I have been using the following commands for codesign, for two apps in my script: sudo codesign -f --deep --options=runtime --strict -s $CODE_SIGN_CERTIFICATE $BUNDLE_DIR/APP1.app --timestamp --verbose sudo codesign --timestamp -f --deep --options=runtime --strict -s $CODE_SIGN_CERTIFICATE $OUTPUT_DIR/APP2.app --verbose APP1 gets signed, and staple and validate action for it says successful. However, APP2 fails every time with the error: A timestamp was expected but was not found This was working fine until a few days ago but it fails every time since yesterday morning. I looked around and tried following things but nothing worked: timestamp=none or removing timestamp flag altogether timestamp=http://timestamp.apple.com/ts01 [and several other free timestamp urls] removing strict flag. I'm working on Ventura, and the apps were created with QT 5.9.0. Xcode version = 14.1. Requesting any kind of help at the earliest. Thanks in advance

Hi, I created an app in Electron and I'm using electron forge to make the app and pkg file. Each time I make the project the .app and .pkg files are created with no errors. When I run the "spctl -a -vvv -t install" command on the .app file, it says that the app is accepted. However, when I run the command on the .pkg file it says that it is rejected with "source=Unnotarized Developer ID" and the "origin=Develop ID Installer: " is the valid certificate that I created. Is someone able to help me troubleshoot this issue?

