I have an iOS app that isn't acceptable for the App Store (it is used to open the front door of my apartment building so not of general interest). I can install it on my iPhone from Xcode easily enough but after a week it becomes "no longer available". I assume this is because the signature expires. I created a new code signing certificate using Keychain Access that lasts much longer. I then found the archive of my app that Xcode produced, removed the signature and resigned it with my new certificate: codesign --remove-signature -v Products/Applications/FrontDoor.app codesign -s "My Self Signed Code Signing Cert" -v Products/Applications/FrontDoor.app Now I am stuck trying to work out how to load the archive onto my (and hopefully my partner's) iPhone(s). Am I on the right track or is there a better way to handle this? Is it possible to load an archive onto an iPhone connected via USB?

This post is part of a cluster of posts related to the trusted execution system. If you found your way here directly, I recommend that you start at the top. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" Don’t Run App Store Distribution-Signed Code App Store distribution-signed code is intended to be uploaded to the App Store. You can’t run it locally. Except when you can! To avoid confusing yourself, don’t attempt to run App Store distribution-signed code. Intended Purpose App Store distribution-signed code is intended to be uploaded to the App Store. When you upload code to the App Store, it checks the code’s signature as part of the distribution process. App Store distribution-signed code is not intended to be run locally. That’s what development-signed code is for! If you want to test your App Store product before shipping it to users: For day-to-day work, use Development distribution. For limited testing, use Ad Hoc or Enterprise distribution (not available on macOS) or Developer ID distribution (only available on macOS). For wider testing, use TestFlight. Note Not all capabilities are supported by Developer ID distribution. For the details, see Developer Account Help > Supported capabilities (macOS). macOS Gotcha Most Apple platforms completely block you from running App Store distribution-signed code. The exception here is macOS, which runs distribution-signed code under some circumstances. Specifically, macOS runs distribution-signed code if the code claims no restricted entitlements. If the code claims a restricted entitlement that claim must be authorised by a provisioning profile. It’s not possible to create a profile that does that: A macOS App Development or Developer ID profile never authorises the certificate from your distribution signing identity. A Mac App Store profile never authorises execution on your machine. The lack of a valid profile means that the restriction entitlement is not authorised and your app will crash on launch. For more details on what that crash looks like, see Resolving Code Signing Crashes on Launch. For detailed information about provisioning profiles, see TN3125 Inside Code Signing: Provisioning Profiles. Even though there are some cases where App Store distribution-signed code will run on the Mac, the general rule is the same there as it is for other platforms: Don’t run App Store distribution-signed code. Revision History 2022-06-01 Added App Store to the title to make the subject clearer. Made similar changes throughout the text. 2022-05-31 First posted.

Recently I've started to work with Xcode server and Xcode bot. I'm just using Xcode 12.3, no OS X server application. I've configured bot correctly which generates IPA file of my iOS application. But when I try to install that IPA with https://my-macbook-air.local/xcode It always shows me error in iOS 14+ device. I've downloaded and installed profile and manually trust certificate from Settings. But no luck on iOS 14+. Even thought same IPA is being installed in iOS 13.3 device. I read somewhere that iOS 14 uses TLS 1.3 by default for all SSL certificates, is that related to my problem? Does my Xcode server's self signed SSL is not supporting TLS 1.3? How can I solve this problem?

I want to (continue to) use XCODE to develop for my personal, local use on my Mac as I have been doing for decades. But on my new computer, in every project, I first try going to the code signing options and select either my developer ID or sign to run locally, and then I choose my personal team name (I'm not professional developing at this point - just learning and running locally.) But on Monterey/M1 and the latest XCode, it won't accept my Personal development team - it just repeats the error "signing for *** requires selecting a development team", even though I selected my Personal Team. I am very desperate to start developing with my new Mac, and any help to get past the code signing problem is greatly appreciated. I just want my projects to compile and run again. I am willing to pay for help.

