Hi,I have an automated build process that produces custom apps for different customers. The only thing that is customized is a resource in the app.I would like to be able to just code sign the entire app once and then for each customer just update and code sign the resource.After doing the initial code signing of the app "codesign -vvv --deep --strict myapp.app" shows that everything is OK.I then replace myapp.app//Contents/Resources/CustomFile with a new one and code sign it:codesign -f -s "Developer ID Application: MY Company" --options runtime --keychain "Buildsystem" "myapp.app/Contents/Resources/CustomFile"But then "codesign -vvv --deep --strict myapp.app" shows there is a problem:myapp.app: a sealed resource is missing or invalidfile modified: myapp.app/Contents/Resources/CustomFileCan anybody explain why this doesn't work?My work around is to always update the resource in an unsigned app and then code sign the entire thing.

Hi,We package an Open Source database system called PostgreSQL. This is signed and notarized by us. PostgreSQL is designed to be user extensible, and has various hooks to allow additional functionality to be loaded from shared libraries, which are dynamically loaded at runtime.We compile the PostgreSQL sources on macOS Mountain Lion (10.8) using MacOSX10.9.sdk with -mmacosx-version-min=10.9. The codesigning is done on the macOS Mojave (10.14) using a Developer ID Application certificate.When linking with the hardened runtime, the loading of third-party extensions is blocked on macOS Catalina because they are not signed by either Apple or with the same team ID used for PostgreSQL itself. How can we resolve this such that our builds of PostgreSQL are able to load third-party extensions? We used the entitlement "com.apple.security.cs.disable-library-validation" already on the command line option for the codesign binary while signing the app bundle.Awaiting your feedback. Thanks.

Hi,I am in a bit of an double corner case here. I have a package which consists of ONLY command-line executables. This package is a number of Unix utilities AND it uses a traditional Unix style build system (autoconf/make). We used to distribute this as a gzipped tar file, but obviously this fails when it comes to Catalina and notarization. This package consists of a number of executables, some shared libraries those executables link against, and a few dylibs that those applications load at runtime using dlopen(). Our plan is to provide a traditional MacOS installer package going forward.I have honestly been trying to do my homework, and I think I've got most of the mechanics down. I have an Apple Developer certificate, and I've been able to codesign executables and shared libraries, and ship them off to be checked by the notarization service, and that works. I have read all of the guides I can find about codesigning and notarization, including Signing a Mac Product For Distribution (thank you for that!). But I haven't QUITE seen something that covers my specific case, in that I am building a package OUTSIDE of Xcode AND it is not an application bundle (the build system is large and incorporating it into Xcode is just TOO much of a heavy lift right now). So I am trying to understand everything that I need to do.Specifically, my questions are:Do I need to compile an Info.plist into every bit of code? I understand HOW to do that, using the -sectcreate option to the linker, but it wasn't clear to me if that is required. Is it only required for executables, or both executables and libraries? The implication that I need to compile an Info.plist came from here https://eclecticlightdotcom.files.wordpress.com/2019/06/notarizecmdtool.pdfThere is a warning in the codesign man page under the --identifier option that says, "It is a very bad idea to sign different programs with the same identifier". Okay, fine. But it ALSO says that either gets the identifier from the Info.plist or the filename if that option isn't present. I am concerned that if I compile in the SAME Info.plist into every bit of code then all of the code gets the same identifier, and that would be "very bad". Obviously I can add the --identifier and --prefix options to codesign, but it wasn't clear if there were any implications in doing that.I was originally under the impression that I had to bundle up the binaries separately to get notarized, but it SOUNDS like that all I need to do is once I create the installer package, with everything signed inside of it, AND I sign the installer package, I can just submit the installer for notarization and that will cover everything?I know I can use spctl to check the status of executables, but it doesn't seem like that works for dylibs. Is that correct?Thanks for any help you can provide.--Ken

