No Proxy for Xcode 15: _with Xcode 14 You can modify this file : /Applications/Xcode.app/Contents/SharedFrameworks/ContentDeliveryServices.framework/Versions/A/itms/java/conf/net.properties and set the following property to true ( false by default ) java.net.useSystemProxies=true_ With Xcode 15, I don't found any solution **Utilisation of environment variables http_proxy and https_proxy it's useless because it's ignored #** how I can define a proxy in order to sign with Xcode command lines ?

I have a bizzare issue with my Apple TV that is shown as "iPod" in Apple developer portal. It's correctly visible in Xcode as Apple TV, but when I add it to developer portal it says "iPod". The problem is since it's there as an iPod I can't use it to my provisioning profile to build on the device Anyone has any idea how this can be solved? [Edited by Moderator]

Hi, I am trying to release a small application which bundles a conda environment and a python script. I am using Platypus to turn it into a .app, and I include all necessary resources (libraries, binaries etc) inside the Resources directory. My application works correctly before code signing, and is portable between machines (so I don't think it is the case that the conda environment is missing something). However, after signing, it crashes when it runs one of the programs within the conda environment. I am first signing all .so, .dylib and all files in conda_env/bin as follows: # Within the conda environment directory in Resources find bin -type f | xargs -n1 codesign -f -o runtime --timestamp --sign "Developer ID Application: Whatever (123456789)" find . -name "*.dylib" -o -name "*.so" -type f | xargs -n1 codesign -f -o runtime --timestamp --sign "Developer ID Application: Whatever (123456789)" I am then signing the .app itself codesign -f -o runtime --timestamp --sign "Developer ID Application: Whatever (123456789)" my_app.app Finally, I convert it into a .dmg (with appdmg) and sign that. codesign -f --sign "Developer ID Application: Whatever (123456789)" --timestamp my_app.dmg I submit to the notary service, which succeeds, and then I staple the ticket to the .dmg: xcrun notarytool submit my_app.dmg --keychain-profile my_notarytool_keychain_id --wait xcrun stapler staple my_app.dmg spcl is happy with the signed .app and .dmg and accepts them both. spctl -a -vv my_app.app # my_app.app: accepted # source=Notarized Developer ID # origin=Whatever (123456789) spctl -a -vv -t install my_app.dmg # my_app.dmg: accepted # source=Notarized Developer ID # origin=Whatever (123456789) I have a valid Developer Application ID. All good, right? Except, during execution, the signed .app crashes. When I look in the Console, the error log always looks similar - something like: Exception Type: EXC_BAD_ACCESS (SIGKILL (Code Signature Invalid)) Termination Reason: Namespace CODESIGNING, Code 2 Invalid Page Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 libsystem_platform.dylib 0x186e15848 sys_icache_invalidate + 40 1 libllvmlite.dylib 0x2a022f8e8 llvm::sys::Memory::protectMappedMemory(llvm::sys::MemoryBlock const&, unsigned int) + 384 2 libllvmlite.dylib 0x29d765528 LLVMPY_TryAllocateExecutableMemory + 92 3 libffi.8.dylib 0x103abc04c ffi_call_SYSV + 76 etc I think all the .dylib, .so, and binaries are signed in my codesign scripts, except for the libsystem_platform.dylib mentioned in the first line of the log. Could this be the problem? How can I find if I am not signing something that is being used? Are there other types of files that I should be signing that I am missing? I've been trying to fix this for several days and I feel I have tried everything (constructing the conda env in different ways, signing in different ways, e.g. with/without --deep, with/without signing each type of library/binary) to no avail... Any help would be greatly appreciated! All the best, George

