Hi,I am in a bit of an double corner case here. I have a package which consists of ONLY command-line executables. This package is a number of Unix utilities AND it uses a traditional Unix style build system (autoconf/make). We used to distribute this as a gzipped tar file, but obviously this fails when it comes to Catalina and notarization. This package consists of a number of executables, some shared libraries those executables link against, and a few dylibs that those applications load at runtime using dlopen(). Our plan is to provide a traditional MacOS installer package going forward.I have honestly been trying to do my homework, and I think I've got most of the mechanics down. I have an Apple Developer certificate, and I've been able to codesign executables and shared libraries, and ship them off to be checked by the notarization service, and that works. I have read all of the guides I can find about codesigning and notarization, including Signing a Mac Product For Distribution (thank you for that!). But I haven't QUITE seen something that covers my specific case, in that I am building a package OUTSIDE of Xcode AND it is not an application bundle (the build system is large and incorporating it into Xcode is just TOO much of a heavy lift right now). So I am trying to understand everything that I need to do.Specifically, my questions are:Do I need to compile an Info.plist into every bit of code? I understand HOW to do that, using the -sectcreate option to the linker, but it wasn't clear to me if that is required. Is it only required for executables, or both executables and libraries? The implication that I need to compile an Info.plist came from here https://eclecticlightdotcom.files.wordpress.com/2019/06/notarizecmdtool.pdfThere is a warning in the codesign man page under the --identifier option that says, "It is a very bad idea to sign different programs with the same identifier". Okay, fine. But it ALSO says that either gets the identifier from the Info.plist or the filename if that option isn't present. I am concerned that if I compile in the SAME Info.plist into every bit of code then all of the code gets the same identifier, and that would be "very bad". Obviously I can add the --identifier and --prefix options to codesign, but it wasn't clear if there were any implications in doing that.I was originally under the impression that I had to bundle up the binaries separately to get notarized, but it SOUNDS like that all I need to do is once I create the installer package, with everything signed inside of it, AND I sign the installer package, I can just submit the installer for notarization and that will cover everything?I know I can use spctl to check the status of executables, but it doesn't seem like that works for dylibs. Is that correct?Thanks for any help you can provide.--Ken

Hi!The problem I want to discuss is not new, but it is becoming more and more critical for the project I'm working on. So I have to rise it again.Our project is a virtual webcam for macOS implemented as a CoreMedia I/O DAL plug-in. Plug-in is installed at /Library/CoreMediaIO/Plug-Ins/DAL and can be loaded into any client application that wants to use the webcam.The problem appeared when Apple introduced 'Hardened Runtime' in macOS Mojave which by default turns on 'Library Validation' feature. Library validation disables loading for frameworks/plugins/libraries which are either: 1) not signed; 2) signed but 'Team Identifier' in signing certificate is different than certificate of a client application signature. As a result, even though our plugin is properly signed and notarized, it can't be loaded into client application with hardened runtime because of that 2nd case.First alarming incident was last year when Google Chrome on macOS enabled hardened runtime, and stopped showing our webcam in the list. I requested a technical support (case ID for TSI: 718328224), then made a feedback to Apple (FB7071665) about any possible solutions for our case, at least in the future versions of macOS. But I see there's still no reaction there.Now things are getting worse. Skype and Zoom stopped support our webcam for the same reason. Some others announced they will do this too. There's a possibility to add 'com.apple.security.cs.disable-library-validation' entitlement to the client application - that would help with our issue. But Zoom and Skype refuse to add this because of security reasons - after some security exploits were uncovered.The situation is quite critical for our product as many users use our webcam only for Zoom, Skype and similar applications.So, the question is: are there any possible workarounds for our case? I know that for audio plugins (VST, etc.) there's a special entitlement: 'com.apple.security.temporary-exception.audio-unit-host' that allows loading even unsigned plugins into hosting application. Why there's no such entitlement for DAL plugins? Or will it appear in macOS 10.16? I think it would be reasonable to add an entitlement that would only reject loading of unsigned plugins, but would allow loading of plugins with different 'Team ID' in signing certificate.

What is the purpose of Apple Development and Apple Distribution certificates for macOS application?It is quite new types of certificates in addition to existing iOS/Mac Development/Distribution.According to the documentation https://help.apple.com/xcode/mac/current/#/dev154b28f09?sub=dev23755c6c6Apple Development — For macOS apps, use app services during development and testing.Apple Distribution — For macOS apps, sign an app before distributing it through the Mac App Store.What does it mean sign an app before distributing because for distributing it through the Mac App Store I have to use Mac App Distribution (the name is `3rd Party Mac Developer Application`) and Mac Installer Distribution (the name is `3rd Party Mac Developer Installer`).