Hi!The problem I want to discuss is not new, but it is becoming more and more critical for the project I'm working on. So I have to rise it again.Our project is a virtual webcam for macOS implemented as a CoreMedia I/O DAL plug-in. Plug-in is installed at /Library/CoreMediaIO/Plug-Ins/DAL and can be loaded into any client application that wants to use the webcam.The problem appeared when Apple introduced 'Hardened Runtime' in macOS Mojave which by default turns on 'Library Validation' feature. Library validation disables loading for frameworks/plugins/libraries which are either: 1) not signed; 2) signed but 'Team Identifier' in signing certificate is different than certificate of a client application signature. As a result, even though our plugin is properly signed and notarized, it can't be loaded into client application with hardened runtime because of that 2nd case.First alarming incident was last year when Google Chrome on macOS enabled hardened runtime, and stopped showing our webcam in the list. I requested a technical support (case ID for TSI: 718328224), then made a feedback to Apple (FB7071665) about any possible solutions for our case, at least in the future versions of macOS. But I see there's still no reaction there.Now things are getting worse. Skype and Zoom stopped support our webcam for the same reason. Some others announced they will do this too. There's a possibility to add 'com.apple.security.cs.disable-library-validation' entitlement to the client application - that would help with our issue. But Zoom and Skype refuse to add this because of security reasons - after some security exploits were uncovered.The situation is quite critical for our product as many users use our webcam only for Zoom, Skype and similar applications.So, the question is: are there any possible workarounds for our case? I know that for audio plugins (VST, etc.) there's a special entitlement: 'com.apple.security.temporary-exception.audio-unit-host' that allows loading even unsigned plugins into hosting application. Why there's no such entitlement for DAL plugins? Or will it appear in macOS 10.16? I think it would be reasonable to add an entitlement that would only reject loading of unsigned plugins, but would allow loading of plugins with different 'Team ID' in signing certificate.

What is the purpose of Apple Development and Apple Distribution certificates for macOS application?It is quite new types of certificates in addition to existing iOS/Mac Development/Distribution.According to the documentation https://help.apple.com/xcode/mac/current/#/dev154b28f09?sub=dev23755c6c6Apple Development — For macOS apps, use app services during development and testing.Apple Distribution — For macOS apps, sign an app before distributing it through the Mac App Store.What does it mean sign an app before distributing because for distributing it through the Mac App Store I have to use Mac App Distribution (the name is `3rd Party Mac Developer Application`) and Mac Installer Distribution (the name is `3rd Party Mac Developer Installer`).

After uploading a new App to the App Store Connect i receive an e-mail stating:ITMS-90034: Missing or invalid signature - The bundle '...' at bundle path 'Payload/...' is not signed using an Apple submission certificate.The App don't use any capability.I've used Xcode to upload, as in a previous App which now is on the App Store.All the apps use the default configuration: "Automatically manage signing", Provisioning profile "Xcode Managed Profile", Signing Certificate Apple Development: ############The requested Signing Certificate is present in the keychain in 3 versions, the last one is valid (the older 2 are revoked).What I should correct?

I am working on a basic installer that has only option - "Install for me only". However, when I try to run the installer, it skips the Destination Select panel and goes directly from Introduction to Installation Type. I assumed that it was happening since I have only enabled a single domain in the distribution.xml. Snippet:<domains enable_localSystem="false" enable_currentUserHome="true" enable_anywhere="false" />However, when I click install it asks for admin password and tries to install under /Library instead of ~/Library.If I click on "Change install location", I see only one option active which is "Install for me only" but it is not selected. As a result of this, the install procedure is very confusing. Is there an option in distribution.xml to eithera. Force to not skip the destination select stepb. If only one option is available, that is the one selected for the next step (I tried setting customLocation to "~" and "$HOME" but that did not help)An an experiment, I also tried enabling the option to "Install for all users on this computer" and I still see the destination select being skipped. I am trying this on 10.15.5 version of macOS.

