I have been working on signing an app from a developer for our own purpose of publishing it to our Intune Company Portal.
The older version of the app I can sign and publish without issue.
We do have an enterprise dev account, and all they provide us is the source code.
The original version does not use Push notifications, nor does it show to have any framework subfolders.
That one I sign by this script I've modified over time,
(
security cms -D -i [mobilprovisionfilenamefromentdevsite].mobileprovision > provision.plist
/usr/libexec/PlistBuddy -x -c 'Print :Entitlements' provision.plist > entitlements.plist
unzip -qq [appname]22_5_1.ipa
rm -rf Payload/[appname].app/_CodeSignature/
cp [mobilprovisionfilenamefromentdevsite].mobileprovision Payload/[appname].app/embedded.mobileprovision
/usr/bin/codesign --force --deep --verify --sign "[Our Certificate name redacted]" -i [the app identity name from the identity creation] --entitlements entitlements.plist Payload/[appname].app/Frameworks/*
codesign -dvv Payload/[appname].app/
zip -qr [appname]22_5_1-resigned.ipa Payload/
#Copy the support files for backup
mkdir [appname]22_5_1-resigned-support
mv entitlements.plist [appname]22_5_1-resigned-support
mv Payload [appname]22_5_1-resigned-support
mv provision.plist [appname]22_5_1-resigned-support
)
This works fine for the old version without Frameworks or Push Notifications.
For the new one, I have just added two lines to the script to sign the Frameworks.
rm -rf Payload/[appname].app/Frameworks/*/_CodeSignature/
/usr/bin/codesign --force --deep --verify --sign "[Our Certificate name redacted]" -i [the app identity name from the identity creation] --entitlements entitlements.plist Payload/[appname].app/Frameworks/*
When I try it with or without signing the Frameworks, I am unable to get the app to function.
It will load on the iPhones, then just give an error of "Install Pending" or "Install Failed" (0x87D13B64).
We do not have access to the source code, so I cannot put it into Xcode to sign it.
I did recreate the mobile provisioning profile with APN and created a Cert to attach to it.
I'm not sure if I need to add that certificate somewhere else or if I'm signing something wrong, but this new version is kicking my ****..
Hi,
I'm a font designer and make pkg installers for my fonts. Before, I was using the Hancock app to code sign my pkg files easily on my old MBPro (15-inch, mid-2014). Almost a month ago, I bought a new MacBook Pro (16-inch, 2019) and renewed my subscription to the Apple Developer Program. When I downloaded my .cer file from "Certificates, Identifiers & Profiles" and then imported it through Keychain Access, it loaded OK, but it does not show under "My Certificates" even though it's there at the "Login" level. So the Hancock app won't find it unless it's under the "My Certificates" level... and I'm lost. I struggled to copy and paste it again to "My Certificates" but no way....
Thank you very much in advance for your kind help.
Here is my website:
https://norfonts.ma
I'm also selling my fonts through NC :
https://www.notationcentral.com
Thanks for your kind help,
—Nor Eddine Bahha
(Jazz Pianist & Font Designer)
Post not yet marked as solved
After archiving the app, the lists of signing identities and provisioning profiles in the distribution window are empty,
even though I created them in the Apple developer console.
Does anyone have any idea?
Post not yet marked as solved
1. 'Apple IST CA2' (an intermediate certificate) issued by 'Geo Trust' expires this month. The issuer of the next intermediate certificate after this one is 'AAACertificateServices', is that right?
reference Page: https://developer.apple.com/news/?id=7gx0a2lp
2. I want to test in my staging environment. I want an intermediate certificate issued by 'AAACertificateServices' for this purpose. Please let me know the site where I can download it.
Post not yet marked as solved
Hi.
I've read a lot of different topics on forums and websites about software signing and notarization, and there is progress, but I need some help.
1. From the beginning:
I am building an application on a Jenkins server and downloading the file 'example_app.dmg'.
I am enrolled in the Apple Developer Program.