After uploading a new App to the App Store Connect i receive an e-mail stating:ITMS-90034: Missing or invalid signature - The bundle '...' at bundle path 'Payload/...' is not signed using an Apple submission certificate.The App don't use any capability.I've used Xcode to upload, as in a previous App which now is on the App Store.All the apps use the default configuration: "Automatically manage signing", Provisioning profile "Xcode Managed Profile", Signing Certificate Apple Development: ############The requested Signing Certificate is present in the keychain in 3 versions, the last one is valid (the older 2 are revoked).What I should correct?

I am working on a basic installer that has only option - "Install for me only". However, when I try to run the installer, it skips the Destination Select panel and goes directly from Introduction to Installation Type. I assumed that it was happening since I have only enabled a single domain in the distribution.xml. Snippet:<domains enable_localSystem="false" enable_currentUserHome="true" enable_anywhere="false" />However, when I click install it asks for admin password and tries to install under /Library instead of ~/Library.If I click on "Change install location", I see only one option active which is "Install for me only" but it is not selected. As a result of this, the install procedure is very confusing. Is there an option in distribution.xml to eithera. Force to not skip the destination select stepb. If only one option is available, that is the one selected for the next step (I tried setting customLocation to "~" and "$HOME" but that did not help)An an experiment, I also tried enabling the option to "Install for all users on this computer" and I still see the destination select being skipped. I am trying this on 10.15.5 version of macOS.

Since updating to macOS 10.15.4 I am no longer able to launch applications. They fail with the error message "The signature could not be validated because AMFI could not load its entitlements for validation: entitlements cannot be parsed".I am not entirely sure what exactly the problem with the entitlements file is. The exact same entitlements file worked fine before, and running plutil -lint does not find any problems with it. I would be fine with updating the entitlements file in some way due to recent changes, but because the error message doesn't actually explain what the problem is this is kind of hard.https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution/resolving_common_notarization_issues

Hello, I've searched for other posts on this topic but I haven't found anything that provides an answer.Here's my test program snippet, using the Xcode Mac Application Obj-C starter project:- (void)applicationDidFinishLaunching:(NSNotification *)aNotification { // Insert code here to initialize your application char const * dyld_library_path_original = getenv("DYLD_LIBRARY_PATH"); char dyld_library_path_new[1024]; strcpy(dyld_library_path_new, "/Applications/MATLAB_R2020a.app/bin/maci64:"); strcat(dyld_library_path_new, dyld_library_path_original); int rc = setenv("DYLD_LIBRARY_PATH", dyld_library_path_new, 1); NSLog(@"DYLD_LIBRARY_PATH=%s, rc=%d", getenv("DYLD_LIBRARY_PATH"), rc); void * handle1 = dlopen("libeng.dylib", RTLD_NOW); NSLog(@"Test 1: dlopen(libeng.dylib) = %p, err=%s", handle1, dlerror()); void * handle2 = dlopen("/Applications/MATLAB_R2020a.app/bin/maci64/libeng.dylib", RTLD_NOW); NSLog(@"Test 2: dlopen(libeng.dylib) = %p, err=%s", handle2, dlerror()); }As you can see, I'm trying to dlopen a dylib in the installed MATLAB application. But I don't think the specific dylib matters. What matters is that I'm dlopening it using just the leaf name of the path, after setting DYLD_LIBRARY_PATH at runtime to include MATLAB's dir (Test 1). This fails.But when I dlopen it with the full path (Test 2) it works. Here's the output:DYLD_LIBRARY_PATH=/Applications/MATLAB_R2020a.app/bin/maci64:/Users/hecht/Library/Developer/Xcode/DerivedData/TestML-droybqyctybedebamivvyiixjhnn/Build/Products/Debug:/usr/lib/system/introspection, rc=0 Test 1: dlopen(libeng.dylib) = 0x0, err=dlopen(libeng.dylib, 2): image not found Test 2: dlopen(libeng.dylib) = 0x6000039041a0, err=(null)I have Hardened Runtime enabled, with these entitlements turned on:Allow DYLD Environment VariablesDisable Library ValidationThe second one is doing its job, because without it, Test 2 fails also.But the first one doesn't help in allowing me to modify DYLD_LIBRARY_PATH at runtime. If I set the environment variable before launching (Xcode > Product > Scheme > Edit Scheme > Arguments > Environment Variables) then Test 1 works. Is there a way to get dyld to honor changes to this environment variable made at runtime?

