codesign stubbornly failing

I'm trying to sign a .app package coming from Py2app. Unfortunately I keep running into the same two issues:

The binary is not signed with a valid Developer ID certificate.

and

The signature does not include a secure timestamp.

I tried everything, from recreating the signatures with different arguments to using different keys and certificates, but it keeps complaining with these two errors on a long list of files.

For reference, I added the Python script I use for signing the files.

Answered by DTS Engineer in 860497022

I have a few resources to share with you:

You have a couple of choices here:

  • You can strictly follow the rules in Placing content in a bundle, which is a bunch of extra work right now but will likely work better in the long term.
  • You can bend those rules by simply signing your code as it’s currently structured.

Based on the script you included, it looks like you’re attempting the second approach. It’s likely you’ll be able to make that work, but that script will need significant enhancement. For example, Creating distribution-signed code for macOS explains that you need to sign code from the inside out from a dependency perspective, and your script is doing it from a file system hierarchy perspective.
Can you share a copy of your app here? I’m talking about the .app bundle prior to you running your script over it. I’d like to get a better handle on what py2app is doing these days.

If not, that’s cool. At some point I’ll find the time to play around with py2app myself.

If so, you’ll need to upload it to a file sharing service and post a link. Post that link in the clear, per tip 14 of Quinn’s Top Ten DevForums Tips.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
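As an added example (not from this thread, py2app, or Apple), here is the inside-out ordering the answer describes, in Python since the poster's signing script is Python: nested code is signed before the code that contains it, and each codesign call asks for a secure timestamp and the hardened runtime, which covers both errors in the question. The Developer ID identity string and the suffix list are assumptions, and nesting depth is used as a simplification of the dependency order the answer refers to.

```python
import os
import subprocess

# Suffixes that mark nested code inside the bundle (constructed list for
# this example; extend it if your bundle carries other code types).
CODE_SUFFIXES = (".dylib", ".so", ".framework", ".app", ".bundle", ".xpc")


def collect_code_paths(bundle_path):
    """Walk the bundle and return every nested code item inside it."""
    found = []
    for root, dirs, files in os.walk(bundle_path):
        for name in dirs + files:
            if name.endswith(CODE_SUFFIXES):
                found.append(os.path.join(root, name))
    return found


def signing_order(bundle_path, code_paths):
    """Deepest nested code first, the outer bundle last, so every item is
    signed before the item that contains it. Nesting depth stands in for the
    dependency order the answer describes; it is a simplification."""
    ordered = sorted(code_paths, key=lambda p: p.count(os.sep), reverse=True)
    return ordered + [bundle_path]


def codesign_command(path, identity, entitlements=None):
    """One codesign invocation: --timestamp requests the secure timestamp
    notarization checks for, --options runtime enables the hardened runtime,
    and --force replaces any signature py2app already applied."""
    cmd = ["codesign", "--force", "--sign", identity, "--timestamp",
           "--options", "runtime"]
    if entitlements:
        cmd += ["--entitlements", entitlements]
    return cmd + [path]


def sign_bundle(bundle_path, identity, dry_run=False):
    """Sign a bundle inside out; returns the commands run (or, if dry_run,
    the commands that would have been run)."""
    paths = signing_order(bundle_path, collect_code_paths(bundle_path))
    commands = [codesign_command(p, identity) for p in paths]
    if not dry_run:
        for cmd in commands:
            subprocess.run(cmd, check=True)
    return commands
```

Call `sign_bundle("Example.app", "Developer ID Application: <your name> (<TEAMID>)", dry_run=True)` first to review the order and flags before letting it run codesign.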

Thanks for the provided links! Makes sense that the signing needs to be done from the dependencies backwards. Regarding the placement of the content, I think py2app does a good job with that, especially since the log states there is some signing happening already. Of course I can provide you with a copy, the project is open source anyway. Here is the zipped .app: http://dreisicht.net/share/renderrob.zip