This post is part of a cluster of posts related to the trusted execution system. If you found your way here directly, I recommend that you start at the top. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" Resolving Gatekeeper Problems Gatekeeper strives to ensure that only trusted software runs on a user’s Mac. It’s important that your code pass Gatekeeper. If not, you’re likely to lose a lot of customers, and your users’ hard-won trust. There are four common Gatekeeper problems: App blocked by a dangling load command path Broken code signature Lack of notarisation Command-line tool blocked by Gatekeeper The first problem is by far the most common. For the details, see Resolving Gatekeeper Problems Caused by Dangling Load Command Paths. For general information about Gatekeeper, read Apple > Developer > Signing Mac Software with Developer ID and Apple > Support > Safely open apps on your Mac. IMPORTANT This post focuses on Developer ID-signed code. Gatekeeper should not block App Store apps. If an app downloaded from the App Store fails to run, it’s likely to be some other trusted execution issue. For more about this, read Resolving Trusted Execution Problems. Verify Your Signature A good first step in any Gatekeeper investigation is to verify that your code is signed correctly. Use the codesign tool for this: % codesign -v -vvv --strict --deep MyApp.app The -vvv options increase verbosity to the point where codesign will give you useful diagnostics. For example: % codesign -v -vvv --strict --deep "Munged.app" Munged.app: a sealed resource is missing or invalid file added: …/Munged.app/Contents/Resources/names/Adam.txt file modified: …/Munged.app/Contents/Resources/names/Morgan.txt file missing: …/Munged.app/Contents/Resources/names/Rhonda.txt This app was changed after it was signed in three different ways: Adam.txt was added. Morgan.txt was modified. Rhonda.txt was removed. You might see some results that make no sense. For example: Start with an app with a valid code signature: % codesign -v -vvv --strict --deep "NotNormal.app" NotNormal.app: valid on disk NotNormal.app: satisfies its Designated Requirement Use the Finder to create a zip archive (File > Compress). Use the Finder to unpack that archive. Check the code signature of the unpacked file: % codesign -v -vvv --strict --deep "NotNormal 2.app" NotNormal 2.app: a sealed resource is missing or invalid file added: …/NotNormal 2.app/Contents/Resources/names/Zoë Schrödinger.txt file missing: …/NotNormal 2.app/Contents/Resources/names/Zoë Schrödinger.txt There are two things to note here. First, just compressing and decompressing the app broke its code signature. Weird! Second, look at the error messages. It seems that the Zoë Schrödinger.txt file is was both added and removed. Weirder! To see what’s going on here you have to look at a hex dump of the file name: % ls "NotNormal.app/Contents/Resources/names" | xxd 00000000: 5a6f c3ab 2053 6368 726f cc88 6469 6e67 Zo.. Schro..ding 00000010: 6572 2e74 7874 0a er.txt. % ls "NotNormal 2.app/Contents/Resources/names" | xxd 00000000: 5a6f 65cc 8820 5363 6872 6fcc 8864 696e Zoe.. Schro..din 00000010: 6765 722e 7478 740a ger.txt. The names are not the same! The app started out with the ë in precomposed form and the ö in decomposed form. Compressing and decompressing the app converted the ë to its decomposed form, and that change broke the code signature. Programs that deal with Unicode are expected to ignore differences in normalisation. Sadly, Apple’s code signing implementation missed that memo (r. 68829319). For more details see this post but the executive summary is that it’s best to stick to ASCII when naming files in a bundle. Identify a Notarisation Problem Gatekeeper requires that your app be notarised. If not, it will block the execution of your app with a generic, user-level message. If you find your app blocked by Gatekeeper, check if this is a notarisation issue by looking in the system log for an entry like this: type: info time: 2022-05-11 14:57:21.812176 -0700 process: syspolicyd subsystem: com.apple.syspolicy category: default message: ticket not available: 2/2/8b7410713591e6c79ea98f0132136f0faa55d22a Note If the ticket details show as <private>, enable private data in the system log. For information on how to do that, see Recording Private Data in the System Log. For general information about the system log, see Your Friend the System Log. The long hex number is the code directory hash, or cdhash, of the offending code. In this example, it’s the cdhash of the app itself: % codesign -d -vvv /Applications/NotNotarised.app … CDHash=8b7410713591e6c79ea98f0132136f0faa55d22a … However, in some cases it may be the cdhash of some library referenced by the app. For more information about cdhashes, see TN3126 Inside Code Signing: Hashes. Resolve a Notarisation Problem The obvious cause of this problem is that you haven’t notarised your app. For information on how to do that, see Notarizing macOS Software Before Distribution. If you have notarised your app and yet you still see this problem, something more subtle is happening. For example, your app might reference a dynamic library that wasn’t seen by the notary service. To investigate this: Fetch the notary log for your app. For advice on that, see Fetching the Notary Log. Confirm that the notary log matches the app you installed. Look in the notary log for the sha256 property. Its value is a SHA-256 hash of the file received by the notary service. Check that this matches the SHA-256 hash of the file you used to install your app. If not, see Hash Mismatch, below. Search the notary log for the cdhash value from the Gatekeeper log message. If the notary log doesn’t contain that cdhash, that code wasn’t included in the notarised ticket. It’s possible that you failed to submit the code to the notary service, that it was switched out with a different version after you notarised your app, that it was package in some way that the notary service couldn’t see it, or that something went wrong within the notary service. Hash Mismatch If you stapled your notarised ticket to the file used to install your app then the hashes in step 2 of the previous section won’t match. What to do depends on the file type: If the file used to install your app was a zip archive (.zip), you definitely have the wrong file. Zip archives don’t support stapling. If the file used to install your app was a signed disk image (.dmg), compare the disk image’s cdhash with the cdhash for the disk image in the notary log. If those match, you know you’re working with the same disk image. To dump a disk image’s cdhash, run the codesign tool as follows: % codesign -d -vvv DISK_IMAGE … CDHash=d963af703ac2e54af6609e9ad309abee7b66fae2 … Replace DISK_IMAGE with the path to your disk image. If the file used to install your app was a disk image but it wasn’t signed, switch to a signed disk image. It’s generally a better option. If the file used to install your app was an installer package (.pkg), there’s no good way to know if this is the correct package. In this case, modify your notarisation workflow to retain a copy of the file before it was modified by stapler. Tool Blocked by Gatekeeper If your product includes a command-line tool, you might notice this behaviour: When you double click the tool in Finder, it’s blocked by Gatekeeper. When you run the tool from within Terminal, it works. This is a known bug in macOS (r. 58097824). The issue is that, when you double click a tool in the Finder, it doesn’t run Gatekeeper’s standard execution logic. Rather, the Finder passes the tool to Terminal as a document and that opens a window (and associated shell) in which to run that document. This triggers Gatekeeper’s document logic, and that logic always blocks the tool. There are two ways around this: Embed your tool in an application. If the user runs the application first, Gatekeeper runs its normal application check. If the user allows the app to run, Gatekeeper records that decision and applies it to the app and any code within the app, including your tool. Install your tool using an installer package. When the user goes to install the package, Gatekeeper checks it. Assuming that check passes, Gatekeeper does no further checks on the content it installed. Revision History 2022-05-20 Added the Verify Your Signature section. Made other minor editorial changes.