Hi, I'm having some problems signing my application. Everything was working fine until recently when the certificates expired and I got these kinds of errors when I try to upload the app to AppStoreConnect. I can build the app in dev and production mode without any issue and I can create an archive. Problems occur when uploading to AppStoreConnect. The idea would be to let Xcode take care of signing everything necessary by checking the "Automatically manage signing" box. All my targets are in "Automatically manage signing" mode. I tried to delete all the certificates and provisioning profiles that I found on the Apple portal and then generate them again, but the problem is the same. There are two of us on the team, plus a CI machine (this should be the CI that takes care of signing everything needed to send a release to AppStoreConnect). If you have an idea, I'm interested! Thanks in advance, Alexandre

I am having a peculiar issue with an app I am developing. I am trying to upload it onto App Store Connect but I am getting one error, and a very odd behavior. The error message I am getting is: /Users/user/Documents/GitHub/MyApp/MyApp/DerivedData/MyApp.pub/Build/Intermediates.noindex/ArchiveIntermediates/MyApp.pub/InstallationBuildProductsLocation/Applications/MyApp.pub.app: resource fork, Finder information, or similar detritus not allowed Command CodeSign failed with a nonzero exit code I have cleaned built the directory, I have removed the Derived Data, but this always gets thrown. It was working fine a few months ago, I have only just got back to working on it. The other issue I am havving, when I set to archive the app, I set the target as Any iOS Arm Device (arm64), but when it is archiving it switches to my iPhone as the target. I don't prompt it to do this, it just does it. This is very frustrating. I'm using a MacBook Air M1, with a macOS Sonoma. I updated my Xcode the other day, that's Version 15.4 (15F31d). My App has a minimum target of iOS 15 and a project target of Xcode 13. Any help is appreciated.

Hi Devs, i have a question concerning the security set-key-partition-list -S command. I want to use it to enable a code signing certificate being used by codesign and productbuild to sign without sudo or a password prompt. Some sources indicate i need to add codesign: as partition but some don't even mention this. So my question is what partitions are even possible to add? What does partitions in this context mean? How can i find out which i need for productbuild and codesign? Thanks in advance Paul

I have an app developed using ElectronJS that requires Accessibility permission to monitor mouse and keyboard events through the iohook package. I want to publish it on the Mac App Store, but it seems that: The Mac App Store mandates Sandboxing, and Sandboxing prohibits Accessibility permission. As a result, it seems that an app on the Mac App Store cannot obtain Accessibility permission. Can someone confirm if this is accurate or if there's a workaround?

(Skippable) Backstory: I have an app that customers initially install by: Going to our website in a browser, downloading a (notarized) disk image, mounting it, opening the (Developer ID-signed) installer package therein, and following the prompts to completion. Once installed, this app has a button you can click that will check for updates and possibly install them. When you click this button: Our app contacts an HTTPS API on our servers to see if there is an update If there is an update, the API responds with a download URL to the aforementioned notarized disk image, and the SHA-512 hash of the disk image Our app downloads the disk image, and verifies the SHA-512 hash of the download Our app mounts the DMG Our app uses /usr/sbin/pkgutil --check-signature (although I do hope to switch to SecStaticCodeCheckValidity() in the future) to verify that the OS thinks that the installer package is properly signed, and also that the organization unit on the leaf certificate for the code signing key used to sign the installer is exactly equal to our Apple Team ID Our app uses /usr/sbin/installer -package ... -volinfo to verify that the installer package thinks it can install onto the host Our app uses /usr/sbin/installer -package ... -target / to install the software update For 98%+ of our users, this update process works great. For a tiny portion of users, we're seeing that hdiutil reports that it failed to attach the disk image. For the even tinier portion of users from whom we have obtained debug logs, one of the errors we've seen is "not recognized"; however, I don't know if that's the most common error, due to the small sample size. Before I get much further, I think it's prudent to acknowledge that the above system we're using today is pushing a decade old now, and it's probably wise to verify the foundations. So... For a Developer-ID-signed macOS app that is distributed outside the Mac App Store using an installer package, what is the "best" container/packaging system for an automated system to obtain and consume the installer package with the goal of a user-initiated self-update? For example: Notarized disk image (and failures to attach the image need to be bug reports to Apple) Just the installer package (If I understand correctly, this is bad because it bypasses the automatic propagation (normally performed by macOS) of the DMG's notary ticket to the pkg, right?) Something else? Secondly, what are some common developer mistakes to avoid? For example, these come to mind: When saving the DMG to disk, explicitly enable quarantine on the DMG, so that macOS runs appropriate security checks as intended (is this correct?) When running the installer package, do not use low-level tools (like cp) to copy the pkg out of the DMG, because macOS won't be able to automatically find the notary ticket when the pkg is installed (is this correct?) Anything else? Additional context: We currently support macOS 10.13+, but we will soon support only macOS 10.15+. Thank you!

