can add that entitlement to a self-signed binary produced by Cargo and I'm not using Xcode for somewhat obvious reasons. Here's some information about my setup: Instruments Version 26.0 (1
Replies: 8 · Boosts: 0 · Views: 1.1k · Activity: Jan ’26
Reply to How to remove "Developer ID Application" certificate?
Then Xcode shouldn't just add dupes of these certs. What happens is signing fails, Xcode gives no guidance. And so the Xcode UI has the option to add a new one. Then you end up with dupe certs that cannot be cleaned out. Then the profiles fail if not the correct one out of the 3 dupes, and signing still fails if the cert private key isn't in the keychain. Again no guidance from Xcode on any of these signing failures. Here's one error. Xcode shows Ineligible for the profile: Provisioning profile KramViewerProvision doesn't include signing certificate Developer ID Application: ... (hash...) Here's an error when the private key isn't in the Keychain. C6BA06....: no identity found Command CodeSign failed with a nonzero exit code
Topic: Code Signing · SubTopic: General · Activity: Jan ’26
Reply to certificates expired, created new certificates and missing Mac App Distribution
[quote='872696022, joel2001k, /thread/812624?answerId=872696022#872696022, /profile/joel2001k'] As reading about Certificate types, I think this certificate is missing: [/quote] No. As I mentioned above, that platform specific distribution certificate type is no longer relevant. It’s been subsumed by Apple Distribution, which works for all platforms. [quote='872712022, joel2001k, /thread/812624?answerId=872712022#872712022, /profile/joel2001k'] What is with these 2 files? [/quote] You’re asking me?!? Seriously though, Apple’s standard processes don’t use openssl. If you go down that path, you won’t find any help from Apple sources. And I think that speaks to the main issue you’re having here: Apple’s code-signing infrastructure relies on digital identities in the keychain. A digital identity is the combination of a certificate and the private key that matches the public key in that certificate. Both of these have to be in the keychain. The openssl sequence you posted above doesn’t add the private key to the k
Activity: Jan ’26
Reply to Provisioning profile missing entitlement
OK, so definitely not your project. If you temporarily remove the iCloud key-value storage capability, the app builds, right? If so, look in the build log for an entry like this: CodeSign …/Test811382.app (in target 'Test811382' from project 'Test811382') cd …/Test811382 Signing Identity: Apple Development: Quinn Quinn (7XFU7D52S4) Provisioning Profile: iOS Team Provisioning Profile: com.example.apple-samplecode.Test811382 (5db3ba83-07fb-4780-8ca4-f87de64fd20d) Note For info on how to get the build log, see Command [something] failed with a nonzero exit code. The UUID in that entry is the UUID of the provisioning profile that Xcode is using to sign your app. You should find that in ~/Library/Developer/Xcode/UserData/Provisioning Profiles. Now dump the contents of that profile like so: % security cms -D -i 5db3ba83-07fb-4780-8ca4-f87de64fd20d.mobileprovision | plutil -p - { … Entitlements => { application-identifier => SKMME9E2Y8.com.example.apple-samplecode.Test811382 com.apple.devel
Activity: Jan ’26
Reply to Signing succeeds but validate fails with "Missing code-signing certificate"
[quote='812770021, davertay-j, /thread/812770, /profile/davertay-j'] it appears to contain 19 certificates [/quote] I agree that that’s strange. A distribution profile should only contain distribution certificates, and most teams only have one or two of those active at any one time. I recommend that you check the type of the profile and also look at the certificates embedded in the profile. [quote='812770021, davertay-j, /thread/812770, /profile/davertay-j'] Is there a way to find out which certificate is missing exactly? [/quote] Yes. TN3125 Inside Code Signing: Provisioning Profiles explains how you can pull apart the profile to work out what it authorises. You combine that with the --extract-certificates option to codesign, which allows you to determine the certificate of the code-signing identity that was used to sign the code. I’ve got some info on how to do that somewhere… Oh, right, here it is… Have a look at the Check the Signing Certificate section of Resolving Code Signing Crashes on Launch
Activity: Jan ’26
Application hanging indefinitely after successful notarization
