code signature validation failed fatally - Unsatisfied Entitlements

Hello,

We have a working application with several entitlements - com.apple.developer.endpoint-security.client and com.apple.developer.team-identifier.

Recently, the Developer ID signing certificate expired and we created a new one according to the instructions on the website. Also the provisioning profile for those entitlements expired so we edited it to use the new certificate.

We build using xcodebuild in a script and sign with codesign. We supply the certificate ID and the entitlements in a plist file like this:

codesign --timestamp --force --sign "${application_signature}" --options=runtime "${obj}" --entitlements "${SR_ENTITLEMENT_PATH}"

(those env vars hold the correct values for the cert id and plist path as far as we checked).

The signing works and looks OK with "codesign -dvvv" (XXXX replaces the real file name for privacy):

Signature size=9050
Authority=Developer ID Application: XXXXXX. (XXXXX)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=16 Oct 2025 at 11:09:53 AM
Info.plist=not bound
TeamIdentifier=XXXXX
Runtime Version=14.5.0
Sealed Resources=none
Internal requirements count=1 size=184
[Dict]
    [Key] com.apple.application-identifier
    [Value]
        [String] XXXXX.com.XXXX.XXXX
    [Key] com.apple.developer.endpoint-security.client
    [Value]
        [Bool] true
    [Key] com.apple.developer.team-identifier
    [Value]
        [String] XXXXXX

But when the app needs to run it is killed and the console shows the following:

amfid: /private/tmp/XXXXX not valid: Error Domain=AppleMobileFileIntegrityError Code=-420 "The signature on the file is invalid" UserInfo={NSURL=file:///private/tmp/XXXXX, NSLocalizedDescription=The signature on the file is invalid}

kernel: mac_vnode_check_signature: /private/tmp/CybereasonSensor: code signature validation failed fatally: When validating /private/tmp/XXXXX: Code has restricted entitlements, but the validation of its code signature failed.

We didn't change any code or build differently (it's done by a CI Jenkins job).

So if the file is signed and has the entitlements, why does it fail? What should be done?

Thanks, Boaz

Answered by DTS Engineer in 862971022

It’s likely that the provisioning profile embedded in your app doesn’t authorise the new Developer ID certificate that you just created. See the Check the Signing Certificate section of Resolving Code Signing Crashes on Launch.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
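One way to perform the check the answer points at, as an added example that is neither code from this thread nor Apple's: decode the profile embedded in the app, dump the leaf certificate the app was actually signed with (the first Authority= line in the question's codesign -dvvv output), and compare the two. The script assumes you produced the inputs with `security cms -D -i embedded.provisionprofile` and `codesign -d --extract-certificates` (both real commands; the file names profile.plist and codesign0, and all function names, are my choice). The sample profile and certificate bytes below are constructed stand-ins so it runs offline; they are not real certificates or a real profile.

```python
"""Check whether a Developer ID provisioning profile authorises the
certificate an app was signed with (added example, not from the post).

Assumed workflow on macOS (the two commands exist; the file names are my choice):
    security cms -D -i MyApp.app/Contents/embedded.provisionprofile > profile.plist
    codesign -d --extract-certificates MyApp.app      # writes the leaf cert to ./codesign0
    python3 check_profile.py profile.plist codesign0

Run without arguments, the script uses constructed sample data instead.
"""
import hashlib
import plistlib
import sys
from datetime import datetime, timezone

ES_ENTITLEMENT = "com.apple.developer.endpoint-security.client"


def fingerprint(cert_der: bytes) -> str:
    """SHA-1 over the DER bytes, the hash 'security find-identity' prints."""
    return hashlib.sha1(cert_der).hexdigest().upper()


def check_profile(profile_plist: bytes, cert_der: bytes, now: datetime) -> dict:
    """Compare the signing certificate against the profile's DeveloperCertificates
    and report the other fields that matter for an Endpoint Security client."""
    profile = plistlib.loads(profile_plist)
    listed = {fingerprint(c) for c in profile.get("DeveloperCertificates", [])}
    expiry = profile["ExpirationDate"]
    if expiry.tzinfo is None:            # plistlib returns naive UTC datetimes
        expiry = expiry.replace(tzinfo=timezone.utc)
    ents = profile.get("Entitlements", {})
    return {
        "certificate_authorised": fingerprint(cert_der) in listed,
        "profile_expired": expiry <= now,
        "endpoint_security_granted": ents.get(ES_ENTITLEMENT) is True,
        "team_identifier": ents.get("com.apple.developer.team-identifier"),
    }


def diagnose(profile_plist: bytes, cert_der: bytes, now: datetime) -> list:
    """Human-readable reasons the launch would be refused; empty list means OK."""
    r = check_profile(profile_plist, cert_der, now)
    problems = []
    if not r["certificate_authorised"]:
        problems.append("signing certificate is not in the profile's DeveloperCertificates; "
                        "regenerate the profile with the new Developer ID certificate")
    if r["profile_expired"]:
        problems.append("profile has expired")
    if not r["endpoint_security_granted"]:
        problems.append(f"profile does not grant {ES_ENTITLEMENT}")
    return problems


# ---- constructed sample data: stand-ins, not real certificates or a real profile ----
OLD_CERT_DER = b"constructed DER of the expired Developer ID certificate"
NEW_CERT_DER = b"constructed DER of the newly created Developer ID certificate"
FIXED_NOW = datetime(2025, 10, 16, 11, 9, 53, tzinfo=timezone.utc)


def build_sample_profile(cert_ders, expiration: datetime) -> bytes:
    """Minimal decoded profile (the shape 'security cms -D' prints) as XML plist bytes."""
    return plistlib.dumps({
        "Name": "Constructed Sample Profile",
        "TeamIdentifier": ["XXXXXX"],
        "DeveloperCertificates": list(cert_ders),
        "ExpirationDate": expiration,
        "Entitlements": {
            "com.apple.application-identifier": "XXXXXX.com.example.sample",
            ES_ENTITLEMENT: True,
            "com.apple.developer.team-identifier": "XXXXXX",
        },
    })


# Profile that still lists only the old certificate: the situation in the question.
STALE_PROFILE = build_sample_profile([OLD_CERT_DER], datetime(2025, 9, 1))
# Profile regenerated after the new certificate was added to it.
REGENERATED_PROFILE = build_sample_profile([NEW_CERT_DER], datetime(2026, 9, 1))


def main(argv):
    if len(argv) == 3:
        with open(argv[1], "rb") as f:
            profile = f.read()
        with open(argv[2], "rb") as f:
            cert = f.read()
        now = datetime.now(timezone.utc)
    else:
        profile, cert, now = STALE_PROFILE, NEW_CERT_DER, FIXED_NOW
    problems = diagnose(profile, cert, now)
    print("OK" if not problems else "\n".join("PROBLEM: " + p for p in problems))
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The comparison is by SHA-1 of the DER bytes because that is the fingerprint the Keychain tools show; comparing the raw bytes would work just as well. If the certificate check passes but amfid still rejects the binary, look at the other two findings: a profile whose ExpirationDate has passed, or one that does not carry the entitlement the binary claims, fails the same "restricted entitlements" validation.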