Since updating to macOS 10.15.4 I am no longer able to launch applications. They fail with the error message "The signature could not be validated because AMFI could not load its entitlements for validation: entitlements cannot be parsed".I am not entirely sure what exactly the problem with the entitlements file is. The exact same entitlements file worked fine before, and running plutil -lint does not find any problems with it. I would be fine with updating the entitlements file in some way due to recent changes, but because the error message doesn't actually explain what the problem is this is kind of hard.https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution/resolving_common_notarization_issues

Hello, I've searched for other posts on this topic but I haven't found anything that provides an answer.Here's my test program snippet, using the Xcode Mac Application Obj-C starter project:- (void)applicationDidFinishLaunching:(NSNotification *)aNotification { // Insert code here to initialize your application char const * dyld_library_path_original = getenv("DYLD_LIBRARY_PATH"); char dyld_library_path_new[1024]; strcpy(dyld_library_path_new, "/Applications/MATLAB_R2020a.app/bin/maci64:"); strcat(dyld_library_path_new, dyld_library_path_original); int rc = setenv("DYLD_LIBRARY_PATH", dyld_library_path_new, 1); NSLog(@"DYLD_LIBRARY_PATH=%s, rc=%d", getenv("DYLD_LIBRARY_PATH"), rc); void * handle1 = dlopen("libeng.dylib", RTLD_NOW); NSLog(@"Test 1: dlopen(libeng.dylib) = %p, err=%s", handle1, dlerror()); void * handle2 = dlopen("/Applications/MATLAB_R2020a.app/bin/maci64/libeng.dylib", RTLD_NOW); NSLog(@"Test 2: dlopen(libeng.dylib) = %p, err=%s", handle2, dlerror()); }As you can see, I'm trying to dlopen a dylib in the installed MATLAB application. But I don't think the specific dylib matters. What matters is that I'm dlopening it using just the leaf name of the path, after setting DYLD_LIBRARY_PATH at runtime to include MATLAB's dir (Test 1). This fails.But when I dlopen it with the full path (Test 2) it works. Here's the output:DYLD_LIBRARY_PATH=/Applications/MATLAB_R2020a.app/bin/maci64:/Users/hecht/Library/Developer/Xcode/DerivedData/TestML-droybqyctybedebamivvyiixjhnn/Build/Products/Debug:/usr/lib/system/introspection, rc=0 Test 1: dlopen(libeng.dylib) = 0x0, err=dlopen(libeng.dylib, 2): image not found Test 2: dlopen(libeng.dylib) = 0x6000039041a0, err=(null)I have Hardened Runtime enabled, with these entitlements turned on:Allow DYLD Environment VariablesDisable Library ValidationThe second one is doing its job, because without it, Test 2 fails also.But the first one doesn't help in allowing me to modify DYLD_LIBRARY_PATH at runtime. If I set the environment variable before launching (Xcode > Product > Scheme > Edit Scheme > Arguments > Environment Variables) then Test 1 works. Is there a way to get dyld to honor changes to this environment variable made at runtime?

I have created a package installer for MacOS with "productbuild" command line and adding the postinstall script in the package through command. And even I have changed the file mode to executable "chmod a+x" before using it in "productbuild" command. Here is what I am using for command line and in postinstall script and I have name the file to "postinstall.sh". command line:- productbuild --component "$appDir" "/Applications" --scripts "../Scripts" --sign "Developer ID Installer: $DEVNAME" "$appName.pkg" postinstall.sh:- #!/usr/bin/env bash open -n -a /Applications/appname.app exit 0 when package is created and I try to install the application on my mac, Installation runs smooth and app is install under application folder but postinstall script does not for some reason. please advise if I have missed out something or anything on running the postinstall script would be appreciated. Thanks in advance Note : This app is generated by Unity engine.

How to remove the "Developer ID Application" type certificate? A maximum of 5 such certificates can be created. There is no remove button on the certificate detail page. Is there any way to delete it?

Hi people! Since awhile I am not able to open up my own built apps anymore from my device. When trying to open it I get the message: "My App Name" Is No Longer Available. Xcode console gives the following: Attempted to launch an untrusted application scene sceneID:com.mycompany.myname I think it has something to do with my just extended Apple Developer account and the certifications, but I'm not so familiar with it that I could tell what exactly.... I have a ton of apps and old builds on my device, so rebuilding them will be a huge task. Hopefully you can help me out!