Hey I need some... direction here. I have 2 developer "ids". Apple Development : ***@*** (ID) Apple Distribution : Company *** (ID) Now I can notarize my software using Apple Development, but I cant using Apple Distribution as it says "message": "The binary is not signed with a valid Developer ID certificate.",. What should I do to make this thing... ship-able & release-able? I'm using CMAKE, Clion, no xcode to do it automatically sadly... Can some1 hint me what ID should I use for public release? Regards Dariusz

I have an application which has .py files inside it (it's a developer tool and the python executable must be provided by the user). This means that when the user executes the application .pyc files are generated inside it (it's not possible to pre-generate those because the user can select the python interpreter he wants to use and having the .pyc for all existing python interpreters is unwieldy). So, I can sign and execute the application and all works well initially, but after the user executes code the notarization is no longer valid due to the pycache and .pyc files generated internally. Is there a way out to make the notarization work in this scenario?

I am having the similar problem expressed through numerous posts over the years (each of which I have read carefully, attempted to resolve based on those solutions, yet have a unique scenario here). When attempting to build/run on any of my iPhone test devices it is failing to install the provisioning profile: A valid provisioning profile for this executable was not found. Domain: com.apple.dt.MobileDeviceErrorDomain Code: -402620395 Here's a breakdown of what I have done, but first... NOTE: I have 2 separate apps that I'm testing. All of the following settings are the same for both. One of them runs fine, but the other fails as described. To start totally clean I did the following: Upgraded xCode to the latest (14.2) version Updated my iPhone to latest version 15.7.3 I deleted all my provisioning profiles, signing certifications, developer certificates, etc. and went and recreated them all from scratch. Created a new certificate signing request files, then used them to create new distribution certificate and APN certificates (downloaded aps.cer, double clicked to install to Keychain Access. Created new provisioning profiles, downloaded, double clicked to install to xcode (but they don't show up or work). After doing this one of my apps runs fine on my devices but the other still throws that same error about the provisioning profile??? I have also tried a number of the various suggested solutions: Went into xCode > Windows > Devices and Simulators and right clicked on my device to select Show Provisioning Profiles... deleted them from here, then clicked "+" to attempt to add it manually but the error pops up "Failed to install one or more provisioning profiles on the device." I have tried unchecking "Automatically manage signing" in xCode then manually selecting the provisioning profile, but when attempting to build/run on device the same error happens. I have even gone into Users/MYACCOUNT/Library/MobileDevice/Provisioning Profiles and confirmed the individual .mobileprovision files are there (I deleted all of the other ones just to make sure). Really could use some help here... again, the bizzare thing is I started with a clean slate, took the same steps with 2 separate apps, one works fine but the other continues getting this error? What am I missing???

According to https://developer.apple.com/forums/thread/677139 such certs dont appear in Keychain assistant or security find-identities ******, but sure, I can take that. security export-smartcard shows my cert up: ==== certificate #4 class : "cert" subj : &lt;aaaaaaaaaa cenc : 3 ctyp : 3 pkhh : &lt;aaaaa aaaa&gt; agrp : "com.apple.token" pdmn : "dk" labl : "Certificate For Card Authentication (Developer ID Application: XXXXX)" UUID : "XXXX-XXXXX" mdat : 2000-00-00-00 slnr : &lt;XXXXX&gt; sync : 0 sha1 : &lt;XXXXX&gt; tkid : "com.apple.pivtoken:XXXXXX" musr : &lt;&gt; cdat : 2000-***-XX-*** tomb : 0 issr : &lt;XXXX&gt; skid : &lt;XXXXX&gt; accc : constraints: { ord : true } protection: { tkid : "com.apple.pivtoken:XXXX" } Now that question is, how do I tell codesign to use this certificate?

