codesign

I work on a mac app that gets signed by a script written by another group at my company. In the past that script, which runs on 10. has produced a valid signed binary (according to checking with codesign and spctl).It seems starting with 10.10.4, our signed binary isn't being checked as correct when a user launches (after downloading from a website, which puts the binary in quarenteen).On 10.10.5, I get this when I attempt to launch:10/13/15 12:58:38.456 PM CoreServicesUIAgent[32675]: Error -60005 creating authorization10/13/15 12:58:40.551 PM CoreServicesUIAgent[32675]: Error: No signature database10/13/15 12:58:40.554 PM CoreServicesUIAgent[32675]: Cannot load Interface Builder file '/System/Library/Frameworks/AppKit.framework/Resources/English.lproj/NSAlertPanel.nib'10/13/15 12:58:40.554 PM com.apple.xpc.launchd[1]: (com.apple.xpc.launchd.oneshot.0x10000038.<appname replaced by me>[32822]) Service exited due to signal: Killed: 9I tried with the latest beta of 10.11.1, and it seems to launch

Is this a supported configuration for Mac sandboxed applications as well as Mac App Store applications?Dynamically link to a dylib in /usr/local/lib/ that may or may not be codesigned, and may or may not have been installed by a third party.The documentation tells me how to load dylibs from this location, but it's not altogether clear whether or not this is supported in the mixed scenario I describe above. This is the use case I'm trying to resolve:I currently have a MAS app that is statically bound to a Unix library in the application bundle. It's worked well this way since 2003!However my strategy is (tentatively) this: I would redeploy this as a dynamic library and use it pretty much as in, in the application bundle, unless a newer version of the dylib is found in the standard system location (/usr/local/lib/).The thing is, this is a standard Unix tool that can be built by users with cmake or even installed via homebrew, and so there's no guarantee that I can ensure that it's codesigned,

This document describes how to debug code signing entitlement problems, with specific reference to the entitlements used by the Network Extension framework.The document was written for Xcode 7.0.You may also want to review Technote 2415 Entitlements Troubleshooting, which is a more official take on the subject.Check the Built BinaryThe first step in debugging code signing entitlement problems is to check the actual entitlements of the binary. Xcode’s process for setting entitlements is quite complex, and it depends on various inputs, so it’s important to start by checking the output rather than looking at just the inputs.To check the entitlements in your binary run the following command:$ codesign -d --entitlements :- NetworkExtensionSample.app Executable=…/NetworkExtensionSample.app/NetworkExtensionSample <?xml version=1.0 encoding=UTF-8?> <!DOCTYPE plist PUBLIC -//Apple//DTD PLIST 1.0//EN …> <plist version=1.0> <dict> <key>application-identifier</key> <string&

Since about a few month ago our support started to receive sporadic reports about inability to run our applications, downloaded from our website. Applications itself is properly signed and codesign check passes well. However customers sent us several console logs and we've found tricky records there:10/19/15 15:42:32.979 CoreServicesUIAgent[30385]: Cannot load Interface Builder file '/System/Library/Frameworks/AppKit.framework/Resources/English.lproj/NSAlertPanel.nib' 10/19/15 15:42:32.979 com.apple.xpc.launchd[1]: (com.apple.xpc.launchd.oneshot.0x1000007d.APPLICATION[51602]) Service exited due to signal: Killed: 9The culprit is a Gatekeeper however nib(s) (the same but path vary for different OS languages) itself at place and with proper permissions. Once customer switch off Gatekeeper y settings ability to run application downloaded from anywhere (opposite to default MAS + identified developers), application runs well after passing verification and shows dialog about whether one want to run applica

Hello everyone,I am currently trying to upload a MAC PC game to iTunes Connect but I keep getting the following error message via Email from Apple right after I have uploaded the pkg file: (Btw. There are no other error messages coming from the Application Loader other than The resulting API file is too larger...----------------Dear developer,We have discovered one or more issues with your recent delivery for Gamename. To process your delivery, the following issues must be corrected:Invalid Signature - The main app bundle gamename at path gamename.app has following signing error(s): --prepared:/Volumes/data01/app_data/dstr/mz_6515889277427173166dir/mz_8102933281085003109dir/com.publishername.gamename.pkg/Payload/Gamename.app/Contents/Frameworks/MonoEmbedRuntime/osx/libmono.0.dylib --validated:/Volumes/data01/app_data/dstr/mz_6515889277427173166dir/mz_8102933281085003109dir/com.publishername.gamename.pkg/Payload/Gamename.app/Contents/Frameworks/MonoEmbedRuntime/osx/libmono.0.dylib --prepared:/Volumes/data01/ap