2. Then I use the command to sign the software:
codesign --force --sign "Developer ID Application: name_of_my_certificate_in_keychain (number)" example_app.dmg
3. Checking the status:
spctl -a -t open -vvv --context context:primary-signature example_app.dmg
Result:
example_app.dmg: rejected
source = Unnotarized Developer ID
origin = Developer ID Application: name_of_my_certificate_in_keychain (number)
Why is it rejected?
4. Then notarization:
xcrun altool --notarize-app \
--primary-bundle-id "example" \
--username "my_AppleID" \
--password "@keychain:NOTARIZED" \
--file "example_app.dmg"
NOTARIZED is in the keychain with the generated password on my Apple account.
5. I get:
No errors uploading 'example_app.dmg'.
RequestUUID = 'number_of_my_request'
6. I check the notarization status:
xcrun altool --notarization-info "number_of_my_request" \
--username "my_AppleID" \
--password "@keychain:NOTARIZED"
Result:
No errors getting notarization info.
Date: 2022-05-10 14:15:35 +0000
Hash: hash_number
LogFileURL: link_to_log_file
RequestUUID: number_of_my_request
Status: invalid
Status Code: 2
Status Message: Package Invalid
Inside the log_file, a lot of files have a status like:
The binary is not signed.
The signature does not include a secure timestamp.
The executable does not have the hardened runtime enabled.
Am I doing something wrong or what can I do better?
And how can I make an empty line here (in this forum)?
Post not yet marked as solved
Hi,
I'm using fastlane to build/sign my project and it works perfectly when I run it on my Mac. I'm trying to set up a Jenkins CI/CD server in AWS EC2, and I started to have a problem with code signing.
I realized that it's not something related to AWS, because if I ssh to my own Mac using "ssh localhost" it's possible to simulate the problem.
To isolate the problem, I'm using this very simple project with fastlane:
https://github.com/rlechetaudemy/helloios
This issue is also not related to match, because if you set up fastlane with manual signing, it returns the same error.
I also tried to use the 'setup_ci' action before build/sign but without success.
setup_ci(
force: true
)
These are the logs:
[13:11:36]: ▸ Copying GoogleService-Info.plist
[13:11:37]: ▸ Processing Info.plist
[13:11:38]: ▸ ** ARCHIVE FAILED **
[13:11:38]: ▸ The following build commands failed:
[13:11:38]: ▸ CodeSign /Users/user/Library/Developer/Xcode/DerivedData/HelloIOS-eibmqfokwytdeddxnnluvsuzbtlp/Build/Intermediates.noindex/ArchiveIntermediates/HelloIOS\ (iOS)/InstallationBuildProductsLocation/Applications/HelloIOS.app (in target 'HelloIOS (iOS)' from project 'HelloIOS')
[13:11:38]: ▸ (1 failure)
▸ Processing Pods-HelloIOS (iOS)-Info.plist
▸ Processing Info.plist
** ARCHIVE FAILED **
The following build commands failed:
CodeSign /Users/user/Library/Developer/Xcode/DerivedData/HelloIOS-eibmqfokwytdeddxnnluvsuzbtlp/Build/Intermediates.noindex/ArchiveIntermediates/HelloIOS\ (iOS)/InstallationBuildProductsLocation/Applications/HelloIOS.app (in target 'HelloIOS (iOS)' from project 'HelloIOS')
(1 failure)
[13:11:38]: Exit status: 65
+---------------+-------------------------+
| Build environment |
+---------------+-------------------------+
| xcode_path | /Applications/Xcode.app |
| gym_version | 2.205.2 |
| export_method | ad-hoc |
| sdk | iPhoneOS15.2.sdk |
+---------------+-------------------------+
[13:11:38]: ▸ (ef0fada7-88c4-413f-a9e5-7d875f07e324)
[13:11:38]: ▸
[13:11:38]: ▸ /usr/bin/codesign --force --sign CB4DB01189506EF6F172982414A36378AE18F48F --entitlements /Users/user/Library/Developer/Xcode/DerivedData/HelloIOS-eibmqfokwytdeddxnnluvsuzbtlp/Build/Intermediates.noindex/ArchiveIntermediates/HelloIOS\ (iOS)/IntermediateBuildFilesPath/HelloIOS.build/AdHoc-iphoneos/HelloIOS\ (iOS).build/HelloIOS.app.xcent --generate-entitlement-der /Users/user/Library/Developer/Xcode/DerivedData/HelloIOS-eibmqfokwytdeddxnnluvsuzbtlp/Build/Intermediates.noindex/ArchiveIntermediates/HelloIOS\ (iOS)/InstallationBuildProductsLocation/Applications/HelloIOS.app
