iTunes Connect uploaded app has framework "not signed at all"

We built an app that uses openssl to validate a receipt.

We added OpenSSL statically as a framework (libcrypto.a and libssl.a).

We added a Run Script build phase that signs those two frameworks with our "3rd Party Mac Developer Application: CompanyName".

Through Xcode, Validation passed normally.


After the upload to the Mac App Store, we received an email from iTunes Connect that says we have issues with the delivery.

Specifically, the email says:

code object is not signed at all In subcomponent: com.companyname.AppName.pkg/Payload/AppName.app/Contents/Frameworks/libcrypto.a


To check what I'm delivering, I exported a .pkg for Mac App Store Deployment. I simulated a Store Installation in /Applications with:

sudo installer -store -pkg /Users/path/to/MASDeployed.pkg -target /

Output:

installer: Note: running installer as an admin user (instead of root) gives better Mac App Store fidelity
installer: AppName.pkg has valid signature for submission: 3rd Party Mac Developer Installer: CompanyName
installer: Installation Check: Passed
installer: Volume Check: Passed
installer: Bundle com.companyname.AppName will be installed to /Applications/AppName.app
installer: Starting install
[...]
installer: Finished install


Then I checked the signature of the whole app and of every included framework with:

codesign -dvv /Applications/AppName.app
codesign -dvv /Applications/AppName.app/Contents/Frameworks/libcrypto.a
codesign -dvv /Applications/AppName.app/Contents/Frameworks/libssl.a

and every one of them returns:

[...]
Authority=3rd Party Mac Developer Application: CompanyName
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
[...]


So, we are delivering a pkg that has no signature on certain components (openssl frameworks in this case), but if I install that pkg locally and check for signatures I see everything signed as I would expect.


I don't know how to correct the issue the email from Apple is underlining.


I checked http://developer.apple.com/library/mac/#documentation/Security/Conceptual/CodeSigningGuide/AboutCS/AboutCS.html and https://developer.apple.com/library/mac/technotes/tn2206/_index.html without being able to spot anything helpful or that we don't do already.


What am I missing here?

Accepted Answer

We added OpenSSL statically as a framework (libcrypto.a and libssl.a).

This indicates some confusion on your part. A framework always contains a dynamic library, but a .a file is a static library. When you add a static library to your project, the contents of that library are copied into your app (or whatever other target you added it to) at link time. There’s no need to then include a separate copy of the static library in your bundle. It won’t do anything useful; it’s just taking up space and, apparently, causing you code signing grief.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

You are totally right!

We were including a useless copy of the library.

App submitted for review.

Thank you.
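
A pre-submission check based on the accepted answer, added here as an example that is not part of the original thread and not an Apple tool: it lists static archives that ended up inside a built .app bundle. The helper names are hypothetical, and universal (fat) archives are only caught by their .a file name.

```shell
#!/bin/sh
# Added example: find static libraries that were copied into an .app bundle.
# is_static_archive and find_bundled_static_libs are hypothetical helper names.

# Return 0 if the file starts with the ar(1) archive magic "!<arch>\n",
# which is how a thin static library begins regardless of its file name.
is_static_archive() {
    # Read 7 bytes and drop NULs so binary files cannot confuse the shell.
    magic=$(head -c 7 "$1" 2>/dev/null | tr -d '\000')
    [ "$magic" = '!<arch>' ]
}

# Print every static archive inside the bundle, one path per line.
# Return status: 0 = bundle is clean, 1 = archives found, 2 = bad argument.
find_bundled_static_libs() {
    app=$1
    [ -d "$app" ] || { echo "not a bundle directory: $app" >&2; return 2; }
    found=0
    # A temp file keeps the loop in the current shell so $found survives.
    list=$(mktemp) || return 2
    find "$app" -type f > "$list"
    while IFS= read -r f; do
        case $f in
            *.a) hit=1 ;;   # named like a static library (covers fat archives)
            *)   is_static_archive "$f" && hit=1 || hit=0 ;;
        esac
        if [ "$hit" -eq 1 ]; then
            printf '%s\n' "$f"
            found=1
        fi
    done < "$list"
    rm -f "$list"
    return "$found"
}

# Example call against the install location used in the question:
#   find_bundled_static_libs /Applications/AppName.app || echo "remove the files listed above"
```

Anything it prints is already linked into the executable, so the fix is to remove it from the Copy Files phase rather than to sign it.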
