Signing code for older versions of macOS on Apple Silicon

This thread has been locked by a moderator; it no longer accepts new replies.
Note This content is a repost of info from another thread because that thread is not world readable (it’s tied to the DTK programme).

A number of folks have reported problems where:
  • They have a product that supports older versions of macOS (anything prior to 10.11).

  • If they build their product on Intel, everything works.

  • If they build their product on Apple Silicon, it fails on those older versions of macOS.

A developer filed a bug about this (FB8830007) and, based on the diagnosis of that bug, I have some info to share as to what’s going wrong and how you can prevent it. Let’s start with some background.

macOS’s code signing architecture supports two different hash formats:
  • sha1, the original hash format, which is now deprecated

  • sha256, the new format, support for which was added in macOS 10.11

codesign should choose the signing format based on the deployment target:
  • If your deployment target is 10.11 or later, you get sha256.

  • If your deployment target is earlier, you get both sha1 and sha256.

This problem crops up because, when building for both Intel and Apple Silicon, your deployment targets are different. You might set the deployment target to 10.9 but, on Apple Silicon, that’s raised to the minimum Apple Silicon system, 11.0. So, which deployment target does it choose?

Well, the full answer to that is complex but the executive summary is that it chooses the deployment target of the current architecture, that is, Intel if you’re building on Intel and Apple Silicon if you’re building on Apple Silicon. For example:

Code Block
intel% codesign -d --arch x86_64 -vvv Test664892.app
Hash choices=sha1,sha256
intel% codesign -d --arch arm64 -vvv Test664892.app
Hash choices=sha1,sha256
arm% codesign -d --arch x86_64 -vvv Test664892.app
Hash choices=sha256
arm% codesign -d --arch arm64 -vvv Test664892.app
Hash choices=sha256


The upshot is that you have problems if your deployment target is less than 10.11 and you sign on Apple Silicon. When you run on, say, macOS 10.10, the system looks for a sha1 hash, doesn’t find it, and complains.

The workaround is to supply the --digest-algorithm=sha1,sha256, which overrides the hash choice logic in codesign and causes it to include both hashes:

Code Block
arm% codesign -s - --digest-algorithm=sha1,sha256 Test664892.app
arm% codesign -d --arch x86_64 -vvv Test664892.app
Hash choices=sha1,sha256
% codesign -d --arch arm64 -vvv Test664892.app
Hash choices=sha1,sha256


Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
Boost
Signing code for older versions of macOS on Apple Silicon
 
 
Q