[13:11:38]: ▸ /Users/user/Library/Developer/Xcode/DerivedData/HelloIOS-eibmqfokwytdeddxnnluvsuzbtlp/Build/Intermediates.noindex/ArchiveIntermediates/HelloIOS (iOS)/InstallationBuildProductsLocation/Applications/HelloIOS.app: errSecInternalComponent
[13:11:38]: ▸ Command CodeSign failed with a nonzero exit code
[13:11:38]:
[13:11:38]: ⬆️ Check out the few lines of raw xcodebuild output above for potential hints on how to solve this error
[13:11:38]: 📋 For the complete and more detailed error log, check the full log at:
[13:11:38]: 📋 /Users/user/Library/Logs/gym/HelloIOS-HelloIOS (iOS).log
[13:11:38]:
[13:11:38]: Looks like fastlane ran into a build/archive error with your project
[13:11:38]: It's hard to tell what's causing the error, so we wrote some guides on how
[13:11:38]: to troubleshoot build and signing issues: https://docs.fastlane.tools/codesigning/getting-started/
[13:11:38]: Before submitting an issue on GitHub, please follow the guide above and make
[13:11:38]: sure your project is set up correctly.
[13:11:38]: fastlane uses xcodebuild commands to generate your binary, you can see the
[13:11:38]: the full commands printed out in yellow in the above log.
[13:11:38]: Make sure to inspect the output above, as usually you'll find more error information there
[13:11:38]:
+---------------------------+----------------------------------------------------------+
| Lane Context |
+---------------------------+----------------------------------------------------------+
| DEFAULT_PLATFORM | ios |
| PLATFORM_NAME | ios |
| LANE_NAME | ios firebase |
| KEYCHAIN_PATH | ~/Library/Keychains/fastlane_tmp_keychain |
| ORIGINAL_DEFAULT_KEYCHAIN | "/Users/user/Library/Keychains/fastlane_tmp_keychain-db" |
+---------------------------+----------------------------------------------------------+
[13:11:38]: Error building the application - see the log above
+------+-------------------------------+-------------+
| fastlane summary |
+------+-------------------------------+-------------+
| Step | Action | Time (in s) |
+------+-------------------------------+-------------+
| 1 | Verifying fastlane version | 0 |
| 2 | default_platform | 0 |
| 3 | Switch to ios buildAdHoc lane | 0 |
| 4 | setup_ci | 0 |
| 5 | cocoapods | 4 |
| 💥 | build_app | 36 |
+------+-------------------------------+-------------+
Post not yet marked as solved
'AppleISTCA2G1.cer', which I use now, will expire soon. In this case, which should be used as the new intermediate certificate, 'Worldwide Developer Relations - G4' or 'AppleISTCA8G1.cer'?
reference page: https://www.apple.com/certificateauthority/
Post not yet marked as solved
Example for google.com as an item name, I have two keychain items with the name "Foo", one in KeychainA another in keychainB.
When I run the following which password should be retrieved? Password from KeychainA or KeychainB?
Does it retrieve items from keychains by prioritizing retrieval from 'default' keychain first? Or it's sorted by the keychain name? or it prioritizes items based on date?
security find-generic-password -w -s 'google.com' -a 'Foo'
I asked because we often have certs that are duplicated across keychains and when I run the command above, the item is retrieved from a locked keychain. Which causes an OS prompt and that halts our Jenkins/CI.
Post not yet marked as solved
I have two certificates in my Apple Developer Portal as follows:
I have created a Development Profile just fine for a new app. Now when I try to create a Distribution Profile I get an error as follows:
No Certificates are available. Click "Create Certificate" to create a Certificate. You need a Certificate to configure a Provisioning Profile.
