Search results for: codesign
3,110 results found


Reply to Dynamic Library cannot call exposed C function
@DTS Engineer as an aside for extra info. I'm adding the xcframework via cocoapods and I have tried to modify the signing of the framework via the following script in the podspec. I know Apple might not encourage the usage of Cocoapods but this is needed so we can distribute our library through several platforms

s.script_phase = {
  :name => 'Sign Framework Binary',
  :execution_position => :before_compile,
  :script => <<-SCRIPT
    echo "🟦🟦🟦🟦🟦🟦🟦 Framework Binary Signing Script ==="
    # Use BUILT_PRODUCTS_DIR which points to BuildProductsPath
    FRAMEWORK_DIR="${BUILT_PRODUCTS_DIR}/../XCFrameworkIntermediates/${PRODUCT_NAME}/sdk.framework"
    # Debug: Print the expected path
    echo "Looking for framework at: $FRAMEWORK_DIR"
    if [ -d "$FRAMEWORK_DIR" ]; then
      # Try different ways to get signing identity
      SIGN_IDENTITY="$EXPANDED_CODE_SIGN_IDENTITY"
      if [ -z "$SIGN_IDENTITY" ] || [ "$SIGN_IDENTITY" = "-" ]; then
        SIGN_IDENTITY="$CODE_SIGN_IDENTITY"
      fi
      if [ -z "$SIGN_IDENTITY" ] || [ "$SIGN_IDENTITY" = "-" ]; then
        # Use the first availab
Topic: Code Signing SubTopic: General Tags:
Aug ’25
Reply to App IPA upgrade loses access to keychaingroup
There are two important criteria for evaluating keychain access groups: the list of groups you can access, and the default keychain access group, that is, the one used when you add an item and don’t specify a group. Sharing access to keychain items among a collection of apps explains how these are set based on three different entitlements in your app’s code signature. When debugging problems like this, I recommend that you unpack the old and new .ipa files (they’re a zip archive under the covers) and dump the entitlements of both apps:

% codesign -d --entitlements - /path/to/your.app

Compare the two to see what’s changed. Once you understand what’s changed, you can then start investigating how the new app got signed in that way, and then work out how to fix it. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"
Topic: Privacy & Security SubTopic: General Tags:
Aug ’25
Reply to app is already signed / code object is not signed at all
I’ve seen problems like this before. In one case it was because the developer was passing multiple subcommands to the codesign command. That is, they were passing in --sign (aka -s) and --verify (aka -v) to the same codesign invocation, and that caused weird issues. And the solution was to stop doing that (-: However, the most common cause is that the app doesn’t follow the rules in Placing content in a bundle or you’re not following the steps to sign nested code in Creating distribution-signed code for macOS. Consider this example:

% mkdir -p MyTrue.app/Contents/MacOS
% cp /usr/bin/true MyTrue.app/Contents/MacOS/MyTrue
% cp /usr/bin/false MyTrue.app/Contents/MacOS/MyFalse
% codesign --remove-signature MyTrue.app/Contents/MacOS/MyFalse
% codesign --remove-signature MyTrue.app/Contents/MacOS/MyTrue
% codesign -s - MyTrue.app
MyTrue.app: code object is not signed at all
In subcomponent: /Users/quinn/Test/MyTrue.app/Contents/MacOS/MyFalse

This bundle structure is corr
Topic: Code Signing SubTopic: General Tags:
Aug ’25
Gatekeeper rejects application bundles with a file name with an NFC/NFD problem by copying with Finder
I made a macOS application using Swift Package and distributed it in dmg format through Apple Notary service. However, we received a report from a user that it can be launched from a disk image mounted from dmg, but when copied to /Applications, the app is broken and does not start. When I looked into why this happened, I noticed that the codesign command returned different results for the application bundle on the mounted dmg volume and for the copy made in /Applications with Finder. Mounted dmg: OK

❯ codesign --verify --deep --verbose /Volumes/azoo-key-skkserv/azoo-key-skkserv.app
/Volumes/azoo-key-skkserv/azoo-key-skkserv.app: valid on disk
/Volumes/azoo-key-skkserv/azoo-key-skkserv.app: satisfies its Designated Requirement

Copied by Finder: Bad. codesign reports that there are 148 added/missing files.

