Demystify code signing and its importance in app development. Get help troubleshooting code signing issues and ensure your app is properly signed for distribution.

Post | Replies | Boosts | Views | Activity

should an AVPlayer work in a Camera Extension?
My goal is to implement a moving background in a virtual camera, implemented as a Camera Extension, on macOS 13 and later. The moving background is available to the extension as an H.264 file in its bundle. I thought I could create an AVAsset from the movie's URL, make an AVPlayerItem from the asset, attach an AVQueuePlayer to the item, then attach an AVPlayerLooper to the queue player. I make an AVPlayerVideoOutput and add it to each of the looper's items, and set a delegate on the video output. This works in a normal app, which I use as a convenient environment to debug my extension code. In my camera video rendering loop, I check self.videoOutput.hasNewPixelBuffer; it returns true at regular intervals, I can fetch video frames with the video output's copyPixelBuffer and composite those frames with the camera frames.

However, it doesn't work in an extension: hasNewPixelBuffer is never true. The looping player returns 'failed', with an error which simply says "the operation could not be completed". I've tried simplifying things by removing the AVPlayerLooper and using an AVPlayer instead of an AVQueuePlayer, so the movie would only play once through. But still, I never get any frames in the extension. Could this be a sandbox thing, because an AVPlayer usually renders to a user interface, and camera extensions don't have UIs?

My fallback solution is to use an AVAssetImageGenerator which I attempt to drive by firing off a Task for each frame; each time I want to render one, I ask for another frame to keep the pipeline full. Unfortunately the Tasks don't finish in the same order they are started, so I have to build frame-reordering logic into the frame buffer (something which a player would fix for me). I'm also not sure whether the AVAssetImageGenerator is taking advantage of any hardware acceleration, and it seems inefficient because each Task is for one frame only, and cannot maintain any state from previous frames.
Perhaps there's a much simpler way to do this and I'm just missing it? Anyone?
Replies: 2 | Boosts: 0 | Views: 1.1k | Activity: Apr ’23
(UE5) UATHelper: Packaging (IOS): ERROR: CodeSign Failed
Developing an iOS app in Unreal Engine 5. Everything was alright. Until it wasn’t. Build to iOS device. Click. Cooking. Building… “ERROR: CodeSign Failed” D4mn it! hahaha

Here’s the log:
UATHelper: Packaging (IOS): Command CodeSign failed with a nonzero exit code
UATHelper: Packaging (IOS): ** BUILD FAILED **
UATHelper: Packaging (IOS): The following build commands failed:
UATHelper: Packaging (IOS): CodeSign /Users/jordansktorres/My\ Drive/PROJECTS/CRUZEIRO-DO-SUL/ValenteGO/ValenteGO_V1/Binaries/IOS/Payload/ValenteGO_V1.app (in target ‘ValenteGO_V1’ from project ‘ValenteGO_V1’)
UATHelper: Packaging (IOS): (1 failure)
UATHelper: Packaging (IOS): Took 12,659139s to run env, ExitCode=65
UATHelper: Packaging (IOS): ERROR: CodeSign Failed
UATHelper: Packaging (IOS): (see /Users/jordansktorres/Library/Logs/Unreal Engine/LocalBuildLogs/Log.txt for full exception trace)
UATHelper: Packaging (IOS): AutomationTool executed for 0h 1m 51s
UATHelper: Packaging (IOS): AutomationTool exiting with ExitCode=32 (Error_FailedToCodeSign)
UATHelper: Packaging (IOS): RunUAT ERROR: AutomationTool was unable to run successfully. Exited with code: 32
PackagingResults: Error: Failed to Code Sign

I have deleted the binaries, build, intermediate, and saved folders. I have generated and created new certificates. I have deleted UE5 and re-installed it again. I have thrown the project into the garbage can and created a whole new project file with the same content folder. It all led to the same result. “ERROR: CodeSign Failed” Please, someone, anyone, give me a light here. hahaha
Replies: 4 | Boosts: 0 | Views: 2.2k | Activity: Apr ’23
The application does not have permission to open "Downloads"
My app has the App Sandbox enabled and the File Access to Downloads folder is set to Read / Write in Xcode. Upon clicking on a button the app should open the Finder displaying the Downloads folder. The following code snippet is used to launch the Finder:

if let inspirationsDirectory = FileManager.default.urls(for: .downloadsDirectory, in: .userDomainMask).first {
    NSWorkspace.shared.open(inspirationsDirectory)
}

On my macOS it works well. After releasing the app to the App Store and installing it on another Mac the following message is received upon clicking the button: The application does not have permission to open "Downloads"

Which would be the solution to launch the Finder successfully? Is it possible to launch the Finder showing the Downloads folder sorted by the Date Added column descending?
Replies: 7 | Boosts: 0 | Views: 2.6k | Activity: Jun ’23
The Care and Feeding of Developer ID
I regularly see folks run into problems with their Developer ID signing identities. Historically I pointed them to my posts on this thread, but I’ve decided to collect these ideas together in one place. If you have questions or comments, start a new thread here on DevForums and tag it with Developer ID so that I see it.

IMPORTANT Nothing I write here on DevForums is considered official documentation. It’s just my personal ramblings based on hard-won experience. There is a bunch of official documentation that covers the topics I touch on here, including:
- Xcode documentation
- Xcode Help
- Developer Account Help
- Developer > Support > Certificates

For a lot more information about code signing, see the Code Signing Resources pinned post.

Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

The Care and Feeding of Developer ID

Most Apple signing assets are replaceable. For example, if you accidentally lose access to your Apple Development signing identity, it’s a minor inconvenience. Just use the Developer website to revoke your previous certificate and create a replacement. Or have Xcode do that for you.

IMPORTANT If you don’t understand the difference between a certificate and a digital identity, and hence signing identity, read Certificate Signing Requests Explained before reading this post.

Some signing assets are precious. Losing access to such assets has significant consequences. Foremost amongst those are Developer ID signing identities. These allow you to sign Mac products that ship independently. Anyone with access to your Developer ID signing identity can sign code as you. This has a number of consequences, both for you and for your relationship with Apple.

Identify a Developer ID Signing Identity

A Developer ID signing identity consists of two parts: the certificate and the private key. There are two different flavours, identifiable by the subject name in the certificate:
- Developer ID Application — This is named Developer ID Application: TTT, where TTT identifies your team. Use this to sign code and disk images.
- Developer ID Installer — This is named Developer ID Installer: TTT, where TTT identifies your team. Use this to sign installer packages.

Note If you do KEXT development, there’s a third flavour, namely a KEXT-enabled Developer ID Application signing identity. For more details, see KEXT Code Signing Problems.

This post focuses on traditional signing identities, where you manage the private key. Xcode Cloud introduced cloud signing, where signing identities are “stored securely in the cloud”. These identities have the Managed suffix in Certificates, Identifiers, and Profiles. For example, Developer ID Application Managed is the cloud signing equivalent of Developer ID Application. To learn more about cloud signing, watch WWDC 2021 Session 10204 Distribute apps in Xcode with cloud signing. To identify these certificates ‘in the wild’, see Identifying a Cloud Managed Signing Certificate.

Limit Access to Developer ID

Anyone with your Developer ID signing identity can sign code as you. Given that, be careful to limit access to these signing identities. This is true both for large organisations and small developers.

In a large organisation, ensure that only folks authorised to ship code on behalf of your organisation have access to your Developer ID signing identities. Most organisations have some sort of release process that they use to build, test, and authorise a release. This often involves a continuous integration (CI) system. Restrict CI access to only those folks involved in the release process.

Even if you’re a small developer with no formal release process, you can still take steps to restrict access to Developer ID signing identities. See Don’t Leak Your Private Key, below.

In all cases, don’t use your Developer ID signing identities for day-to-day development. That’s what Apple Development signing identities are for.

Create Developer ID Signing Identities as the Account Holder

Because Developer ID signing identities are precious, the Developer website will only let the Account Holder create them. For instructions on how to do this, see Developer Account Help > Create certificates > Create Developer ID certificates. For more information about programme roles, see Developer > Support > Program Roles.

IMPORTANT In an Organization team it’s common for the Account Holder to be non-technical. They may need help getting this done. For hints and tips on how to avoid problems while doing this, see Don’t Lose Your Private Key and Don’t Leak Your Private Key, both below.

Limit the Number of Developer ID Signing Identities You Create

Don’t create Developer ID signing identities unnecessarily. Most folks only need to create one. Well, one Developer ID Application and maybe one Developer ID Installer. A large organisation might need more, perhaps one for each sub-unit, but that’s it. There are two reasons why this is important:
- The more you have, the more likely it is for one to get into the wrong hands. Remember that anyone with your Developer ID signing identity can sign code as you.
- The Developer website limits you to 5 Developer ID certificates.

Note I can never remember where this limit is actually documented, so here’s the exact quote from this page: You can create up to five Developer ID Application certificates and up to five Developer ID Installer certificates using either your developer account or Xcode.

Don’t Lose Your Private Key

There are two standard processes for creating a Developer ID signing identity:
- Developer website — See Developer Account Help > Create certificates > Create Developer ID certificates.
- Xcode — See Xcode Help > Maintaining signing assets > Manage signing certificates.

Both processes implicitly create a private key in your login keychain. This makes it easy to lose your private key. For example:
- If you do this on one Mac and then get a new Mac, you might forget to move the private key to the new Mac.
- If you’re helping your Organization team’s Account Holder to create a Developer ID signing identity, you might forget to export the private key from their login keychain.

It also makes it easy to accidentally leave a copy of the private key on a machine that doesn’t need it; see Don’t Leak Your Private Key, below, for specific advice on that front.

Every time you create a Developer ID signing identity, it’s a good idea to make an independent backup of it. For advice on how to do that, see Back Up Your Signing Identities, below. That technique is also useful if you need to copy the signing identity to a continuous integration system.

If you think you’ve lost the private key for a Developer ID signing identity, do a proper search for it. Finding it will save you a bunch of grief. You might be able to find it on your old Mac, in a backup, in a backup for your old Mac, and so on. For instructions on how to extract your private key from a general backup, see Recover a Signing Identity from a Mac Backup.

If you’re absolutely sure that your previous private key is lost, use the Developer website to create a replacement signing identity. If the Developer website won’t let you create any more because you’ve hit the limit discussed above, talk to Developer Programs Support. Go to Apple > Developer > Contact Us and follow the path Development and Technical > Certificates, Identifiers, and Provisioning Profiles.

Don’t Leak Your Private Key

Anyone with your Developer ID signing identity can sign code as you. Thus, it’s important to take steps to prevent its private key from leaking.

A critical first step is to limit access to your Developer ID signing identities. For advice on that front, see Limit Access to Developer ID, above.

In an Organization team, only the Account Holder can create Developer ID signing identities. When they do this, a copy of the identity’s private key will most likely end up in their login keychain. Once you’ve exported the signing identity, and confirmed that everything is working, make sure to delete that copy of the private key.

Some organisations have specific rules for managing Developer ID signing identities. For example, an organisation might require that the private key be stored in a hardware token, which prevents it from being exported. Setting that up is a bit tricky, but it offers important security benefits.

Even without a hardware token, there are steps you can take to protect your Developer ID signing identity. For example, you might put it in a separate keychain, one with a different password and locking policy than your login keychain. That way signing code for distribution will prompt you to unlock the keychain, which reminds you that this is a significant event and ensures that you don’t do it accidentally.

If you believe that your private key has been compromised, follow the instructions in the Compromised Certificates section of Developer > Support > Certificates.

Back Up Your Signing Identities

Given that Developer ID signing identities are precious, consider making an independent backup of them. To back up a signing identity to a PKCS#12 (.p12) file:
1. Launch Keychain Access.
2. At the top, select My Certificates.
3. On the left, select the keychain you use for signing identities. For most folks this is the login keychain.
4. Select the identity.
5. Choose File > Export Items.
6. In the file dialog, select Personal Information Exchange (.p12) in the File Format popup.
7. Enter a name, navigate to your preferred location, and click Save.
8. You might be prompted to enter the keychain password. If so, do that and click OK.
9. You will be prompted to enter a password to protect the identity. Use a strong password and save this securely in a password manager, corporate password store, on a piece of paper in a safe, or whatever.
10. You might be prompted to enter the keychain password again. If so, do that and click Allow.

The end result is a .p12 file holding your signing identity. Save that file in a secure location, and make sure that you have a way to connect it to the password you saved in step 9.

Remember to back up all your Developer ID signing identities, including the Developer ID Installer one if you created it.

To restore a signing identity from a backup:
1. Launch Keychain Access.
2. Choose File > Import Items.
3. In the open sheet, click Show Options.
4. Use the Destination Keychain popup to select the target keychain.
5. Navigate to and select the .p12 file, and then click Open.
6. Enter the .p12 file’s password and click OK.
7. If prompted, enter the destination keychain password and click OK.

Alternatively, Xcode has a feature to export and import your developer account, including your Developer ID signing identities. Do this using the action menu in Xcode > Settings > Accounts. For the details, see Xcode Help > Maintaining signing assets > Export signing certificates and provisioning profiles.

Recover a Signing Identity from a Mac Backup

If you didn’t independently back up your Developer ID signing identity, you may still be able to recover it from a general backup of your Mac.

To start, work out roughly when you created your Developer ID signing identity:
1. Download your Developer ID certificate from the Developer website.
2. In the Finder, Quick Look it.
3. The Not Valid Before field is the date you’re looking for.

Now it’s time to look in your backups. The exact details depend on the backup software you’re using, but the basic process runs something like this:
1. Look for a backup taken shortly after the date you determined above.
2. In that backup, look for the file ~/Library/Keychains/login.keychain.
3. Recover that to a convenient location, like your desktop. Don’t put it in ~/Library/Keychains because that’ll just confuse things.
4. Rename it to something unique, like login-YYYY-MM-DD.keychain, where YYYY-MM-DD is the date of the backup.
5. In Keychain Access, choose File > Add Keychain and, in the resulting standard file panel, choose that .keychain file.
6. On the left, select login-YYYY-MM-DD.
7. Choose File > Unlock Keychain “login-YYYY-MM-DD“.
8. In the resulting password dialog, enter your login password at the date of the backup.
9. At the top, select My Certificates.
10. Look through the list of digital identities to find the Developer ID identity you want. If you don’t see the one you’re looking for, see Further Recovery Tips below.
11. Export it using the process described at the start of Back Up Your Signing Identities.

Once you’re done, remove the keychain from Keychain Access:
1. On the left, select the login-YYYY-MM-DD keychain.
2. Choose File > Delete Keychain “login-YYYY-MM-DD”.
3. In the confirmation alert, click Remove Reference.

The login-YYYY-MM-DD.keychain is now just a file. You can trash it, keep it, whatever, at your discretion.

This process creates a .p12 file. To work with that, import it into your keychain using the process described at the end of Back Up Your Signing Identities.

IMPORTANT Keep that .p12 file as your own independent backup of your signing identity.

Further Recovery Tips

If, in the previous section, you can’t find the Developer ID identity you want, there are a few things you might do:
- Look in a different backup.
- If your account has more than one keychain, look in your other keychains.
- If you have more than one login account, look at the keychains for your other accounts.
- If you have more than one Mac, look at the backups for your other Macs.
- The login-YYYY-MM-DD keychain might have the private key but not the certificate. Add your Developer ID certificate to that keychain to see if it pairs with a private key.

Revision History
- 2023-10-05 Added the Recover a Signing Identity from a Mac Backup and Further Recovery Tips sections.
- 2023-06-23 Added a link to Identifying a Cloud Managed Signing Certificate.
- 2023-06-21 First posted.
Replies: 0 | Boosts: 0 | Views: 2.8k | Activity: Jun ’23
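Quinn's suggestion above, keeping the Developer ID identity in a separate keychain with its own password and locking policy, can be scripted with security(1). The script below is an added example and is not Quinn's or Apple's code. It creates a dedicated keychain, imports the .p12 backup produced by the "Back Up Your Signing Identities" steps, limits unprompted use of the private key to codesign, and makes the keychain lock on sleep and after an idle timeout. The keychain path, the .p12 path and the timeout are placeholders; with DRY_RUN=1 it only prints the commands, so the plan can be reviewed (and the script exercised) before anything touches a real keychain.

```sh
#!/bin/sh
# Added example (not Quinn's or Apple's code): keep a Developer ID identity in
# its own keychain, with a separate password and an automatic lock policy.
# KEYCHAIN, P12 and LOCK_TIMEOUT are placeholders; DRY_RUN=1 prints the
# security(1) commands instead of running them.
KEYCHAIN="${KEYCHAIN:-$HOME/Library/Keychains/developer-id.keychain-db}"
P12="${P12:-$HOME/Desktop/DeveloperID.p12}"   # backup exported from Keychain Access
LOCK_TIMEOUT="${LOCK_TIMEOUT:-300}"            # idle seconds before the keychain locks itself

# Run a command, or with DRY_RUN=1 print it so the plan can be reviewed first.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

setup_signing_keychain() {
    # 1. Create the keychain. No -p flag on purpose: security(1) prompts for
    #    the new password, so it never lands in shell history or ps output.
    run security create-keychain "$KEYCHAIN"
    # 2. Lock when the Mac sleeps (-l) and after LOCK_TIMEOUT idle seconds
    #    (-u -t), so every distribution signing is a deliberate, prompted event.
    run security set-keychain-settings -l -u -t "$LOCK_TIMEOUT" "$KEYCHAIN"
    # 3. Import the identity from the .p12 backup (its password is prompted for
    #    the same way). -T names the only program allowed to use the private
    #    key without an extra prompt: codesign, not every app on the machine.
    run security import "$P12" -k "$KEYCHAIN" -T /usr/bin/codesign
    # 4. Put the new keychain in the user search list, ahead of the login
    #    keychain, so codesign can find the identity by name.
    run security list-keychains -d user -s "$KEYCHAIN" "$HOME/Library/Keychains/login.keychain-db"
    # 5. List what is now available for signing.
    run security find-identity -v -p codesigning "$KEYCHAIN"
}

# Afterwards, confirm the login keychain no longer holds a copy of the identity
# (the "Don't Leak Your Private Key" point above). An empty list is the goal.
check_login_keychain_clean() {
    run security find-identity -v -p codesigning "$HOME/Library/Keychains/login.keychain-db"
}

if [ $# -gt 0 ] && [ "$1" = setup ]; then
    setup_signing_keychain
    check_login_keychain_clean
fi
```

Step 4 replaces the user keychain search list with the two keychains named, so add any other keychains you rely on to that line. Once the identity lives only in the dedicated keychain, signing for distribution prompts for its password, which is exactly the reminder Quinn describes.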
Gatekeeper does not lift the quarantine attribute of a signed and notarized downloaded application
I distribute an application in a zip file from my website. The application needs access to some files next to it to run properly. The application is correctly signed and notarized and stapled. Of course if I download it from my website, it gets the quarantine attribute. When I try to open it for the first time, a Gatekeeper warning saying that the application comes from the internet, but has been checked by Apple and no malware has been detected is displayed. My impression is that the application has been correctly signed and notarized. But if I confirm that I want to open it, the quarantine attribute is not deleted.

spctl -a -v /path/to/Myapp.app
path/to/Myapp.app: accepted
source=Notarized Developer ID
Replies: 13 | Boosts: 0 | Views: 1.4k | Activity: Jun ’23
Code Sign using Azure Key Vault
I need an OV certificate to code sign an Electron application. I used to build the application in Jenkins both for Windows and macOS using Electron-Forge (https://www.electronforge.io/guides/code-signing/code-signing-macos). To be more specific, I use Xcode and Keychain to store the certificate. Sadly, new certificate industry requirements will force me to use Azure Key Vaults (or other cloud HSM alternatives) to store the certificate. I need to find a way to code-sign it for macOS from Azure Key Vaults or equivalent solutions. Thank you
Replies: 4 | Boosts: 0 | Views: 1.6k | Activity: Jun ’23
Security issues applications not encrypted.
Hello all, I apologize if it's not in the right section. I'm working on a little app, mostly a CRUD and three HTTP requests. We will use MDM software to deploy the application (not the App Store). There are no pods, packages, or specific frameworks; it's only basic Swift code. Unfortunately, I must do a pentest to push my app into production. The security engineer said he would use the mobile security framework tools. So I tried myself before to be sure that we would succeed. After using the static analyzer, I discovered several issues. The first issue is: The binary may use _malloc function instead of calloc. And I don't know how to prevent that since it is low level, and I don't have access to that. My second issue is a warning: This binary is not encrypted. Honestly, I don't know how to fix that since it seems impossible to encrypt the codebase. Or maybe I'm wrong? Thanks to everyone who will take the time to read and try to help. Regards
Replies: 1 | Boosts: 0 | Views: 1.3k | Activity: Jul ’23
How to create private keys for developer certificates
I've read just about everything I can regarding this but no one seems to offer any simple steps to resolve this situation. I'm guessing that the original developer certificates were created by an employee who is no longer with our company and his laptop is no longer accessible; it's been wiped. I deleted all the certificates from my keychain and recreated new developer certificates so that we can code sign apps, not for any of the app stores, just for distribution on our website. However, none of them have a private key so I need to be able to create private keys for them. Does anyone know how to do this? Everything I've tried has failed.
Replies: 2 | Boosts: 0 | Views: 1.7k | Activity: Jul ’23
Ask about distribution for release iOS 17
Dear iOS Developers, I have a question about In-House distribution for iOS 17. Currently I am using Xcode 14.x to distribute my application (for iOS 16.x and below). In the future, Apple will release the new iOS version, that is iOS 17. So, my question is:
1. Do I need to build and distribute the mobile application with Xcode 15 for supporting iOS 17?
2. Or can iOS 17 run an In-house mobile application fine when built and distributed with Xcode 14.x?
Anybody have knowledge about it? Thanks, Lam
Replies: 4 | Boosts: 0 | Views: 788 | Activity: Jul ’23
Apple cannot check signed bundle for malicious software
I have an App bundle that I signed with the certificate I received from my boss. Despite signing and verifying it, it doesn't run on our test Mac without changing the trust settings. It gives an error saying that Apple cannot check it for malicious software and software needs to be updated. This is the result of running the code sign verification:

codesign --display --requirements - --verbose=4 ./myapp.app
Executable=/Users/*removed*/Documents/test/myapp.app/Contents/MacOS/app
Identifier=com.*removed*.*removed*/
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20400 size=582872 flags=0x0(none) hashes=18208+3 location=embedded
VersionPlatform=1
VersionMin=851968
VersionSDK=852736
Hash type=sha256 size=32
CandidateCDHash sha256=*removed*
CandidateCDHashFull *removed*
Hash choices=sha256
CMSDigest=*removed*
CMSDigestType=2
Executable Segment base=0
Executable Segment limit=48218112
Executable Segment flags=0x1
Page size=4096
Launch Constraints:
	None
CDHash=*removed*
Signature size=9060
Authority=Developer ID Application: *removed*
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=*Removed*
Info.plist entries=15
TeamIdentifier=*Removed*
Sealed Resources version=2 rules=13 files=475
designated => identifier "com.*removed*.*removed*" and anchor apple generic and certificate 1[*removed*] /* exists */ and certificate leaf[*removed*] /* exists */ and certificate leaf[subject.OU] = *removed*

I removed some info as I'm not sure if it'd be safe to share online. I apologize. The project is written in C++ and uses wxWidgets for GUI.
Replies: 1 | Boosts: 0 | Views: 624 | Activity: Jul ’23
Parallel processing app distributed by developer won't run sandboxed
I have a macOS app that I have been distributing for free outside the app store for more than 15 years, without notarization, without sandboxing, and without hardened runtime, all with no problems. If I understand correctly, macOS will soon be modified so that it will not launch any developer-distributed apps that are not notarized. Notarization will require both hardened runtime and sandboxing, and unhappily, my app will not run when notarized -- I have added sandboxing and hardened runtime, then gotten it notarized and tried -- and that is because it will not run when sandboxed. Thus I have two questions: Will there be some means, that I perhaps have missed, for my users to run my app as is, in un-notarized form with no sandboxing and no hardened runtime? (Assume that they are willing to click "Okay" on any macOS popups of the form "Abandon hope, all ye who enter here.") Perhaps I have missed something about the signing or distribution process ... ? If not, is there some entitlement I can obtain to allow my app to run when sandboxed? Perhaps the question is even "Should there be such an entitlement?" And to that end, I must now explain why it cannot run sandboxed: My app is a parallel processing system: To work properly it must open multiple copies of itself -- that's right, there will be multiple instances of the app window visible on the console, distinguished by tint, title and location so the user can tell which is which, and multiple app badges in the dock, similarly distinguished. Doing so is easy -- I use the C++ "system" function to call the Unix executable that is buried within the ".app" folder, passing it a command tail whereby the launched copy can tell how to distinguish itself. I build up the text string for the call piece by piece, but the result looks rather like this: system("<path-to-my-app>/MyApp.app/Contents/MacOS/MyApp -tail-item-1 -tail-item-2 ... &"); The app is written in mixed C++ and Objective-C.
The usual "Main.mm" file contains the entry point for the program, a "main()" function that does nothing but call "NSApplicationMain()", but I have added code to "main()" that runs before the call of NSApplicationMain(). That code uses C function "getopt()" to look for the extra command-tail items. If any are present, the app acts appropriately -- generally assigning non-default values to global variables that are used later in initialization. The first instance of the app that is called -- presumably by the user mousing on an icon somewhere -- knows by the absence of extra command-tail items that it is the first one launched, and thus knows to launch multiple additional instances of itself using this mechanism. The launched instances know by the presence of extra command-tail items that they are not the first one launched, and act differently, based on the command-tail items themselves. All this has been working fine for over a decade when the app is not sandboxed and does not have a hardened runtime. For what it is worth, the app will run with hardened runtime, provided the option "Disable Executable Memory Protection" is checked. Furthermore, when it is also sandboxed and I open it with no extra copies of itself launched (the number to launch is a preferences option), that single app instance runs fine. I have instrumented the code, and what seems to be happening is that the system call to launch another app returns zero -- implying it succeeded -- but has no effect: It is as if someone had special-cased "system" to do nothing, but to report success nonetheless. That is an entirely reasonable feature of a hardened runtime -- allowing arbitrary system calls would be a security disaster looking for a place to happen. The point is that my app would not be making an arbitrary system call -- it would be trying to open one specific app -- itself -- which would be sandboxed with a hardened runtime, and notarized. That is not likely to be a huge security problem. 
Incidentally, not all system calls fail this way -- I can do system("osascript -e 'tell app \"Safari\" to activate';"); or system( "open -a \"Safari\" <path to a help file located in MyApp's Resources>"); with impunity. Also incidentally, using AppleScript to launch another copy of MyApp from within itself doesn't do what I want: The system notices that MyApp is already running and just makes it active instead of launching a new copy, and there is no way to pass in a command tail anyway. I don't wish to appear to be advertising, so I won't identify my app, but a little more detail might be useful: It is a parallel program interpreter. The language implemented is the "Scheme" dialect of Lisp. Each instance running is a complete read/eval/print loop embedded in an application window where the user can read and type. The first instance of the app launched mmaps a large memory area for the Lisp system's main memory: That works kind of like a big heap in more conventional programs. It is not executable code, it contains Lisp data structures that an application instance can access. The other instances launched use the same mmapped area. The shared memory has lots of lock bits. I use low-level "lockless coding" -- hand-coded assembler with the Intel "lock" prefix or the more complicated arm64 stuff -- to keep simultaneous access by different app instances from corrupting the shared memory. Parallel Scheme has many uses, which include debugging and monitoring of running Scheme programs, and having multiple tail-recursive "actors" (Lisp jargon) operate on the same data at the same time. Enough said. I would like to be able to notarize this app so that users who obtained it outside the app store could understand that Apple had checked it for dangerous code. If that were possible, I might even try submitting it to the app store -- but that would be another story. Do I have any hope of keeping this product available?
Replies: 5 | Boosts: 0 | Views: 931 | Activity: Jul ’23
Cant run binary in sandboxed macos app
I have a Flutter app that should be sandboxed for the App Store and this app should run a binary that I build with make. I sign that binary with a Developer ID certificate:

codesign -v -f --options=runtime --entitlements "./macos/Runner/binary_sandboxed.entitlements" --sign "Developer ID Application: ..." ./path/to/binary

Here is binary_sandboxed.entitlements:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>$(TEAM_ID).$(PRODUCT_BUNDLE_IDENTIFIER)</string>
    </array>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.network.server</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
</dict>
</plist>

and the main app runs with these entitlements:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>Q7Q43CUMWT.$(PRODUCT_BUNDLE_IDENTIFIER)</string>
    </array>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.network.server</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>keychain-access-groups</key>
    <array>
        <string>$(AppIdentifierPrefix)$(PRODUCT_BUNDLE_IDENTIFIER)</string>
    </array>
</dict>
</plist>

When I run the app I get an error: ProcessException: Operation not permitted

In the console log I see this message: denied since it was quarantined by Main app and created without user consent, qtn-flags was 0x00000086

If I delete the quarantine flag on the binary in Containers:

xattr -d com.apple.quarantine /Users/appuser/Library/Containers/com.bin/Data/Library/Application Support/com.bin/binary

I get an error when running the binary: zsh: illegal hardware instruction failed: Unable to get bundle identifier because code signature information has no Info.Plist.

What did I do wrong? And what should I do?
1
1
650
Aug ’23
Example "com.example.apple-samplecode.dext-to-user-client" grief
I am new to macOS programming. I am trying to run an example from Apple that installs a "NullDriver" and then accesses it from a client CPP app (example available online, DriverKit, "com.example.apple-samplecode.dext-to-user-client"). I seem to be able to install the DEXT correctly; I can see the system extension and the IOUserService. When I run the CPP client access program auto-signed by Xcode, the app crashes with "CODESIGNING 1 Taskgated Invalid Signature". If I sign the app with "Sign to Run Locally", the app runs but is unable to connect to the IOUserService. This is being run on Sonoma Beta 5 with a newly paid membership. I am willing to attach whatever files are required, but I wonder whether others have had the same code signing problem. My apologies if I did not read a post with the answer I hope to find. Gene
5
0
856
Aug ’23
codesigning with auto-py-to-exe takes ages
Hey everyone, I've ported an app based on Python from Windows to macOS. I can run the app from the command line, and I was also able to make an .app file and start it on my Mac using auto-py-to-exe. Now I want to codesign (and later notarize) it. To do so I set the codesign_identity option of auto-py-to-exe to my Developer ID Application and reran it. After 2 days it was still running (and I guess collecting information on submodules of the used Python modules). Without the codesigning it takes about 5-10 minutes to build. Any ideas how I could accelerate this or what is happening here? Unfortunately, I am not able to copy the output of auto-py-to-exe while it is still running. Thanks :).
1
0
777
Aug ’23
signing an app with PyInstaller only works once
I made a simple Python based app for macOS using this code (empty lines removed):

    import tkinter as tk
    window = tk.Tk()
    label = tk.Label(text="\n I am a macOS app \n")
    label.pack()
    window.mainloop()

Next I made it an .app using PyInstaller with this command (identity and paths shortened):

    pyinstaller --noconfirm --onedir --windowed --osx-bundle-identifier "org.tk_test.tk_test" --codesign-identity "<my_identity>" path/to/tk-test.py

It worked like a charm, and I was also able to notarize and staple the app for distribution.

    ...
    4748 INFO: Signing the BUNDLE...
    24899 INFO: Building BUNDLE BUNDLE-00.toc completed successfully.

I wanted to repeat the process to do some more testing, and now without any reason I cannot sign the .app anymore (identity and paths shortened). Of course, I cleared the folder before trying:

    ...
    5263 INFO: Signing the BUNDLE...
    23050 WARNING: Error while signing the bundle: codesign command (['codesign', '-s', '<my_identity>', '--force', '--all-architectures', '--timestamp', '--options=runtime', '--deep', '/abs/path/to/dist/tk-test.app']) failed with error code 1!
    output: /abs/path/to/dist/tk-test.app: replacing existing signature
    /abs/path/to/dist/tk-test.app: A timestamp was expected but was not found. In subcomponent: /abs/path/to/dist/tk-test.app/Contents/MacOS/lib-dynload/math.cpython-311-darwin.so
    23050 WARNING: You will need to sign the bundle manually!
    23050 INFO: Building BUNDLE BUNDLE-00.toc completed successfully.

I tried to create it in a fresh and differently named directory, and I also made a completely fresh conda env. I don't see any reason why this should not work anymore. Does anybody have an idea?
1
0
889
Aug ’23
verify the app in device management settings it's not verifying the app and not showing any error
I have built and installed a Flutter application on an iPhone 7 running iOS 15. The issue is that when I try to verify the app in Device Management settings, it's not verifying the app and not showing any error. I have reinstalled the app and checked my signing certificates and Apple Developer account; each and everything is fine, but it's still not verifying. Help me out.
0
1
331
Aug ’23
Sign app bundle
Hello, I want to modify an app bundle for my MacBook Air, but I'm having some trouble. If I try to sign with my dev certificate (created with Xcode), an invalid signature error appears:

    /Applications/Foo.app/Contents/MacOS/Foo not valid: Error Domain=AppleMobileFileIntegrityError Code=-423 "The file is adhoc signed or signed by an unknown certificate chain" UserInfo={NSURL=file:///Applications/Foo.app/Contents/MacOS/Foo, NSLocalizedDescription=The file is adhoc signed or signed by an unknown certificate chain}

If I modify the Mach-O binary in the folder, the app cannot be started. So what should I do? Thanks!
10
0
835
Sep ’23
errSecInternalComponent building locally with Xcode
I'm running into a code signing issue with an (existing) app that I recently started working on. I haven't run into this problem with other apps built on the same computer using the same framework (Capacitor). When I try to build the app from Xcode, either to run on a linked iPhone or to archive/publish, I get the error message: "Command PhaseScriptExecution failed with a nonzero exit code". That script fails when running /usr/bin/codesign and shows the message errSecInternalComponent. I tried running the same command directly in the terminal and got the same error message. I started going through this forum post and the initial sanity check failed. I ran this from a local terminal, not over ssh or inside tmux. I didn't get any dialog prompts when running it, though that may make sense since I was already logged in:

    $ cp /usr/bin/true MyTrue
    $ codesign -s "Apple Development: ..." -f MyTrue
    MyTrue: replacing existing signature
    MyTrue: errSecInternalComponent
    $ echo $?
    1

The identity I attempted to use is listed by security find-identity -p codesigning in both the "Matching identities" and "Valid identities only" sections. Keychain Access shows that the certificate is valid. I've tried restarting the computer. I've tried cleaning the build folder from Xcode. Any other suggestions for diagnosing and/or fixing the problem?
9
0
896
Sep ’23