I am not understanding why it's saying no certificates are available when I clearly have a certificate listed here.
I have released a couple of apps previously with these certificates and don't quite remember the steps but I believe I am supposed to be creating the identifier for the app and the two profiles (one for development and one for distribution).
Am I remembering the process incorrectly or is there some reason it is no longer seeing my certificate?
Any help would be greatly appreciated. Thank you.
Post not yet marked as solved
I have two certs with the same name, so to prevent the ambiguity that codesign has when it finds two certs with the same name in the keychain, I tried to create a new keychain, moved the cert I want into it, and passed the path with the --keychain param to the codesign tool. But it still looks for the cert in the login keychain. What's wrong with the below command?
codesign -fs "$CODE_SIGN_IDENTITY" --keychain "full/path/to/codesigning.keychain-db" $FILE
Post not yet marked as solved
Hello,
I've been working on and troubleshooting some Pass Type IDs for apple wallet development, and I've incorrectly made a few certificates and I would like to revoke them. Viewing those certificates from both the Admin and Account Holder accounts, I am unable to revoke these certificates. They are not in use, and the "Revoke" button is grayed out.
How do I revoke these certificates?
Thanks,
chuck
Hi,
I created a new "Dev ID Application" certificate and it shows in my local Keychain, where I created the CSR, as "Certificate is not trusted".
I also see that some Push Notification certs created recently have the same warning.
Items tried:
Installed new Intermediate certs as recommended in post https://developer.apple.com/forums/thread/672933 :-
WDRCA-G3 expiring 20-Feb 2030 installed on (Login -> Certificate)
WDRCA expiring 7-Feb 2023 installed on (Login -> Certificate)
Deleted and reinstalled both of the above WDRCA certs
Restarted Keychain & Mac several times.
The same warning is seen on each of the Mac nodes that I have installed the new certs on.
Does anyone know how to resolve this or have any suggestions on how I can debug this problem?
Hi there,
I built a Mac OS desktop utility app that will make an API request, retrieve json data and write the data to an Excel file.
This app was scripted in python 3.10, compiled with pyinstaller 4.10, codesigned with entitlements, hardened runtime and notarised successfully in Mojave 10.14.6. Every step was successful and without any errors.
This app was tested in Mojave, Catalina, Big Sur and Monterey. In all 4 OS's, the notarised app worked perfectly. The issue seems to stem from running the app in an OS that is not logged in with my primary Apple ID.
When tested on separate Mojave, Catalina and Big Sur (Intel) machines that were logged in with different Apple IDs, the app isn't able to execute the API request, retrieve json data, and write to file.
I'm running out of leads here but think it could be something to do with the entitlements in the entitlements.plist or something that I am unaware of, such as additional permissions that are necessary.
These are the entitlements that I added in the plist.
<key>com.apple.security.cs.allow-jit</key>
<true/>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
<key>com.apple.security.cs.disable-executable-page-protection</key>
<true/>
I have tried adding this : "com.apple.security.app-sandbox" but the app would end up bouncing in the dock so this was left out.
I have also tried using this line alone : "com.apple.security.cs.allow-unsigned-executable-memory" and this would also cause the app to not work.
As I have been working on this issue for quite a while now and am at my wits' end, any heads up would be very much appreciated.
Thanks in advance,
Justin
Post not yet marked as solved
Hello, I'm working with a development team, and we're at the point of deploying the app to the app store. They are asking me for my apple dev credentials to link the account to Xcode and create a matching cert. I have added them as Admins to the instance, so do I need to give them my User Name and Password?
I'm very wary of doing this, I would love to know if there is another way.