I'm assisting a customer with an iOS app. He has a personal (non-company) Apple Developer account. I know that this kind of account didn't used to support collaborators, but I'm not sure what the current status is. He was able to add me to his account and give me permissions (Developer, App Manager). However when I run Xcode, his account does not appear in the list of Teams under my Apple ID, which is preventing me from working. Is this a bug or temporary problem or is the fact that his account is a personal account preventing me from doing this?

I have added an additional capability called "User Assigned Device Name" into my application(The provisions for Development, Ad hoc & App Store Connect etc already received from Apple). Since then we are facing issues on code signing. We are trying to Sign in Automatically and getting the below error always. /.xcodeproj Provisioning profile "iOS Team Provisioning Profile: com..*******" doesn't include the com.apple.developer.contacts.notes entitlement. Contact notes entitlements are not a part of our additional capabilities as we requested separately with Apple and received it in the provisioning profile long back. Actually that time the same(contacts notes entitlements) was not a part of the additional capabilities. Please advise if any one has gone through such a conflict and resolved.

Hi! I am fairly new to Mac/ Python development. I have written a python script that includes the lovely customTkinter Library. the app works, I have checked it extensively, but after creating an executable with both Pyinstaller and Py2app, my app keeps failing notarization. I have the developer account, I have the Developer ID application: Name (xxxxxxxxxx). My last attempt with py2app, I try to codesign the .app bundle with : codesign --deep --force --verbose --options=runtime --timestamp --sign "Developer ID Application: Lennert Esser (5823RMSZ52)" XYZ\ 2\ OSC.app if I do that, I receive a clean message that XYZ 2 OSC.app: signed app bundle with Mach-O universal (x86_64 arm64) [com.myname.appname.app] the verify of the code signature gives nice messages as well: --prepared:/Users/lennert/Documents/SoftwareDevelopment/PythonLocal/Pozyx/dist/XYZ 2 OSC.app/Contents/MacOS/python --validated:/Users/lennert/Documents/SoftwareDevelopment/PythonLocal/Pozyx/dist/XYZ 2 OSC.app/Contents/MacOS/python .... XYZ 2 OSC.app: valid on disk XYZ 2 OSC.app: satisfies its Designated Requirement So I would say, so far so good...? BUT.... if I try to notarize my archived .app bundle. the notarization fails, with looadddssss of errors, with both: "The signature does not include a secure timestamp." and "The binary is not signed with a valid Developer ID certificate." I am completely stuck. Believe me, I have tried everything. Google, ChatGTP, multiple tries to codesign everything separately with: find /path/to/my/app/contents -type f -exec codesign -s "Developer ID application: Name (xxxxxxxxxx)" {} ; please, please someone help me explain what I am doing wrong....

