codesign not signing .app MacOS executable 'can't verify signature'

App & System Services Core OS
abappdev OP
Created Nov ’23
Replies 3
Boosts 0
Views 782
Participants 2

I am facing an issue while codesigning the Content/MacOS executable. The executable name is exactly similar to the .app file, and the signing certificates have not expired yet.

Steps followed to generate signed files:

  1. Executed codesign on files within the .app folder.
  2. Then executed codesign on the .app folder.
  3. Tried to notarize with the new notarization tool.

Do we have to sign each individual file and folder?

Observations:

  • .DS_Store files were removed from the .app before signing.
  • Another app with the same certificate is able to sign correctly.
  • Content/MacOS contains multiple files, including the app executable. These files are signed except the main executable.
  • same installed_app after copying at another location showing signed.

Getting:

  • App Sandbox-Not enabled
  • Hardening-Enabled - Version 10.9.0
  • Notarization-Granted
  • Gatekeeper-Can't evaluate
  • Signed By- Can't verify signature
Answered by abappdev in 860690022

Found out solution, we were not using ditto for extracting the application causing sign loss.

Ticket can be closed

Replies  3
Boosts  0
Views  782
Participants  2
DTS Engineer OP
Apple
Nov ’23

If you’re signing stuff by hand, see Creating Distribution-Signed Code for Mac for general instructions. That covers most of what’s discussed here but I’ll address some specific points below.

Do we have to sign each individual file and folder?

No. Rather, you should identify each code item and sign that from the inside out. And if the code item is wrapped in a bundle, just sign the bundle. That will seal over the bundle’s main executable, its resources, and any nested code (which you will have already signed because of the inside out rule).

Content/MacOS contains multiple files, including the app executable. These files are signed except the main executable.

Are these other files executables? If not, they’re in the wrong place. See Placing Content in a Bundle for specific guidance on that.

Putting non-executables in Contents/MacOS is a very common source of weird code signing problems.

Another thing to look out for here is that your bundle correctly identifies its main executable via the CFBundleExecutable property in the Info.plist. If you have something weird there, like a misspelling or a value with the wrong case, you’ll see some very odd behaviour.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0
abappdev OP
Dec ’23

Thanks @eskimo

Tried all the steps above. Can you please share any internet article or video to perform given steps.

Regards

0
abappdev OP
Oct ’25
Recommended

Found out solution, we were not using ditto for extracting the application causing sign loss.

Ticket can be closed

0
codesign not signing .app MacOS executable 'can't verify signature'
First post date Last post date
 
 
Q