Issue launching a Developer ID signed app

I work on a mac app that gets signed by a script written by another group at my company. In the past that script, which runs on 10. has produced a valid signed binary (according to checking with codesign and spctl).


It seems starting with 10.10.4, our signed binary isn't being checked as correct when a user launches (after downloading from a website, which puts the binary in quarantine).


On 10.10.5, I get this when I attempt to launch:


10/13/15 12:58:38.456 PM CoreServicesUIAgent[32675]: Error -60005 creating authorization

10/13/15 12:58:40.551 PM CoreServicesUIAgent[32675]: Error: No signature database

10/13/15 12:58:40.554 PM CoreServicesUIAgent[32675]: Cannot load Interface Builder file '/System/Library/Frameworks/AppKit.framework/Resources/English.lproj/NSAlertPanel.nib'

10/13/15 12:58:40.554 PM com.apple.xpc.launchd[1]: (com.apple.xpc.launchd.oneshot.0x10000038.<appname replaced by me>[32822]) Service exited due to signal: Killed: 9


I tried with the latest beta of 10.11.1, and it seems to launch correctly with no issues.


Anyone run into this?


Thanks,


Lucien

OS X 10.10.4 included new code signature hardening that tripped up lots of folks who are doing their own signing (rather than having Xcode sign your product, which is what we recommend). You can read about this in Technote 2206 OS X Code Signing In Depth.

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thanks Quinn 🙂


That's the first place I went to in an attempt to diagnose it. I'll double check the system log to see if there are any issues mentioned here: https://developer.apple.com/library/mac/technotes/tn2206/_index.html#//apple_ref/doc/uid/DTS40007919-CH1-TNTAG207


Moving to having Xcode sign would be a great idea, but difficult to implement in the short term. Since it seems it's just an issue with 10.10.4 and 10.10.5, we might live with it.


BTW, wrote a radar: rdar://23114191

Hi Eskimo,

Some more data about how we are signing the app. Let us know your inputs on the signing process below.


We also do the export CODESIGN_ALLOCATE variable as recommended by Apple as below:

export CODESIGN_ALLOCATE="/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate"

We run the below commands sequentially,


  1. Sign frameworks:
  2. Sample: codesign --verbose --force --deep --sign "Developer ID Application: Intuit Inc." /private/var/lib/workspaces/app/Contents/Frameworks/Sparkle.framework/Versions/A
  3. We do this sequentially for all frameworks in the frameworks folder.
  4. Sign TurboTax App:

    Sample: codesign -f -s "Developer ID Application: XYZ Inc" --deep <PATH TO .app>

  5. Verify Codesign:

    codesign --verify --verbose=4 <PATH TO .app folder>

  6. Verify Gatekeeper acceptance:

    spctl --verbose=4 --assess --type execute <PATH TO .app folder>

  7. Final verification for App:

    codesign -dvvv <PATH TO .app folder>


These are the commands we run using the developer certificates we have.

We sign on 10.9.4 version of MAC OSX. Hope this helps.


Please let me know if more information is required.


Thanks,

Sanketh Bhat

Hi Apple,


We were able to find the issue which was preventing us from launching the app.


It was related to some of our files which were being treated as executable (as terminal command).


Fix:

Our top level files like version information files had the executable bit set. We removed the same and then the application opens without any issues.

Our security setting is the default setting of "Mac App Store and identified developers".


We request that Apple please let us know what you think about the fix; we wanted to validate the above changes.


Please let us know if you have any input on the fix we have found.


Thanks,

Sanketh Bhat
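
A pre-signing check for the cause found in this thread (non-code files carrying the executable bit), as an added example that is not from any poster or from Apple. The function names and the heuristic for what counts as real code (a Mach-O or fat-binary magic number, or a "#!" line) are assumptions of this example.

```shell
#!/bin/sh
# Added example: list files in a bundle that carry an executable bit but do not
# look like executables. Heuristic (assumption): real code starts with a Mach-O
# or fat-binary magic number, or with a "#!" interpreter line.

# Print the first four bytes of a file as lowercase hex, e.g. "cffaedfe".
first4_hex() {
    head -c 4 "$1" | od -An -tx1 | tr -d ' \n'
}

# Return 0 if the file looks like something that is meant to be executed.
looks_executable() {
    case "$(first4_hex "$1")" in
        feedface|feedfacf|cefaedfe|cffaedfe) return 0 ;;  # thin Mach-O
        cafebabe)                            return 0 ;;  # fat (universal) binary
        2321*)                               return 0 ;;  # "#!" script
    esac
    return 1
}

# Print every regular file under $1 with any x bit set that fails the check.
find_spurious_exec() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print |
    while IFS= read -r f; do
        looks_executable "$f" || printf '%s\n' "$f"
    done
}

# Usage: sh check_xbits.sh <PATH TO .app> ; exits 1 if anything is flagged.
if [ "$#" -ge 1 ]; then
    out=$(find_spurious_exec "$1")
    [ -z "$out" ] && exit 0
    printf 'executable bit on non-executable files:\n%s\n' "$out" >&2
    exit 1
fi
```

Run it on the bundle before the codesign step; each flagged path is a candidate for `chmod a-x`, after confirming the file really is data.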