I've discovered that some of my third party intel dylibs are using the old LC_VERSION_MIN_MACOSX, which I'm pretty sure are causing library loading problems. My reasoning is that the arm versions all use the new format and works. The intel version works without signing and notarisation, but not when signed and notarised. See: https://developer.apple.com/forums/thread/127450 "The LC_VERSION family of load commands are no longer emitted when targeting the latest versions of the operating systems. Those commands are superseded by LC_BUILD_VERSION." https://developer.apple.com/forums/thread/659964 Just wondering what the incantation is to change from the old to the new so that: myThirdPartyPlugin.dylib: Load command 8    cmd LC_VERSION_MIN_MACOSX  cmdsize 16  version 10.7    sdk 10.15.4 becomes something like: myThirdPartyPlugin.dylib: Load command 8    cmd LC_BUILD_VERSION  cmdsize 32  platform MACOS   minos 12.0    sdk 12.3   ntools 1    tool LD  version 820.1 Thanks in advance for your time and response. Stew

I'm trying to overcome a problem by changing the build versions within some third party dylibs. See https://developer.apple.com/forums/thread/726412. However, I'm getting an error when I run the command: vtool -set-build-version macos 12.0 12.0 -replace -output "/Volumes/Data/Projects/MyApp/Pharo/Builds/1.0.0/Bundle/intel64/MyApp.app/Contents/MacOS/PluginsFixed/libUnixOSProcessPlugin.dylib" "/Volumes/Data/Projects/MyApp/Pharo/Builds/1.0.0/Bundle/intel64/MyApp.app/Contents/MacOS/Plugins/libUnixOSProcessPlugin.dylib" The error is: /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/vtool error: mkstemp: No such file or directory. It looks like it is failing when creating a temporary file, so maybe it is a configuration problem? This is my last hurdle with the whole notarization, codesigning journery, and any help is very much appreciated!

Hi , I'm experiencing a weird crash on macOS 13 Beta3 when the app starts and I don't know what's causing it. I build this app in Xcode 14 Beta3 successfully and it can work normally in macOS &lt;= 12.5 The Translated Report said that "Exception Type: EXC_CRASH (SIGKILL (Code Signature Invalid)) " &amp; "Error Formulating Crash Report: dyld_process_snapshot_get_shared_cache failed" , I've tried so much to solve this problem but nothing worked. Is there anyone who can give me any suggestions or ideas to where I dig further? Thanks in advance for any suggestions. Attachments below are the log detail. Translated Report codesign -d -vvv --entitlements - application.app

I'm using App Wrapper on my Mac to codesign and notarize my app, but I get an error when it uploads to Apple: " failed Your Apple ID account is attached to other providers. You will need to specify which provider you intend to submit content to. Please contact us if you have questions or need help. (1627)" I've never had this problem before. I am the only one in my company, so I don't know why the account is attached to other providers. I called Apple support and they had no idea and suggested I contact Ohanaware who makes App Wrapper. He didn't know what it was either. Anyone have any ideas? All my certificates are current and I've deleted any that were expired. I did notice that when evaluating the certificates, it says "No root certificate found." Could that be the problem? And how do I fix this?

We are in the process of developing our text to speech and speech analysis tools over to mobile platforms = cross platform development. The tools are written in C++ and are compiled using CMake with an ios specific toolchain targetting the correct platform sdk. One of the parts of this toolkit is the dynamic loading of language specific dylibs via dlopen. I have seen that this can only be done if the dylib has been signed with the same certificate as the application. Note that we are still using "free" developer certificates generated automatically by XCode. When I run the test application, at the point where the dylib should be loaded via dlopen, the load fails and dlerror returns the following : dlopen(&amp;lt;path to dylib&amp;gt;, 0x0001): code signature invalid (errno=1) sliceOffset=0x00000000, codeBlobOffset=0x0205D0F0, codeBlobSize=0x000453B0 for '&amp;lt;path to dylib&amp;gt;' However, when I check the code signature with : codesign -d --verbose=2 --extract-certificates &amp;lt;path&amp;gt; I get the same certificate output from both the application bundle and the dylib in question. For example : Identifier=libnormaliser_fr Format=Mach-O thin (arm64) CodeDirectory v=20400 size=265332 flags=0x0(none) hashes=8286+2 location=embedded Signature size=4755 Authority=Apple Development: &amp;lt;our apple id&amp;gt; Authority=Apple Worldwide Developer Relations Certification Authority Authority=Apple Root CA Signed Time=4 Jan 2021 at 09:27:14 Info.plist=not bound TeamIdentifier=&amp;lt;our team id&amp;gt; Sealed Resources=none Internal requirements count=1 size=192 Now, when I run the command : codesign --verify --deep --verbose=2 it outputs : ./libxxx.dylib: valid on disk ./libxxx.dylib: satisfies its Designated Requirement I am testing on an iPad with iOS version 14.0.1, by the way. So, something is still missing, but what ? Can anyone help me with this please ?