I have been having problems signing an app with jpackage. I am confused and I'm not sure if it's because I don't have the correct certificate from Apple. Or I am doing something wrong when I pass the signature to apple. I find Apple certificates very confusing. And I think I have made several unnecessary certificates while trying to figure this out. What I think is the problem is Jpackager seems to want the certificate to be of type: "Developer ID Application" and I seem to be only able to create "Apple Development" or "Mac Development" signatures. My role on my team ris a "developer" and I am wondering if I need my boss to create the correct certificate? I have been googling like crazy and am not even sure if I understand what values are needed. For "signing-prefix" or "key-user-name" `--mac-bundle-signing-prefix --mac-sign --mac-signing-keychain --mac-signing-key-user-name ` I have used the following and Keychain Access to view my codesign values: security find-identity -v -p codesigning P.S. My program uses Swing and needs to run on MacOS, Windows 10 and linux which is why I use Java in the first place.

I'm working on a MacOS desktop Electron app that is for distribution outside the app store using Developer ID. Before code signing, the app opened and was working well. But after code signing, I get the following error. stderr:dyld: Library not loaded: /Library/Frameworks/R.framework/Versions/3.5/Resources/lib/libR.dylib Referenced from: /Users/home/Desktop/electron-start/dist/mac-arm64/electron1.app/Contents/Frameworks/R.framework/Versions/3.5/Resources/bin/exec/R Reason: image not found Before code signing I think the file was looking for a path within the app /Users/home/Desktop/electron-start/dist/mac-arm64/electron1.app/Contents/Frameworks/R.framework/Versions/3.5/Resources/bin/exec/R But now I think the file is looking for a path outside Library/Frameworks/R.framework/Versions/3.5/Resources/lib/libR.dylib I used this entitlements file: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.security.cs.allow-unsigned-executable-memory</key> <true/> <key>com.apple.security.cs.disable-library-validation</key> <true/> <key>com.apple.security.cs.allow-dyld-environment-variables</key> <true/> </dict> </plist> Can anyone please help me? I've looked at many places and willing to learn. Thanks for your time. I really appreciate it.

When trying to upload an App for review I get an App Store Connect Operation Error Couldn't posix_spawn: error 1.

I have few queries related to certificates. Platform supported by (iOS App Development and iOS App Distribution) Certificate. Can we use "iOS Distribution" certificates for macOS, tvOS, and watchOS apps(to make these app live) or it's just for the iphone/ipad apps. Which certificate we need if we just want to make iphone/ipad app live.(iOS Distribution or Apple Development) and Why? Can we make watchOs App live without using "Apple Distribution" certificate. When to use "Apple Development" and "iOS App Development" certificate. When to use "Apple Distribution" and "iOS Distribution (App Store and Ad Hoc)" certificate. Waiting for your understandable and good explained responses.

I use a NetworkExtension(packet-tunnel) and its container app to implement VPN on macOS. It's works well in my develop computer. But when I use Developer ID certification to distribute this container app, I have the following error. Provisioning profile "***" doesn't match the entitlements file's value for the com.apple.developer.networking.networkextension entitlement. I followed an answer on this forum discussion, adding -systemextension to the entitlement. https://developer.apple.com/forums/thread/133296 After that, I could successfully build, archive, upload (for notary service approved), and export. But the VPN app is not working. As far as I see, it is not the reason of VPN app function itself. It is related with environmental & system side issue. The network extension seems to be stopped working. Here are the entitlements for Release mode of container app and network extension. <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.developer.networking.networkextension</key> <array> <string>packet-tunnel-provider-systemextension</string> </array> <key>com.apple.security.app-sandbox</key> <true/> <key>com.apple.security.application-groups</key> <array> <string>$(DEVELOPMENT_TEAM).group.$(APP_ID_MACOS)</string> </array> <key>com.apple.security.files.user-selected.read-write</key> <true/> <key>com.apple.security.network.client</key> <true/> <key>com.apple.security.network.server</key> <true/> </dict> </plist> <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.developer.networking.networkextension</key> <array> <string>packet-tunnel-provider-systemextension</string> </array> <key>com.apple.security.app-sandbox</key> <true/> <key>com.apple.security.application-groups</key> <array> <string>$(DEVELOPMENT_TEAM).group.$(APP_ID_MACOS)</string> </array> <key>com.apple.security.network.client</key> <true/> <key>com.apple.security.network.server</key> <true/> </dict> </plist>