Hey guys! Was wondering if you guys knew where the macOS icons in BigSur are stored. I checked in the following places and pretty much the whole /System/Library folder: /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources -- where they usually are Finder app in /System/Library/CoreServices/Finder.app Dock app in that same directory CoreTypes.bundle in /System/Volumes/<whatever your startup disk is named>/System/Library/CoreServices/CoreTypes.bundle/Contents/ I need those icons for stuff. Please let me know if you guys know where they are!

Last login: Sun Jan 3 08:12:33 on ttys000 harshdeepuppal@harshdeeps-MacBook-Pro ~ % sudo spctl --master disable Password: objc[2629]: Class SPExecutionPolicy is implemented in both /System/Library/PrivateFrameworks/SystemPolicy.framework/Versions/A/SystemPolicy and /usr/sbin/spctl. One of the two will be used. Which one is undefined. objc[2629]: Class AppWrapper is implemented in both /System/Library/PrivateFrameworks/SystemPolicy.framework/Versions/A/SystemPolicy and /usr/sbin/spctl. One of the two will be used. Which one is undefined. objc[2629]: Class AppWrapperPolicyResult is implemented in both /System/Library/PrivateFrameworks/SystemPolicy.framework/Versions/A/SystemPolicy and /usr/sbin/spctl. One of the two will be used. Which one is undefined. objc[2629]: Class AppWrapperPolicy is implemented in both /System/Library/PrivateFrameworks/SystemPolicy.framework/Versions/A/SystemPolicy and /usr/sbin/spctl. One of the two will be used. Which one is undefined. objc[2629]: Class SPLog is implemented in both /System/Library/PrivateFrameworks/SystemPolicy.framework/Versions/A/SystemPolicy and /usr/sbin/spctl. One of the two will be used. Which one is undefined. objc[2629]: Class MIS is implemented in both /System/Library/PrivateFrameworks/SystemPolicy.framework/Versions/A/SystemPolicy and /usr/sbin/spctl. One of the two will be used. Which one is undefined. objc[2629]: Class SPExecutionHistoryItem is implemented in both /System/Library/PrivateFrameworks/SystemPolicy.framework/Versions/A/SystemPolicy and /usr/sbin/spctl. One of the two will be used. Which one is undefined. objc[2629]: Class SPExecutionPolicyItem is implemented in both /System/Library/PrivateFrameworks/SystemPolicy.framework/Versions/A/SystemPolicy and /usr/sbin/spctl. One of the two will be used. Which one is undefined. objc[2629]: Class SPDeveloperPolicy is implemented in both /System/Library/PrivateFrameworks/SystemPolicy.framework/Versions/A/SystemPolicy and /usr/sbin/spctl. One of the two will be used. Which one is undefined. objc[2629]: Class GKScanResult is implemented in both /System/Library/PrivateFrameworks/SystemPolicy.framework/Versions/A/SystemPolicy and /usr/sbin/spctl. One of the two will be used. Which one is undefined. spctl: option `--master' is ambiguous System Policy Basic Usage:     spctl --assess [--type type] [-v] path ... assessment     spctl --add [--type type] [--path|--requirement|--anchor|--hash] spec ... add rule(s)     spctl [--enable|--disable|--remove] [--type type] [--path|--requirement|--anchor|--hash|--rule] spec change rule(s)     spctl --status | --master-enable | --master-disable system master switch Developer Mode Usage:   spctl developer-mode <action>     enable-terminal       Add Terminal as a developer tool. Kernel Extension User Consent Usage:   spctl kext-consent <action>      Modifications only available in Recovery OS     status       Print whether kernel extension user consent is enabled or disabled.     enable       Enable requiring user consent for kernel extensions.     disable       Disable requiring user consent for kernel extensions.     add <team-id>       Insert a new Team Identifier into the list allowed to load kernel extensions without user consent.     list       Print the list of Team Identifiers allowed to load without user consent.     remove <team-id>       Remove a Team Identifier from the list allowed to load kernel extensions without user consent. harshdeepuppal@harshdeeps-MacBook-Pro ~ % 

Whenever I'm trying to open Eclipse or SpringToolSuite 4 I'm getting the same permission related issues It was working fine a day before yesterday but now It's showing weird stuff. You do not have permission to open the application “SpringToolSuite4”. You do not have permission to open the application “Eclipse”. If anyone has any solutions please share