Hi. I've read a lot of different topics on forums and websites about software signing and notarization, and there is progress, but I need some help. 1. From the beginning: I am building an application on a Jenkins server and downloading the file 'example_app.dmg'. I am enrolled in the Apple Developer Program. 2. Then I use the command to sign the software: codesign --force --sign "Developer ID Application: name_of_my_certificate_in_keychain (number)" example_app.dmg 3. Checking the status: spctl -a -t open -vvv --context context: primary-signature example_app.dmg Result: example_app.dmg: rejected source = Unnotarized Developer ID origin = Developer ID Application: name_of_my_certificate_in_keychain (number) Why is it rejected? 4. Then notarization: xcrun altool --notarize-app \ --primary-bundle-id "example" \ --username "my_AppleID" \ --password "@keychain: NOTARIZED" \ --file "example_app.dmg" NOTARIZED is in the keychain with the generated password on my Apple account. 5. I get: No errors uploading 'example_app.dmg'. RequestUUID = 'number_of_my_request' 6. I check the notarization status: xcrun altool --notarization-info "number_of_my_request" \ --username "my_AppleID" \ --password "@keychain: NOTARIZED" Result: No errors getting notarization info. Date: 2022-05-10 14:15:35 +0000 Hash: hash_number LogFileURL: link_to_log_file RequestUUID: number_of_my_request Status: invalid Status Code: 2 Status Message: Package Invalid Inside the log_file, a lot of files have a status like: The binary is not signed. The signature does not include a secure timestamp. The executable does not have the hardened runtime enabled. Am I doing something wrong or what can I do better? And how I can make empty line here (this forum)?

I am a developer. I have distributed apps via the Apple Store Connect. Today I wrote a fun, simple Xcode app for my friend's 2-yr-old son. The app contains family photos etc so should not be made public. I have deployed the app on my iPhone but would love to have my friend, my friend's wife, as well as the grandparents and may be a couple of friends to have the app on their different iPhones. Can anyone advise as to what is the simplest way of doing this? Thank you.

Our TPP excludes our own processes from oversight, which makes some things very easy. Only I just found out that when our app uses a WKWebView... it's very securely shuffled off into its own process. With its own signing identifier. And a ppid of launchd. How could I tell that a com.apple.WebKit.Networking process is related to our process? (I note that the Endpoint Security Framework has added a "responsible" audit token, presumably for this sort of situation.)

Hi all, I'm developing a 3D modeling C++ application with embedded Python scripting capabilities which targets Big Sur. I want to distribute my application ("MyApp") with a full python package directly integrated into the MyApp bundle (the MyApp.app folder) so that users won't have to install Python manually. So I binded Python3.9 and my app using pybind11, and copied the Python framework folder (all files of the folder of the version 3.9, which is named "3.9") into the "Framework" directory of my App bundle, then locally set the PYTHONPATH and PYTHONHOME environment variables at run time so that they point to the python's Framework folder copied into the bundle. It's working: python scripts can run from my application even if there isn't python installed in the system. However, I have an issue when signing my MyApp bundle. Assuming that I need a python framework package which is universal, correctly signed and has folder structure and files compliant with Apple's bundle specs, I saw too options at first On one hand, homebrew provides signed python packages but for arm64 architecture only, so it must be excluded since I need x86_64 too. On the other hand, the official python website provides universal python packages but they are not signed. I then copied the Package from the official python website and removed many of its unessential components to make it tidy as much as possible, then ran a script that codesign all files that codesign signals as "not signed at all" when running it on the full RizomUV App bundle. Once all files that need to be signed have been signed, I got the following message when running codesign on the MyApp bundle folder: codesign --force --verify --verbose --sign "Developer ID Application: XXXXXXX (XXXXXX)" MyApp.app --option runtime MyApp.app: replacing existing signature MyApp.app: bundle format unrecognized, invalid, or unsuitable In subcomponent: /Users/me/Documents/a_path/MyApp.app/Contents/Frameworks/Python/lib/python3.9 That python3.9 folder, which contains a bunch of python script files (***.py) and some directories which seems to be not compliant with the bundle specifications. This prevents the signature of the full bundle and that's obviously a problem. I'm sure I'm not the only one who integrated Python as a framework into a universal bundle. I could do more investigations but I'm less and less confident that I'm following the right path as I find it overly complicated. There must be a better way right? Any help or feedback would be more welcomed. Best

During build process, I have been encountering an error "error: The specified item could not be found in the keychain." for the code signing process. My apple ID joins a developer program of my company. I have 2 macbook - 1 for my personal, and 1 for my company. I can build apps with my personal macbook, but failed with my company one. I have exported the developer account from xcode of my personal macbook, and also imported to the company macbook's xcode. Both macbooks are macOS Monterey, and both xcode are the same version 13.2.1 For building an app, I've chosen "Automatically manage signing"

