codesign: "A timestamp was expected but was not found"


My CI builds are failing regularly since July 1st with this codesign error: "A timestamp was expected but was not found.".

The Mac app has a few frameworks which are properly signed, and sometimes it gets through the signing process but fails at a seemingly random code signing command with this error.

I have checked and the signing certificate (Developer ID) expires in 2017. I also made sure that the CI servers had their time set automatically using the servers to prevent clock drift.

Short of disabling timestamps with --timestamp none in the codesign command, is there anything I can do? Am I tied to Apple's timestamp servers' whims?

Thanks for any insight,


7 Replies

[Updating for posterity]

We finally got this resolved internally. Turns out that some firewall rules were implemented without our knowledge a few days prior, and those rules started to drop only some of the replies from Apple's code-signing servers, leading to the abovementioned failures.

The intermittent nature of the failures made us not believe it was a networking issue, but in fact it was.

So in our case, we had to audit our corporate firewall and make sure that our own networking was OK. If you get these spurious errors, I suggest you do the same.

Moving to a completely different network did the trick for me (switching from my regular network connection to tethering off my iPad).

We experience such problems from time to time. In Apr 24/25 there were too many errors, through.

I too got this problem today and I haven't made any changes to my network configuration that I'm aware of.

We've recently started seeing this problem.

It's happening on 3 CI machines which share a single location - machines in a different location don't suffer the same problem, which does suggest that it's a networking / firewall issue.

Can you give any clues as to what you had to do to your firewall / what the networking issue was? We aren't directly in control of the firewall for the affected machines, so it would be good to know what changes to ask for...



if you are completely blocked from internet via firewall , what address and port and/or application must be opened to allow successfull signing a package please?