The application cannot be opened for an unexpected reason, error=Error Domain=NSOSStatusErrorDomain Code=-10826 "kLSNoLaunchPermissionErr: User doesn't have permission to launch the app (managed networks)" UserInfo={_LSFunction=_LSLaunchWithRunningboard, _LSLine=2539, NSUnderlyingError=0x7f7f76b11c10 {Error Domain=RBSRequestErrorDomain Code=5 "Launch failed." UserInfo={NSLocalizedFailureReason=Launch failed., NSUnderlyingError=0x7f7f76b124d0 {Error Domain=NSPOSIXErrorDomain Code=111 "Unknown error: 111" UserInfo={NSLocalizedDescription=Launchd job spawn failed with error: 111}}}}}**

Hello there, I'm using M1 macOS BigSur MacBook Air and tried "sudo spctl –master-disable" in terminal but i got the below response ? Sravans-Air ~ % sudo spctl--master-disable. sudo: /etc/sudoers is world writable sudo: no valid sudoers sources found, quitting sudo: error initializing audit plugin sudoers_audit Sravans-Air ~ %  how do I resolve this and be able to download apps from the browser? Thanks for your help!

On macos 10.13.6 I open the app and it shows an error "Can’t be opened because the identity of the developer cannot be confirmed." but on macos 11.4 the app is safety opened. this is my app download url https://cainiao-oss-sh-read.oss-cn-shanghai.aliyuncs.com/waybill-print/multiplatform-client/cainiao-x-print.dmg

All customers that are using some versions of our product are complaining because they are not able to connect to the service. This happens because a certificate validation done in the code is failing. The certificate didn't expire but looking into the console logs these error is observed: default 08:39:03.218259 -0300 trustd cert[1]: BlackListedLeaf =(leaf)[force]> 0 default 08:39:03.218790 -0300 trustd cert[1]: BlackListedLeaf =(leaf)[force]> 0 default 08:39:03.218897 -0300 trustd cert[2]: AnchorTrusted =(leaf)[force]> 0 default 08:39:03.219086 -0300 trustd cert[1]: BlackListedLeaf =(path)[force]> 0 default 08:39:03.221455 -0300 dsAccessService Trust evaluate failure: [ca1 BlackListedLeaf] default 08:39:03.221929 -0300 NNNService SecStaticCode: verification failed (trust result 6, error -2147409652) default 08:39:03.221964 -0300 NNNService MacOS error: -2147409652 default 08:39:03.226483 -0300 NNNService MacOS error: -2147409652 default 08:39:03.853294 -0300 trustd cert[1]: BlackListedLeaf =(leaf)[force]> 0 default 08:39:03.853663 -0300 trustd cert[1]: BlackListedLeaf =(leaf)[force]> 0 default 08:39:03.853791 -0300 trustd cert[2]: AnchorTrusted =(leaf)[force]> 0 default 08:39:03.854047 -0300 trustd cert[1]: BlackListedLeaf =(path)[force]> 0 default 08:39:03.855542 -0300 NNNService Trust evaluate failure: [ca1 BlackListedLeaf] default 08:39:03.856172 -0300 NNNService SecStaticCode: verification failed (trust result 6, error -2147409652) As you can see this is the certificate validation that fails: Trust evaluate failure: [ca1 BlackListedLeaf] We need to understand why the app certificate is blacklisted. Is there any new policy enforced by Apple to blacklist certificates?

Hi there, We are developing an applicaton that can update itself. For example, we have two version 1 & 2. Both of them are signed, notarlized and stapled mac app bundle. When the version 1 find that there is a new version. It would download the difference. Then open another application named updater we developed. The updater use some posix function such as fopen, fwrite, chmod and link to copy/delete files to make the original one as the same as the version 2. The problem comes out here. When we open the updated one, the syslog says that binary is improperly signed. I don't know which step is incorrect. I make a copy of this app, it works perfectly. I guess there is something wrong with the application updater. We tried make the updater to be a single executable file or an signed, notarlized and stapled application bundle and still not work. After read some threads I still could not find out what is it. Hope someone could help me about this. Thanks in advance!

I'm a web design teacher, and I create tutorials that require students to download start files that are zipped. With current security protocols, my zip files are difficult to open after downloading. How do I sign a folder so it can be easily opened by my students after downloading? I'm having issues finding information concerning my issue given that I'm not making an app. I just need to identify my files so they can be unzipped from an identified developer.