This post is part of a cluster of posts related to the trusted execution system. If you found your way here directly, I recommend that you start at the top. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" Resolving Gatekeeper Problems Gatekeeper strives to ensure that only trusted software runs on a user’s Mac. It’s important that your code pass Gatekeeper. If not, you’re likely to lose a lot of customers, and your users’ hard-won trust. There are three common Gatekeeper problems: App blocked by a dangling load command path Lack of notarisation Command-line tool blocked by Gatekeeper The first problem is by far the most common. For the details, see Resolving Gatekeeper Problems Caused by Dangling Load Command Paths. For general information about Gatekeeper, read Apple > Developer > Signing Mac Software with Developer ID and Apple > Support > Safely open apps on your Mac. IMPORTANT This post focuses on Developer ID-signed code. Gatekeeper should not block App Store apps. If an app downloaded from the App Store fails to run, it’s likely to be some other trusted execution issue. For more about this, read Resolving Trusted Execution Problems. Identifying a Notarisation Problem Gatekeeper requires that your app be notarised. If not, it will block the execution of your app with a generic, user-level message. If you find your app blocked by Gatekeeper, check if this is a notarisation issue by looking in the system log for an entry like this: type: info time: 2022-05-11 14:57:21.812176 -0700 process: syspolicyd subsystem: com.apple.syspolicy category: default message: ticket not available: 2/2/8b7410713591e6c79ea98f0132136f0faa55d22a Note If the ticket details show as <private>, enable private data in the system log. For information on how to do that, see Recording Private Data in the System Log. For general information about the system log, see Your Friend the System Log. The long hex number is the code directory hash, or cdhash, of the offending code. In this example, it’s the cdhash of the app itself: % codesign -d -vvv /Applications/NotNotarised.app … CDHash=8b7410713591e6c79ea98f0132136f0faa55d22a … However, in some cases it may be the cdhash of some library referenced by the app. For more information about cdhashes, see TN3126 Inside Code Signing: Hashes. Resolving a Notarisation Problem The obvious cause of this problem is that you haven’t notarised your app. For information on how to do that, see Notarizing macOS Software Before Distribution. If you have notarised your app and yet you still see this problem, something more subtle is happening. For example, your app might reference a dynamic library that wasn’t seen by the notary service. To investigate this: Fetch the notary log for your app. For advice on that, see Fetching the Notary Log. Confirm that the notary log matches the app you installed. Look in the notary log for the sha256 property. Its value is a SHA-256 hash of the file received by the notary service. Check that this matches the SHA-256 hash of the file you used to install your app. If not, see Hash Mismatch, below. Search the notary log for the cdhash value from the Gatekeeper log message. If the notary log doesn’t contain that cdhash, that code wasn’t included in the notarised ticket. It’s possible that you failed to submit the code to the notary service, that it was switched out with a different version after you notarised your app, that it was package in some way that the notary service couldn’t see it, or that something went wrong within the notary service. Hash Mismatch If you stapled your notarised ticket to the file used to install your app then the hashes in step 2 of the previous section won’t match. What to do depends on the file type: If the file used to install your app was a zip archive (.zip), you definitely have the wrong file. Zip archives don’t support stapling. If the file used to install your app was a signed disk image (.dmg), compare the disk image’s cdhash with the cdhash for the disk image in the notary log. If those match, you know you’re working with the same disk image. To dump a disk image’s cdhash, run the codesign tool as follows: % codesign -d -vvv DISK_IMAGE … CDHash=d963af703ac2e54af6609e9ad309abee7b66fae2 … Replace DISK_IMAGE with the path to your disk image. If the file used to install your app was a disk image but it wasn’t signed, switch to a signed disk image. It’s generally a better option. If the file used to install your app was an installer package (.pkg), there’s no good way to know if this is the correct package. In this case, modify your notarisation workflow to retain a copy of the file before it was modified by stapler. Tool Blocked by Gatekeeper If your product includes a command-line tool, you might notice this behaviour: When you double click the tool in Finder, it’s blocked by Gatekeeper. When you run the tool from within Terminal, it works. This is a known bug in macOS (r. 58097824). The issue is that, when you double click a tool in the Finder, it doesn’t run Gatekeeper’s standard execution logic. Rather, the Finder passes the tool to Terminal as a document and that opens a window (and associated shell) in which to run that document. This triggers Gatekeeper’s document logic, and that logic always blocks the tool. There are two ways around this: Embed your tool in an application. If the user runs the application first, Gatekeeper runs its normal application check. If the user allows the app to run, Gatekeeper records that decision and applies it to the app and any code within the app, including your tool. Install your tool using an installer package. When the user goes to install the package, Gatekeeper checks it. Assuming that check passes, Gatekeeper does no further checks on the content it installed.

