Code Signing


Certify that an app was created by you using Code signing, a macOS security technology.

Posts under Code Signing tag

200 Posts

Post | Replies | Boosts | Views | Activity

Hardened runtime and kSecCodeStatusKill flag
For a unit test, we are building a (non-bundled) test executable with the ENABLE_HARDENED_RUNTIME build setting enabled (set to "YES"), which eventually causes codesign to be run with the "--option runtime" setting. The resulting binary has the "hardening" bit (0x1000) set in the code signature and there are no exceptions per entitlements. In our unit test, we launch the test executable, obtain a SecCodeRef to the (dynamic) code using SecCodeCopyGuestWithAttributes() and inspect the flags in the signing information. We expect both kSecCodeStatusHard and kSecCodeStatusKill to be set for this code. When building and testing locally, this is always the case. When building and testing in our build pipeline, this is mostly the case, but every now and then, the test fails, because both "hard" and "kill" flags are missing from the signing information. It is my understanding that the "runtime" option (or the "hardening" bit in the signature) causes those two flags to be set when the code executes - is this incorrect or not guaranteed? If OTOH this is a correct understanding I would also assume that those flags are being set before the executable enters its main() function? Any explanation why we sometimes don't see those flags in the SecCodeRef for the guest code?
Replies: 6 | Boosts: 0 | Views: 477 | Activity: Dec ’23
Problem with duplicate identity
On macOS Sonoma (with Xcode 15.0.1 installed) when I run this code-signing command in the terminal I get 2 exactly identical entries: xcrun security find-identity -v -p codesigning This causes problems with the Xcode command-line signing utility. What do I need to do to fix this duplicate identity problem? When I open the Keychain app I only see one entry.
Replies: 2 | Boosts: 0 | Views: 360 | Activity: Dec ’23
Getting code signing errors when attempting to build RetroArch for my Apple TV 4K
I am a complete noob to macOS, iOS or tvOS development and am simply trying to follow this article from the LibRetro documentation: https://docs.libretro.com/development/retroarch/compilation/ios/. I have followed all of the steps up to and including the first RetroArch build attempt, but I get a plethora of errors during that step as shown by the attached transcript. Any help would be very much appreciated. MTIA! :-D Transcript of Xcode Build Log
Replies: 2 | Boosts: 1 | Views: 637 | Activity: Dec ’23
Can't upload a build to App Store Connect | Xcode keeps creating an expired WDRC certificate
I can't upload a build via Xcode Organizer on Sonoma with Xcode 15.0.1. When I try to upload the build to App Store Connect via Xcode Organizer I get an error message: "App Store Connect access for ... is required. Add an account in Accounts settings." + "No App Store Connect access for the team". For info, I use my Apple ID as admin. I've tried several reboots (device and Xcode), in addition to many sign in/out from the account manager. All my certificates are created. No success. But I've found a strange issue with the WDRC (Apple Worldwide Developer Relations Certification Authority) certificate that may explain this error message (probably generic). I've created a dummy iOS project, and every time Xcode is managing the signing process (Automatic), an expired WDRC certificate is generated in Keychain. I can delete the certificate (Certificate Tab) but Xcode keeps generating the file every time I open the project. The certificate sits next to the valid WDRC certificate. I've cleared all the provision profiles, and those in App Store Connect, but Xcode keeps creating this expired certificate. I guess it's related to the "App Store Connect access" issue. I have several apps on the App Store; this is the first time I get blocked with such an issue. I need help.
