"Finder info and similar detritus not allowed" error message while code signing.

I have an app not made in Xcode, which I notarize. I have no problem notarizing it in a Catalina VM I run with Xcode 11.4 but on my Big Sur MacBook Pro with Xcode 12.5.1 (the latest) I cannot code sign. I get the message "resource fork and finder info and similar detritus not allowed". I get this even if I do xattr -cr first to clear it all. Code signing my app takes a few code signing commands. The first few go OK but then on the next couple it immediately says that error message as if the first ones inserted more detritus. I cannot finish code signing.

First I do this:

xattr -cr "/Users/richard/Desktop/Deploying/Jyotish Studio 5/Jyotish Studio 7.1.app"

Then I do this:

codesign -f --deep -o runtime --entitlements /Users/richard/Desktop/Deploying/standard_entitlements.plist --timestamp --verbose -s "Developer ID Application: Das Goravani (K6ZXXXXRU)" /Users/richard/Desktop/Deploying/Jyotish\ Studio\ 5/Jyotish\ Studio\ 7.1.app

That one above signs everything, and it seems to insert some detritus because when I issue the next one to seal up the app it gives the error now, but note it does not give the error using the exact same commands in 11.4 on Catalina. Here's the command that gives the error after doing the above:

codesign -f -o runtime --entitlements /Users/richard/Desktop/Deploying/standard_entitlements.plist --timestamp --verbose -s "Developer ID Application: Das Goravani (K6XXXXXRU)" /Users/richard/Desktop/Deploying/Jyotish\ Studio\ 5/Jyotish\ Studio\ 7.1.app

Why do the exact same commands work on 11.4 Xcode and Catalina on a Virtual machine I run and not on Big Sur with Xcode 12.5.1?

I cannot now notarize if I use only my main Mac main OS which is Big Sur.. can't notarize. I have to run the VM, I have to keep it around, which takes up a lot of drive space, just for notarizing, which bugs me.

Note that I AM doing the xattr -cr command first to clear all finder info etc.. but somehow it comes back due to signing the app. I also downloaded and tried an app for cleaning detritus from the app, it's called Clean Detritus.. I tried that, ran it, and got the same problem anyway.

Please help.

Replies

Why do the exact same commands work on 11.4 Xcode and Catalina on a Virtual machine I run and not on Big Sur with Xcode 12.5.1?

I'm not certain that you are running the exact commands, but I could be wrong. Notice the --deep argument here:

codesign -f --deep -o runtime --entitlements /Users/richard/Desktop/Deploying/standard_entitlements.plist --timestamp --verbose -s "Developer ID Application: Das Goravani (K6ZXXXXRU)" /Users/richard/Desktop/Deploying/Jyotish\ Studio\ 5/Jyotish\ Studio\ 7.1.app

That is not present here:

codesign -f -o runtime --entitlements /Users/richard/Desktop/Deploying/standard_entitlements.plist --timestamp --verbose -s "Developer ID Application: Das Goravani (K6XXXXXRU)" /Users/richard/Desktop/Deploying/Jyotish\ Studio\ 5/Jyotish\ Studio\ 7.1.app

The first thing I would do is get rid of this argument. Quinn wrote an excellent post explaining the reasons why, but essentially if you have a bundle structure that contains signed code that is not in a recommended code location, this can cause issues. Another problem --deep presents is that it can force codesign to sign your dylibs and embedded helper apps with unintended entitlements, potentially violating general macOS code signing rules.

Start with the removal of --deep, then take a look at your bundle structure to see if you have signed code in a location that violates the Nested Code locations. Lastly, I suspect if you have a complex bundle structure, you may need to sign certain parts of your app by hand. If this is the case, Quinn has another post explaining the steps to manually code sign a macOS app.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
  • I code signed having gotten rid of the --deep argument, just removed it and proceeded with the same commands. It made it through the code signing and uploaded OK but was not notarized. The feedback is code 2 package invalid.. not much feedback. I don't know what it means. The program I'm trying to code sign is an app written in Omnis Studio, a programming language that is interpreted. So you notarize the Omnis application with your stuff inside it in a certain folder in the bundle structure. Note again that I notarize with --deep on Catalina in Xcode 11.4 no problem. I have not been able to do it in Mojave or Big Sur with other versions of Xcode... only that one specific grouping. "Invalid package" is so generic I don't know if that can give me any real direction to work on. I will just keep my Catalina VM and do it that way for now. It is sad that I need to keep it just for this and for how long.. will that go on.. there are many others who need to notarize Omnis applications.. they are doing it for the most part, but we all have the same bundle structure and in most cases it is working. I don't know what my problem is. -Das Goravani, small developer solo, thanking you for your input.


The feedback is code 2 package invalid..

I suspect that this is something either to do with your bundle structure or possibly the pkg that is being sent to the Notary service. If you are sending a pkg make sure you are using a native tool like productbuild and not a 3rd party tool to create this package. If you are sending a zip or dmg to the Notary service then I would look into your bundle structure and align it to the paths listed in the Nested Code Location from macOS Code Signing In Depth. If you do not align your bundle structure in this way, you will always fight issues with Notarization and Gatekeeper.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
  • Omnis Inc. controls the bundle structure. I have no idea if it's standard or compliant. I just notarized my app on Catalina and Xcode 11.4 command line tools etc. So I am still able to notarize on Catalina VM with 11.4. I tried again on Big Sur and 12.5.1 Xcode and got the "detritus" error again on the code signing attempts. Because of Catalina, I feel that the commands I have down on my cheat sheet are correct (I posted some of them above). I was having trouble notarizing a pkg that simply has four fonts in it.. it's part of my final dmg package, I figured I needed to notarize it separately first as it sits as a pkg at root level in my final dmg.. so it won't notarize when I notarize the dmg.. and I was able to notarize this pkg by itself once I found input from Apple about the command "productsign".. I didn't know about that command.. it worked to sign that pkg and it notarized (on Catalina with 11.4). So it seems I am stuck with my Catalina VM for now.. must keep it so that I can notarize. On Big Sur with 12.5.1 I use the same commands as from Catalina.. I have them typed out on a text file, I copied that over to Big Sur and am using the exact same commands that work on Catalina, and on Big Sur, it seems that the code signing commands are themselves inserting detritus.. because I do the stripping of xattr -cr, and then I check and indeed all detritus is stripped.. then I code sign the bundle deep.. I know you said not to, but my original working on Catalina commands go deep.. after doing that code signing I try signing again just at the top of the bundle itself, with a command that works on Catalina, and on Big Sur it says "Detritus..." and the only thing I did since stripping the detritus is run that deep code signing.. then there's detritus again.. and I can't go on.. get stuck in a loop.. I wish I could code sign on Big Sur so that I could dump that VM but alas, so far it's not in the cards. Thank you Matt for your help.. it was helpful.. I will refer back to it if I approach this again..


So it seems I am stuck with my Catalina VM for now. Omnis Inc. controls the bundle structure. I have no idea if it's standard or compliant.

Being's how your vendor is controlling the bundle structure, this means that you need to talk to them about this. If the vendor is using a bundle structure that is not compliant with the Nested Code locations defined in macOS Code Signing In Depth then this is not doing you any favors at all.

For example, try this out: on Big Sur create a blank test app in Xcode and try to Notarize it with the same commands that you are using in Catalina, minus the --deep argument on the codesign command of course. I suspect that everything will go through fine. Now, on the successfully Notarized app, right click it and do "Show Package Contents" in Finder to show the directory structure. Now, do the same for your app created by your Vendor. I suspect that you will see some differences here and if any of those differences violate the Nested Code locations, this is something your vendor needs to change.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
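
The bundle-structure comparison suggested in the replies above can be scripted. The following is an added example, not code from the thread or from Apple: it lists every Mach-O file in a bundle, deepest first (the order for signing by hand without --deep), and flags files outside the nested-code directories. The directory list (as recalled from macOS Code Signing In Depth, to be checked against Apple's current text), the function names and the sample bundle are assumptions.

```shell
#!/bin/bash
# Directories under Contents/ treated as nested-code locations.
# Assumption: list recalled from TN2206; verify against Apple's current text.
NESTED_OK='MacOS Frameworks SharedFrameworks PlugIns Plug-ins XPCServices Helpers
Library/Automator Library/Spotlight Library/LoginItems'

# True if FILE starts with a Mach-O or universal-binary magic number.
# (cafebabe is also the Java .class magic, so treat hits as candidates.)
is_macho() {
  case "$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')" in
    feedface|feedfacf|cefaedfe|cffaedfe|cafebabe|bebafeca) return 0 ;;
    *) return 1 ;;
  esac
}

# Print "OK <path>" or "MISPLACED <path>" for each Mach-O file under
# APP/Contents, deepest first: the inside-out order used when signing by hand.
# Only the position inside the outer bundle is checked, not inside nested bundles.
audit_bundle() {
  app=${1%/}
  find "$app/Contents" -type f | while IFS= read -r f; do
    is_macho "$f" || continue
    rel=${f#"$app/Contents/"}
    verdict=MISPLACED
    for dir in $NESTED_OK; do
      case "$rel" in "$dir"/*) verdict=OK ;; esac
    done
    # Arithmetic expansion strips the padding some wc implementations add.
    depth=$(( $(printf '%s' "$rel" | tr -cd '/' | wc -c) ))
    printf '%s %s %s\n' "$depth" "$verdict" "$rel"
  done | sort -rn | cut -d' ' -f2-
}

# Constructed sample bundle: a 4-byte Mach-O magic stands in for real binaries.
make_demo_bundle() {
  d=$(mktemp -d)/Demo.app
  mkdir -p "$d/Contents/MacOS" "$d/Contents/Frameworks/Lib.framework/Versions/A" \
           "$d/Contents/Resources/extras dir"
  for p in MacOS/Demo Frameworks/Lib.framework/Versions/A/Lib "Resources/extras dir/helper"; do
    printf '\317\372\355\376' > "$d/Contents/$p"
  done
  echo 'not code' > "$d/Contents/Resources/readme.txt"
  printf '%s\n' "$d"
}

audit_bundle "$(make_demo_bundle)"
```

Running `audit_bundle` on both the blank Xcode test app and the vendor-built app gives two lists that can be compared directly; any MISPLACED line is a candidate to raise with the vendor.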