Code Signing


Certify that an app was created by you using Code signing, a macOS security technology.

Posts under Code Signing tag

200 Posts


Alerts to allow location information do not appear when the Mac app is signed
I am creating an app that runs on Mac using Objective-C. Since the app requires permission for location information, I used NSLocationUsageDescription to display an OS alert prompting the user to allow location information. When built, the app displays an OS alert prompting the user to allow location information, as expected. However, after signing this app, it no longer displays alerts. The signature was added like this:

codesign --force --timestamp --options runtime --sign "SIGN" "AppName"

Why does just adding a signature stop the OS alert prompting the user to allow location information from appearing? Also, is there a way to display OS alerts even with a signature?

Replies: 2 | Boosts: 0 | Views: 425 | Nov ’23
codesign not signing .app macOS executable: 'can't verify signature'
I am facing an issue while codesigning the Contents/MacOS executable. The executable name is exactly the same as the .app file's, and the signing certificates have not expired yet.

Steps followed to generate signed files:
- Executed codesign on files within the .app folder.
- Then executed codesign on the .app folder.
- Tried to notarize with the new notarization tool.

Do we have to sign each individual file and folder?

Observations:
- .DS_Store files were removed from the .app before signing.
- Another app with the same certificate is able to sign correctly.
- Contents/MacOS contains multiple files, including the app executable. These files are signed except the main executable.
- The same installed app, after copying to another location, shows as signed.

Getting:
App Sandbox: Not enabled
Hardening: Enabled - Version 10.9.0
Notarization: Granted
Gatekeeper: Can't evaluate
Signed By: Can't verify signature

Replies: 2 | Boosts: 0 | Views: 402 | Nov ’23
Mac app's container changes when the app is signed
Context

I have an app that uses the container for two things: to store a Realm database, and to store a log.txt file with some debugging logs for myself. The Realm database path is set via Realm.Configuration.defaultConfiguration. The log.txt file path is set with FileManager.default.urls(for: .documentDirectory, in: .userDomainMask)[0].appendingPathComponent("log.txt").

I have already released and distributed version 1 to a few users. Given the complexity around signing an app in Xcode, the app was released and distributed unsigned. Now I'm trying to release version 2 signed, and this is where I'm getting this weird issue.

All unsigned apps (version 1, and the unsigned version 2) are using the path ~/Library/Containers/com.dgrcode.{appName}/Data as their container. The signed version 2, however, is using ~/ as the container. So for example log.txt is located at:

unsigned apps: ~/Library/Containers/com.dgrcode.{appName}/Data/Documents/log.txt
signed app: ~/Documents/log.txt

Realm's default.realm file is located at:

unsigned apps: ~/Library/Containers/com.dgrcode.{appName}/Data/Library/Application Support/default.realm
signed app: I haven't found it yet 😓

The obvious problem is that any user of version 1 who installs the signed version 2 will start using a new database instead of continuing to use the existing one. And obviously having my app's data spread through their ~/ directory is far from ideal.

Here's what I get when I run codesign -v -d on the first version (everything between {} has been redacted for clarity):

Executable={/path/to/app}
Identifier=com.dgrcode.{appName}
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=56564 flags=0x10002(adhoc,runtime) hashes=1757+7 location=embedded
Signature=adhoc
Info.plist entries=29
TeamIdentifier=not set
Runtime Version=13.3.0
Sealed Resources version=2 rules=13 files=2
Internal requirements count=0 size=12

I think the most relevant part is Signature=adhoc and TeamIdentifier=not set.

Now I archive a version 2 of the app. I make a copy and sign only one of them using codesign -v --sign. I package them inside a .dmg (not sure if this affects anything, but just in case), and check the .app inside each .dmg after mounting. Here's the result of codesign -v -d for each one:

unsigned:
Executable={path/to/app}
Identifier=com.dgrcode.{appName}
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=57452 flags=0x2(adhoc) hashes=1785+7 location=embedded
Signature=adhoc
Info.plist entries=31
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=4
Internal requirements count=0 size=12

signed:
Executable={path/to/app}
Identifier=com.dgrcode.{appName}
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=57335 flags=0x0(none) hashes=1785+3 location=embedded
Signature size=4798
Signed Time=13 Nov 2023 at 12:17:24
Info.plist entries=31
TeamIdentifier=2W564BCY7Z
Sealed Resources version=2 rules=13 files=4
Internal requirements count=1 size=188

The unsigned app works as expected. When I open it, it continues using the Realm database in the previous location ~/Library/Containers/com.dgrcode.{appName}/Data, and I can see log.txt update its content.

The signed app, however, doesn't use the same database, and is no longer writing to the log.txt file at ~/Library/Containers/com.dgrcode.{appName}/Data; it's writing to ~/Documents/log.txt instead. It does use a database, but I have no clue where it is.

Questions

How can I make the signed app use the path ~/Library/Containers/com.dgrcode.{appName}/Data/ as its container location? How can something like this happen just by signing the .app?

Replies: 5 | Boosts: 0 | Views: 766 | Nov ’23
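The three codesign reports in the post above carry the facts a practitioner compares first when a signed build behaves differently from an unsigned one: whether the signature is ad hoc, whether the hardened runtime flag is set, and which Team ID is attached. The following added example (not code from the post or from Apple) parses that `codesign -d -v` text and diffs two builds. The sample reports are the ones the post shows, transcribed as constructed multi-line input; the flag bit values are taken from Apple's cs_blobs.h and are assumed stable. Note what this output does not contain: entitlements. Whether an app gets a ~/Library/Containers sandbox container is decided by the com.apple.security.app-sandbox entitlement, which you inspect separately with `codesign -d --entitlements - --xml App.app`; re-signing with a bare `codesign --sign` replaces the entitlements unless you pass `--entitlements` or `--preserve-metadata=entitlements`.

```python
"""Compare the signing metadata of two builds from `codesign -d -v` output.

Added example; not code from the original post. `codesign -d -v` writes its
report to stderr, so in practice you would run
    codesign -d -v Unsigned.app 2> before.txt
    codesign -d -v Signed.app   2> after.txt
and feed both files to compare_signing().
"""
import re

# CodeDirectory flag bits (cs_blobs.h). Assumed stable across macOS releases.
CS_FLAG_BITS = {
    0x2: "adhoc",
    0x100: "hard",
    0x200: "kill",
    0x800: "restrict",
    0x10000: "runtime",
    0x20000: "linker-signed",
}

# Constructed sample input: the version-1 report from the post (redactions kept).
V1_ADHOC_RUNTIME = """\
Executable={/path/to/app}
Identifier=com.dgrcode.{appName}
CodeDirectory v=20500 size=56564 flags=0x10002(adhoc,runtime) hashes=1757+7 location=embedded
Signature=adhoc
TeamIdentifier=not set
Runtime Version=13.3.0
"""

# Constructed sample input: the unsigned version-2 report from the post.
UNSIGNED_V2 = """\
Executable={path/to/app}
Identifier=com.dgrcode.{appName}
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=57452 flags=0x2(adhoc) hashes=1785+7 location=embedded
Signature=adhoc
Info.plist entries=31
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=4
Internal requirements count=0 size=12
"""

# Constructed sample input: the Developer ID signed version-2 report from the post.
SIGNED_V2 = """\
Executable={path/to/app}
Identifier=com.dgrcode.{appName}
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=57335 flags=0x0(none) hashes=1785+3 location=embedded
Signature size=4798
Signed Time=13 Nov 2023 at 12:17:24
Info.plist entries=31
TeamIdentifier=2W564BCY7Z
Sealed Resources version=2 rules=13 files=4
Internal requirements count=1 size=188
"""


def parse_codesign_report(text):
    """Turn one `codesign -d -v` report into a flat dict of signing facts."""
    info = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        # Split on the first '=' only: values such as "13 Nov 2023 at 12:17:24"
        # and "2 rules=13 files=4" contain no key of their own.
        key, _, value = line.partition("=")
        key = key.strip()
        if key == "CodeDirectory v":
            m = re.search(r"flags=(0x[0-9a-fA-F]+)", line)
            flags = int(m.group(1), 16) if m else 0
            info["flags"] = flags
            for bit, name in CS_FLAG_BITS.items():
                info[name] = bool(flags & bit)
        else:
            info[key] = value.strip()
    # "Signature=adhoc" means there is no CMS signature blob at all.
    info["adhoc"] = info.get("adhoc", False) or info.get("Signature") == "adhoc"
    info["team_id"] = info.get("TeamIdentifier", "not set")
    return info


# Properties whose change between two builds is security relevant.
WATCHED = ("adhoc", "runtime", "hard", "kill", "restrict", "team_id", "Identifier")


def compare_signing(before_text, after_text):
    """Return {property: (before, after)} for every watched property that changed."""
    before = parse_codesign_report(before_text)
    after = parse_codesign_report(after_text)
    return {
        k: (before.get(k), after.get(k))
        for k in WATCHED
        if before.get(k) != after.get(k)
    }


if __name__ == "__main__":
    for k, (b, a) in compare_signing(V1_ADHOC_RUNTIME, SIGNED_V2).items():
        print(f"{k}: {b!r} -> {a!r}")
```

Run against the post's own reports, the diff between version 1 and the signed version 2 shows the runtime flag going from True to False as well as the Team ID appearing: the manual `codesign --sign` did not pass `--options runtime`, so the signed build is neither hardened nor (as the missing entitlements would show) sandboxed.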
Issues with macOS microphone permissions not prompting after code signing with hardened runtime
Hello everyone, I'm developing a macOS app with Python and PyInstaller, and I've hit a roadblock with microphone permissions. The app prompts for microphone access correctly when running unsigned. However, after signing with the hardened runtime option, the prompt no longer appears, and the app can't access the mic. Here's what my setup looks like:

Python app packaged with PyInstaller
Entitlements file with com.apple.security.device.microphone and com.apple.security.cs.allow-unsigned-executable-memory
Signing command:

codesign --deep --force --verify --timestamp --verbose --sign "Developer ID Application: [******]" --options=runtime --entitlements ./entitlements.plist main.app

I've tried resetting microphone permissions and PRAM to no avail. entitlements.plist looks like:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- Allow the app to use unsigned executable memory -->
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <!-- Other keys your app may need -->
    <!-- e.g. microphone usage permission -->
    <key>com.apple.security.device.microphone</key>
    <true/>
</dict>
</plist>

Testing without the --options=runtime flag works perfectly: the mic prompt appears, and the log file is created. With the flag, neither the prompt nor the log file appears. Has anyone faced a similar issue or can offer insight into why the hardened runtime option might be causing this? Any guidance or workaround to have the microphone permission prompt appear with hardened runtime enabled would be highly appreciated. Thanks in advance for your help!

Replies: 1 | Boosts: 0 | Views: 595 | Nov ’23
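Both the location post and the microphone post above describe the same symptom: a TCC prompt that appears for the unsigned build and vanishes once `--options runtime` is applied. Under the hardened runtime, access to a protected resource needs two things to agree: the usage-description key in Info.plist and the matching hardened-runtime entitlement in the signature. The entitlement names are not the same as the App Sandbox names in every case; Apple's hardened runtime documentation lists com.apple.security.device.audio-input for the microphone, while com.apple.security.device.microphone is the App Sandbox key. The added example below (not code from either post or from Apple) loads the two plists and reports such mismatches. It assumes you extracted them from the built bundle with `codesign -d --entitlements - --xml App.app > entitlements.plist` and `App.app/Contents/Info.plist`; the sample plists embedded in the code are constructed, the entitlements one mirroring the PyInstaller post's file. The key-to-entitlement table covers the resources Apple documents for the hardened runtime, so it is broader than the two resources the posts mention.

```python
"""Check that an app's entitlements and Info.plist agree on TCC-protected
resources under the hardened runtime.

Added example; not code from the posts above. Inputs are the raw bytes of
the entitlements plist and the Info.plist of a built, signed bundle.
"""
import plistlib

# Info.plist usage key -> hardened-runtime entitlement that unlocks the resource
# (from Apple's "Hardened Runtime" entitlement documentation).
RUNTIME_ENTITLEMENT_FOR_USAGE_KEY = {
    "NSMicrophoneUsageDescription": "com.apple.security.device.audio-input",
    "NSCameraUsageDescription": "com.apple.security.device.camera",
    "NSLocationUsageDescription": "com.apple.security.personal-information.location",
    "NSContactsUsageDescription": "com.apple.security.personal-information.addressbook",
    "NSCalendarsUsageDescription": "com.apple.security.personal-information.calendars",
    "NSPhotoLibraryUsageDescription": "com.apple.security.personal-information.photos-library",
    "NSAppleEventsUsageDescription": "com.apple.security.automation.apple-events",
}

# App Sandbox entitlement names that are easy to mistake for the runtime ones.
SANDBOX_LOOKALIKES = {
    "com.apple.security.device.microphone": "com.apple.security.device.audio-input",
}

# Constructed sample input mirroring the PyInstaller post's entitlements file.
ENTITLEMENTS_FROM_POST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
  <key>com.apple.security.device.microphone</key><true/>
</dict>
</plist>
"""

# Constructed sample input: the same file with the hardened-runtime key instead.
ENTITLEMENTS_FIXED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
  <key>com.apple.security.device.audio-input</key><true/>
</dict>
</plist>
"""

# Constructed sample Info.plist for a hypothetical app that records audio.
INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.recorder</string>
  <key>NSMicrophoneUsageDescription</key><string>Records audio for transcription.</string>
</dict>
</plist>
"""


def check_resource_access(entitlements_bytes, info_plist_bytes, hardened_runtime=True):
    """Return a list of findings; an empty list means the two plists agree."""
    ent = plistlib.loads(entitlements_bytes) if entitlements_bytes.strip() else {}
    info = plistlib.loads(info_plist_bytes)
    findings = []
    for usage_key, runtime_ent in RUNTIME_ENTITLEMENT_FOR_USAGE_KEY.items():
        has_usage = bool(info.get(usage_key))
        has_ent = ent.get(runtime_ent) is True
        if has_usage and hardened_runtime and not has_ent:
            findings.append(
                f"{usage_key} is set but the hardened-runtime entitlement "
                f"{runtime_ent} is missing: access is denied without a prompt"
            )
        if has_ent and not has_usage:
            findings.append(
                f"{runtime_ent} is granted but {usage_key} is missing from "
                f"Info.plist: the system may terminate the app on first access"
            )
    for sandbox_key, runtime_key in SANDBOX_LOOKALIKES.items():
        if ent.get(sandbox_key) is True and ent.get(runtime_key) is not True:
            findings.append(
                f"{sandbox_key} is an App Sandbox entitlement; under the "
                f"hardened runtime use {runtime_key}"
            )
    return findings


if __name__ == "__main__":
    for finding in check_resource_access(ENTITLEMENTS_FROM_POST, INFO_PLIST):
        print("-", finding)
```

Two caveats that the check cannot see from the plists alone: the usage string must be in the bundle's Info.plist, so a bare signed executable such as the "AppName" in the location post needs the plist embedded in the binary (the `-sectcreate __TEXT __info_plist` linker option), and `codesign --deep` applies the same entitlements to every nested binary, which is rarely what you want for helpers and bundled frameworks.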
Can't sign app in Xcode
I have an app that was built on my first Mac; I got a new one and moved the code and everything to this new Mac. I exported the private key and certificate from the old Mac to the new one. Tried everything on the internet about signing an app, but it just doesn't work. Now I'm stuck in a loop in Xcode. I get the message "Revoke Certificate"; when I click it, Xcode creates a new one, but it's already expired (despite it saying that it will expire in 2024). If I try to manage certificates and create one from there, nothing happens. If I delete the expired certificate from the keychain, the "Revoke Certificate" message comes back. Any tips?

Replies: 2 | Boosts: 0 | Views: 608 | Nov ’23
Xcode 14 signing & capabilities requires a DriverKit development profile
Xcode version: 14.0 Beta 3
macOS version: 13 Beta 3 (22A5295i)

Hi, I'm signing the DriverKit extension with a Developer ID Application type profile and a Developer ID Application (With Kext) type certificate in Xcode. But the status shows an error: "Xcode 14 and later requires a DriverKit development profile enabled for iOS and macOS. Visit the developer website to create or download a DriverKit profile". I have downloaded all profiles and certificates to my Mac and installed all of them, then checked the website. I'm wondering what's different between a "Development" type and a "Developer ID Application" type profile, and the reason why the following error shows when I start the app:

2022-07-22 14:41:54.162815+0800 0x22ee2    Error       0x0                  138    0    kernelmanagerd: Error occurred while handling request "DextLaunch(arguments: Optional(["Driver Extension Server Name": com.asix.dext.usbdevice, "Check In Token": 371, "Driver Extension Server Tag": 4294975444, "CFBundleIdentifier": com.asix.dext.usbdevice, "DriverKit Reslide Shared Cache": 0, "kOSBundleDextUniqueIdentifier": <222f1e51 f5e890f7 b467c2a0 da761dbd 9b14dc5f 1bf56ff6 4eeab6b2 fed9683c>]))": Error Domain=NSPOSIXErrorDomain Code=8 "Exec format error"

I'll appreciate it if someone can give me some ideas or suggestions. Thanks a lot.

Replies: 9 | Boosts: 1 | Views: 4.7k | Nov ’23
Signing and sandbox errors when submitting a Qt Mac app. Please help!!
Hi everyone, I've been trying for a few days and still getting the same errors, so any help would be appreciated!! I've got the app to pass the validation in Xcode Organizer, but after I uploaded to App Store Connect through the Organizer, I'd get an email with errors: ITMS-90238: Invalid Signature, mentioning a long list of plugins, and then ITMS-90296: App sandbox not enabled. I'm not sure how to investigate these problems, so I've been just blindly trying everything. I've added the Sandbox capability in Xcode and have the entry in the entitlements file. The app even shows Sandbox: Yes in Activity Monitor. This is a Qt app. I generated an Xcode project using qmake, then used Xcode to sign and upload. I tried both manually selecting the profile and letting Xcode manage signing automatically. I've tried both Distribution profiles and Development profiles. It was giving build errors in signing unless I used the --deep flag in Other Code Signing Flags. Then I read online that it's not recommended. So I've tried using the -codesign option in Qt's Mac deployment tool, macdeployqt. It passed the validations but still gives the same error. I suspect it's doing a codesign --deep internally. This is how I'm using macdeployqt:

macdeployqt myapp.app -qmldir="$SOURCE_DIR"/qml -always-overwrite -appstore-compliant -codesign="$SIGNING_CERT"

Any advice would be much appreciated!! I'm on macOS Sonoma 14.0, Apple M2, Qt 6.5.3.

Replies: 9 | Boosts: 0 | Views: 844 | Nov ’23
Help making an existing iOS application available on Mac
Looking to make my existing iOS application available on Mac. I have done all of the steps as best I can determine across all the articles, tools and topics for Xcode/App Store Connect/Transporter. I have no builds to upload in the macOS apps part of App Store Connect. The app runs fine in the simulator for macOS and I have managed to export an executable which I might be able to send to someone outside of the App Store but haven't tried/tested. Transporter won't load the exported (notarized? supposedly) file into Xcode because it's already got a build with the same number. I targeted the Standard Architecture option, which says it should run on Intel or ARM; I am not clear on which OS I should have selected to target to make that happen. Any hints to a concise to-do list to make it happen would be good. My observation is that most of the examples in the various documentation are either Mac App Store oriented or Xcode on iOS for details. The high-level information describes the planned/expected support but doesn't match the tools examples.

Replies: 3 | Boosts: 0 | Views: 1.3k | Nov ’23
Duplicated signature when archiving a multi-platform project
Hey all, I am facing a weird issue when exporting my multi-platform project. The project does not make use of the multi-platform targets of Xcode yet. For each "module" in the app there exist two targets, one for iOS and one for watchOS. Each of these targets links against a binary framework that is imported via SPM. Building works fine, but as soon as I want to archive the project, at the last step it complains that the signature for the third-party binary framework already exists. Which I think is a valid error message, but it seems to be a bug that the archive process either:

- does not override it, which would be reasonable,
- or should distinguish between the platforms,
- or should just not create two signatures and have only one signature file created.

The error message I see:

“ThirdParty.xcframework.signature” couldn’t be copied to “Signatures” because an item with the same name already exists.
Domain: NSCocoaErrorDomain
Code: 516
Failure Reason: A file with the name “ThirdParty.xcframework.signature” already exists.
Recovery Suggestion: To save the file, either provide a different name, or move aside or delete the existing file, and try again.
--
The operation couldn’t be completed. File exists
Domain: NSPOSIXErrorDomain
Code: 17
Failure Reason: File exists
--
System Information
macOS Version 13.4.1 (Build 22F82)
Xcode 15.0 (22221.2) (Build 15A5195k)
Timestamp: 2023-07-08T12:43:57+02:00

A simplified project setup is like the following:

SPM Package
  ThirdParty.xcframework
    linked by both targets of CoreFramework:
      iOS Target      -> iOS App
      watchOS Target  -> watchOS App (embedded in iOS App, not standalone)

I have the feeling it's rather a beta bug, but I wanted to ensure that's the case and it's not me doing something wrong. Does anyone know if this setup is correct or if there is something I overlook here? Any help is highly appreciated! Feedback is also filed under: FB12373687

Replies: 21 | Boosts: 1 | Views: 5.4k | Nov ’23
Mismatch between provisioning profile and private key certificate when packaging IPA for production
Hello fellow developers, I hope you're all doing well. I've encountered an issue that I'm hoping someone here might have some insights on. When I try to package my IPA for the production version, I receive a notification that the provisioning profile doesn't match the private key certificate. However, when packaging for the test version, everything works perfectly. I've ensured that I'm using the provisioning profile for the production version and even exported the key for this profile, but they still don't seem to match. Upon further inspection, I noticed that when I applied for the production version of the mobileprovision, the Certificate Name automatically changed to the company name. Has anyone else experienced this issue? If so, how did you resolve it? Any guidance would be greatly appreciated. Thank you in advance for your time and assistance. Best regards

Replies: 1 | Boosts: 0 | Views: 393 | Nov ’23
Question about notarization and the com.apple.quarantine flag
I've developed and distributed a plugin for Unreal Engine (builds as a .dylib). The plugin dynamically loads an external library that is a .bundle. The plugin has been notarized successfully. (Both the .dylib and the .bundle were signed with a Developer ID Application certificate.) When the plugin is downloaded, both the .dylib and the .bundle get flagged with the quarantine attribute; however, because it was notarized, the plugin is able to be loaded inside of Unreal Engine with no problem. The issue occurs when the user moves the Unreal Engine project (with said plugin) to an external drive. In this case, once the project is opened and tries to load the plugin, an error appears saying "***.bundle is damaged and can’t be opened. You should move it to the Trash." I'm wondering if this is an Unreal Engine issue, or a macOS (notarization/signing/entitlements/etc.) issue. It feels like if the .bundle is placed on an external drive, the OS does not check for notarization. If I move the project back to the HD of the laptop, everything works as expected. If I move the project to an external drive AND manually remove the com.apple.quarantine attribute (via Terminal), then everything works as expected.

Replies: 4 | Boosts: 0 | Views: 576 | Nov ’23
Unable to test macOS apps after updating to Sonoma
I've recently updated my development laptop and my continuous integration build nodes (a pair of Mac minis) to macOS Sonoma. Prior to this update, my CI workflows passed without issue. Since updating, every time I attempt to run my app's unit tests, an impassable alert is shown stating: “MyApp” differs from previously opened versions. Are you sure you want to open it? Opening “MyApp” will allow it to access data from previously used versions of “MyApp”. My tests go no further, and my CI workflows fail. I found that if I switched from using ad hoc code signing for my tests, this dialog is no longer shown on my local development laptop; however, it is still shown on my CI nodes. Is there some way to tell Xcode to bypass this warning? If there's not, Sonoma doesn't seem to be usable for doing testing.

Replies: 3 | Boosts: 0 | Views: 952 | Oct ’23
Unable to build iOS app in Xcode 15.0.1 after joining ADP
I joined the Apple Developer Program using my existing Apple ID; the account identifier changed, but when I create a new certificate in the developer portal the certificate has the old identifier (i.e. when installed in my keychain). I have revoked and recreated my certificates, profiles and identifiers, cleared derived data, and deleted certificates in the keychain many times without any success. When I build my iOS app and run it on my iPhone 14 Pro Max directly connected to my Mac mini I get the error: Command CodeSign failed with a nonzero exit code. Am I missing something? Please help. Thanks.

Replies: 2 | Boosts: 0 | Views: 450 | Oct ’23
Firewall refuses to add Python; MULTIPLE POP-UP alerts
On Sonoma I develop with gcloud and Python 2.7 and Python 3.9 from MacPorts. I always get MULTIPLE dialog pop-ups when starting the Python web server in Terminal.app. Choices are not remembered (neither block nor allow!!). I tried to solve that with socketfilterfw and codesign but it has NO effect at all. Questions like this have been creeping around Stack Exchange for 10 years. I have been searching for several hours for a solution to this problem. Is there any solution?

20 : /opt/local/Library/Frameworks/Python.framework/Versions/3.9/Resources/Python.app ( Allow incoming connections )
21 : /opt/local/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app ( Allow incoming connections )

sudo codesign -s - -f /opt/local/Library/Frameworks/Python.framework/Versions/3.9/Resources/Python.app

Replies: 1 | Boosts: 0 | Views: 410 | Oct ’23
Universal links not working only during App Review
Hi, I am running into a strange issue where my universal links work fine on devices when using USB, simulators and TestFlight; they work with no problem on all test environments. But once I submit it for App Review, they don't work. And I have no way to replicate it. At some point they get it working somehow, but on every resubmission the process repeats, where I go back and forth for days until they finally get it working. Has anyone run into this strange issue or have a clue what might be going on?

Replies: 6 | Boosts: 2 | Views: 1.5k | Oct ’23
Unsigned executable in PrivateFrameworks/RemotePairing.framework: RemotePairingDataVaultHelper
I have discovered that this executable, RemotePairingDataVaultHelper, is not validly signed. This was brought to my attention while experimenting with Google's Santa (https://santa.dev). Has anyone else come across this or something similar? I want to know if this executable can be trusted or if it should be suspected of corruption. Malwarebytes and ClamXAV do not report a virus within the RemotePairing.framework. I am running macOS 14.0 (23A344) on a Mac Studio 2023 with an Apple M2 Ultra processor. Here is what I get with codesign:

(python-3.11)zsh % codesign -v /Library/Apple/System/Library/PrivateFrameworks/RemotePairing.framework/Versions/A/Resources/bin/RemotePairingDataVaultHelper
/Library/Apple/System/Library/PrivateFrameworks/RemotePairing.framework/Versions/A/Resources/bin/RemotePairingDataVaultHelper: invalid Info.plist (plist or signature have been modified)
In architecture: arm64e

(python-3.11)zsh % codesign -dvvv /Library/Apple/System/Library/PrivateFrameworks/RemotePairing.framework/Versions/A/Resources/bin/RemotePairingDataVaultHelper
Executable=/Library/Apple/System/Library/PrivateFrameworks/RemotePairing.framework/Versions/A/Resources/bin/RemotePairingDataVaultHelper
Identifier=com.apple.CoreDevice.RemotePairingDataVaultHelper
Format=Mach-O universal (x86_64 arm64e arm64)
CodeDirectory v=20400 size=1290 flags=0x0(none) hashes=29+7 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha1=8976226501f2cbf161e3d7559b3ccb038e83669a
CandidateCDHashFull sha1=8976226501f2cbf161e3d7559b3ccb038e83669a
CandidateCDHash sha256=5afa3b8c21c1c48d725fde5c039ecb0a98c12627
CandidateCDHashFull sha256=5afa3b8c21c1c48d725fde5c039ecb0a98c126276fab3d55a5b28d29c72c7158
Hash choices=sha1,sha256
CMSDigest=23c24570be68e98aa95c9152004324d5ea81e85705bc747ac42cbb7e02bef9be
CMSDigestType=2
CDHash=5afa3b8c21c1c48d725fde5c039ecb0a98c12627
Signature size=4493
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=1 size=100

Replies: 1 | Boosts: 0 | Views: 650 | Oct ’23
Can't publish app to 3rd party, can't publish to store
Hi, after spending two months trying to launch this app I decided to start from scratch and regenerate everything from code signing requests, certs, apps, app IDs, App Store entries, EVERYTHING, and at the end of all of it I get exactly the same problem I've had for months:

"Invalid Provisioning Profile. The provisioning profile included in the bundle com.chiltonwebb.secretprojectname [com.chiltonwebb.secretprojectname.pkg/Payload/secretprojectname.app] is invalid. [Invalid 'com.apple.application-identifier' entitlement value.] For more information, visit the macOS Developer Portal. (ID: 723cede2-3c9f-4069-b4fa-581ebd3468b9)"

I'm tired of guessing. I've tried everything I can find in these forums. What is the official way to diagnose this problem? -Chilton

Replies: 5 | Boosts: 0 | Views: 557 | Oct ’23
Linking against the Python shared library to make a distribution
Hi there, I want to build an application that can be run on different macOS machines. That app uses libpython3.11.dylib. It could not just be linked with libpython because in our binary the path to the library may be different:

/System/Library/Frameworks/Python.framework/...
/usr/local/Cellar/python/3.X.Y/Frameworks/Python.framework/Versions/...
/Library/Frameworks/Python.framework/Versions/...
$(pyenv root)/versions/{VERSION}
....

I need to ensure that the application uses the Python library corresponding to the Python version that the user is using. I attempted to make a workaround by creating a symlink to the current library and setting the library path to @executable_path/../lib/libpython3.11.dylib, but it did not work. Here's the error I encountered:

% /Users/user/Downloads/xtensa-esp-elf-gdb/bin/xtensa-esp-elf-gdb-3.11
dyld[92502]: Library not loaded: @executable_path/../lib/libpython3.11.dylib
  Referenced from: <F6F408DC-F698-3545-9C75-82486ADA77BE> /Users/user/Downloads/xtensa-esp-elf-gdb/bin/xtensa-esp-elf-gdb-3.11
  Reason: tried: '/Users/user/Downloads/xtensa-esp-elf-gdb/lib/libpython3.11.dylib' (code signature in <666A28FE-7CD3-384C-A727-7DE3D98625A2> '/Library/Frameworks/Python.framework/Versions/3.11/Python' not valid for use in process: mapping process and mapped file (non-platform) have different Team IDs), '/System/Volumes/Preboot/Cryptexes/OS@executable_path/../lib/libpython3.11.dylib' (no such file), '/Users/user/Downloads/xtensa-esp-elf-gdb/lib/libpython3.11.dylib' (code signature in <666A28FE-7CD3-384C-A727-7DE3D98625A2> '/Library/Frameworks/Python.framework/Versions/3.11/Python' not valid for use in process: mapping process and mapped file (non-platform) have different Team IDs), '/usr/lib/libpython3.11.dylib' (no such file, not in dyld cache)
zsh: abort

I cannot distribute libpython within the application because it requires Python modules. Moreover, the application should use the Python modules that are installed on the user's system.

What can I do to make this work properly? E.g. the user has these Pythons installed:

/usr/local/Cellar/python/3.11.3/Frameworks/Python.framework/Versions/3.11...
/Library/Frameworks/Python.framework/Versions/3.11/...

Obviously, the user has only one active Python from this list. How can my application use the correct libpython?

Replies: 14 | Boosts: 0 | Views: 1.4k | Oct ’23
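The dyld message in the post above is easy to misread as a path problem, because the `tried:` list mixes two different failures. "no such file" entries are search-path misses, but "mapping process and mapped file (non-platform) have different Team IDs" is Library Validation, which the hardened runtime enforces: a process may only load non-Apple libraries signed by the same Team ID as its main executable (or by Apple). The remedies are to sign the library with the same Developer ID as the executable, or to give the executable the com.apple.security.cs.disable-library-validation entitlement, which reopens the dylib-injection surface the check exists to close and is worth a threat-model note. The added example below (not code from the post or from Apple) parses a dyld load failure into its attempts and classifies each one, so the Library Validation rejections stand out from the missing paths. The sample output is the post's own failure, transcribed as constructed input; the category names are this example's.

```python
"""Classify the attempts in a dyld "Library not loaded" failure.

Added example; not code from the original post. Feed it the stderr text of
the crashing process (dyld prints the report before the abort).
"""
import re

# Constructed sample input: the dyld report from the post, transcribed verbatim.
DYLD_OUTPUT = """\
dyld[92502]: Library not loaded: @executable_path/../lib/libpython3.11.dylib
  Referenced from: <F6F408DC-F698-3545-9C75-82486ADA77BE> /Users/user/Downloads/xtensa-esp-elf-gdb/bin/xtensa-esp-elf-gdb-3.11
  Reason: tried: '/Users/user/Downloads/xtensa-esp-elf-gdb/lib/libpython3.11.dylib' (code signature in <666A28FE-7CD3-384C-A727-7DE3D98625A2> '/Library/Frameworks/Python.framework/Versions/3.11/Python' not valid for use in process: mapping process and mapped file (non-platform) have different Team IDs), '/System/Volumes/Preboot/Cryptexes/OS@executable_path/../lib/libpython3.11.dylib' (no such file), '/Users/user/Downloads/xtensa-esp-elf-gdb/lib/libpython3.11.dylib' (code signature in <666A28FE-7CD3-384C-A727-7DE3D98625A2> '/Library/Frameworks/Python.framework/Versions/3.11/Python' not valid for use in process: mapping process and mapped file (non-platform) have different Team IDs), '/usr/lib/libpython3.11.dylib' (no such file, not in dyld cache)
zsh: abort
"""

# One attempt is  '<path>' (<reason>)  where the reason may itself contain one
# level of parentheses, e.g. "(non-platform)".
ATTEMPT_RE = re.compile(r"'([^']+)' \(((?:[^()]|\([^()]*\))*)\)")
# The file dyld actually mapped after resolving symlinks.
SIGNED_FILE_RE = re.compile(r"code signature in <[0-9A-Fa-f-]+> '([^']+)'")


def classify(reason):
    """Map a dyld reason string to a coarse category (names are this example's)."""
    if "different Team IDs" in reason:
        return "library-validation"     # hardened runtime rejected the library
    if "no such file" in reason:
        return "missing"                # search-path miss, not a signing issue
    if "code signature" in reason:
        return "code-signature"         # some other signature problem
    return "other"


def diagnose_dyld_failure(text):
    """Return the requested install name, each attempt with its category, and
    the set of files rejected by Library Validation."""
    lib = re.search(r"Library not loaded: (\S+)", text)
    result = {"library": lib.group(1) if lib else None, "attempts": []}
    tried = text.partition("Reason: tried:")[2]
    for path, reason in ATTEMPT_RE.findall(tried):
        signed = SIGNED_FILE_RE.search(reason)
        result["attempts"].append({
            "path": path,
            "signed_file": signed.group(1) if signed else None,
            "reason": reason,
            "category": classify(reason),
        })
    result["library_validation_rejections"] = sorted({
        a["signed_file"] or a["path"]
        for a in result["attempts"]
        if a["category"] == "library-validation"
    })
    return result


if __name__ == "__main__":
    report = diagnose_dyld_failure(DYLD_OUTPUT)
    print("wanted:", report["library"])
    for a in report["attempts"]:
        print(f"  [{a['category']}] {a['path']}")
    print("rejected by Library Validation:", report["library_validation_rejections"])
```

For the post's report the rejected file is the python.org framework binary at /Library/Frameworks/Python.framework/Versions/3.11/Python, which the symlink resolved to; it is signed by a different team than the gdb binary, so no amount of rpath or symlink rearrangement will make dyld accept it while Library Validation is in force.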