Replies: 9 | Boosts: 0 | Views: 2.0k | Activity: Dec ’23
Notarization Signature Errors
Hi! I'm having an issue notarizing my app. I've developed my app in Python, packaged it with py2app and then codesigned it using command-line: codesign --deep --sign "Developer ID Application: Name (ID)" MyApp.app and verified it using: codesign --verify --verbose MyApp.app with no problem. I then continued to notarize it with notarytool: xcrun notarytool submit MyApp.zip --keychain-profile "MyProfile" --wait and everything went smoothly, however, the process ended as invalid. This is a recurring issue (used altool beforehand) where I get errors that prevent the notarization due to signature issues, some of them: "The signature of the binary is invalid." "The executable does not have the hardened runtime enabled." "The binary is not signed with a valid Developer ID certificate." "The signature does not include a secure timestamp." And so on. The issue is that this is occurring to the contents of the app and the Python libraries and other dependencies it uses, not MyApp.app itself. I've read online in many places and couldn't find what I am missing. I've followed the code-signing and notarization instructions to no avail. I hope someone here can help me solve this problem or figure out what I am missing. Many thanks :)
Replies: 2 | Boosts: 1 | Views: 603 | Activity: Dec ’23
Command CodeSign failed with a nonzero exit code
Can someone please help me? I am new to using Xcode and SwiftUI. I recently updated to Sonoma and now am having issues building and running projects. I am creating this for a class assignment due in a few days; any help is appreciated. Currently I am having this error upon simply creating a new file:
"
Showing Recent Errors Only
Build target ImageApp of project ImageApp with configuration Debug
CodeSign /Users/carina/Library/Developer/Xcode/DerivedData/ImageApp-braozmttxaqevhglgrebdherlmlh/Build/Intermediates.noindex/Previews/ImageApp/Products/Debug/ImageApp.app (in target 'ImageApp' from project 'ImageApp')
cd /Users/carina/Desktop/AME\ 430/ImageApp
Signing Identity: "Apple Development: [my email] (B75Q73AMVQ)"
/usr/bin/codesign --force --sign 9AFE419D4A362429289B899DECCFB65E5F68E135 -o runtime --entitlements /Users/carina/Library/Developer/Xcode/DerivedData/ImageApp-braozmttxaqevhglgrebdherlmlh/Build/Intermediates.noindex/Previews/ImageApp/Intermediates.noindex/ImageApp.build/Debug/ImageApp.build/ImageApp.app.xcent --timestamp\=none --generate-entitlement-der /Users/carina/Library/Developer/Xcode/DerivedData/ImageApp-braozmttxaqevhglgrebdherlmlh/Build/Intermediates.noindex/Previews/ImageApp/Products/Debug/ImageApp.app
/Users/carina/Library/Developer/Xcode/DerivedData/ImageApp-braozmttxaqevhglgrebdherlmlh/Build/Intermediates.noindex/Previews/ImageApp/Products/Debug/ImageApp.app: replacing existing signature
/Users/carina/Library/Developer/Xcode/DerivedData/ImageApp-braozmttxaqevhglgrebdherlmlh/Build/Intermediates.noindex/Previews/ImageApp/Products/Debug/ImageApp.app: resource fork, Finder information, or similar detritus not allowed
Command CodeSign failed with a nonzero exit code
Command CodeSign failed with a nonzero exit code
"
Replies: 1 | Boosts: 0 | Views: 503 | Activity: Dec ’23
Codesigning/TestFlight differences for macOS distributed apps for macOS 12 and 13/14
We have run into a very unique situation with codesigning and testing the apps under TestFlight under macOS 12 and macOS 13/14. We have existing apps on the Mac App Store and we are trying to basically update them. When we run the newly updated versions via TestFlight under macOS 12, everything is working. However, the same apps under macOS 13/14 and TestFlight crash and we have narrowed it to a codesigned dylib issue of ours. We are getting an invalid code signature message when we try to load a dylib under macOS 13/14 and the app crashes as we can't get the dylib code pointer. Basically CFBundleGetFunctionPointerForName returns an invalid value. Just to explain, we build our dylibs/bundles and codesign them outside - as these are built at the command line level and finally we package these within our apps under Xcode and go through the whole app building/archiving, code signing, validation and uploading that to the App Store. The crash log shows -
Code Type: ARM-64 (Native)
Parent Process: launchd [1]
User ID: 501
Date/Time: 2023-11-28 23:31:11.9903 +0900
OS Version: macOS 13.6 (22G120)
Report Version: 12
Anonymous UUID:
Time Awake Since Boot: 370000 seconds
System Integrity Protection: enabled
Crashed Thread: 7
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000000
Exception Codes: 0x0000000000000001, 0x0000000000000000
Termination Reason: Namespace SIGNAL, Code 11 Segmentation fault: 11
Terminating Process: exc handler [91418]
VM Region Info: 0 is not in any region. Bytes before following region: 4368842752
REGION TYPE START - END [ VSIZE] PRT/MAX SHRMOD REGION DETAIL
UNUSED SPACE AT START
---> __TEXT 104674000-1047f0000 [ 1520K] r-x/r-x SM=COW ...essional 2017
Thread 0:: Dispatch queue: com.apple.main-thread
0 libsystem_kernel.dylib 0x195a83de4 _kernelrpc_mach_port_deallocate_trap + 8
1 libsystem_kernel.dylib 0x195a85270 mach_port_deallocate + 28
2 QuartzCore 0x19d0cc458 CA::Context::destroy() + 512
3 QuartzCore 0x19d22135c invocation function for block in CA::Context::commit_transaction(CA::Transaction*, double, double*) + 100
We have double checked/triple checked the certificates and profiles and everything is valid. What is strange is that it works under macOS 12 and TestFlight but not under macOS 13/14. For both Intel/Arm. Any ideas anyone?