I'm signing a small command line TCP listener for Mac M1 which usually signs and notarizes correctly using the following command: codesign --sign $IDENTITY --options runtime --timestamp server/executable In order to enrich the features of our listener we may need to load JVM library from Oracle, in order to be allowed to load a third party dyamic library I've introduced an entitlements plist file called macos-entlist.plist as follows: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.security.cs.allow-jit</key> <false/> <key>com.apple.security.cs.allow-unsigned-executable-memory</key> <false/> <key>com.apple.security.cs.disable-executable-page-protection</key> <false/> <key>com.apple.security.cs.allow-dyld-environment-variables</key> <true/> <key>com.apple.security.cs.disable-library-validation</key> <true/> <key>com.apple.security.get-task-allow</key> <false/> </dict> </plist> And changed my codesign command as follows: codesign --sign $IDENTITY --entitlements macos-entlist.plist --options runtime --timestamp server/executable After adding the entitlements feature to my codesigning and notarization logic my ZIP file still passes the notarization phase but when I try to run executable I get an error message saying that executable cannot be opened because the developer cannot be verified. The issue happens regardless the contents of macos-entlist.plist (eg: even setting all the values to false I still get the error) it seems that that the mere introduction of the parameter --entitlements macos-entlist.plist causes the executable to not be valid anymore despite the fact that the notarization phase succeeds. Curiously other command line executable files in my ZIP signed with the same codesign command are still running fine. Do you have any suggestions on how I can correctly introduce entitlements?

How to sign and notarize a kext? Any body could help me to finish it? I already wrote a apply to enable my develop account kext sign ability,but i dose not recieve any response. Help!

We recently added keychain-access-group to our macOS app but the app failed to open in big sur (macOS 11). It works fine in Monterey and Ventura. The crash log shows. Exception Type: EXC_CRASH (Code Signature Invalid) Exception Codes: 0x0000000000000000, 0x0000000000000000 Exception Note: EXC_CORPSE_NOTIFY Termination Reason: Namespace CODESIGNING, Code 0x1 Here is our entitlement and provision profile codesign -d --entitlements &lt;plist version="1.0"&gt; &lt;dict&gt; &lt;key&gt;com.apple.security.device.audio-input&lt;/key&gt;&lt;true/&gt;&lt;key&gt;com.apple.security.device.camera&lt;/key&gt;&lt;true/&gt; &lt;key&gt;keychain-access-groups&lt;/key&gt; &lt;array&gt; &lt;string&gt;Q76YUSCMX8.com.veevasystems.crmdesktop&lt;/string&gt; &lt;/array&gt; &lt;/dict&gt; &lt;/plist&gt; The provision profile shows security cms -D -i &lt;key&gt;ApplicationIdentifierPrefix&lt;/key&gt; &lt;array&gt; &lt;string&gt;Q76YUSCMX8&lt;/string&gt; &lt;/array&gt; ... &lt;key&gt;Entitlements&lt;/key&gt; &lt;dict&gt; &lt;key&gt;com.apple.application-identifier&lt;/key&gt; &lt;string&gt;Q76YUSCMX8.com.veevasystems.crmdesktop&lt;/string&gt; &lt;key&gt;keychain-access-groups&lt;/key&gt; &lt;array&gt; &lt;string&gt;Q76YUSCMX8.*&lt;/string&gt; &lt;/array&gt; &lt;key&gt;com.apple.developer.team-identifier&lt;/key&gt; &lt;string&gt;Q76YUSCMX8&lt;/string&gt; &lt;/dict&gt; ... &lt;key&gt;TeamIdentifier&lt;/key&gt; &lt;array&gt; &lt;string&gt;Q76YUSCMX8&lt;/string&gt; &lt;/array&gt; Based on my understanding the provisioning profile should allow share keychain that is prefixed with our team id. Is there anything wrong with our setup? This really puzzles us since everything looks correct. Why it does not work in big sur? When we remove the keychain-access-groups from the entitlement file (keep the provisioning profile as is) then it is able to open but the feature does not work because we depended on the shared keychain. Please advice. Thanks

