Error "Launch failed." after code signing with entitlements

Hello,

I'm running into an issue when code signing my .app file on macOS. After introducing the --entitlements flag, I'm encountering an error that prevents the app from launching:

Error Messages:

  • App UI: "Cannot open the file"
  • Terminal (using open file.app)
The application cannot be opened for an unexpected reason, error=Error Domain=RBSRequestErrorDomain Code=5 "Launch failed." UserInfo={NSLocalizedFailureReason=Launch failed., NSUnderlyingError=0x60000216d620 {Error Domain=NSPOSIXErrorDomain Code=153 "Unknown error: 153" UserInfo={NSLocalizedDescription=Launchd job spawn failed}}}

Troubleshooting Details:

  • Without code signing, the app launches and permission pop-ups function correctly (the file tauri generates).
  • With code signing (but without --entitlements), the app launches but there are no permission pop-ups.
  • All scenarios (without signing, with signing, with signing + --entitlements) all have Info.plist in the /Contents of the .app file
  • Notarizing and stapling works fine when I do not include the --entitlements flag when signing.
  • Code for signing with entitlements:
codesign --timestamp --sign "Developer ID Application: ()" --options=runtime --entitlements ./src-tauri/Info.plist "${APP_FILE}"

Specifications

  • MacBook Air, M2, 16GB
  • macOS Sonoma 14.3.1
  • Xcode 15.2 (Build version 15C500b)
Answered by DTS Engineer in 780006022

The most common reason for this is that you’re using a restricted entitlement that’s not authorised by your profile. I talk about this in some detail in Resolving Trusted Execution Problems. A good place to start is to run syspolicy_check against your app.

When it comes to fixing this, I have two posts that explain how to sign code by hand:

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Accepted Answer

The most common reason for this is that you’re using a restricted entitlement that’s not authorised by your profile. I talk about this in some detail in Resolving Trusted Execution Problems. A good place to start is to run syspolicy_check against your app.

When it comes to fixing this, I have two posts that explain how to sign code by hand:

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

So I have read through the Creating Distribution-Signed Code for Mac and it better fits my example as I am trying to sign .app file with contents inside it. Here's the rough structure of the app:

test.app
└── Contents
    ├── CodeResources
    ├── Info.plist
    ├── MacOS
    │   └── test (Unix Executable File)
    ├── Resources
    │   └── icon.icns
    └── _CodeSignature
        └── CodeResources

When running the codesign -d -vv here's the output:

Executable=.../test.app/Contents/MacOS/test
Identifier=...
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=91065 flags=0x20002(adhoc,linker-signed) hashes=2842+0 location=embedded
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements=none

Since the test (exec) is a main executable, I think it is a bundle and therefore concluded:

| File        	| Bundle? 	| Main Exec 	|
|-------------	|---------	|-----------	|
| test (exec) 	| yes     	| yes       	|
| test.app    	| yes     	| yes       	|

so I need to add -o runtime and --entitlements when codesigning, here's my Info.plist (this is different to the one from the tree above):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
	<dict>
		<key>NSCameraUsageDescription</key>
		<string>camera access needed</string>
		<key>NSMicrophoneUsageDescription</key>
		<string>microphone access needed</string>
		<key>com.apple.security.device.audio-input</key>
		<true />
		<key>com.apple.security.device.camera</key>
		<true />
		<key>com.apple.security.device.microphone</key>
		<true />
	</dict>
</plist>

so I signed the executable first using the command below:

codesign --timestamp --verbose --sign "Developer ID Application" --options=runtime --entitlements Info.plist test.app/Contents/MacOS/test

but unfortunately I still have the error where the .app is not failing to launch. I have tried the below too:

  • I tried using the Info.plist from the tree which is inside the .app but it gave an error saying 'invalid entitlements`
  • I have tried without the --entitlements and -o runtime and it runs now but no permission popups and syspolicy_check shows its good to go.

fixed this by using a different entitlements file:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.device.usb</key>
    <true/>
    <key>com.apple.security.device.audio-input</key>
    <true/>
    <key>com.apple.security.device.camera</key>
    <true/>
    <key>com.apple.security.network.server</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
  </dict>
</plist>

which works fine while signing and launches perfectly.

Error "Launch failed." after code signing with entitlements
 
 
Q