Replies: 1 | Boosts: 0 | Views: 365 | Activity: Nov ’23
Code signing, OS versions, and an older MacBook Pro
Have been working on a Java Open Source project for 8 years with the last 2+ years on a cross-platform desktop GUI for it with a separate updater. The self-contained application runs on Linux and Windows - now I'm trying to figure out Mac. Have had a MacBook Pro 13" Late 2013 Retina running Big Sur 11.7.10 for 3 weeks. Very new to Apple, but a retired 48-year engineer trying to support macOS for the first time. Building with Ant and appbundler task, https://github.com/TheInfiniteKind/appbundler, then creating a DMG with DMG Canvas, https://www.araelium.com/dmgcanvas. Deliberately supporting older systems due to the nature of this data management and back-up application. It's been adapted to the macOS look 'n feel. Questions: If I sign up as an Apple Developer and pay the fee will this 2013 MacBook Pro still be able to sign DMG files - that will work on the latest macOS - after the end-of-support in December 2023? For an updater: Should both the main application and separate updater both be signed? The basic process is: Download updater into system temp folder, prepare and execute updater, stop desktop application, updater downloads new version, prepares and copies update to installed location, then restarts desktop application and ends the updater. I'm old and have set up this Open Source project and web site so that it can be passed-off to others when I stop, one way or another. Can the developer account or certificate credentials be transferred to someone else at that time? Guidance for a noob would be appreciated. Thank you for your time. The project, not released yet: https://github.com/Corionis/ELS/tree/Version-4.0.0
Replies: 2 | Boosts: 0 | Views: 664 | Activity: Nov ’23
Provisioning profile doesn't support the HealthKit capability, doesn't include com.apple.developer.healthkit and com.apple.developer.healthkit.access entitlements. Your account does not have sufficient permissions to modify containers.
When I try to add HealthKit capabilities to my app, I get the following signing errors: Communication with Apple failed. Your account does not have sufficient permissions to modify containers. Provisioning profile "iOS Team Provisioning Profile: com.domain.app" doesn't support the HealthKit capability. Provisioning profile "iOS Team Provisioning Profile: com.domain.app" doesn't include the com.apple.developer.healthkit and com.apple.developer.healthkit.access entitlements. In my developer account, the HK capability is enabled. And the entitlements needed are automatically generated by Xcode when I add HK capability, if I try to add them, it says they're already there. I have automatically managed signing selected. Clinical health records are not enabled for Health Kit. Common solutions like cleaning, derived data, and restarts don't help. Does anybody know what this is?
Replies: 2 | Boosts: 1 | Views: 1.8k | Activity: Nov ’23
Command CodeSign fails because of two Apple Worldwide Developer certificates
I have an Apple Development certificate issued by: Apple Worldwide Developer Relations Certification Authority (until February 20, 2030). From time to time the Xcode build fails and I see that my certificate is invalid. In this situation, I see two "Apple Worldwide Developer Relations Certification Authority" certificates. One is valid until 2030 and the other is valid until 2023. When I remove the second one (until 2023), my Apple Development certificate becomes valid and the build goes fine. But after a while CodeSign fails again, and I have to remove the second certificate again to build the application. It seems that the second certificate is auto-downloaded by Xcode; how can I fix it?
Replies: 14 | Boosts: 1 | Views: 2k | Activity: Nov ’23
CSSMERR_TP_NOT_TRUSTED for Developer ID certificate
Hey everybody, We're trying to migrate from one CI to another and we've met a problem. Our setup is mostly Fastlane+match so there are little build changes in terms of CI, but the same certificate we used on prev CI doesn't work on the new one (we have both CIs now and the same commit passes on the old one and fails on the new one). Two steps from the match with installing certs: Output of security find-identity These are virtual machines.
Replies: 1 | Boosts: 0 | Views: 873 | Activity: Nov ’23
Build failed. Signing this app requires a development profile. Development profile selected
I am trying to build a Unity 3D app for iOS using Xcode. My app used to build successfully earlier but for some reason it has stopped building now and I get the error saying signing for "Unity-iPhone" requires a development team. I have selected automatically manage signing and also selected my personal development team.
Replies: 0 | Boosts: 0 | Views: 292 | Activity: Nov ’23
dext - The code signature version is no longer supported.
