Launch constraints disappear

Question

Created 1w

Replies 6

Boosts 0

Participants 2

I use launch constraints in a project. If I archive the project and save a copy of the app locally, everything works as expected but if I choose "Direct Distribution" and submit the app to Apple for notarization, the notarized app does not contain any launch constraints. What are I am doing wrong? Thanks.

Answered by DTS Engineer in 796121022

Oh, that’s interesting. Launch constraints are baked into your code signature. When you export from an Xcode archive, Xcode re-signs your app and that represents an obvious point where they could get dropped.

The way this is meant to work is that Xcode passes the --preserve-metadata option to codesign and that preserves stuff like this. See codesign man page for more details on that.

It’s possible that the version of Xcode you’re using hasn’t been updated to preserved launch constraints. Have you tried this with the latest Xcode 16 beta?

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Boost

Answer 1

DTS Engineer OP

Apple

1w

Recommended

Oh, that’s interesting. Launch constraints are baked into your code signature. When you export from an Xcode archive, Xcode re-signs your app and that represents an obvious point where they could get dropped.

The way this is meant to work is that Xcode passes the --preserve-metadata option to codesign and that preserves stuff like this. See codesign man page for more details on that.

It’s possible that the version of Xcode you’re using hasn’t been updated to preserved launch constraints. Have you tried this with the latest Xcode 16 beta?

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 2

marcthielemann OP

1w

@DTS Engineer

I tried this with Xcode 16 beta 3.

0

Answer 3

DTS Engineer OP

Apple

5d

… and that fixed the problem? Or it still failed?

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 4

marcthielemann OP

5d

@DTS Engineer

It fails in Xcode 16 beta 3.

Also tried your sample project from here: https://developer.apple.com/documentation/security/constraining_a_tool_s_launch_environment but as soon as I upload it for notarizing the constraints also disappear. So the issue seems not to be related to my project.

0

Answer 5

DTS Engineer OP

Apple

4d

Accepted Answer

OK.

Did you look at the logs that Xcode generates when you export? I suspect you’ll see that it’s not passing the right values for --preserve-metadata.

Regardless, you should file a bug against Xcode here. Please post your bug number, just for the record.

As to the workaround, you’ll have to manually export your code from your Xcode archive. See Creating distribution-signed code for macOS, starting at the Export a non-app product built with Xcode section.

Note that this isn’t as tricky than it might seem because you can follow the trail blazed by Xcode:

Export using Xcode.
Look in the logs to see what Xcode did.
Apply the minor tweak to the --preserve-metadata option.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 6

marcthielemann OP

23h

FB14511046

0