Hi, I have an app built in Unity that I am trying to sign and notarize for distribution. I can successfully codesign the app and it runs properly. But after successfully notarizing the app, the app stops opening. My process is as follows: # codesign the app. omitting --deep --option runtime or both will result in notarization failing codesign --force --deep --verify --verbose --option runtime --sign Developer ID Application: ORG NAME (ZZZZZZZZZ) path/to/app.app # create notarization submission zip /usr/bin/ditto -c -k --keepParent path/to/app.app path/to/app.zip # submit for notarization xcrun notarytool submit --wait path/to/app.zip -v --apple-id apple@id.com --password aaaa-aaaa-aaaa-aaaa --team-id ZZZZZZZZZ Notarization seems to succeed. Running: spctl -a -vvv -t install path/to/app.app -returns: path/to/app.app: accepted source=Notarized Developer ID origin=Developer ID Application: JOHN DOE (ZZZZZZZZZ) The Problem: Before code signature, the app runs normally After code signatur
Replies: 1 · Boosts: 0 · Views: 263 · Activity: Jan ’26
Reply to Application hanging indefinitely after successful notarization
Notarisation is a read-only process, so notarising an app can’t cause it to stop working. Usually problems like this are caused by the hardened runtime. Notarisation requires that you enable the hardened runtime, so folks re-sign their app with that enabled and then it fails. There are two ways you can approach that: Run the Developer ID-signed build before you notarise it. This should hang in the same way. Enable the hardened runtime on your day-to-day development builds. This lets you debug this issue like you would any other hang. Resolving Trusted Execution Problems has a section on debugging hardened runtime issues, namely Resolving Hardened Runtime Incompatibilities. Oh, one more thing. This is problematic: codesign --force --deep --verify --verbose --option runtime --sign Developer ID Application: ORG NAME (ZZZZZZZZZ) path/to/app.app To start, you’re supplying both --verify and --sign, which is never a good idea. For any given invocation of codesign, you should do one or the other. Ne
Topic: Code Signing · SubTopic: Notarization · Activity: Jan ’26
Reply to Get identities from a smart card in an authorization plugin
Thanks for the extra info. First up, an SFAuthorizationPluginView can’t support smart card authentication in the same way as the built-in login UI can (FB11978008). That’s because the built-in UI populates various authorization context values but SFAuthorizationPluginView does not. The name and format of these values is not documented, so the authorization plug-in can’t work around this issue itself. However, that’s not what you’re trying to do. Rather, you’re trying to simply use smart-card-backed credentials, and that’s more feasible. There’s one thing to check here, and then a roadblock to get around. The thing to check is that your smart card is available in pre-login context. To do that, disable your authorisation plug-in, reverting to the built-in login UI. Then check that you can use the built-in PIV smart card support to pair your user with your smart card, and thus log in with your YubiKey. I don’t have docs for how to do that handy — that’s more of an Apple Support thing than a DTS thing — but I do it
Topic: Privacy & Security · SubTopic: General · Activity: Jan ’26
Unable to run embedded binary due to quarantine
Hi! I've been scratching my brain for a few days now to no avail. I have a Perl project that I need to embed within my app. Perl includes a pp command (https://metacpan.org/pod/pp) which takes the runtime binary and then slaps the Perl code at the end of the binary itself, which brings some woes in a sense that the binary then needs to be fixed (https://github.com/rschupp/PAR-Packer/tree/master/contrib/pp_osx_codesign_fix) by removing the linker-provided signature and fixing LINKEDIT and LC_SYMTAB header sections of the binary. Nevertheless, I've successfully gotten the binary built, fixed up and codesigned it via codesign -s '$CS' mytool (where $CS is the codesigning identity). I can verify the signature as valid using codesign -v --display mytool: Identifier=mytool Format=Mach-O thin (arm64) CodeDirectory v=20400 size=24396 flags=0x0(none) hashes=757+2 location=embedded Signature size=4820 Signed Time=5. 1. 2026 at 8:54:53 PM Info.plist=not bound TeamIdentifier=XXXXXXX
Replies: 4 · Boosts: 0 · Views: 467 · Activity: Jan ’26