Xcode 16.2 Framework Signing Issues with Cloud Managed Developer ID in Automated Builds

Issue Description

After upgrading from Xcode 15.4 to 16.2, our macOS app's frameworks are failing notarization with the error "The binary is not signed with a valid Developer ID certificate" for embedded frameworks when building through fastlane. This worked correctly in Xcode 15.4. Importantly, manually archiving and notarizing through the Xcode GUI still works correctly - the issue only occurs during automated builds.

Build Configuration

We use fastlane to build and notarize our macOS app:

build_mac_app(
  scheme: 'Runner',
  export_method: "developer-id",
  xcargs: '-allowProvisioningUpdates'
)

This generates the following xcodebuild commands:

  1. Archive:
xcodebuild -workspace ./Runner.xcworkspace -scheme Runner -destination 'generic/platform=macOS' -archivePath /path/to/archive -allowProvisioningUpdates archive
  2. Export with plist:
xcrun -exportArchive -exportOptionsPlist '/path/to/plist' -archivePath /path/to/archive -exportPath '/output/path' -allowProvisioningUpdates

Export options plist contents:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>installerSigningCertificate</key>
    <string>Developer ID Installer: Company Inc (1234567891)</string>
    <key>method</key>
    <string>developer-id</string>
    <key>signingStyle</key>
    <string>automatic</string>
</dict>
</plist>
  3. Notarization:
ditto -c -k --rsrc --keepParent "My App.app" "My App.app.zip"
xcrun notarytool submit "My App.app.zip" --output-format json --wait --key /path/to/key --key-id ABCDEFGHIJ --issuer 12345678-abcd-1234-5678-fc2d96b1735a

Error Output

Notarization fails with the following errors:

{
  "severity": "error",
  "code": null,
  "path": "My App.app.zip/My App.app/Contents/Frameworks/some_package.framework/Versions/A/some_package",
  "message": "The binary is not signed with a valid Developer ID certificate.",
  "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
  "architecture": "arm64"
}

Key Details

  • Using Xcode Cloud managed Developer ID certificates (not local certificates)
  • ✅ Building, archiving, and notarizing through Xcode GUI works correctly
  • Automatic signing is enabled

Expected Behavior

Frameworks should be automatically signed with the cloud managed Developer ID certificate during the export process, as they were in Xcode 15.4.

Has there been a change in how framework signing is handled with cloud managed certificates in Xcode 16.2's command line tools? Any guidance on how to ensure frameworks are properly signed during automated builds when using automatic signing with cloud managed Developer ID certificates would be appreciated.
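
A pre-submission check for the pipeline described above, as an added example that is not part of the original post or of fastlane: it reads the signing authority that `codesign -dvv` reports for each item in `Contents/Frameworks` and fails before `notarytool submit` if any is not a Developer ID Application identity. The function names are hypothetical, and it assumes it runs on the macOS build machine after the export step.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): gate an exported .app on the
# signing identity of its embedded frameworks before notarization.

# Read `codesign -dvv` output on stdin and print the leaf signing authority
# (the first Authority= line). Prints nothing for unsigned or ad-hoc code.
leaf_authority() {
  sed -n 's/^Authority=//p' | head -n 1
}

# Succeed only if the given authority is a Developer ID Application identity.
is_developer_id() {
  case "$1" in
    "Developer ID Application: "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Check every framework and dylib under Contents/Frameworks of the app in $1.
# Prints one line per item; returns non-zero if any item fails the check.
check_frameworks() {
  _app="$1"
  _rc=0
  for _fw in "$_app"/Contents/Frameworks/*.framework \
             "$_app"/Contents/Frameworks/*.dylib; do
    [ -e "$_fw" ] || continue            # skip unmatched glob patterns
    # codesign writes its display output to stderr, hence 2>&1
    _auth="$(codesign -dvv "$_fw" 2>&1 | leaf_authority)"
    if is_developer_id "$_auth"; then
      echo "ok   $_fw ($_auth)"
    else
      echo "FAIL $_fw (${_auth:-no signing authority})"
      _rc=1
    fi
  done
  return "$_rc"
}

# When run as a script with the exported app as its argument, the exit status
# reflects the check, so a CI lane can stop before `notarytool submit`.
[ "$#" -eq 0 ] || check_frameworks "$1"
```

The `FAIL` lines show which identity, if any, the command-line export actually applied to each framework, which can be compared against the same check run on an app exported from the Xcode GUI.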

Please file a Feedback report, then post the number here.

Done

FB16620614

Hey Apple

It has been a month. Any update on this?