I am pretty much at a loss here... In the past I used altool which worked. Not sure of related though, been a while since. But the same build script I use, just replaced altool with notarytool I first codesigen `MYNAME@MYMACNAME ~ % codesign --verbose --force --options runtime --timestamp --sign "COMPANYSIGN" "/Volumes/DiskW/projects-cool-MYNAME/MYPRODPATH/osx/final_MYPRODNAME-dist/mac-MYPRODNAME-files/MYPRODNAME.app" /Volumes/DiskW/projects-cool-MYNAME/MYPRODPATH/osx/final_MYPRODNAME-dist/mac-MYPRODNAME-files/MYPRODNAME.app: replacing existing signature /Volumes/DiskW/projects-cool-MYNAME/MYPRODPATH/osx/final_MYPRODNAME-dist/mac-MYPRODNAME-files/MYPRODNAME.app: signed app bundle with Mach-O thin (x86_64) [com.MYCOMPANY.MYPRODNAME] MYNAME@MYMACNAME ~ % ` Then display entitlements: MYNAME@MYMACNAME ~ % codesign --verbose --display --entitlements :- "/Volumes/DiskW/projects-cool-MYNAME/MYPRODPATH/osx/final_MYPRODNAME-dist/mac-MYPRODNAME-files/MYPRODNAME.app" Executable=/Volumes/DiskW/projects-cool-MYNAME/MYPRODPATH/osx/final_MYPRODNAME-dist/mac-MYPRODNAME-files/MYPRODNAME.app/Contents/MacOS/MYPRODNAME Identifier=com.MYCOMPANY.MYPRODNAME Format=app bundle with Mach-O thin (x86_64) CodeDirectory v=20500 size=127176 flags=0x10000(runtime) hashes=3967+3 location=embedded Signature size=9057 Timestamp=16 May 2024 at 11.49.11 Info.plist entries=17 TeamIdentifier=MYTEAMID Runtime Version=10.16.0 Sealed Resources version=2 rules=13 files=279 Internal requirements count=1 size=188 MYNAME@MYMACNAME ~ % Then I try do notarization (see next post)

Our product includes a sudo plugin so we can apply user-defined policies to manage privileged access to command line programs. We’ve been getting reports where the plugin sometimes doesn't get invoked and the sudo command falls back to its default behavior. This seems to only be happening intermittently, but when the issue does occur, this message appears in the Console: Library Validation failed: Rejecting '/usr/local/libexec/sudo/<our_plugin>.so' (Team ID: <OURTEAMID>, platform: no) for process 'sudo(<pid>)’ (Team ID: N/A, platform: yes), reason: mapping process is a platform binary, but mapped file is not I recall a previous discussion of this message (that I can’t locate now), which explained that although the host process has library validation disabled, the code flow raises an error anyway, so that the host process can detect it and bypass the validation to load the plugin. It looks like that's what sudo is doing: it has the private entitlement com.apple.private.security.clear-library-validation and makes the appropriate system call when the plugin initially fails to load [1] — but apparently this isn't working reliably for our sudo plugin. We’ve observed that restarting the Mac generally resolves the issue, at least for a while. This resembles the “classic symptom of a code signing oddity” where the signature is cached and the Mach-O image is rewritten rather than replaced (as documented in Updating Mac Software). But our software uses an Installer package for updates as well as initial installation, and the Installer is documented as not having this issue, so I believe the problem lies somewhere else. I’m running out of ideas; are there any other avenues I should investigate? Thanks for any help. [1] This is described in an article called "About com.apple.private.security.clear-library-validation"; I can't link to it directly from the developer forums, but it can easily be found by searching for the title.

Hello, I've been trying to update my application since days, tried everything, all my environment is unchanged except update to the latest xcode version, I only fixed a bug in my code, and updated my expired certifacates with the same IDs. I've also been able to test the app with testflight. The app is built successfuly, validated, uploaded to the apple connect, submited for review, accepted and published online on the mac app store. I've been able to update the application with the mac app store. Now here is the problem: if I delete the application, and try to reinstall it from the app store, it says: unable to install, try again later - then the mac app store is stuck, I need to quit / restart to be able to try a new install. I also distribute my application outside of the mac app store, I've also signed and notarized my app successfully, with my developer id certificate, I tried with organizer, and also with xcrun notary on the command line, all is ok, but when I run the exported application, it says that the application is damaged (so right click/open works, and the app works well). The only thing that I can see is this (compared with my previous version): spctl -a -vvv -t install myapp.app: myapp.app: rejected (invalid destination for symbolic link in bundle) I don't have the error on my previous version. I've checked all the links inside the package, I don't see any problem or invalid link (and the app can run perfectly.... ) I've also check the logs.json file after the notary result, no problem appears. the whole structure of the application and files inside the .app is exactly the same between the previous version, and the new one with that problem. hope that someone could help me to solve this problem :)