Our app is distributed outside of the App Store and is signed using our Developer ID Application cert.Under El Capitan, we get the ...can’t be opened because the identity of the developer cannot be confirmed. alert when trying to launch it when using the Mac App Store and identified Developers policy. Under Yosemite and Mavericks it is fine.On El Capitan, spctl -a -v Our.app returns:Our.app: rejected source=obsolete resource envelopewhile on Yosemite on the same version of the app we getOur.app: accepted source=Developer IDThe app is built on a Mac running 10.10.5.On all OSes (including El Cap), codesign --deep --verify --verbose Our.app returnsvalid on disk satisfies its Designated Requirementand check-signature reports no issues either.codesign -dv our.app returns:... Sealed Resources version=2 rules=12 files=286 ...and doing the same on the embedded Sparkle Framework also reports version=2What changed in El Capitan that could cause this?If anyone is able to check the app themselves for anything 'o

Hi guys,I'm tearing my hair out with this, i have been exporting my certificate for signing and installing on my new machine many times but since i have updated to El Capitan, i have been having issues. At first, i thought i must be exporting wrong, so i created a brand new certificate from the portal and installed but yet i have the same problem.The certificate and key exists in the keychain, but then when i build to device, it checks the keychain to authorise the use of the certificate and keychain and all that happens is the alert window appears requesting the codesign wants to sign using key x in your keychain and the buttons Always Allow, Deny and Allow, when i press Always allow or allow, nothing happens, only deny works. Whats going??? Surely im not doing something wrong am i? ThanksAndrew.

Greetings reader,Backstory:For a long time we've been using Unity to distribute apps for multiple platforms. To automate building we're using the UnityCloud Build Server - service.Recently they've added the possibility to build to os x as well. (32,64 and universal).When done so we can download a zip inclusing the build .appNow, we like to distribute in enterprise format. But our test imac began yelling stuf about unknown developers. So we needed signing.I've downloaded the developer application id certificate to sign this app and the developer installer certificate to productbuild it to a .pkg/installerSigning finally worked out but feels... sketchyTo sign i need to fix read permissions first because it was build on another machine (the cloud)Then set the internal .plist info to our desired settings (like versioning and bundle id)Then force/deep sign with our codesigning identity and build it to a packagePerhaps it feels sketchy beacuse im not well acquainted to the apple environment and it feels i

Hello,Disclaimer: This *could* be a codesigning/security question or it could be a question about running Macs as VMs.I'm working on a Mac installer that installs an Application and an Internet Plug-In under the current user's home directory. After running the installer, you should be able to go to certain web pages that load our plugin which launches our app which enables you do stuff. It mostly works! Even on 10.10!But one case where we are running into issues is when the user has their home directory on a NFS network share. In this case the plugin is not getting loaded. Looking at system.log, I can see numerous eye raising messages such asNov 5 09:28:30 connect-install-bug.local apsd[49]: Certificate not yet generated Nov 5 09:28:30 connect-install-bug.local amfid[869]: /aspera/usr/owen/Library/Internet Plug-Ins/Aspera Web 3.6.2.111584-6.plugin/Contents/MacOS/Aspera Web signature not valid: 0x186adI can verify the plugin's signature connect-install-bug:Internet Plug-Ins owen$ codesign -vv

I would like to know the correct way to verify the clients connecting to a launch daeomon using the NSXPCConnection API. Is there a way to validate the codesigning of a client connecting using MachServices?

Hey everyone,We have an enterprise developer account and have two distribution certificates. Both are expiring in 2016, one in February and one in November of 2016. The problem is that we have lost the private key associated with the November cert so it cannot be used to sign .ipa's.We have 3 apps deployed to end users using an MDM solution, and with our distribution certificate expiring soon, we want to revoke the incomplete November cert (because Apple only lets us have two active distribution certs) and create a new one to sign our apps. The problem is that we are not sure which certificate was used to sign the apps, it could be the February one or it could be the November one before the private key was lost. Thus, we are hesitant to revoke the November one in case an app was actually signed with that certificate and becomes non-functional.Thus, my question is, is there a way to check which certificate was used to sign an .ipa? I have been able to find commands for the terminal such as codesign -d

I've been looking into distributing an OS X application outside the store.However, whenever I run the installer on another mac, I get gatekeeper describing the application as unsafe.What can I do I need to do to codesign the applcation for distribution outside the app store? and do I need a third party certificate? Thank you