Post not yet marked as solved
Hello,
For the past few days we cannot sign our application due to a CodeSigning error: A timestamp was expected but was not found
I have opened FB9997275
I tried to traceroute timestamp.apple.com but it never ends
1 51.159.121.1 (51.159.121.1) 1.214 ms 0.551 ms 0.459 ms
2 51.158.2.13 (51.158.2.13) 1.061 ms
51.158.2.11 (51.158.2.11) 0.968 ms 0.728 ms
3 51.158.2.32 (51.158.2.32) 0.696 ms
51.158.2.34 (51.158.2.34) 0.874 ms
51.158.2.36 (51.158.2.36) 0.716 ms
4 51.158.2.8 (51.158.2.8) 0.871 ms
51.158.2.0 (51.158.2.0) 1.011 ms 0.851 ms
5 apple-1.par.franceix.net (37.49.237.176) 1.258 ms 1.386 ms 1.113 ms
6 17.0.11.136 (17.0.11.136) 95.672 ms 96.637 ms
17.0.11.130 (17.0.11.130) 99.582 ms
7 17.0.15.136 (17.0.15.136) 96.593 ms
17.0.15.134 (17.0.15.134) 96.727 ms
17.0.15.136 (17.0.15.136) 96.523 ms
8 17.0.15.177 (17.0.15.177) 95.605 ms
17.0.15.175 (17.0.15.175) 96.647 ms 95.433 ms
9 17.0.15.41 (17.0.15.41) 96.356 ms 95.740 ms *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
...
I also tried to nc -v timestamp.apple.com 80 but it succeeds: Connection to timestamp.apple.com port 80 [tcp/http] succeeded!
Is there anything we can do on our side? Nothing changed since this error happened.
Regards
Post not yet marked as solved
Does someone know if an already running iOS application will stop working after the Distribution Certificate expires?
I know that I will not be able to run it again, but I would like to know if it stops working even if it's already opened.
In my case I am using Ad-Hoc and In-House provisioning profiles.
Post not yet marked as solved
I'd like to delete these, but I can't because they are greyed-out. They also prevent me from creating a new certificate.
There was an error attaching screenshots on this forum for some reason, so I uploaded them here: https://imgur.com/a/ZHlJ4yC
Can anyone help me out please?
I tried deleting my Apple ID from Xcode and sign in again, I tried doing it with the root user, I tried safe mode, I tried completely deleting the app along with its related files and reinstall it... Is there a command I could execute with the Terminal to delete those?
Thanks!
Post not yet marked as solved
Hello,
I am trying to deploy my app to the Store and during the process the archive gets build just fine, however when I export it I get the following error:
No IOS App Store profiles for team *** matching *** are installed
Now I have a feeling this may be because I may have muddled up the certificates/files?
Can anyone point me to a clear explanation of what exactly needs to be created or what this error could be?
Many thanks.
I'm new to the distribution process, so I appreciate any help I may get here.
I wish to produce an approved app for private distribution; however, when I submit the app for authorization with the App store connect--as now required for all apps--it always gets rejected with the terse log: "asset validation failed". I note that my app also shows the warning:
"SpellAnalysis isn't code signed but requires entitlements. It is not possible to add entitlements to a binary without signing it."
--My app is free of all bugs screened by the compiler.
--I have checked the "Automatically manage signing" option with the build panel and, although I am inclined to also select a valid signing certificate in the same panel, this option persists with the value "none" when I look for a certificate listing. Also, it looks like I am not even listed as a team member for the app.
--I have checked to see that I have a valid Developer ID Application certificate in my online Account.
--I have confirmed that my app bundle identifier matches my online app id listing.
What could I be doing wrong? Thanks for any life-line you may toss me.
Post not yet marked as solved
After updating Xcode to 13.3.1, and after some time since my last release, I can't seem to upload my app to the App Store.
And I get the following error:
Invalid Provisioning Profile Signature. The provisioning profile included in the bundle 'MY BUNDLE HERE' (Payload/Runner.app) cannot be used to submit apps to the iOS App Store until it has a valid signature from Apple. For more information, visit the iOS Developer Portal. With error code STATE_ERROR.VALIDATION_ERROR.90165
I'm not sure what I broke with the latest update, since it worked fine until now. I tried messing with Archive Scheme in Xcode, I tried adding new provisioning profiles (AppStore and AdHoc) on the developer.apple site, but it doesn't help.
My gut's telling me that the solution is obvious, but...