I am facing a problem with notarisation of Electron apps. I have submitted my NodeJS code and the validation takes a long time.
Hope anyone can clarify why it takes so long.
Code Signing
Certify that an app was created by you using Code signing, a macOS security technology.
Posts under Code Signing tag
200 Posts
Hello,
I'm running into an issue when code signing my .app file on macOS. After introducing the --entitlements flag, I'm encountering an error that prevents the app from launching:
Error Messages:
App UI: "Cannot open the file"
Terminal (using open file.app)
The application cannot be opened for an unexpected reason, error=Error Domain=RBSRequestErrorDomain Code=5 "Launch failed." UserInfo={NSLocalizedFailureReason=Launch failed., NSUnderlyingError=0x60000216d620 {Error Domain=NSPOSIXErrorDomain Code=153 "Unknown error: 153" UserInfo={NSLocalizedDescription=Launchd job spawn failed}}}
Troubleshooting Details:
Without code signing, the app launches and permission pop-ups function correctly (the file tauri generates).
With code signing (but without --entitlements), the app launches but there are no permission pop-ups.
All scenarios (without signing, with signing, with signing + --entitlements) have Info.plist in the /Contents of the .app file
Notarizing and stapling works fine when I do not include the --entitlements flag when signing.
Code for signing with entitlements:
codesign --timestamp --sign "Developer ID Application: ()" --options=runtime --entitlements ./src-tauri/Info.plist "${APP_FILE}"
Specifications
MacBook Air, M2, 16GB
macOS Sonoma 14.3.1
Xcode 15.2 (Build version 15C500b)
I have an app being deployed to QA ad hoc. All the builds have always been signed with the same provisioning profile under the same developer account. In the last two weeks, I built two different versions (e.g. 0.0.2 and 0.0.3). So, QA has been working with version 0.0.2 until last Wednesday when 0.0.3 was ready. The new build was signed in exactly the same way as before. However, on a test device with iOS 16.3.1, it did not start, showing the following message:
(Note: Everything was OK with Internet connection there, as QA tried to run the app immediately after downloading it and also tried it dozens of times.)
NB1: After the problem appeared, QA checked the previous version 0.0.2, and it still ran fine on the target device. However, the issue persisted when returning to 0.0.3.
NB2: The app does not appear in Settings/General/VPN&Device management section, so there is no way to actually verify it
NB3: The same IPA file runs on iOS 12 and 14 without any issues all the time.
I would greatly appreciate it if somebody could clarify the reasons of such behaviour or at least point out how to avoid it in future.
I've installed the same developer certificate onto three different Macs.
When viewed in the keychain (or in Xcode) on one Mac it says its revoked, on another it says its not trusted, but on a third there's no issue reported.
How could there be a difference between the three Macs?
(Both Macs have the date/time set to be the same).
Can 3rd party software, VPNs etc. interfere in this at all?
Relevant background:
WWDC23: Get started with privacy manifests
WWDC23: Verify app dependencies with digital signatures
Upcoming third-party SDK requirements
Many of the SDKs that will require privacy manifests and signatures are distributed as source and integrated via Swift Package Manager. I recently studied the progress made by ~10 of the listed SDKs and it seems like there's a growing consensus that the solution to including a privacy manifest when distributing via source is to list the manifest as a bundled resource.
However, I've seen little discussion of the signing requirement. This is understandable since, as the forum post Digital signatures available for Swift Packages? points out, the dependency signing talk was focused on binaries. Yet, I'm curious whether signing of some kind will actually be required for SDKs distributed as source (e.g. to enable validating the authenticity of the privacy manifest).
Clarification on this point would help tremendously as we work to ensure we'll be compliant as soon as the new requirement begins to be enforced.
Hello everyone,
Due to a change in our development team we had to revoke some certificates and regenerate new ones. I have generated a Development Mobile profile including the needed certificates etc. Also, in Xcode 15 I have disabled "automatically manage signing" and everything looks okay as I can see the generated provisioning profile, my team, my certificate etc. The build is working correctly. We are using App Center as a CI to build/archive our iOS app.
During the last step of the archive export I have the following error which I cannot resolve :
[command]/usr/libexec/PlistBuddy -c Print CFBundleIdentifier /Users/runner/work/1/output/build/archive/OurStagingApp.xcarchive/Products/Applications/OurStagingApp.app/Info.plist
com.OurStagingDomain.OurStagingApp
[command]/usr/libexec/PlistBuddy -c Add provisioningProfiles:com.OurStagingApp.OurStagingApp string toktokdoc provisioning profile development _XcodeTaskExportOptions.plist
[command]/usr/bin/xcodebuild -exportArchive -archivePath /Users/runner/work/1/output/build/archive/OurStagingApp.xcarchive -exportPath /Users/runner/work/1/output/build/export/_XcodeTaskExport_OurStagingApp -exportOptionsPlist _XcodeTaskExportOptions.plist
2024-02-08 14:21:05.218 xcodebuild[18640:56463] [MT] IDEDistribution: -[IDEDistributionLogging _createLoggingBundleAtPath:]: Created bundle at path "/var/folders/r0/ztvld9wd66bfpv_g6h3ksl000000gn/T/OurStagingApp_2024-02-08_14-21-05.213.xcdistributionlogs".
2024-02-08 14:21:05.370 xcodebuild[18640:56463] [MT] IDEDistribution: -[IDEDistributionMethodManager orderedDistributionMethodsForTask:archive:logAspect:]: Error = Error Domain=IDEDistributionMethodManagerErrorDomain Code=2 "Unknown Distribution Error" UserInfo={NSLocalizedDescription=Unknown Distribution Error}
error: exportArchive: exportOptionsPlist error for key "method": expected one of {}, but found development
Error Domain=IDEFoundationErrorDomain Code=1 "exportOptionsPlist error for key "method": expected one of {}, but found development" UserInfo={NSLocalizedDescription=exportOptionsPlist error for key "method": expected one of {}, but found development}
** EXPORT FAILED **
##[error]Error: /usr/bin/xcodebuild failed with return code: 70
I tried to regen certificates, regen provisioning profile, use automatically signed..
Also this is the logs of the last working build :
DEV PROV PROFILE TokTokDocRCX
[command]/bin/rm -f _xcodetasktmp.plist
[command]/usr/libexec/PlistBuddy -c Print CFBundleIdentifier /Users/runner/work/1/output/build/archive/OurStagingApp.xcarchive/Products/Applications/OurStagingApp.app/Info.plist
com.OurDomain.OurStagingApp
[command]/usr/libexec/PlistBuddy -c Add provisioningProfiles:com.OurDomain.OurStagingApp string DEV PROV PROFILE TokTokDocRCX _XcodeTaskExportOptions.plist
[command]/usr/bin/xcodebuild -exportArchive -archivePath /Users/runner/work/1/output/build/archive/OurStagingApp.xcarchive -exportPath /Users/runner/work/1/output/build/export/_XcodeTaskExport_OurStagingApp -exportOptionsPlist _XcodeTaskExportOptions.plist
2023-08-02 11:20:01.234 xcodebuild[19044:64264] [MT] IDEDistribution: -[IDEDistributionLogging _createLoggingBundleAtPath:]: Created bundle at path "/var/folders/cn/nkrr6l5n0jz01kq9jbtb9tg00000gn/T/OurStagingApp_2023-08-02_11-20-01.233.xcdistributionlogs".
Exported OurStagingApp to: /Users/runner/work/1/output/build/export/_XcodeTaskExport_OurStagingApp
** EXPORT SUCCEEDED **
I have replaced some logs with "OurStagingApp".
Also when trying to build the archive via xcode 15 the button validate is disabled.
In my podfile (the per-configuration settings sit inside the usual CocoaPods post_install hook):
post_install do |installer|
  installer.pods_project.targets.each do |target|
    target.build_configurations.each do |config|
      config.build_settings['ENABLE_BITCODE'] = 'NO'
      config.build_settings['CODE_SIGNING_ALLOWED'] = 'NO'
      config.build_settings['IPHONEOS_DEPLOYMENT_TARGET'] = '14.0'
      config.build_settings['BUILD_LIBRARY_FOR_DISTRIBUTION'] = 'YES'
      config.build_settings['SKIP_INSTALL'] = 'NO'
    end
  end
end
Thanks for your help
When we added a com.apple.developer.associated-domains entitlement to our apps, they crash on launch with a code signing error on our old 2011 Mac running 10.13.6 High Sierra.
The signature is accepted on current Macs, and the associated domains do work.
The command line utilities say everything is ok, the entitlement is in the signature and the embedded profile.
The apps will run fine on High Sierra without the entitlement.
The only guess I have is perhaps High Sierra is rejecting any unknown entitlement?
The error is
Code has restricted entitlements, but the validation of its code signature failed.
Unsatisfied Entitlements:
No Unsatisfied Entitlements are listed.
Removing the entitlements from the signature lets the apps run on High Sierra.
Hi,
I have created a universal app, then did this:
https://support.apple.com/en-vn/guide/apple-business-essentials/axm20c32e0c6/web
But this doesn't produce a working package installer.
productbuild --sign "3rd Party Mac Developer Installer: ****" --component /Applications/MyApp.app MyApp-universal.pkg
Do I need to create a code signature with codesign, prior to call productbuild?
regards, Joël
Learn how code signing uses certificates to identify code authors: see Technote TN3161.
Hello,
I'm currently having signing issues submitting my Swift macOS app to App Store Connect. After submitting it using Xcode I receive an e-mail with these issues:
ITMS-90238: Invalid Signature - The main app bundle CodeMenu at path CodeMenu.app has following signing error(s): nested code is modified or invalid . Refer to the Code Signing and Application Sandboxing Guide at http://developer.apple.com/library/mac/#documentation/Security/Conceptual/CodeSigningGuide/AboutCS/AboutCS.html and Technical Note 2206 at https://developer.apple.com/library/mac/technotes/tn2206/_index.html for more information.
ITMS-90238: Invalid Signature - The nested app bundle CodeMirror-SwiftUI at path CodeMenu.app/Contents/Frameworks/CodeMirror-SwiftUI.framework has following signing error(s): valid on disk /Volumes/workspace/app_data/SWValidationService/mz_15562079435119469448dir/mz_7860448159412669971dir/id.thedev.marcin.CodeMenu.pkg/Payload/CodeMenu.app/Contents/Frameworks/CodeMirror-SwiftUI.framework/Versions/A: does not satisfy its designated Requirement /Volumes/workspace/app_data/SWValidationService/mz_15562079435119469448dir/mz_7860448159412669971dir/id.thedev.marcin.CodeMenu.pkg/Payload/CodeMenu.app/Contents/Frameworks/CodeMirror-SwiftUI.framework/Versions/A: explicit requirement satisfied . Refer to the Code Signing and Application Sandboxing Guide at http://developer.apple.com/library/mac/#documentation/Security/Conceptual/CodeSigningGuide/AboutCS/AboutCS.html and Technical Note 2206 at https://developer.apple.com/library/mac/technotes/tn2206/_index.html for more information.
ITMS-90238: Invalid Signature - The nested app bundle iosMath at path CodeMenu.app/Contents/Frameworks/iosMath.framework has following signing error(s): valid on disk /Volumes/workspace/app_data/SWValidationService/mz_15562079435119469448dir/mz_7860448159412669971dir/id.thedev.marcin.CodeMenu.pkg/Payload/CodeMenu.app/Contents/Frameworks/iosMath.framework/Versions/A: does not satisfy its designated Requirement /Volumes/workspace/app_data/SWValidationService/mz_15562079435119469448dir/mz_7860448159412669971dir/id.thedev.marcin.CodeMenu.pkg/Payload/CodeMenu.app/Contents/Frameworks/iosMath.framework/Versions/A: explicit requirement satisfied . Refer to the Code Signing and Application Sandboxing Guide at http://developer.apple.com/library/mac/#documentation/Security/Conceptual/CodeSigningGuide/AboutCS/AboutCS.html and Technical Note 2206 at https://developer.apple.com/library/mac/technotes/tn2206/_index.html for more information.
ITMS-90296: App sandbox not enabled - The following executables must include the 'com.apple.security.app-sandbox' entitlement with a Boolean value of true in the entitlements property list: [[CodeMenu.app/Contents/MacOS/CodeMenu]] Refer to App Sandbox page at https://developer.apple.com/documentation/security/app_sandbox for more information on sandboxing your app.
The app has required entitlements enabled, like App Sandbox and Hardened Runtime.
I don't know what the cause of it can be, but from what I read I'm guessing that something is somewhere it isn't meant to be and the other issues are a result of it. However, I don't know how I can begin debugging this. Thank you in advance.
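Two of the threads above turn on what codesign is handed with --entitlements: the Tauri post passes ./src-tauri/Info.plist, whereas --entitlements expects an entitlements property list (a dict of reverse-DNS keys such as com.apple.security.app-sandbox), and the ITMS-90296 message above rejects a Mac App Store build whose com.apple.security.app-sandbox entitlement is not a boolean true. The following is an added example, not code from either poster or from Apple: a small lint for an entitlements file that is run before signing. The sample plists inside it are constructed for the example.

```python
"""Lint an entitlements file before handing it to `codesign --entitlements`.

Added example; not code from any post on this page. It flags an Info.plist
passed where an entitlements plist is expected, entitlement values with the
wrong type, and a Mac App Store build missing a boolean-true app-sandbox
entitlement. All sample plists below are constructed for the example.
"""
import plistlib
import sys

SANDBOX = "com.apple.security.app-sandbox"

# Info.plist keys that never belong in an entitlements file.
INFO_PLIST_PREFIXES = ("CFBundle", "LS", "UI", "NSPrincipalClass",
                       "NSMainNibFile", "NSHumanReadableCopyright")


def looks_like_info_plist_key(key: str) -> bool:
    return key.startswith(INFO_PLIST_PREFIXES) or key.endswith("UsageDescription")


def lint_entitlements(data: bytes, require_sandbox: bool = False) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    try:
        plist = plistlib.loads(data)
    except Exception as exc:  # InvalidFileException, or an expat error for bad XML
        return [f"not a parseable plist: {exc}"]
    if not isinstance(plist, dict):
        return [f"top-level object must be a dict, got {type(plist).__name__}"]

    info_keys = sorted(k for k in plist if looks_like_info_plist_key(k))
    if info_keys:
        findings.append("looks like an Info.plist, not an entitlements file "
                        f"(keys: {', '.join(info_keys)})")

    for key, value in plist.items():
        if "." not in key and key not in info_keys:
            findings.append(f"{key}: entitlement keys are reverse-DNS identifiers")
        # The sandbox switch and the hardened-runtime exceptions are booleans;
        # <string>true</string> or <integer>1</integer> is a different, wrong value.
        if key == SANDBOX or key.startswith("com.apple.security.cs."):
            if not isinstance(value, bool):
                findings.append(f"{key}: expected <true/> or <false/>, "
                                f"got {type(value).__name__} {value!r}")

    if require_sandbox and plist.get(SANDBOX) is not True:
        findings.append(f"{SANDBOX} must be present and true for a Mac App Store build")
    return findings


# Constructed sample: an Info.plist mistakenly passed to --entitlements.
INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.demo</string>
    <key>CFBundleExecutable</key>
    <string>demo</string>
    <key>NSCameraUsageDescription</key>
    <string>Needed to scan documents.</string>
</dict>
</plist>
"""

# Constructed sample: right keys, wrong value types.
BAD_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <string>true</string>
    <key>com.apple.security.cs.allow-jit</key>
    <integer>1</integer>
    <key>com.apple.security.network.client</key>
    <true/>
</dict>
</plist>
"""

# Constructed sample: what a sandboxed App Store build should carry.
GOOD_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
</dict>
</plist>
"""


def main(argv: list) -> int:
    """Usage: lint_entitlements.py FILE.entitlements [--app-store]"""
    if len(argv) < 2:
        print(main.__doc__, file=sys.stderr)
        return 2
    with open(argv[1], "rb") as fh:
        findings = lint_entitlements(fh.read(), require_sandbox="--app-store" in argv)
    for finding in findings:
        print("FAIL:", finding)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the file you intend to pass to --entitlements; a non-zero exit means fix the file before signing, and a clean run is the moment to sign and then confirm with codesign -d --entitlements that the signature carries the keys you expect.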
It requires a provisioning profile, and while I have one, I cannot select it within Signing & Capabilities since it is empty.
On blank projects it works as intended, but whenever the Unity stuff gets imported, it just disappears entirely, making it impossible to export Unity Titles to visionOS.
Hello everyone
I tried to upload my playground app via Xcode to App Store Connect. Unfortunately it didn't work. I tried everything the error suggested, but it's still not working. Has anyone ever encountered this error?
I've developed a Java application for ad hoc distribution, not intended for the Apple Store. Using the jpackage utility and the parameters...
--mac-sign
--mac-signing-keychain
--mac-signing-key-user-name
...I'm able to point the software to a signing certificate.
My problem is that jpackage requires a certificate with a "Developer ID Application" type/prefix, and I'm not authorized to create a certificate of this type, as "This operation can only be performed by the account holder."
I thought it might be sufficient to create a "Distribution" certificate, since this allows a developer to "Sign your iOS, iPadOS, macOS, tvOS, watchOS, and visionOS apps for release testing using Ad Hoc distribution or for submission to the App Store." However, there doesn't appear to be any way to get jpackage to accept anything other than a "Developer ID Application" -prefixed certificate.
I gather from this, and the fact that the Developer ID Application certificate is described as "This certificate is used to code sign your app for distribution outside of the Mac App Store," that this is the only type of "legitimate" security certificate Apple will accept when launching out-of-store apps. I'm not certain of this, however, and I'd like to be certain before pestering my client about it.
My questions are:
Is a "Developer ID Application" certificate specifically required, or can I sign the app using, e.g., a "Distribution" certificate without issues?
If a "Developer ID Application" certificate is required, is it possible for my client (the "Account Holder") to grant me access to download it and use it?
If a "Developer ID Application" certificate is required, what exactly is a "Distribution" certificate good for? Why isn't it sufficient to distribute software?
If I can sign the app using a Distribution certificate, is there a way to force jpackage to do this, or do I have to do it manually using, e.g., codesign ex post facto?
Note that this issue has cropped up before on this thread, but the developer there ultimately found his developer ID certificate and the discussion was abandoned before any answers were forthcoming.
Hi team
We are facing the following message, "A timestamp was expected but was not found", during codesign of the following .pkg file, and it causes the Jenkins NB process to fail.
We have been facing this issue for the last 3 days; it was working on 18th January.
Kindly let us know how to fix this problem.
Rgds
I'm working on a macOS app that uses a JSContext and I want to debug it with the Safari Web Inspector.
According to Session 402 at WWDC 2016 the following entitlement is required:
<key>com.apple.webinspector.allow</key>
<true/>
This is easy enough to add, but it causes the app to crash at launch with a code signing issue. The console shows that taskgated-helper is reporting just before the crash:
Unsatisfied entitlements: com.apple.webinspector.allow
For anyone who finds this, here's what you need to know:
https://webkit.org/blog/13936/enabling-the-inspection-of-web-content-in-apps/
Basically, there's now an inspectable property on both the WKWebView and JSContext. Unfortunately, there's no mention of the old entitlement in the WebKit blog post, so it's impossible for folks using the old technique to find.
Hopefully this post will bridge this gap.
It also might be something for @eskimo to add to his (always helpful) code signing documentation.
-ch
I need an OV certificate to code sign an Electron application. I was used to building the application in Jenkins, both for Windows and macOS, using Electron-Forge (https://www.electronforge.io/guides/code-signing/code-signing-macos). To be more specific, I use Xcode and Keychain to store the certificate.
Sadly, new certificate industry requirements will force me to use Azure Key Vaults (or other cloud HSM alternatives) to store the certificate.
I need to find a way to code-sign it for macOS from Azure Key Vaults or equivalent solutions.
Thank you
Both the codesign tool and Xcode allow you to sign code with a hardware-based code-signing identity. However, setting that up can be a bit of a challenge. Recently a developer opened a DTS tech support incident requesting help with this, and so I thought I’d post my instructions here for the benefit of all.
If you have any questions or comments about this, please start a new thread, tagging it with Code Signing so that I see it.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
Signing code with a hardware-based code-signing identity
Both the codesign tool and Xcode allow you to sign code with a hardware-based code-signing identity. This post explains how to set that up.
I used macOS 14.2.1 with Xcode 15.2. For my hardware-based key I used a YubiKey 5 NFC that I reset to its defaults. I installed YubiKey Manager 1.2.5.
IMPORTANT While I used a YubiKey, the code signing parts of this process should work with any token that has a functioning CryptoTokenKit driver.
In the case of the YubiKey, it presents a PIV interface and thus it’s supported by macOS’s built-in PIV CryptoTokenKit driver.
In this example I created an Apple Development certificate because those are a dime a dozen. This process should work with any other type of code-signing certificate. Indeed, it makes sense to store your most precious keys in a hardware token, including your Developer ID keys. For more on that topic, see The Care and Feeding of Developer ID.
Generate a certificate signing request
To generate a certificate signing request (CSR):
Connect the YubiKey via USB.
Dismiss any system alerts:
If the “Allow this accessory to connect?” alert comes up, click Allow.
If the Keyboard Setup Assistant comes up, quit that.
If the ctkbind notification comes up, dismiss that. Code signing does not require that you bind your login account to your hardware token.
Launch YubiKey Manager.
Choose Applications > PIV.
Click Configure Certificates.
Select Digital Signature (slot 9c). In the past I’ve run into situations where signing fails if you don’t use this slot, although I haven’t tested that in this particular case.
Click Generate.
Select Certificate Signing Request (CSR) and click Next.
Select the RSA2048 algorithm and click Next.
Enter a subject and click Next. The value you use here doesn’t matter because Apple ignores pretty much everything in the CSR except the public key.
Click Generate.
Choose a save location and name. Don’t include a file name extension.
When prompted for the management key, enter that and click OK.
When prompted for the PIN, enter that and click OK.
The app will generate a .csr file at your chosen location.
Quit YubiKey Manager.
Note Apple typically uses the .certSigningRequest extension for CSRs, but this process works just fine with the .csr extension used by YubiKey Manager.
Generate a certificate from your CSR
To generate a certificate from that CSR:
In Safari, go to Developer > Account and log in.
If you’re a member of multiple teams, make sure you have the correct one selected at the top right.
Click Certificates.
Click the add (+) button to create a new certificate.
Select Apple Development and click Continue.
Click Choose File, select your CSR file, and click Upload.
Click Continue to generate your certificate.
That takes you to the Download Your Certificate page. Click Download.
In Terminal, calculate a SHA-1 hash of your .cer file.
% shasum "development.cer"
840f40ef6b10bedfb2315ac49e07f7e6508a1680 development.cer
Import the certificate to form a code-signing identity
To import this certificate into your YubiKey:
Convert the certificate to PEM form:
% openssl x509 -in "development.cer" -inform der -out "development.pem"
Launch YubiKey Manager.
Choose Applications > PIV.
Click Configure Certificates.
Select Digital Signature (slot 9c).
Click Import.
In the file dialog, select the PEM and click Import.
When prompted for the management key, enter that and click OK. The UI updates to show the certificate issuer (Apple Worldwide Developer Relations Certificate Authority) and subject (Apple Development: UUU, where UUU identifies you).
Quit YubiKey Manager.
Unplug the YubiKey and then plug it back in.
Sign a test program
Before digging into Xcode, check that you can sign code with the codesign tool:
Create a small program to test with. In my case I decided to re-sign the built-in true command-line tool:
% cp "/usr/bin/true" "MyTool"
% codesign -s - -f "MyTool"
Run codesign to sign your program, passing in the SHA-1 hash of the certificate you imported into the YubiKey:
% codesign -s 840f40ef6b10bedfb2315ac49e07f7e6508a1680 -f "MyTool"
When prompted for the PIN, enter that and click OK. The codesign invocation completes like so:
% codesign -s 840f40ef6b10bedfb2315ac49e07f7e6508a1680 -f "MyTool"
MyTool: replacing existing signature
Sign from Xcode
To sign from Xcode:
Open your project in Xcode. In my case I created a new project by choosing File > New then selecting macOS > Command Line tool.
In Signing & Capabilities for the tool target, turn off “Automatically manage signing”.
In Build Settings, find the Code Signing Identity build setting, choose Other, and then enter the SHA-1 hash of your certificate.
Choose Product > Build.
When prompted for the PIN, enter that and click OK. The build then completes.
IMPORTANT This requires Xcode 13 or later. Earlier versions of Xcode only work with file-based code-signing identities.
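The procedure above hinges on one value: the SHA-1 hash of the certificate's DER encoding, which is what shasum prints for the .cer file, what security find-identity lists next to each identity, and what both codesign -s and the Xcode Code Signing Identity setting accept. Hashing the .pem produced by the openssl conversion step gives a different value that matches nothing. The following is an added example, not code from Quinn's post or from Apple, that derives the hash from either a DER or a PEM file, checks it against a find-identity listing, and assembles the codesign invocation. The certificate bytes and the listing it ships with are constructed placeholders, not a real Apple certificate; the --timestamp and --options runtime flags are documented codesign options that the post does not use for its local test.

```python
"""Turn a certificate file into the identity hash that codesign and Xcode accept.

Added example; not code from the post above. `codesign -s` and Xcode's
Code Signing Identity setting take the SHA-1 of the certificate's DER
encoding, which is what `shasum development.cer` prints. A PEM file hashes
to something else, so PEM input is converted to DER first. The sample
certificate bytes and find-identity listing are constructed placeholders.
"""
import base64
import hashlib
import re
import shutil
import subprocess
import sys

PEM_BLOCK = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
# One identity line of `security find-identity -v -p codesigning`:  1) <sha1> "<name>"
IDENTITY_LINE = re.compile(r'^\s*\d+\)\s+([0-9A-Fa-f]{40})\s+"(.*)"\s*$')


def certificate_der(data: bytes) -> bytes:
    """Return the DER bytes of exactly one certificate from DER or PEM input."""
    blocks = PEM_BLOCK.findall(data)
    if not blocks:
        # No PEM armor: must already be DER, which starts with a SEQUENCE tag.
        if not data.startswith(b"\x30"):
            raise ValueError("input is neither PEM nor a DER SEQUENCE")
        return data
    if len(blocks) != 1:
        raise ValueError(f"expected one certificate, found {len(blocks)}: "
                         "an identity hash names a single leaf certificate")
    return base64.b64decode(b"".join(blocks[0].split()))


def codesign_identity_hash(data: bytes) -> str:
    """SHA-1 of the DER certificate, upper-case hex as `security find-identity` prints it."""
    return hashlib.sha1(certificate_der(data)).hexdigest().upper()


def raw_file_hash(data: bytes) -> str:
    """What `shasum FILE` prints; equals the identity hash only when FILE is DER."""
    return hashlib.sha1(data).hexdigest().upper()


def find_identity(listing: str, fingerprint: str):
    """Return the identity name whose hash matches, or None if the keychain/token lacks it."""
    for line in listing.splitlines():
        m = IDENTITY_LINE.match(line)
        if m and m.group(1).upper() == fingerprint.upper():
            return m.group(2)
    return None


def codesign_argv(identity: str, path: str, entitlements: str = None,
                  hardened_runtime: bool = True) -> list:
    """Assemble the codesign command line from documented codesign options."""
    argv = ["codesign", "--force", "--timestamp", "--sign", identity]
    if hardened_runtime:
        argv += ["--options", "runtime"]
    if entitlements:
        argv += ["--entitlements", entitlements]
    return argv + [path]


# Constructed placeholder "certificate": a DER SEQUENCE tag plus filler bytes.
SAMPLE_DER = b"\x30\x82\x00\x30" + b"placeholder body, not a real X.509 certificate"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
SAMPLE_HASH = codesign_identity_hash(SAMPLE_DER)
# Constructed listing in the shape `security find-identity -v -p codesigning` prints.
SAMPLE_LISTING = (f'  1) {SAMPLE_HASH} "Apple Development: Example Developer (TEAMID1234)"\n'
                  "     1 valid identities found\n")


def main(argv: list) -> int:
    """Usage: identity_hash.py CERT.cer|CERT.pem [PATH_TO_SIGN]"""
    if len(argv) < 2:
        print(main.__doc__, file=sys.stderr)
        return 2
    with open(argv[1], "rb") as fh:
        fingerprint = codesign_identity_hash(fh.read())
    print("identity hash:", fingerprint)
    if sys.platform == "darwin" and shutil.which("security"):
        listing = subprocess.run(["security", "find-identity", "-v", "-p", "codesigning"],
                                 capture_output=True, text=True, check=False).stdout
        name = find_identity(listing, fingerprint)
        print("identity:", name or "NOT FOUND (token unplugged, or certificate not imported?)")
        if name is None:
            return 1
    if len(argv) > 2:
        cmd = codesign_argv(fingerprint, argv[2])
        print("running:", " ".join(cmd))
        return subprocess.run(cmd, check=False).returncode
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The find-identity check is the one worth keeping in a CI script: when the token is unplugged, or the certificate was imported into a slot macOS does not expose, the hash is still correct but no identity matches it, and codesign fails with a less specific error than "not found in the listing".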
Hi everyone :)
I'm exploring XPC these days; more specifically, I'm trying to establish a connection between a macOS application and an XPC service.
I succeeded in establishing the connection, but now I'm trying to verify the incoming connection by using SecCodeCopyGuestWithAttributes, passing it an audit token.
But I got the following error:
2024-01-18 10:43:06.805435+0100 DemoService[1627:7118397] [logging-persist] cannot open file at line 46922 of [554764a6e7]
2024-01-18 10:43:06.805452+0100 DemoService[1627:7118397] [logging-persist] os_unix.c:46922: (0) open(/private/var/db/DetachedSignatures) - Undefined error: 0
Cannot get SecCode: 100001 - UNIX[Operation not permitted]
Audit token: Optional(32 bytes)
The last two lines come from my code:
import Foundation
import Security

class XPCClientValidator {
    var secCodeOptional: SecCode? = nil

    func identifyGuest(for connection: NSXPCConnection) -> Bool {
        // Audit token of the peer, extracted from the connection (helper defined elsewhere in the project)
        let auditToken = AuditToken.extractToken(from: connection)
        // nil host means the code signing root of trust should be used as host.
        let hostSecCode: SecCode? = nil
        let attributes = [kSecGuestAttributeAudit: auditToken] as CFDictionary
        let secFlags = SecCSFlags(rawValue: 0)
        // Asks the code host to identify the guest given the audit token
        let status: OSStatus = SecCodeCopyGuestWithAttributes(hostSecCode, attributes, secFlags, &self.secCodeOptional)
        if status != errSecSuccess {
            let msg = SecCopyErrorMessageString(status, nil)!
            print("Cannot get SecCode: \(status) - \(msg)")
            print("Audit token: \(String(describing: auditToken))")
            return false
        }
        guard let _ = secCodeOptional else {
            NSLog("Couldn't unwrap the secCode")
            return false
        }
        return true
    }
}
I saw a few posts on the forum, but nothing helped me to solve this issue.
The complete source code is here: https://github.com/tony-go/XPCDemo/tree/secure-xpc
Note: If you want to reproduce it, you have to:
start the app
type a random input
click on "uppercase it"
I am stuck. I have an iPadOS app that installs and calls a DEXT. I have a provisioning file for the DEXT and another for the app. Xcode shows me that the respective provisioning files match the bundle ids and that the entitlements and provisions match up. I have a developer certificate (two, actually) on the iPad. Xcode shows me, via "Devices" that the provisioning files are installed. When I try to run the app, I get:
0x16d3db000 +[MICodeSigningVerifier _validateSignatureAndCopyInfoForURL:withOptions:error:]: 78: Failed to verify code signature of /var/installd/Library/Caches/com.apple.mobile.installd.staging/temp.vyncZ7/extracted/USBApp.app/SystemExtensions/w1ebr.MUUI.ipadOS.driver.dext : 0xe8008015 (A valid provisioning profile for this executable was not found.)
I don't know what to check next.
I have a simple CLI app bundle that activates my system extension. When I sign it for development it works fine. However, once I sign it with my Developer ID certificate for distribution, the network extension will not activate, getting stuck in the activation request and completely killing any internet connectivity until I restart.
The only thing that I see is different is when I call systemextensionsctl list I get something like:
1 extension(s)
--- com.apple.system_extension.network_extension
enabled active teamID bundleID (version) name [state]
<TEAM_ID> com.company.networkExt (1.0/240116145656) - [validating by category]
* * <TEAM_ID> com.company.networkExt (1.0/240115061310) ProxyExtension [activated enabled]
Where the one specifying [validating by category] is the one that I'm trying to activate signed with the developer ID cert. The one that is [activated enabled] got there from a dev build.
The app was built and notarized and shows to be valid by any codesign -dv --verify --strict and spctl commands that I've found. The system extension is also valid according to codesign.
The entitlements are adjusted to use the -systemextension suffix to work with Developer ID certificates.
Is there another step required to make it work with a developer ID certificate?