After codesigning, validation fails

After a lot of googling, I'm still unable to find an answer. We are building our product within Azure Pipelines with macOS hosts. After the pipeline is done, we get corrupted packages out of it. I could reproduce it locally with 12.3.1.

As you can see below, after overwriting the code sign, it fails to validate. Anyone got any idea how this can happen?

Btw, we don't have any embedded bundles, same result without --deep, the notarization reports on the same file: The signature of the binary is invalid.

# Force to override any codesign
codesign --force --deep --sign "xxx" --timestamp --options=runtime xxx.app

# Verify the codesign
codesign -vvv --deep --strict xxx.app
xxx.app: a sealed resource is missing or invalid
file modified: /Users/xxx/Desktop/xxx.app/Contents/MacOs/xxx

Only one file is having this issue, that is the main binary that is specified in the Info.plist as the startup program.

You are signing with the --deep flag, which is something I specifically recommend against. Based on the error you posted it seems likely that your product is not following the rules in Placing Content in a Bundle and thus deep code signing has messed up your code signature. However, even if that weren’t the case I still recommend against using --deep. See --deep Considered Harmful for more on this.

My advice is that you sign each code item separately, from the inside out. See the following posts for all the gory details:

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thanks for your answer, I reduced the test to a single file within the .app. If I use a dotnet 6 published executable the signing won't work. If I replace the dotnet executable with, for example, a copy of "cp" then the signing is working. It looks like an issue with signing app hosted dotnet 6 executables.

Any resource(s) or information that you can point me to about this?

Where in the bundle is this file being placed? Based on your earlier posts, I suspect it's Contents/MacOS. Is that right?

Is this file a Mach-O image? Or some other sort of code? To confirm this, run file against it. What does it say?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hey Quinn,

I solved this last night. The problem was that it wasn't a Mach-O image, and the extended attributes were dropped, so the signature was lost. Thanks for your help!
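Quinn's question (is the file a Mach-O image?) and the resolution above (a non-Mach-O executable whose signature lived only in extended attributes that were later dropped) can be turned into a pre-signing check for a CI pipeline. The following is an added example, not code from this thread or from Apple: it reads the magic bytes the way file(1) does and flags any executable under Contents/MacOS that is not Mach-O. The bundle layout and sample file contents are constructed for a stand-alone run.

```shell
#!/bin/sh
# Classify a file by its first four bytes: thin Mach-O, fat (universal) Mach-O, or other.
macho_kind() {
  magic=$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
  case "$magic" in
    cffaedfe|cefaedfe|feedfacf|feedface) echo macho ;;
    # 0xcafebabe is also the Java class-file magic; confirm with file(1) if in doubt.
    cafebabe|cafebabf) echo fat ;;
    *) echo other ;;
  esac
}

# Walk Contents/MacOS of a bundle. Returns non-zero if any file there is not Mach-O,
# because codesign stores the signature of such files in extended attributes rather
# than inside the file, and those are lost if the bundle is copied or archived
# without xattrs (the failure mode described in this thread).
check_macos_dir() {
  bundle=$1
  rc=0
  for f in "$bundle"/Contents/MacOS/*; do
    [ -f "$f" ] || continue
    kind=$(macho_kind "$f")
    if [ "$kind" = other ]; then
      echo "WARN: $f is not Mach-O; its signature would live in xattrs only" >&2
      rc=1
    else
      echo "ok: $f ($kind)"
    fi
  done
  return $rc
}

# Constructed sample bundle (hypothetical path, not a real app): directory plus one
# main executable whose bytes are given as an octal escape string.
make_sample() {
  dir=$1
  mkdir -p "$dir/Contents/MacOS"
  printf '%b' "$2" > "$dir/Contents/MacOS/main"
}
```

On a real macOS host, `xattr -l` on a flagged file shows whether `com.apple.cs.*` attributes are present, which is where the signature of a non-Mach-O file is kept.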
