Hello,
I am setting up a build (Gitlab CICD) runner. I create a keychain and imported certificate and my signing key.
$ security find-identity -v
XXXXXX "Developer ID Application: XXXXXX, INC. (XXXXXX)" (CSSMERR_TP_NOT_TRUSTED)
1 valid identities found
$ security find-identity -p codesigning -v
XXXXXX "Developer ID Application: XXXXXX, INC. (XXXXXX)"
1 valid identities found
Codesign fails with
unable to build chain to self-signed root for signer "Developer ID Application: XXXXXX, INC. (XXXXXX)" errSecInternalComponent
On the local machine everything is fine.
I think the point is that the identity is both valid and CSSMERR_TP_NOT_TRUSTED.
What can I do about it?
Certificates, Identifiers & Profiles
RSS for tagDiscuss the technical details of security certificates, identifiers, and profiles used by the OS to ensure validity of apps and services on device.
Post
Replies
Boosts
Views
Activity
Hello,
I'm have a new Macbook and setup my Enterprise account. Part of my job is to view the expiration dates on certificates for other users. This should be a simple process but when I click on the certificate, there's a button "view certificates" I should be able to click on and see the expiration date and basic details on that specific certificate.
The problem I have is that when I click on "view certificates", I get the error: "An error has occurred. Unable to display information about the selected item."
I've tried steps online but to no avail. How can I get this fixed? My two other coworkers are able to just click on that button and view the certificate details, except for me. I've attached the screenshot.
Thank you for your help
Regards
JJ
Electron-Builder Version: 24.12.0
Electron-Builder-notarize Version: 1.5.1
Node Version: v15.14.0
Electron Version: 11.3.0
Electron-updater version: ^4.3.5
Target: Mac Apple Store (mas)
Hello, I am trying to build and sign a new version of my electron app for the mac apple store (mas), but when I get to the final step of uploading the RenderTune.pkg file to the mac transporter app, I get a failed status with 22 errors all the same formatting like so:
Asset validation failed (90284)
Invalid Code Signing. The executable 'com.martinbarker.digifyunique.pkg/Payload/RenderTune.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/etc....dylib' must be signed with the certificate that is contained in the provisioning profile. (ID: abc-abc-abc-abc-abc)
In order to build and sign this RenderTune.pkg file, first I run the command npm run build-mas locally while on branch v1.1.5 ( code here )
Which runs the following command:
"build-mas": "electron-builder build --mac && sh signmasscript.sh",
So first it runs electron-builder build --mac and gives this output:
Martins-MacBook-Air:rendertune-v1.1.5-feb-24 martinbarker$ npm run build-mas
> rendertune@1.1.5 build-mas
> electron-builder build --mac && sh signmasscript.sh
• electron-builder version=24.12.0 os=20.6.0
• loaded configuration file=package.json ("build" field)
• writing effective config file=dist/builder-effective-config.yaml
• packaging platform=darwin arch=x64 electron=11.3.0 appOutDir=dist/mac
• signing file=dist/mac/RenderTune.app platform=darwin type=distribution identity=ACBACBACBACBACBACBACBACBACB provisioningProfile=none
• skipped macOS notarization reason=`notarize` options were not provided
• building target=DMG arch=x64 file=dist/RenderTune-mac.dmg
• building target=macOS zip arch=x64 file=dist/RenderTune-mac.zip
• building block map blockMapFile=dist/RenderTune-mac.dmg.blockmap
• building block map blockMapFile=dist/RenderTune-mac.zip.blockmap
Completes without issue. The next part is running the signmasscript.sh file, which does complete but gives these errors:
Failed to parse entitlements: AMFIUnserializeXML: syntax error near line 1
Failed to parse entitlements: AMFIUnserializeXML: syntax error near line 1
Failed to parse entitlements: AMFIUnserializeXML: syntax error near line 1
Failed to parse entitlements: AMFIUnserializeXML: syntax error near line 1
Failed to parse entitlements: AMFIUnserializeXML: syntax error near line 1
Failed to parse entitlements: AMFIUnserializeXML: syntax error near line 1
Failed to parse entitlements: AMFIUnserializeXML: syntax error near line 1
Failed to parse entitlements: AMFIUnserializeXML: syntax error near line 1
Failed to parse entitlements: AMFIUnserializeXML: syntax error near line 1
Failed to parse entitlements: AMFIUnserializeXML: syntax error near line 1
productbuild: Adding component at /Users/martinbarker/Documents/projects/rendertune-v1.1.5-feb-24/dist/mas/RenderTune.app
productbuild: Signing product with identity "3rd Party Mac Developer Installer: Martin Barker (LV6WXG529F)" from keychain /Users/martinbarker/Library/Keychains/login.keychain-db
productbuild: Adding certificate "Apple Worldwide Developer Relations Certification Authority"
productbuild: Adding certificate "Apple Root CA"
productbuild: Wrote product to /Users/martinbarker/Documents/projects/rendertune-v1.1.5-feb-24/RenderTune.pkg
productbuild: Supported OS versions: [10.10.0, )
The final output RenderTune.pkg file gives 22 error messages saying `` when I try to deliver it via the mac os transport app.