I'm new to Mac and packaging and signing, but I've come a long way. I've got a Developer ID and a code signing certificate. I want to package a Java app and first of all distribute it from my website, not AppStore. my jpackage call is this: [ ! -d smalljre ] &amp;&amp; jlink -p /usr/lib/jvm/java-17-openjdk-amd64/jmods --add-modules java.base,java.desktop --output ./smalljre jpackage --verbose --input build --main-jar i2brain.jar --name i2Brain --app-version 3.3.2 --type app-image --runtime-image ./smalljre I know I will need to sign the app, see below. The output: Mac-mini:FromUbuntu johnmac$ ./run_jpackage  [14:56:32.358] Creating app package: i2Brain.app in /Users/johnmac/Downloads/FromUbuntu [14:56:32.656] Using default package resource JavaApp.icns [icon] (add i2Brain.icns to the resource-dir to customize). [14:56:32.658] Preparing Info.plist: /Users/johnmac/Downloads/FromUbuntu/i2Brain.app/Contents/Info.plist. [14:56:32.660] Using default package resource Info-lite.plist.template [Application Info.plist] (add Info.plist to the resource-dir to customize). [14:56:32.669] Using default package resource Runtime-Info.plist.template [Java Runtime Info.plist] (add Runtime-Info.plist to the resource-dir to customize). [14:56:32.684] Running /usr/bin/codesign [14:56:32.717] Running /usr/bin/codesign [14:56:32.790] Running /usr/bin/codesign [14:56:32.883] Running /usr/bin/codesign [14:56:32.945] Running /usr/bin/codesign [14:56:33.008] Running /usr/bin/codesign [14:56:33.071] Running /usr/bin/codesign [14:56:33.141] Running /usr/bin/codesign [14:56:37.061] Running /usr/bin/codesign [14:56:37.121] java.io.IOException: Command [/usr/bin/codesign, --remove-signature, /Users/johnmac/Downloads/FromUbuntu/i2Brain.app/Contents/runtime/Contents/Home/lib/libjava.dylib] exited with 1 code at jdk.jpackage/jdk.jpackage.internal.Executor.executeExpectSuccess(Executor.java:90) at jdk.jpackage/jdk.jpackage.internal.IOUtils.exec(IOUtils.java:215) at jdk.jpackage/jdk.jpackage.internal.MacAppImageBuilder.lambda$signAppBundle$38(MacAppImageBuilder.java:740) at java.base/java.util.stream.ForEachOps$ForEachOp$OfRef.accept(ForEachOps.java:183) &lt; ---snip--- &gt; at jdk.jpackage/jdk.jpackage.main.Main.execute(Main.java:91) at jdk.jpackage/jdk.jpackage.main.Main.main(Main.java:52) [14:56:37.128] java.io.IOException: Command [/usr/bin/codesign, --remove-signature, /Users/johnmac/Downloads/FromUbuntu/i2Brain.app/Contents/runtime/Contents/Home/lib/libjava.dylib] exited with 1 code at jdk.jpackage/jdk.jpackage.internal.Executor.executeExpectSuccess(Executor.java:90) at jdk.jpackage/jdk.jpackage.internal.IOUtils.exec(IOUtils.java:215) at jdk.jpackage/jdk.jpackage.internal.MacAppImageBuilder.lambda$signAppBundle$38(MacAppImageBuilder.java:740) at java.base/java.util.stream.ForEachOps$ForEachOp$OfRef.accept(ForEachOps.java:183) at java.base/java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:179) at java.base/java.util.stream.ReferencePipeline$15$1.accept(ReferencePipeline.java:541) at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197) at java.base/java.util.Iterator.forEachRemaining(Iterator.java:133) at java.base/java.util.Spliterators$IteratorSpliterator.forEachRemaining(Spliterators.java:1845) at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509) at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499) at java.base/java.util.stream.ForEachOps$ForEachOp.evaluateSequential(ForEachOps.java:150) at java.base/java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(ForEachOps.java:173) at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.base/java.util.stream.ReferencePipeline.forEach(ReferencePipeline.java:596) at jdk.jpackage/jdk.jpackage.internal.MacAppImageBuilder.signAppBundle(MacAppImageBuilder.java:719) at jdk.jpackage/jdk.jpackage.internal.MacAppImageBuilder.doSigning(MacAppImageBuilder.java:382) at jdk.jpackage/jdk.jpackage.internal.MacAppImageBuilder.prepareApplicationFiles(MacAppImageBuilder.java:333) at jdk.jpackage/jdk.jpackage.internal.AppImageBundler.createAppBundle(AppImageBundler.java:172) at jdk.jpackage/jdk.jpackage.internal.AppImageBundler.execute(AppImageBundler.java:91) at jdk.jpackage/jdk.jpackage.internal.Arguments.generateBundle(Arguments.java:674) at jdk.jpackage/jdk.jpackage.internal.Arguments.processArguments(Arguments.java:551) at jdk.jpackage/jdk.jpackage.main.Main.execute(Main.java:91) at jdk.jpackage/jdk.jpackage.main.Main.main(Main.java:52) [14:56:37.129] jdk.jpackage.internal.PackagerException: java.io.IOException: and more of the same. My questions: Am I doing something wrong which causes codesign to be called without me mentioning signing? (I do get an i2Brain.app folder, (which is far too big.)) 2)When I've got his running, am I correct in thinking I have to then package the i2Brain.app folder I get? Do I use package for that, or a different tool? 3) When I add the following line to my jpackage call, part of the output implies my certificate is ok. See below. So, what is going on? TIA! :-) --mac-sign --mac-signing-key-user-name "John Boyd-Rainey" [15:18:31.016] Creating app package: i2Brain.app in /Users/johnmac/Downloads/FromUbuntu [15:18:31.313] Using default package resource JavaApp.icns [icon] (add i2Brain.icns to the resource-dir to customize). [15:18:31.314] Preparing Info.plist: /Users/johnmac/Downloads/FromUbuntu/i2Brain.app/Contents/Info.plist. [15:18:31.315] Using default package resource Info-lite.plist.template [Application Info.plist] (add Info.plist to the resource-dir to customize). [15:18:31.325] Using default package resource Runtime-Info.plist.template [Java Runtime Info.plist] (add Runtime-Info.plist to the resource-dir to customize). [15:18:31.331] Using default package resource entitlements.plist [Mac Entitlements] (add i2Brain.entitlements to the resource-dir to customize). [15:18:31.337] Running /usr/bin/codesign [15:18:31.359] Running /usr/bin/codesign [15:18:31.823] Running /usr/bin/codesign [15:18:31.885] Running /usr/bin/codesign [15:18:32.164] Running /usr/bin/codesign [15:18:32.222] java.io.IOException: Command [/usr/bin/codesign, --remove-signature, /Users/johnmac/Downloads/FromUbuntu/i2Brain.app/Contents/runtime/Contents/Home/bin/keytool] exited with 1 code ... and as before.

