Hi people, I hope you can help me, as I am stuck in a dead end.
I am a developer for a company and we are changing from altool to notarytool.
Before that, the code of the app was not signed.
So now what I do is:
codesign --deep --force --verbose --timestamp --options runtime --sign "Developer ID Application: Phrase a.s. (${PHRASE_ID})" ${codesigne_app}
The result of this operation is verified with
codesign --deep --strict -vvv ${codesigne_app}
which ends in a lot of --prepared and --validated lines with
TranslationEditor.app: valid on disk
TranslationEditor.app: satisfies its Designated Requirement
Yet when I try to upload for notarization
res=$(xcrun notarytool submit te-build/dist/app/TranslationEditor.app.zip --apple-id stepan.svoboda@memsource.com --password $APP_PASSWORD --team-id ${PHRASE_ID} --wait 2>&1)
I get
{
"logFormatVersion": 1,
"jobId": "2b959997-4ac5-4bc5-a220-8f46d6b91a9b",
"status": "Invalid",
"statusSummary": "Archive contains critical validation errors",
"statusCode": 4000,
"archiveFilename": "TranslationEditor.app.zip",
"uploadDate": "2023-08-29T05:53:39.152Z",
"sha256": "938633e08d17f1d658ada3987017a8e9bf5afee96e5f976b31809df5daf5677c",
"ticketContents": null,
"issues": [
{
"severity": "error",
"code": null,
"path": "TranslationEditor.app.zip/TranslationEditor.app/Contents/MacOS/TranslationEditor",
"message": "The signature of the binary is invalid.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087735",
"architecture": "x86_64"
}
]
}
I visited the link, tried Google and ChatGPT about it, tried to verify the codesign ...
Do you know how I can learn why the signature of the binary is invalid? Maybe get a more detailed log? Something that hints at what was deemed invalid?
How can I debug that? How can I learn what is wrong? I am short on ideas.
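As an added example that is not part of the post above: the log that `xcrun notarytool log <submission-id>` prints is plain JSON, and each issue's `path` and `architecture` fields locate the exact file and Mach-O slice inside the uploaded archive. The script below embeds the log from this post as its sample, tallies the issues, and turns every error into codesign commands against a local extraction of the archive; the extraction directory `te-build/dist/app` and the script name `triage.py` are assumptions. It only narrows the search to the file and slice notarytool rejected so that `codesign --verify --strict --verbose=4` can report which component or resource fails locally; it does not itself say why the signature was invalid.

```python
"""Triage a notarytool log: which file, which slice, which check to run.

Added example; SAMPLE_LOG is the log from the post above.
"""
import json
import posixpath
import shlex
from collections import Counter

SAMPLE_LOG = r'''{
  "logFormatVersion": 1,
  "jobId": "2b959997-4ac5-4bc5-a220-8f46d6b91a9b",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "TranslationEditor.app.zip",
  "uploadDate": "2023-08-29T05:53:39.152Z",
  "sha256": "938633e08d17f1d658ada3987017a8e9bf5afee96e5f976b31809df5daf5677c",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "TranslationEditor.app.zip/TranslationEditor.app/Contents/MacOS/TranslationEditor",
      "message": "The signature of the binary is invalid.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087735",
      "architecture": "x86_64"
    }
  ]
}'''


def summarize(log_text):
    """Overall status plus issue counts by severity and the flagged paths.

    notarytool emits "issues": null for an accepted submission, so the
    field is normalised to an empty list before counting.
    """
    log = json.loads(log_text)
    issues = log.get("issues") or []
    return {
        "status": log["status"],
        "by_severity": dict(Counter(i["severity"] for i in issues)),
        "paths": sorted({i["path"] for i in issues}),
    }


def local_path(issue_path, archive_filename, extract_dir):
    """Map 'Archive.zip/App.app/...' from the log to an extracted copy.

    Every path in the log starts with the archive filename; drop that
    component and re-root the remainder under extract_dir.
    """
    prefix = archive_filename + "/"
    if not issue_path.startswith(prefix):
        raise ValueError(f"{issue_path!r} is not inside {archive_filename!r}")
    return posixpath.join(extract_dir, issue_path[len(prefix):])


def verification_commands(log_text, extract_dir):
    """Two codesign commands per error: a strict verify and a display.

    --architecture pins the Mach-O slice notarytool named, so a bad
    x86_64 slice is not hidden behind a healthy arm64 one; --verbose=4
    makes codesign name the sub-component or resource that fails.
    """
    log = json.loads(log_text)
    commands = []
    for issue in log.get("issues") or []:
        if issue["severity"] != "error":
            continue
        target = local_path(issue["path"], log["archiveFilename"], extract_dir)
        arch = ["--architecture", issue["architecture"]] if issue.get("architecture") else []
        commands.append(shlex.join(["codesign", "--verify", "--strict", "--verbose=4", *arch, target]))
        commands.append(shlex.join(["codesign", "--display", "--verbose=4", *arch, target]))
    return commands


if __name__ == "__main__":
    # Usage (assumed name): xcrun notarytool log <id> --keychain-profile <p> > log.json
    #                       python3 triage.py log.json
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(json.dumps(summarize(text), indent=2))
    for cmd in verification_commands(text, "te-build/dist/app"):
        print(cmd)
```

Run the printed commands from the directory where the archive was unzipped; the verify command reports the first failing component for that slice, and the display command shows the CDHash, flags and requirements that were actually sealed into it.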
I'm trying to sign some PHP binaries so that they are happy to run PHP extensions compiled by other people.
I've tried creating a signing-entitlements.plist such as:
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
</dict>
</plist>
but when trying to run the following:
codesign --entitlements signing-entitlements.plist --force --options runtime --sign "$release_certificate" "$file"
...I get the following error: signing-entitlements.plist: cannot read entitlement data
Do I need to convert the XML to some other format perhaps?
Is it even the right entitlement to achieve what I am trying to do?
Thanks for any help!
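An added example, not from the post above: the entitlements file codesign reads is an XML property list whose root is a `<dict>` with plist-typed values, and Python's plistlib speaks exactly that format, so it can serve as an offline check before signing. The script lints an entitlements body (the file posted above is embedded as the first sample; the string-valued and truncated variants are constructed), rewrites it through plistlib so it carries the header Apple's own tools emit, and builds the codesign argument vector as a list so the identity and path never pass through shell quoting. The identity string, the PHP path and the output filename in the usage are placeholders.

```python
"""Lint and normalise an entitlements plist before handing it to codesign.

Added example; POSTED is the file from the post above, the other two
samples are constructed to show what the linter rejects.
"""
import plistlib
import re
import shlex
from xml.parsers.expat import ExpatError

# The DTD URL that plistlib and Xcode write into every XML plist.
APPLE_DTD = "http://www.apple.com/DTDs/PropertyList-1.0.dtd"

POSTED = b'''<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
</dict>
</plist>
'''

# Constructed: the value is the *string* "true", not a plist boolean.
STRING_VALUE = b'''<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.security.cs.disable-library-validation</key><string>true</string>
</dict></plist>'''

# Constructed: file cut off mid-tag, so it is not well-formed XML at all.
TRUNCATED = POSTED[:-20]


def lint_entitlements(data):
    """Return [(level, message), ...]; an empty list means clean.

    error:   not a parseable plist, root is not a <dict>, a hardened-runtime
             (com.apple.security.cs.*) key without a plist boolean, or any
             value that is the string "true"/"false"/"YES"/"NO".
    warning: a DOCTYPE whose DTD URL differs from the one Apple's tools emit.
    """
    problems = []
    try:
        root = plistlib.loads(data)
    except (plistlib.InvalidFileException, ExpatError, ValueError) as exc:
        return [("error", f"not a valid property list: {exc}")]
    if not isinstance(root, dict):
        return [("error", f"root is {type(root).__name__}, codesign needs a <dict>")]
    for key, value in root.items():
        if isinstance(value, str) and value.strip().lower() in ("true", "false", "yes", "no"):
            problems.append(("error", f"{key}: string {value!r}; use <true/> or <false/>"))
        elif key.startswith("com.apple.security.cs.") and not isinstance(value, bool):
            problems.append(("error", f"{key}: hardened-runtime keys take a boolean"))
    m = re.search(rb'<!DOCTYPE plist PUBLIC "[^"]*" "([^"]*)"', data)
    if m and m.group(1).decode() != APPLE_DTD:
        problems.append(("warning", f"DOCTYPE DTD is {m.group(1).decode()}; Apple's tools write {APPLE_DTD}"))
    return problems


def normalise(data):
    """Round-trip through plistlib: canonical header and DTD, sorted keys, UTF-8."""
    return plistlib.dumps(plistlib.loads(data), fmt=plistlib.FMT_XML, sort_keys=True)


def codesign_argv(identity, target, entitlements_path, hardened_runtime=True):
    """Argument vector for subprocess.run(argv): no shell, so no quoting
    surprises (a single-quoted '$release_certificate' reaches codesign literally)."""
    argv = ["codesign", "--force", "--timestamp", "--sign", identity,
            "--entitlements", entitlements_path]
    if hardened_runtime:
        argv += ["--options", "runtime"]
    return argv + [target]


if __name__ == "__main__":
    for name, body in (("posted", POSTED), ("string-value", STRING_VALUE), ("truncated", TRUNCATED)):
        print(name, lint_entitlements(body) or "clean")
    with open("signing-entitlements.plist", "wb") as fh:  # canonical rewrite of the posted file
        fh.write(normalise(POSTED))
    print(shlex.join(codesign_argv("Developer ID Application: Example Corp (TEAMID1234)",
                                   "/usr/local/bin/php", "signing-entitlements.plist")))
```

The warning on the posted file is only that its DOCTYPE URL is not the one plistlib and Xcode write; the linter does not claim that is what codesign objects to, it just produces a file with the canonical header so that difference is removed before the next attempt. After signing, `codesign -d --entitlements :- <binary>` prints the entitlements that were actually sealed in.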
In our team we have two apps, A and B. Unfortunately, app B was released with the iCloud entitlement using the container ID of app A. This led to a problem: our app A displays in the iCloud "Manage Storage" list on iOS as app B. Because of that, people are losing all of their data, as they think it is app A. App B uses only key-value storage in iCloud.
How can we override that name so it displays A again?
I have recently moved our CI/CD pipeline to using Xcode Cloud. Everything has been going great until we tried to test our VoIP pushes in our test environment. In our old system, our entitlements file set the apns-environment to develop, so when we distributed an archived build to our QA team, it would generate sandbox APNS device tokens for testing. But since I have switched to Xcode Cloud, it looks to be generating production APNS device tokens now, so all of our sandbox pushes are failing to send. Is there a way I can make sure Xcode Cloud sends builds that have the apns-environment set to development?
I have built and installed a Flutter application on an iPhone 7 with iOS 15. The issue is that when I try to verify the app in the device management settings, it's not verifying the app and not showing any error. I have reinstalled the app and checked my signing certificates and Apple developer account; everything is fine, but it's still not verifying. Help me out.
{
"logFormatVersion": 1,
"status": "Rejected",
"statusSummary": "Team is not yet configured for notarization. Please contact Developer Programs Support at developer.apple.com under the topic Development and Technical / Other Development or Technical Questions.",
"statusCode": 7000,
"ticketContents": null,
"issues": null
}
I've tried notarizing my electron app but I get this error all the time.
I've contacted Apple Developer Technical Team but I've been redirected to Developer Programs Support.
I've asked them to approve the Team for notarization and they've redirected me back to Technical Team and said that the Team is not approved for notarization, which I know already from the logs error.
I've watched every topic related to this "Team is not yet configured for notarization" issue, like: https://developer.apple.com/forums/thread/118465
But it didn't help much, because I suppose it's something that Developer Programs Support needs to approve.
My Team seems configured in App Connect, everything seems to be in place, I've accepted all the agreements, I don't know what else to accept or do for the Team to be approved, and I didn't receive next steps from the Apple Developer Program Support Team.
It's been 2 months that I've been trying to notarize and the deadline is coming, so please, if anybody can help fix this.
Thank you
Hi,
I'm trying to sign an app, which is a Python-compiled executable for macOS (one file only).
The app runs perfectly on my own Mac (or someone else's, but only after being admin-authorized).
after running
codesign --sign "$devID" $file2sign
I got the following error:
Warning: unable to build chain to self-signed root for signer "Apple Development:..."
errSecInternalComponent
As per screenshot, I have both a current Dev cert and the intermediate certs installed.
Any help will be highly appreciated!
Hi,
I'm trying to sign an app (originally Python, compiled for Mac) and the codesign process is failing with an error.
The command from the terminal that produced the error was:
codesign --sign "$devID" $file2sign
Warning: unable to build chain to self-signed root for signer "Apple Development: ..."
errSecInternalComponent
I have both a dev certificate (current, just downloaded a couple of days ago) and the intermediate certificates.
When I run the command
security find-identity -v -p codesigning
I can perfectly see my dev cert, but it is only listed under "valid identities"; nothing is listed under "matching identities".
Any help will be highly appreciated!
I'm trying to notarize a simple Electron app (packaged with electron-forge, zip size: 150MB) using new notarytool.
When submitting the bundle it hangs on IN PROGRESS for more than 20 hours with no result yet.
I verified the app is signed.
Anybody has an idea what's wrong?
notarytool version: 1.0.0 (28)
Hi!
I'm trying to move from a CoreMedia I/O DAL plug-in to CoreMedia I/O camera extensions, announced in macOS 12.3. I created a test extension, placed it inside my app bundle in Contents/Library/SystemExtensions and signed it with a code signing certificate. But when I try to install my extension from inside my app, using this code (Swift):
func installDriver()
{
    guard let extensionIdentifer = DriverInstaller.extensionBundle().bundleIdentifier else {
        return
    }
    let activationReq = OSSystemExtensionRequest.activationRequest(forExtensionWithIdentifier: extensionIdentifer, queue: .main)
    activationReq.delegate = self
    OSSystemExtensionManager.shared.submitRequest(activationReq)
}
I'm getting an error:
OSSystemExtensionErrorDomain error 8: Code Signature Invalid
which is rather generic. Can anybody tell me what I am doing wrong? Or at least propose some steps to find it out?
I'm posting here entitlements and codesign output for my extension and containing application for further information.
Executable=../Contents/Library/SystemExtensions/com..RoomDevice.Extension.systemextension/Contents/MacOS/com..RoomDevice.Extension
[Dict]
[Key] com.apple.security.app-sandbox
[Value]
[Bool] true
[Key] com.apple.security.application-groups
[Value]
[Array]
[String] 893K7MTL2H. com..
[Key] com.apple.security.device.camera
[Value]
[Bool] true
Executable=**********/Contents/MacOS/*****
[Dict]
[Key] com.apple.application-identifier
[Value]
[String] 893K7MTL2H.com..RoomDevice
[Key] com.apple.developer.system-extension.install
[Value]
[Bool] true
[Key] com.apple.developer.team-identifier
[Value]
[String] 893K7MTL2H
[Key] com.apple.security.application-groups
[Value]
[Array]
[String] 893K7MTL2H. com..********
Executable=***/Contents/MacOS/****
Identifier=com..RoomDevice
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1345 flags=0x10000(runtime) hashes=31+7 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=3584714367d59119b462d0f830247d27ff1fbace
CandidateCDHashFull sha256=3584714367d59119b462d0f830247d27ff1fbace53419d69abaa658fbb7a4f12
Hash choices=sha256
CMSDigest=3584714367d59119b462d0f830247d27ff1fbace53419d69abaa658fbb7a4f12
CMSDigestType=2
Launch Constraints:
None
CDHash=3584714367d59119b462d0f830247d27ff1fbace
Signature size=4688
Authority=Developer ID Application: ****************(893K7MTL2H)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Signed Time=01-Sep-2023 at 12:00:09 PM
Info.plist entries=22
TeamIdentifier=893K7MTL2H
Runtime Version=13.3.0
Sealed Resources version=2 rules=13 files=6
Internal requirements count=1 size=216
Executable=/Contents/Library/SystemExtensions/com.*****.RoomDevice.Extension.systemextension/Contents/MacOS/com..RoomDevice.Extension
Identifier=com.******.RoomDevice.Extension
Format=bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=3627 flags=0x10000(runtime) hashes=102+7 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=70580825016b7e262fb15c280ba380ad4e871bc1
CandidateCDHashFull sha256=70580825016b7e262fb15c280ba380ad4e871bc108951adb8cd474d652567f4f
Hash choices=sha256
CMSDigest=70580825016b7e262fb15c280ba380ad4e871bc108951adb8cd474d652567f4f
CMSDigestType=2
Launch Constraints:
None
CDHash=70580825016b7e262fb15c280ba380ad4e871bc1
Signature size=4688
Authority=Developer ID Application: ************ Ltd. (893K7MTL2H)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Signed Time=01-Sep-2023 at 12:00:05 PM
Info.plist entries=22
TeamIdentifier=893K7MTL2H
Runtime Version=13.3.0
Sealed Resources version=2 rules=13 files=0
Internal requirements count=1 size=224
Please anyone help. Thanks in advance!
Currently building a freemium iOS app without any login features. In order to track the paid features (i.e. unlimited token usage) I am using device ID in the database (using Google Firebase).
Problem is I see new device IDs pop up in the database for the same user using the same device. This breaks the paid feature and removes their access to unlimited tokens when this new device ID activates.
Other than creating a formal login system (e.g. username and password), what is the best way to log a user's device info so that the app user can keep their paid features?
Thanks for the help!
Failed to build iOS app
Error (Xcode): No profiles for 'com.jurabek7788.sos' were found: Xcode couldn't find any iOS App Development provisioning profiles matching
'com.jurabek7788.sos'. Automatic signing is disabled and unable to generate a profile. To enable automatic signing, pass -allowProvisioningUpdates to
xcodebuild.
/Users/user/Desktop/SOS%20flutter%20/set_of_service_app/ios/Runner.xcodeproj
It appears that there was a problem signing your application prior to installation on the device.
Verify that the Bundle Identifier in your project is your signing id in Xcode
open ios/Runner.xcworkspace
Also try selecting 'Product > Build' to fix the problem.
Encountered error while building for device.
This is the error I get when I build the iOS app. And the main problem is that I have already done all of these things.
Hello,
I have a valid developer ID downloaded from Apple. I signed the code (compiled exe file for intel Macs) and put it into a ZIP, which I also signed.
While signing I use the timestamp and hardened runtime options:
codesign -s "$LbaDevID" -o runtime -f --timestamp $conFile3
codesign -s "$LbaDevID" -o runtime -f --timestamp $conZip3
where the variable $LbaDevID represents my Dev code ID (VALID, downloaded from Apple after requesting the cert), $conFile3 the path to the exe file and $conZip3 the path to the ZIP (just $conFile3 zipped).
I attempt to notarize using the following command:
xcrun notarytool submit $compZip3 --keychain-profile "TestAppNotarz" --wait
the downloaded reply log says:
Invalid dev ID (which is valid)
no timestamp... I corrected this error after the 1st attempt but the reply says exactly the same, even when I can see "TIMESTAMP" in the signature.
The third and last error refers to the runtime, which is present but not being seen.
Any help on how to troubleshoot this issue will be highly appreciated!
Please point me to the relevant documentation to solve this issue...
I'm the developer of a small utility for Mac called "MusicDeviceHost".
https://apps.apple.com/us/app/musicdevicehost/id1261046263?mt=12
As the name suggests, it is a host application for audio units (music device components).
See also "Using Sound Canvas VA with QMidi":
https://youtu.be/F9C4BiBR
A problem occurs while trying to authorize the "Sound Canvas VA" component, Roland Cloud Manager (v3.0.3) returns the following error:
“Authorization Error - RM Service not connected
Error Connecting to Roland Cloud Manager Service”
I guess the error is caused by some permission denied to the sandboxed application version. The NOT sandboxed version of MDH actually works flawlessly.
I am using the following entitlements:
com.apple.security.app-sandbox
com.apple.security.network.client
So connecting to the service should work, because "com.apple.security.network.client" is enabled.
At Roland, they say:
"Cloud Manager isn't supported in a sandboxed environment."
But as far as I can see, MainStage and other sandboxed apps work fine...
So what is the right answer? Is there someone out there with the same issue? Thanks for helping :)
I am trying to notarise a .dmg of my desktop application, but the process seems to just hang on 'In Progress'. It's not actually hanging, as I accumulate extra '.', but clearly it isn't working.
This exact same codebase notarised fine recently. The only change has been a downgrade in OS from Monterey to Big Sur.
I appreciate this is unusual, but I am required to support my client, who is running a 2013 MacBook Pro with Big Sur.
I appreciate that some of these tools are newer than Big Sur, but surely it should work?
I'm trying to staple a validation ticket to an exe file that is already notarized. The process ended with the following error:
Downloaded ticket has been stored at file:///var/folders/bj/ry08v0694972s03cswkq5md80000gq/T/7f1a34f0-8628-4157-92b0-b59cebe70951.ticket.
Could not remove existing ticket from file:///Users/efi-admin/Downloads/ActualSignedFile/Contents/CodeResources because an error occurred. Error Domain=NSCocoaErrorDomain Code=512 "“CodeResources” couldn’t be removed." UserInfo={NSUserStringVariant=(
Remove
), NSFilePath=/Users/efi-admin/Downloads/ActualSignedFile/Contents/CodeResources, NSUnderlyingError=0x600000151e90 {Error Domain=NSPOSIXErrorDomain Code=20 "Not a directory"}}
The staple and validate action failed! Error 73.
The above was captured using the verbose option of the cmd...
Among the response, I can see the ticket:
fields = {
signedTicket = {
type = BYTES;
value = "czhjaAEAAADxBQAALQAAADCCBe0wggL/MIICpKADAgECAghWLFU2G59vVTAKBggqhkjOPQQDAjByMSYwJAYDVQQDDB1BcHBsZSBTeXN0ZW0gSW50ZWdyYXRpb24gQ0EgNDEmMCQGA1UE.... (partial)
I need help to properly understand what is this cmd doing as the issue might be permissions one.
The path mentioned above under /ActualSignedFile:
/ActualSignedFile/Contents/CodeResources
does not exist. Is it that the cmd wants to create it?
Is there any way to manually attach the ticket to the file, given the fact that is printed in verbose mode?
Thanks!
Any help will be highly appreciated!
It seems like a pretty common issue, but I'll make a post about it specifically for what I'm seeing. It's my first time notarizing an app, so maybe it's something in my config, but I'm not seeing any errors.
For simplicity I cloned, built and signed the sample Electron Forge app following the "Getting Started" steps on https://www.electronforge.io/. The build zip is 90MB, so it's not that large. My production application will be a DMG, but even that is stuck (maybe because the zips before it are currently stuck).
Trying to manually notarize via notarytool just hangs. I used xcrun notarytool submit <Package> --keychain-profile "NotaryProfile" --wait
Running xcrun notarytool history --keychain-profile "NotaryProfile" outputs the following.
createdDate: 2023-09-06T14:49:59.810Z
id: 838c0903-d136-4241-be98-174152a7e3cf
name: my-new-app.zip
status: In Progress
--------------------------------------------------
createdDate: 2023-09-06T14:31:08.880Z
id: 1ce6ef46-8b09-4b20-9f61-81292b2dcbb9
name: my-new-app.zip
status: In Progress
--------------------------------------------------
createdDate: 2023-09-06T14:10:23.726Z
id: 71bc9206-036e-46c7-aadf-6bfaa4097743
name: my-new-app.zip
status: In Progress
--------------------------------------------------
createdDate: 2023-09-06T13:54:35.527Z
id: 7c7fd365-1f08-48c6-a314-3a1809019f9c
name: my-new-app.zip
status: In Progress
Its been about 7 hours since my first attempt.
I tried to pull logs by calling xcrun notarytool log --keychain-profile "NotaryProfile" aa6e9df3-ef62-4058-8bcc-683f015b412a but it seems like none exist yet.
Submission log is not yet available or submissionId does not exist
id: aa6e9df3-ef62-4058-8bcc-683f015b412a
Not sure what's going on, but it's pretty far off from the time estimate of 5 - 45 minutes.
Any help is appreciated.
NotaryTool version is 1.0.0 (28)
I am getting the error below after successfully notarizing my app: when I install from the DMG and try to launch it, it crashes.
Termination Reason: Namespace TCC, Code 0
This app has crashed because it attempted to access privacy-sensitive data without a usage description. The app's Info.plist must contain an com.apple.security.device.audio-input key with a string value explaining to the user how the app uses this data.
Note: I have already added the entitlements to my electron-builder config and I can see the entitlements in the Info.plist of my .app in the Applications directory.
hardenedRuntime: true,
extendInfo: {
NSMicrophoneUsageDescription: 'Need microphone access for recognizing audio',
'com.apple.security.app-sandbox': true,
'com.apple.security.cs.allow-jit': true,
'com.apple.security.device.audio-input': true,
'com.apple.security.cs.allow-unsigned-executable-memory': true,
'com.apple.security.cs.disable-executable-page-protection': true,
'com.apple.security.cs.disable-library-validation': true,
'com.apple.security.device.microphone': true,
'com.apple.security.network.client': true,
'com.apple.security.files.user-selected.read-write': true,
'com.apple.security.cs.allow-dyld-environment-variables': true,
}
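An added example, not from the post above and not electron-builder's own code: keys in the `com.apple.security.*` namespace are entitlements, which codesign seals into the binary from the entitlements plist, whereas `NS...UsageDescription` strings are Info.plist keys that TCC reads at runtime, and microphone access in a hardened-runtime app needs both the audio-input entitlement and `NSMicrophoneUsageDescription`. The function below takes a mixed dict like the `extendInfo` block above (reconstructed as a Python dict), splits it by namespace, and reports usage-description keys that the enabled device entitlements require but the Info.plist side lacks. The mapping table is deliberately limited to microphone and camera; the second sample, with a camera entitlement and no camera string, is constructed.

```python
"""Separate entitlements from Info.plist keys and cross-check purpose strings.

Added example; POSTED_EXTEND_INFO mirrors the extendInfo block in the
post above, CAMERA_WITHOUT_STRING is constructed.
"""

POSTED_EXTEND_INFO = {
    "NSMicrophoneUsageDescription": "Need microphone access for recognizing audio",
    "com.apple.security.app-sandbox": True,
    "com.apple.security.cs.allow-jit": True,
    "com.apple.security.device.audio-input": True,
    "com.apple.security.cs.allow-unsigned-executable-memory": True,
    "com.apple.security.cs.disable-executable-page-protection": True,
    "com.apple.security.cs.disable-library-validation": True,
    "com.apple.security.device.microphone": True,
    "com.apple.security.network.client": True,
    "com.apple.security.files.user-selected.read-write": True,
    "com.apple.security.cs.allow-dyld-environment-variables": True,
}

# Constructed: camera entitlement requested, no NSCameraUsageDescription.
CAMERA_WITHOUT_STRING = {
    "com.apple.security.cs.allow-jit": True,
    "com.apple.security.device.camera": True,
}

# Namespaces that belong in the entitlements plist, never in Info.plist.
ENTITLEMENT_PREFIXES = ("com.apple.security.", "com.apple.developer.",
                        "com.apple.application-identifier")

# Device entitlements and the Info.plist purpose string macOS requires
# before it will show the privacy prompt (table limited to mic and camera).
USAGE_DESCRIPTION_FOR = {
    "com.apple.security.device.audio-input": "NSMicrophoneUsageDescription",
    "com.apple.security.device.microphone": "NSMicrophoneUsageDescription",
    "com.apple.security.device.camera": "NSCameraUsageDescription",
}


def split_config(mixed):
    """Partition one dict into (entitlements, info_plist) by key namespace."""
    entitlements = {k: v for k, v in mixed.items() if k.startswith(ENTITLEMENT_PREFIXES)}
    info_plist = {k: v for k, v in mixed.items() if k not in entitlements}
    return entitlements, info_plist


def missing_usage_descriptions(entitlements, info_plist):
    """Purpose strings required by enabled device entitlements but absent or blank."""
    missing = set()
    for key, enabled in entitlements.items():
        needed = USAGE_DESCRIPTION_FOR.get(key)
        if enabled is True and needed and not str(info_plist.get(needed, "")).strip():
            missing.add(needed)
    return sorted(missing)


def audit(mixed):
    """What goes where, plus the purpose strings still missing from Info.plist."""
    entitlements, info_plist = split_config(mixed)
    return {
        "entitlements": sorted(entitlements),
        "info_plist": sorted(info_plist),
        "missing_usage_descriptions": missing_usage_descriptions(entitlements, info_plist),
    }


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_EXTEND_INFO), ("camera", CAMERA_WITHOUT_STRING)):
        print(name, audit(cfg))
```

The `entitlements` list is what should end up in the plist handed to `codesign --entitlements`; only the `info_plist` keys belong in the bundle's Info.plist, and `codesign -d --entitlements :- <app>` confirms which of the two the signed binary actually carries.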
Behavior:
I was recently having issues with errSecInternalComponent during codesign when using sudo su, but NOT when logged into the non-administrator account. This appears to be due to the intermediate certificate not being in the admin user's keychain.
Workaround:
Add intermediate certificate (in my case the Apple Worldwide Developer Relations Certification Authority (G3) available here) to the Admin (who is running sudo su) user's keychain.
Why this is unexpected:
security find-identity -p codesigning indicates the identity is valid, but codesign fails with Warning: unable to build chain to self-signed root for signer and errSecInternalComponent. This behavior also seems to imply that while using codesign and sudo su, we are using the switched user (myuser)'s keychain for the signing identity, but the admin user's keychain for intermediate certificates.
Setup:
Admin user (referred to as admin)
Regular user (referred to as myuser)
For testing purposes do cp /usr/bin/true /Users/myuser/MyTrue
Steps to reproduce:
Login to the computer via Mac OS GUI as myuser
Install developer certificate and intermediates as myuser such that myuser's keychain has the development certificate and apple WWDR certificate
Verify that development certificate is valid and can codesign
myuser@mymachine % security find-identity -p codesigning
Policy: Code Signing
Matching identities
1) <REDACTED> "Apple Development: My User (<REDACTED>)"
1 identity found
Valid identities only
1) <REDACTED> "Apple Development: My User (<REDACTED>)"
1 valid identity found
Verify that signing works
myuser@mymachine % codesign -s "Apple Development" -f ~/MyTrue
/Users/myuser/MyTrue: replacing existing signature
Login to computer via Mac OS GUI as admin
As admin verify your login keychain does NOT contain the Apple Development identity or any intermediate WWDR certificates (delete them if present).
Use sudo su myuser to switch to myuser while in the admin GUI account.
admin@mymachine % sudo su myuser
myuser@mymachine %
Verify that development certificate is valid and can codesign after switching
myuser@mymachine % security find-identity -p codesigning
Policy: Code Signing
Matching identities
1) <REDACTED> "Apple Development: My User (<REDACTED>)"
1 identity found
Valid identities only
1) <REDACTED> "Apple Development: My User (<REDACTED>)"
1 valid identity found
Verify that codesigning fails
myuser@mymachine % codesign -s "Apple Development" -f ~/MyTrue
Warning: unable to build chain to self-signed root for signer: <REDACTED> "Apple Development: My User"
/Users/myuser/MyTrue: errSecInternalComponent
Verify that after installing the WWDR G3 intermediate in the admin user's keychain, signing works as expected.
myuser@mymachine % codesign -s "Apple Development" -f ~/MyTrue
/Users/myuser/MyTrue: replacing existing signature
Hello,
I have a sandboxed Mac app which launches a helper app. The main app has the sandbox enabled and has the get-task-allow entitlement. From the main app I launch[1] a helper, which is an application bundle located in Contents/Helpers of the main bundle. The helper has the sandbox enabled and the com.apple.security.inherit entitlement.
Currently I have a problem attaching a debugger to the helper process or getting access to location services from it (but that's probably a different issue). I checked the responsible process and it seems to be set to the correct PID of the main application.
The Xcode is reporting "Not allowed to attach to process" error and I see the same in the log:
macOSTaskPolicy: (com.apple.debugserver) may not get the task control port of (com.****) (pid: 31628): (com.****) is hardened, (com.****) doesn't have get-task-allow, (com.apple.debugserver) is a declared debugger(com.apple.debugserver) is not a declared read-only debugger
To add more context, what I'm trying to achieve is that we run certain parts of our app in separate child processes so we can restart them if anything goes wrong [2].
So I have few questions:
Do I need to launch the helper (child) process a particular way to be able to attach debugger to it?
Is there a tool to inspect sandboxes (rules applied and the inheritance)?
Do I really need to explicitly enable sandboxing and inheritance on the helper app? Doesn't it run in the parent's sandbox anyway?
Thank you.
[1] We use boost::child_process for launching the helper, which is using popen behind the scene, but I have the same experience with NSTask.
[2] I know that's what XPCServices are for but don't ask :-)