This post is part of a cluster of posts related to the trusted execution system. If you found your way here directly, I recommend that you start at the top. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" Resolving App Sandbox Inheritance Problems If you’re creating a product with the App Sandbox enabled and it crashes with a trap within _libsecinit_appsandbox, it’s likely that you’re tripping over one of the following problems: Nonheritable entitlements Changing sandbox Nothing to inherit Nonheritable Entitlements The most common cause of this problem is also the most obscure. If you have a sandboxed app with an embedded program that you run as a child process, a crash in _libsecinit_appsandbox is most likely caused by the embedded program being signed with entitlements that can’t be inherited. Imagine an, SandboxInit, with an embedded helper tool, NotHeritable. When the app runs the helper tool as a child process, the helper tool crashes with a crash report like this: Exception Type: EXC_BAD_INSTRUCTION (SIGILL) … Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 libsystem_secinit.dylib … _libsecinit_appsandbox.cold.7 + 49 1 libsystem_secinit.dylib … _libsecinit_appsandbox + 2096 2 libsystem_trace.dylib … _os_activity_initiate_impl + 51 3 libsystem_secinit.dylib … _libsecinit_initializer + 67 4 libSystem.B.dylib … libSystem_initializer + 286 5 dyld … invocation function for block in dyld4::Loade… 6 dyld … invocation function for block in dyld3::MachO… 7 dyld … invocation function for block in dyld3::MachO… 8 dyld … dyld3::MachOFile::forEachLoadCommand(Diagnost… 9 dyld … dyld3::MachOFile::forEachSection(void (dyld3:… 10 dyld … dyld3::MachOAnalyzer::forEachInitializer(Diag… 11 dyld … dyld4::Loader::findAndRunAllInitializers(dyld… 12 dyld … dyld4::APIs::runAllInitializersForMain() + 38 13 dyld … dyld4::prepare(dyld4::APIs&, dyld3::MachOAnal… 14 dyld … start + 388 The helper tool has trapped within _libsecinit_appsandbox. Look at the entitlements of the helper tool: % codesign -d --entitlements - SandboxInit.app/Contents/MacOS/NotHeritable … [Dict] [Key] com.apple.security.app-sandbox [Value] [Bool] true [Key] com.apple.security.inherit [Value] [Bool] true [Key] com.apple.security.get-task-allow [Value] [Bool] true The com.apple.security.app-sandbox and com.apple.security.inherit entitlements are fine: They configure the program to inherit its sandbox from its parent. The problem is the com.apple.security.get-task-allow entitlement, which is not compatible with this sandbox inheritance. The com.apple.security.get-task-allow entitlement is often automatically injected by Xcode. For information on how to prevent this, see Embedding a Command-Line Tool in a Sandboxed App. Some entitlements are compatible with sandbox inheritance. Unfortunately that list of entitlements is not documented (r. 93582428). The most commonly use ones are the hardened runtime exception entitlements documented in Hardened Runtime. The other entitlements on the list are pretty obscure. Changing Sandbox Another cause of a trap within _libsecinit_appsandbox is the child process trying to set up its own sandbox. If a sandboxed process runs another program as a child process, that child process always inherits its sandbox from the parent. If the program’s executable is signed with com.apple.security.app-sandbox but not com.apple.security.inherit — that is, it tries to set up a new sandbox — it will crash in _libsecinit_appsandbox. A process is not allowed to change its sandbox. To check for this problem, look for the following in the crash report: Application Specific Signatures: SYSCALL_SET_PROFILE This indicates that the process tried to setup its sandbox profile but that failed, in this case because it already has a sandbox profile. To fix this problem, either: In the child, add the com.apple.security.inherit entitlement so that it inherits its sandbox from the parent. In the parent, run the program so that it’s not a child process. For example, you could launch it using NSWorkspace. Nothing to Inherit Another cause of a trap within _libsecinit_appsandbox is when a nonsandboxed process runs another program as a child process and that other program’s executable has the com.apple.security.app-sandbox and com.apple.security.inherit entitlements. That is, the child process wants to inherit its sandbox from its parent but there’s nothing to inherit. To check for this problem, look for the following in the crash report: Application Specific Information: Process is not in an inherited sandbox. There are three ways you might fix this problem: Sandbox the parent. Unsandbox the child. Run the child in its own sandbox by removing the com.apple.security.inherit entitlement.