Asset validation failed (90284)
Invalid Code Signing. The executable must be signed with the certificate that is contained in the provisioning profile
Is my app even being signed correctly? Or is there just one file that I need to fix? Please help me out !
I am having trouble with my Team/Bundle Identifier and the iOS box right under it in Signing & Capabilities. I went and tried to add my device to the apple developer website but it was already logged in. If anyone can help me that would be most appreciated.
Hi , In one of our application we are having issues of bundle Id mismatch in the distribution profile. Say there are two applications X and Y.
Issue Description : On the developer portal inside the distribution profile the App Id shown is correct I.e of X but when we download the distribution profile and open it in the textedit we can see that the bundle id is of another application i.e of Y .
Due to which are are unable to submit or upload the application.
Note: Both of them have contact notes as additional permission.
I've installed the same developer certificate onto three different Macs.
When viewed in the keychain (or in Xcode) on one Mac it says its revoked, on another it says its not trusted, but on a third there's no issue reported.
How could there be a difference between the three Macs?
(Both Macs have the date/time set to be the same).
Can 3rd party software, VPNs etc. interfere in this at all?
Learn how code signing uses certificates to identify code authors.
View Technote TN3161 >
It requires a provisioning profile, and while I have one, I cannot select it within Signing & Capabilities since it is empty.
On blank projects it works as intended, but whenever the Unity stuff gets imported, it just disappears entirely, making it impossible to export Unity Titles to visionOS.
I'm not able to run my app on my device as Xcode is unable to create a provisioning profile for my app without the paid developer membership.
I followed the troubleshooting steps on stack overflow here but to no avail.
Any help?
I want to update the provisioning profile from the developer account.
There were errors in the data supplied. Please correct and re-submit.
No value was provided for the parameter 'appIdId'. No value was provided for the parameter 'provisioningProfileName'.
Does anyone know how to fix this error?
I've developed a Java application for ad hoc distribution, not intended for the Apple Store. Using the jpackage utility and the parameters...
--mac-sign
--mac-signing-keychain
--mac-signing-key-user-name
...I'm able to point the software to a signing certificate.
My problem is that jpackage requires a certificate with a "Developer ID Application" type/prefix, and I'm not authorized to create a certificate of this type, as "This operation can only be performed by the account holder."
I thought it might be sufficient to create a "Distribution" certificate, since this allows a developer to "Sign your iOS, iPadOS, macOS, tvOS, watchOS, and visionOS apps for release testing using Ad Hoc distribution or for submission to the App Store." However, there doesn't appear to be any way to get jpackage to accept anything other than a "Developer ID Application" -prefixed certificate.
I gather from this, and the fact that the Developer ID Application certificate is described as "This certificate is used to code sign your app for distribution outside of the Mac App Store," that this is the only type of "legitimate" security certificate Apple will accept when launching out-of-store apps. I'm not certain of this, however, and I'd like to be certain before pestering my client about it.
My questions are:
Is a "Developer ID Application" certificate specifically required, or can I sign the app using, e.g., a "Distribution" certificate without issues?
If a "Developer ID Application" certificate is required, is it possible for my client (the "Account Holder") to grant me access to download it and use it?
If a "Developer ID Application" certificate is required, what exactly is a "Distribution" certificate good for? Why isn't it sufficient to distribute software?
If I can sign the app using a Distribution certificate, is there a way to force jpackage to do this, or do I have to it manually using, e.g., codesign ex post facto?
Note that this issue has cropped up before on this thread, but the developer there ultimately found his developer ID certificate and the discussion was abandoned before any answers were forthcoming.
I'm working on a macOS app that uses a JSContext and I want to debug it with the Safari Web Inspector.
According to Session 402 at WWDC 2016 the following entitlement is required:
<key>com.apple.webinspector.allow</key>
<true/>
This is easy enough to add, but it causes the app to crash at launch with a code signing issue. The console shows that taskgated-helper is reporting just before the crash:
Unsatisfied entitlements: com.apple.webinspector.allow
For anyone who finds this, here's what you need to know:
https://webkit.org/blog/13936/enabling-the-inspection-of-web-content-in-apps/
Basically, there's now a inspectable property on both the WKWebView and JSContext. Unfortunately, there's no mention of the old entitlement in the WebKit blog post, so it's impossible for folks using the old technique to find.
Hopefully this post will bridge this gap.
It also might be something for @eskimo to add to his (always helpful) code signing documentation.