Guys, I created the CSR from my testing MacBook and shared the .csr to my manager and he generated the developer ID installer certificate using the shared .csr. After I installed the developer id installer, keychain shows 'the certificate is not trusted'. So I changed it to 'Always trust'. Then covert the app from DMG to PKG and followed the steps for conversion given in this website (https://techcommunity.microsoft.com/t5/intune-customer-success/how-to-deploy-dmg-or-app-format-apps-to-intune-managed-macs/ba-p/1503416). Now I stuck at step 6, product sign and getting the error message: productsign: error: Could not find appropriate signing identity for “3rd party Mac Developer Installer: Developer ID Installer: XXXXX (XXXXXX)”. Kindly advice, how to proceed or shall I ask my manager to re-generate the developer ID installer certificate using the same shared .csr If so what reason I should give to him for the re-generation?

Hello, this is my first post here, I hope I am not asking what is considered to be common knowledge. After a long and very frustrating day, I have found out why copying out my (correctly signed and notarised) MyProg.app from the (correctly signed and notarised) enclosing DMG breaks it ("Is damaged and can't be opened"): it seems that D&D or C&P from Finder does something to destroy the notarisation. spctl --ignore-cache --assess -vvvv MyProg.app after I copy MyProg.app out of the DMG using FInder gives MyProg.app: a sealed resource is missing or invalid If I copy MyProg.app from the DMG container into another directory by "cp -R" or "ditto" instead of D&D or C&P in Finder, everything works as it should and the notarisation is not broken. Is there a way to copy MyProg.app out of the enlocing DMG and keep the notarisation without resorting to command line? Dropping down to command line is not a problem for me, but it is for quite a few of my users - not everybody is comfortable with command line, and debugging what they did wrong sometimes turns out to be quite a futile undertaking.