I have an app that needs re-signing/updating to work on ios 17 (ios 17.4.1). I have renamed the IPA file to zip and extracted it to the desktop. The files in the extracted folder are: ItunesArtwork ItunesMetadata.plist Payload folder Payload folder contains the app App package contents contains all the app files, including the _CodeSignature folder. I extracted the package contents to a folder on the desktop. Xcode 15.3 (15E204a) is installed. Need the steps necessary to complete it and generate the new IPA file to test. Thanks all, Ed

On our CI (GitHub Actions) we are signing our .ipa with codesign and after that uploads the resulting .ipa with altool to TestFligt. The problem is that the entitlements added by codesign no longer appear when we view the build on TestFlight. The app requires entitlements for push notification and for associated domains. codesign -s Distribution prod.entitlements prod.ipa Immediately after we do a codesign --verbose --display --entitlements - and the entitlements show fine. Next command is xcrun altool --upload-app --type ios -f prod.ipa --apiKey $api_key_id --apiIssuer $appstore_api_key_issuer To us it seems like altool strips the entitlements from the .ipa. What are we doing wrong?

We have developed a library and a DriverKit driver on Mac platform. And we need to disable SIP to install dext and later point of time if we enable SIP then the dext is non functional. So is it mandatory to disable the SIP for whole life time of dext? Also it is not recommended to disable the SIP for a long time, as it may create a security hole. Standard ways are given on Apple support page that how to notarise an application to distribute over the internet. Here one mandatory account is required that is Apple Developer account which is a paid account we believe. Standing at this point can you share the complete steps of software distribution process which will include code signing, notarisation process and stapling.

Hi everyone! We use to have an intel Mac machine where we generate the Developer ID Installer &amp; Application certs for signing and notarization process. This process works sweet. Now, we move from an intel to a m1 Mac machine, where we want to do the same process as before. I had try two different approaches, but ending up with the same result. I export the cert with the private key from my intel to the m1 machine, but when I try to sign, I get: Invalid signature. (Not sure what this error means in this case as everything works on the intel machine. I am guessing the cipher for creating either the private key or the signature differs between the architecture) I try to generate new certs for this m1 machine, but I get the following error: You already have a current Developer ID installer certificate or a pending certificate request. I try with the same account, but also with a different account. In both cases got the same error. I create a ticket for apple, where they said to expect a reply between one and two business days, but no luck yet.

I'm trying to build my Expo app. I already built it for Android, but now I'm struggling to create a release on iOS to upload on TestFlight. I have the apple developer account of my university, and they added our bundle ID there(I'm not an admin). When I try to build with EAS, it requires a p12 file. So, I tried to generate it in this way: From Keychain Access I created a CSR(by adding my mail and name) and then on Apple Developers I uploaded it(Certificates > +), so I downloaded a .cer file I opened the .cer on Keychain Access and I dragged it under "login" section From there I exported the p12 file But that p12 gives me always this error when I run npx eas build --platform ios : Provided Distribution Certificate is no longer valid on Apple's server after submitting the p12 file on eas console. Can someone help us? Thanks in advance for your availability :)

I have a personal app I use only for myself on my iPhone. I do not distribute this. Its stops working every year when my renewal comes up. Once I renew my subscription I reload the app onto my phone and it works again. Is there a way that I can have it work forever without having to reload it every year? Sometimes I forget to reload after my renewal and it does not work until I do so.