-ch
I have a strange problem and I don't know what's causing it
A year ago, I purchased this account and created a certificate and it was working successfully, but its time expired on 1/8/2024, and I want to create a new one in order to update my applications. So I went to create a new certificate of type (iOS Distribution) and it was downloaded successfully, and when I called it in the (Keychain access) program in order to convert it to (.P12) instead of (.cer). But the program refuses to recall it, and I choose the (Local Item) section.
thus :
But when the file is dragged or double-clicked while I am standing in the (Login) section, the certificate is summoned successfully, and here the real problem begins. It is assumed that in order for me to convert the certificate from (cer) to (p12), there must be an arrow next to the certificate so that the key appears so that it can be pressed. Right-click, then we choose Export, and then we choose (p12). This happens because there is no arrow next to the certificate, and also when I By clicking on the certificate to export it, I am not allowed to choose (p12).
How can I convert the file successfully because I want to update my applications, which is very important.
I am trying to register my iPad as a device on the developer portal but it keeps declaring it as an iMac. Do you know if this is a typical problem?
Hi,
I have upgraded my Mac to Sonoma and for some reason I get lost now when backup up a certificate.
As I wasn't able to import my old certificate (exported as p12, but this is another issue) I started from scratch.
I have created from KeyChain a new CertificateSigningRequest. Then I've uploaded it to the Apple Developer Portal and created a new certificate, that I have successfully downloaded as cer file.
Now, I would like to save the certificate, including the private key.
From KeyChain, I don't get a Reveal option to be able to export the private key of my certificate. Was it available in old versions of KeyChain, and now not anymore? Or my certificate doesn't have the private key? (imo this doesn't make sense at all)
So I right click on the certificate but I can't export as p12 file, with the private key:
Can please anyone refer me to the official documentation about this? (I have searched for it, but unable to find anything)
I’m developing this tvOS app, and it builds and runs fine locally in Simulator.
However, when I do Product > Archive (so I can upload it to app store later), it fails with error in the screenshot.
Looks like Xcode is trying to sign the app with a certificate, but could not find a valid profile to do so.
Since I don't have a physical Apple TV device, I'm unable to add an Apple TV to the Devices list on developer.apple.com, thus unable to create a profile.
Is the any way around this issue to archive my tvOS app?
I am stuck. I have an iPadOS app that installs and calls a DEXT. I have a provisioning file for the DEXT and another for the app. Xcode shows me that the respective provisioning files match the bundle ids and that the entitlements and provisions match up. I have a developer certificate (two, actually) on the iPad. Xcode shows me, via "Devices" that the provisioning files are installed. When I try to run the app, I get:
0x16d3db000 +[MICodeSigningVerifier _validateSignatureAndCopyInfoForURL:withOptions:error:]: 78: Failed to verify code signature of /var/installd/Library/Caches/com.apple.mobile.installd.staging/temp.vyncZ7/extracted/USBApp.app/SystemExtensions/w1ebr.MUUI.ipadOS.driver.dext : 0xe8008015 (A valid provisioning profile for this executable was not found.)
I don't know what to check next.
I send a macOS app build to appStoreConnect. The app is displayed inside TestFlight but when I click on it to open it, two modal appear.
The first one:
the application "AppName" can't be opened. -10673
The second one:
"AppName" No longer Available. The beta app, AppName, is no longer available. The provisioning profile is invalid.
I followed the following step before uploading the app archive:
I made sure to purge my Mac from all the old provisioning profile
having all my provisioning profile from my apple developer account valid
retrieve provisioning profile Xcode settings > Accounts to export an archive.
I choose TestFlight & App Store to send the Archive.
I am still no understanding which part of my provisioning profiles are not valid, I would love to have insight about it or a way to fix the issue.
Hi,
Xcode Cloud just started failing with with this error. I can archive builds just fine locally in Xcode. Using Xcode 14.3.1. All my certs on my developer portal are current.
2024-01-02T16:26:44.707563433Z Error Domain=DeveloperAPIServiceErrorDomain Code=5 "There is a problem with the request entity" UserInfo={IDEDistributionIssueSeverity=3, NSLocalizedDescription=There is a problem with the request entity, NSLocalizedRecoverySuggestion=You already have a current Development Managed certificate or a pending certificate request.}
2024-01-02T16:26:44.707568258Z
2024-01-02T16:26:44.707575827Z error: exportArchive: No signing certificate "iOS Development" found
The post at https://developer.apple.com/forums/thread/734179 is similar but without a resolution.
Any help would be appreciated.
Thank you.
Hello, I am rather new at publishing apps for Iphone and I am facing some difficulties. Maybe someone could point me what I am not understanding.
I am having some issues handling the usage of the Development Certificate . I have created a CSR, supplied it at apple.developer system to get a development certificate. I downloaded such a certificate and installed it. When I try to use it I get this status saying it is not trusted :
The result is this when trying to use it:
"
/Users/eao/build/dev/aquila_companion.xcodeproj: error: Missing private key for signing certificate. Failed to locate the private key matching certificate "Apple Development: Tiago DAagostini (GDH9UYDL8A)" in the keychain. To sign with this signing certificate, install its private key in your keychain. If you don't have the private key, select a different signing certificate for CODE_SIGN_IDENTITY in the build settings editor. (in target 'appaquila_companion' from project 'aquila_companion')
"
What am I missing? Where this p12 key should be? And is that related to that image where the Certificate is deemed not trusted?