❯ codesign --verify --deep --verbose /Applications/azoo-key-skkserv.app
/Applications/azoo-key-skkserv.app: a sealed resource is missing or invalid
file added: /Applications/azoo-key-skkser
Topic: Code Signing SubTopic: General
Aug ’25
Reply to unzip identifier is not unique?
Consider this:

% ls -i /usr/bin/zipinfo /usr/bin/unzip | cat
1152921500312524002 /usr/bin/unzip
1152921500312524002 /usr/bin/zipinfo

unzip and zipinfo have the same inode number, meaning that they are both hard links to the same file. That’s why you’re seeing inconsistent signing identifiers. I suspect that the OS build process is signing one and then signing the other, and you get the identifier for whichever one it did last. That’s curious, and it’s something that I’d like to file a bug about. Before doing that I’d like to nail down the details as to where you see which behaviour. I tested this locally and I always see com.apple.zipinfo:

% codesign -d -v /usr/bin/unzip
…
Identifier=com.apple.zipinfo
…

This was on macOS 14.x, macOS 15.5, and macOS 26.0 beta. Where are you seeing com.apple.unzip? As to what you should do in your app, you can craft an LWCR that supports either identifier:

let lwcr = try LaunchCodeRequirement.allOf {
    ValidationCategory(.platform)
    anyOf {
        SigningIdentifier(com.apple.unz
Topic: Code Signing SubTopic: General Tags:
Aug ’25
Safari App Extension fails to connect to CloudKit daemon (cloudd) with XPC communication errors -- CKErrorDomain Code=6 / NSCocoaErrorDomain Code=4099 – Unable to connect to CloudKit daemon
I'm working on a macOS app with a Safari web extension. I'm trying to share a SwiftData model between devices using CloudKit synchronization. I am able to get synchronization in the main app on the same device, CloudKit sync works correctly — changes appear in the CloudKit Dashboard under com.apple.coredata.cloudkit.zone. However, in the Safari App Extension, data is saved locally and persists across launches, but never syncs to CloudKit. I have followed the recommended practices for configuring the App Group and entitlements, but the issue persists. Questions: Is there an official limitation preventing Safari App Extensions from connecting to the CloudKit daemon (cloudd)? If not, what entitlements or configuration changes are required for a Safari App Extension to successfully sync with CloudKit? Is the xpc_error=159 from bootstrap_look_up() a known sandbox restriction for this extension type? Any guidance from Apple engineers or others who have successfully used CloudKit from a Safari App Extension would be
Aug ’25
Reply to PCIDriverKit entitlements during development
In the meantime, I've discovered a few more facts, which I'll detail here. I'll also file some bugs and attach their numbers here. Perfect, thank you. I did manage to get a PCI driver to match and install on a victim machine. I used an Xcode-generated profile that includes our own PCI entitlement, but installed the driver on a machine with entitlement checks turned off. Yep, that will work. It's not something I can really recommend (for obvious reasons), but it is intentional that this does work. Moving to here: I then tried making a USB driver for development (for a vendor ID we don't have an entitlement for). On my usual Mac, the driver won't load because the entitlement in my provisioning profile is for a specific vendor ID - I can't choose the development USB transport capability. First, as a quick clarification, the term capability is basically a term Xcode invented for its own UI because what it's actually showing is a mix of: Entitlements Other stuff (like Info.plist keys) which are NOT in fact entitle
Topic: Code Signing SubTopic: Entitlements Tags:
Aug ’25
Reply to Gatekeeper acts against .app package developed by a freelancer for our company
[quote='852386022, VBFSDEV, /thread/795578?answerId=852386022#852386022, /profile/VBFSDEV'] they will have access to all certificates, as you cannot grant selective certificate access. [/quote] I think you’re confused by the terminology here (an industry-wide problem, alas). It’s fine to give anyone access to a certificate. It only contains a public key. To sign code you need a digital identity, aka a code-signing identity, which is a certificate and the private key that matches the public key in that certificate. So, there’s no issue with your freelancer being able to access your Developer ID certificate [1]. What you have to protect is the matching private key. I discuss this terminological confusion in more detail in TN3161 Inside Code Signing: Certificates [quote='852386022, VBFSDEV, /thread/795578?answerId=852386022#852386022, /profile/VBFSDEV'] there is no solution to perform our signing process without granting the freelancer access to our app store connect account, correct? [/quote] It’s not that ther
Topic: Code Signing SubTopic: General Tags:
Aug ’25
Reply to PCIDriverKit entitlements during development
When I look at the available capabilities I can add to an app identifier on the Developer portal, I see com.apple.developer.driverkit.transport.usb, which is development only. There's no development only capability for PCI. Yes, and please file a bug about this and post the bug number back here. I don't know WHY there isn't a development only entitlement (I wasn't involved with DriverKit at the time), but it's a decision I'd like to revisit. And yes... Does this mean it isn't possible to develop even a proof-of-concept PCI driver without being first granted the DriverKit PCI (Primary Match) entitlement? ...that's exactly what it means. You could do this by disabling SIP (and possibly AMFI), but you can't use the more elegant flow the development entitlements allow. In addition: When adding capabilities to a driver, the list of available capabilities shown in Xcode has one DriverKit PCI (Primary Match) entry, but if I double-click it, two such entries appear in the Signing and Capabilities tab for my driver ta
Topic: Code Signing SubTopic: Entitlements Tags:
Aug ’25
Reply to CloudKit it writes to development container, not Production
CloudKit uses your app’s com.apple.developer.icloud-container-environment entitlement to discover whether you’re using a Development or Production version of your provisioning profile, as documented in Testing Your Code Using the Development Container. Apps running on simulators use the Development environment; apps running on a device with Xcode by default use the Development environment as well. If that is the way you run your app to populate the data, the data will go to the Development environment. TestFlight and App Store apps by default use the Production environment, and so I am wondering if you unintentionally change the entitlement to have your app use the Development environment. You can verify by running the following command line:

$ codesign -d --ent :-

The output should contain something like this:

aps-environment production

If you see that the value of the key is development, that will explain why your app writes to the Development environment, and you can double check if you chang
Aug ’25
Reply to Gatekeeper acts against .app package developed by a freelancer for our company
[quote='852314022, VBFSDEV, /thread/795578?answerId=852314022#852314022, /profile/VBFSDEV'] do you mean adding the freelancer to my app store connect account? [/quote] Yes. Just like you would do for iOS. [quote='852314022, VBFSDEV, /thread/795578?answerId=852314022#852314022, /profile/VBFSDEV'] which role would you recommend … ? [/quote] That’s a balance between what authority you want to grant them and how much time you want to spend servicing their requests for credential manipulation. Although, having said that, I’ll note that this is no different than it is for iOS. IMPORTANT There’s one thing to watch out for here. If you make them an Admin, don’t explicitly allow them to created Developer ID certificates. See the “Create cloud-managed Developer ID certificates” row in Developer > Support > Articles > Program Roles. [quote='852314022, VBFSDEV, /thread/795578?answerId=852314022#852314022, /profile/VBFSDEV'] You also say that we should not grant access to any certificates [/quote] There are multi
Topic: Code Signing SubTopic: General Tags:
Aug ’25
Reply to Gatekeeper acts against .app package developed by a freelancer for our company
Hi Quinn, Thanks for your reply, yet I'm still a little confused, as mentioned all I've done so far is to release mobile apps through automated signing via Xcode for iOS (iPhones and iPads). I am also not sure if the freelancer developed the app within Xcode. Can you maybe be more precise regarding: Regarding 1., do you mean adding the freelancer to my App Store Connect account? If not, where? If so, which role would you recommend, according to the principle of least needed access? You also say that we should not grant access to any certificates, so I'm a little confused by this proposition. Regarding 2., are we supposed to provide that Apple Developer Identity to him? Regarding 5., do you mean codesign the app with the Developer ID I generated and then notarize the app? If I understand things correctly, these two things have to be done also in the future before releasing any update, correct?
Topic: Code Signing SubTopic: General Tags:
Aug ’25
Reply to macOS Content Filter: Entitlement Error - Legacy vs. -systemextension Mismatch
I followed the instructions in the link you provided: Exporting a Developer ID Network Extension: https://developer.apple.com/forums/thread/737894 However, when I try to open the application, I receive a popup error: The application can’t be opened. When I check the macOS console log, I see the error: Unsatisfied entitlements. Specifically:

error 12:01:34.578205+0700 taskgated-helper com.xxx.xxx: Unsatisfied entitlements: com.apple.developer.system-extension.install, com.apple.developer.networking.networkextension, com.apple.developer.team-identifier

However, when I inspect the application using the terminal command:

codesign -d --entitlements

I see that my application is signed and contains all the necessary entitlements, including:

com.apple.developer.system-extension.install
com.apple.developer.networking.networkextension with the value content-filter-provider-systemextension
com.apple.developer.team-identifier = 63D4662568

Can you please help me resolve this issue?
Aug ’25