I have a dext target in a project which fails to install on my iPad because "the code signature version is no longer supported". Indeed, when I look at the built dext (before or after it has been copied into the hosting app's System Extensions folder), codesign -dv tells me that it has CodeDirectory = 20200. The hosting app has CodeDirectory = 20400. Curiously, in the same workspace, I have another iOS app which hosts another version of the driver (using the same source code files). The other app is a minimal test app. It is signed with CodeDirectory = 20500 and the driver has CodeDirectory = 20400 inside this minimal app. In both the more complex target and the simple target, the codesign invocation has the same options. Only the provisioning profile and the name of the dext differ between the working and non-working version. Here are the options, on multiple lines to make them easier to read
/usr/bin/codesign
--force
--sign D0...A0F (same for both)
-o runtime
--entitlements <path to driver>.dext.xcent
--timestamp\=none
--generate-entitlement-der
<path to driver.dext>
I've searched high and low for a solution to this problem, but found none. It has come up before, in particular here https://developer.apple.com/forums/thread/683214?answerId=679712022#679712022 I'm using Xcode 15 on macOS Sonoma 14.0. I've thrown away the Derived Data for the project, I've thrown away the ModuleCache.index and the SymbolCache.index. I've restarted my Mac. I've restarted the iPad. There's no legacy code here. This is all new, newly built and signed by a new version of Xcode. But I don't seem to have any control over what version of signature Xcode chooses to use - what influences that? Obviously there's some difference, perhaps in the hosting app or target, between the environment where everything works and where nothing works. If it helps, the more complex app was already built, signed and deployed to the App Store without a driver. The driver is under development, and it is a new addition to the target, so the existing Identifier, Certificate and Profile for the app pre-date the addition of the embedded driver target. Any ideas. Anyone?
Replies: 1 | Boosts: 0 | Views: 873 | Activity: Nov ’23
Broken signing certificates?
I think there's something broken with certificates or Xcode that's preventing me from signing a new version of a Mac app I've made. First, I know my "login" keychain password. I can use this password to export a .p12 file for my "Apple Development: {email} (CLW499436V)" item in my login keychain. Second, I can use security find-identity -v -p codesigning to see my signing identities. It shows two of them. They have a different initial number, and then the same string "Apple Development: {email} (CLW499436V)". The behavior using codesign -vf --sign SIGNING_ID ./test.app is different for each one of them. One requests the signature with the following message: I can input my "login" keychain password, which I know, and all is good. The other uses the following message: It requires "the keychain password", which I have no clue what it is. Now, in Xcode, if I go to the Build Settings/Signing, I can set my "Code Signing Identity". Opening the dropdown I can see a section named "Certificates in Keychain", and there's one "Apple Development: {email} (CLW499436V)". I don't know which one is that. Anyways, if I select that, going to "Signing & Capabilities" I see an error that tells me to select "Apple Developer" in the previous setting. When I do that, however, it seems Xcode is trying to sign the app with the certificate that requests a password I don't know. I don't think I had this problem in the past, so I'm not sure how I've reached this situation. I also don't seem to be able to remove certificates and create new ones because I'm not subscribed (paying) to the Apple Developer program. Maybe there's a way to remove them that I have missed? How can I go back to having Xcode automatically sign my app?
Replies: 6 | Boosts: 0 | Views: 700 | Activity: Nov ’23
App crash on start complaining invalid signature
I've been at this for hours, searching all over, trying to find a solution. I've created a very simple app, basically 1 window that has a label saying "Hello World". I'm trying to sign this app with a Provisioning Profile that was created like so:
1. Created "Mac App Distribution" and "Mac Installer Distribution" certificates. Installed them, they show as valid "3rd Party Mac Developer..." in Keychain Access.
2. Created an Identifier for an "app", gave a Description and Bundle ID.
3. Created a Profile for a "Mac App Store" type Distribution, used my ID from step 2, chose the "Mac App Distribution" certificate (there was only one), inputted a profile name.
Then, over to Xcode. In Signing & Capabilities uncheck "Automatically manage signing", enter the Bundle Identifier as it was made in step 2 above, import profile as was created in step 3 above. All seems well, however when I press that play button in order to compile and run, I immediately get a "quit unexpectedly" with the following in the details:
Exception Type: EXC_CRASH (SIGKILL (Code Signature Invalid))
Exception Codes: 0x0000000000000000, 0x0000000000000000
Termination Reason: CODESIGNING 1 Taskgated Invalid Signature
I can create a "Developer ID Application" no problem, but all goes awry when trying to build in order to make it to the Apple Store. I'm on 16-inch 2019 MacBook Pro, Sonoma 14.1.1, Xcode 15.0.1. Is there something super lame I've looked over?
Replies: 2 | Boosts: 0 | Views: 676 | Activity: Nov ’23