I have some third party frameworks that are signed with a v=20200 signature. When I add them to my project and set them to Embed and Sign, the app won't install on my device giving the error The code signature version is no longer supported. I have tried resigning them using codesign -s "Apple Development: XXXX XXXX (BLXXXXXX)" -f --preserve-metadata --generate-entitlement-der XXXSDK.xcframework but the signature always reports v=20200. I tried removing the code sign and letting Xcode do it's thing, but get the same result. Is this a problem with the way the .xcframework was built? Can I fix this without getting it rebuilt?

I have a series of codesign commands that I would run regularly to sign my app. They always worked fine, until I recently upgraded my Mac OS to Monterey and XCode to 13.3.1. Now the same syntax just results in codesign's usage message. Here's one of the commands that fails: codesign --deep --force --verify --verbose --timestamp --options runtime --entitlements "example.entitlements" --sign "Developer ID Application: Company Name (XXXXXXXXXX)" I tried variations also, to no avail, such as this: codesign -s "Developer ID Application: Company Name (XXXXXXXXXX)" --options runtime --timestamp --force --deep --entitlements "example.entitlements" Any idea what I'm doing wrong, and why it stopped working after upgrading? Thanks.

Hi,I am posting this in the hopes that it may save someone with a similar problem some time.A build was failing with the following error:Code Signing Error: Provisioning profile "FooBar" doesn't include signing certificate "iPhone Developer: foo bar (xxxxxxxxxxx)".The build was done on the command line with:xcodebuild OTHER_CODE_SIGN_FLAGS='--keychain /Users/me/Library/Keychains/Buildsystem' (and other parameters)Before each build we create the Buildsystem keychain and import the certificates needed fo the build into it. The keychain is then removed after the build.I could do the build locally and it would work, it was only on our build machine under jenkins that it failed.After spending a lot of time on this I found the cause was that there was another certificate in the builds machine's login keychain that was being used for the code signing even though we had provided a keychain with the correct certificate and told the codsigning to use it. After deleting the bad certificate from teh login keychain everything worked.So it looks like the -keychain has no effect or that codesigning searched the login keychain before the specified one.Is there anyway to change this behavior? The idea of using a special keychain for the build process was to avoid things like this.

I build my iOS app on a machine(build machine- MacMini Xcode 13.2.1) with a valid distribution profile/certificate and upload it to our in-house distribution center (AppCenter) where the other registered devices(test devices) can download & run the app. At some point in the past, something has been changed and all devices after receiving the build and downloading the app, right at the launch time seeing the crash of the app- the log in console says: error 15:31:47.331479-0500 SpringBoard Bootstrapping failed for <FBApplicationProcess: 0x153da32f0; application<com.myapp.companyname>:> with error: <NSError: 0x280139ec0; domain: RBSRequestErrorDomain; code: 5; reason: "Launch failed."> { NSUnderlyingError = <NSError: 0x280138ea0; domain: NSPOSIXErrorDomain; code: 85>; } error     16:39:27.769869-0500  SpringBoard       Scene FBSceneManager/sceneID: com.myapp.companyname update failed: <NSError: 0x2820ec360; domain: FBSceneErrorDomain; code: 1 (operation-failed); reason: "Scene update failed."> {    NSUnderlyingError = <NSError: 0x2820dfc90; domain: FBWorkspaceScene; code: 1; reason: "Client process exited.">; } I believe this is something about an invalid certificate that does not let the app launch on other machines. I did a quick test: instead of using my build machine, I used the same distribution profile on another machine and build the same Xcode project and when I upload IPA to AppCenter, the other devices can run the app perfectly. I checked the emebedded.mobileprovision file content from both machines(one that works on all machines, and one that crashes on all machines: that is my build machine) and they look similar (certification date, Identifiers, Developer certificates, entitlements, expiration... ) Any idea what could be wrong? or what other places I can search for the reason for the crash? It's very frustrating!! btw, I tried to remove the cache data, restart the machine,...etc but no luck -seems all builds from the build machine won't be able to run on any devices! Any help is appreciated, Camron