codesign CLI throws error on OSX 12 (M1) and Xcode 12/13

Until I migrated to a new M1 machine running OSX 12, this used to work fine:

codesign --sign <cert> --force --timestamp --options runtime <binaryname>

Now, the exact same command (same cert, same binary) throws an error "errSecInternalComponent"

internal error in Code Signing subsystem

I found a vague reference that there might be some problems currently with Monterey in this regard and that

ENABLE_BITCODE=NO

might need to be used but it's not clear how to set that for CLI use like this.

Any ideas much appreciated.

Answered by plk in 703098022

This turned out to be an issue with OSX 12+ ad-hoc signing anything compiled on it with a machine-specific signature. This made codesign fail with no useful message. Trying this on OSX11 gave a useful message about Mach-O header segment overlaps. In the end, the solution was to remove the ad-hoc signing with something like optool which made it possible to correctly sign.

Just to be clear, I have the same issues with Xcode 12 and 13 and so it seems to be OSX 12 related.

It is a target build setting, not a parameter to codesign. Select the target in Xcode, select "All" and filter on "bitcode"

internal error in Code Signing subsystem

For anyone finding this post from the same error message, our problem was that the working directory for creating the bundle was under a symlink (thanks to Bazel). Moving the app out of the symlinked directory before signing seems to fix the issue.
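
An added example, not from any poster in this thread: a preflight check for the two conditions the replies above describe, a symlinked component in the path being signed and an existing ad-hoc signature on the binary. The function names are hypothetical, and the signature check relies on `codesign -dv` printing `Signature=adhoc` for ad-hoc signed code.

```shell
#!/bin/sh
# Preflight checks before codesign (added example, names are hypothetical).

# Print each symlinked component of a path; status 0 if any was found.
# The body is a subshell so the IFS and noglob changes do not leak.
symlinked_components() (
    found=1
    case $1 in /*) cur=/ ;; *) cur= ;; esac
    IFS=/
    set -f
    for part in $1; do
        [ -n "$part" ] || continue
        cur=$cur$part
        if [ -L "$cur" ]; then
            printf '%s\n' "$cur"
            found=0
        fi
        cur=$cur/
    done
    [ "$found" -eq 0 ]
)

# Classify the text printed by `codesign -dv <file>`.
signature_kind() {
    case $1 in
        *"Signature=adhoc"*)   echo adhoc ;;
        *"not signed at all"*) echo unsigned ;;
        *)                     echo other ;;
    esac
}

# Status 0 means neither condition was seen. The codesign step is
# skipped on hosts without the tool (assumption: normally run on macOS).
presign_check() {
    rc=0
    if links=$(symlinked_components "$1"); then
        echo "symlinked path component(s): $links" >&2
        rc=1
    fi
    if command -v codesign >/dev/null 2>&1; then
        kind=$(signature_kind "$(codesign -dv "$1" 2>&1)")
        if [ "$kind" = adhoc ]; then
            echo "existing ad-hoc signature: $1" >&2
            rc=1
        fi
    fi
    return $rc
}
```

Call it as `presign_check path/to/binary`; on macOS, paths under /tmp or /var are reported too, because those directories are themselves symlinks into /private.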
