Hello! I've just recently discovered LaunchCodeRequirement API and I'm exploring how it works compared to existing alternatives available for macOS versions below 14.4. Some questions I have with regards to safety of older and newer APIs examining the given example: func runProcess(executableURL: URL) throws { let process = Process() process.executableURL = executableURL if #available(macOS 14.4, *) { process.launchRequirement = try LaunchCodeRequirement.allOf { ValidationCategory(.developerID) SigningIdentifier("some-signing-identifier") TeamIdentifier("some-team-identifier") } } else { try secStaticCodeCheckValidity(executableURL) // Point #1 } do { try process.run() // Point #2 if #available(macOS 14.4, *) { // process.launchRequirement should take care of the process // and kill it if launchRequirement constraint is not satisfied } else { try secCodeCheckValidity(process.processIdentifier) // Point #3 } process.waitUntilExit() } catch { process.terminate() throw error } // Point #4 guard process.terminationReason == .exit else { throw SomeError() } } let requirement = """ anchor apple generic and identifier = "some-signing-identifier" and certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf [subject.OU] = "some-team-identifier" """ func secStaticCodeCheckValidity(_ executableURL: URL) throws { // Init SecStaticCode from `executableURL` // Init SecRequirement from `requirement` let flags = SecCSFlags(rawValue: kSecCSBasicValidateOnly) guard SecStaticCodeCheckValidityWithErrors(code, flags, secRequirement, nil) == errSecSuccess else { throw CodeSignError() } } func secCodeCheckValidity(_ processIdentifier: Int32) { // Init SecCode from `processIdentifier` // Init SecRequirement from `requirement` guard SecCodeCheckValidityWithErrors(code, [], secRequirement, nil) == errSecSuccess else { throw CodeSignError() } } Before macOS 14.4+ flow There's still a small chance that between checking executable binary codesign requirement (Point #1) and launched process' one (Point #3) the binary could be replaced with something malicious and even get some CPU between Points #2 and #3 so technically it can't be 100% safe. Is that a correct statement? Any advices on making it safer? macOS 14.4+ flow Now let's see how launchRequirement is better. I guess initialized launchRequirement gets evaluated on running the process (Point #2). What does it exactly check? Executable at URL before launching the process (as OnDiskConstraint) or launched process (as ProcessConstraint)? Is there any chance the process gets some CPU before it's killed in case of failed codesign check? Any way to distinguish between codesign requirement termination and other reasons at point #4? It returns SIGKILL (9) as terminationStatus but it's not precise enough to be sure it was killed due to failed requirement check. I guess newer SecStaticCodeCheckValidityWithOnDiskRequirement & SecCodeCheckValidityWithProcessRequirement are the same as SecStaticCodeCheckValidityWithErrors & SecCodeCheckValidityWithErrors but a little simpler and can't be used as a 'more secure' way of validating codesign requirement. Thanks, Pavel

Hi, the documentation says that an application bundle for Mac OS X can have a Frameworks folder within Contents. Using a framework for console applications (no bundle) and GUI applications (bundle), I cannot load the console applications anymore on Ventura. Prior to Ventora I have tested and ran both on Mojave or earlier - I am not sure. To fix the issue, I have moved the frameworks within the application bundle to match the rpath for /Users/lothar/Library/Frameworks when I place the console into /Users/lothar/bin, the same rpath for application bundles works for those within the bin folder. Can I publish an application bundle with that modified layout or do I have to expect getting problems and do rather a Symlink pointing from /Users/lothar/Frameworks to /Users/lothar/Library/Frameworks? Thanks, Lothar

I am trying to get a PKG installer through the Apple codesign and notarytool process. When I submit the PKG installer I get a status message of "Invalid" and when I review the log file it has 2 errors. For "status summary" it says: "Archive contains critical validation errors", and for "message" it says" "The binary is not signed". The installer contains a flat file that is installed in the "Users/Shared" folder via the PKG installer. Here are the steps I've taken to get the installer through the codesign and notarytool process. codesign the file that's placed in the "Users/Shared" folder: codesign --options=runtime --sign 'Developer ID Application: XYZ' -v /Users/.../Documents/folder/"flat file" which I get a message saying "signed generic". Create the PKG installer with the signed "flat file". Sign the PKG installer containing the signed "flat file": codesign --options=runtime --sign 'Developer ID Application: XYZ' -v /Users/.../Documents/folder/"flat file" which I get a message saying "signed generic". Submit the PKG file with notarytool: xcrun notarytool submit /Users/.../Documents/folder/"flat file" --verbose --apple-id username --password password --team-id ID# --progress It completes and provides the submission ID. I check the status and get the error message that it's invalid. When I check the full details via the log I get the error messages mentioned above. What am I missing or failing to do?

I am using matlab to create an application (.app) using matlab application compiler. Along with that, I use matlab to create an installer for that. Unfortunately, the installer is in (.app) format. So do some custom things to install the dependencies and copying my application to Applications folder. I am able to sign the original application with Developer ID application certificate. But I am not able to sign the installer in .app format with Developer ID installer certificate. Is there any flag in any signing executable that allows me to use Developer ID installer certificate to sign .app file instead of typical (.pkg/.dmg)? Any help would be much appreciated.

Dear Support, I am trying to verify the installation of my macOS app via Test Flight. I have verified through code sign that it is properly signed and has all of the the required entitlements, including sandbox. The package uploaded successfully via Transporter, and the app installs with Test Flight. However, the app will not run. After numerous attempts, I discovered that the embedded.provisionprofile is missing from the Contents of the app bundle in the version that installs via Test Flight. If I install directly from the same PKG I uploaded to Transporter (that TestFlight is using for the build) I can verify that the embedded.provisionprofile is present. Why does uploading the PKG and installing through Test Flight result in the removal of the embedded provisioning file? Is this expected and/or could be another reason why my app is refusing to run? Much appreciated, ~Ross

Can you please revoke my developer id application and installer certs? So i may recreate. I deleted the private key by mistake before realizing i cannot recreate everything using the developer website portal. I dont have macos backup or did i backup my certs with attached pkey. I just did not realize this was important until now. Please help as Im now blocked. I opened a case too but i have not yet got a response. its been 3 days now. case id: 20000093632858

Hello, I was trying to solve the error "Command CodeSign failed with a nonzero exit code" that occurs when I try to archive and publish my app. I realized the Team IDs on the Portal (To right corner next to my name eg "Pete Park - ABC1D2E334") and my Mac Keychain Acces (eg "Pete Park - XYZ9W8V776") do not match. The number on KeyChain Access, is that's a Team ID. (clueless self learner here) If yes, do they need to match? Any suggestion for the CodeSign error? Is "errSecInternalComponent" the error? Sorry if these questions are obvious or stupid. Thanks so much for any advice.

My app is a Safari extension. When trying to validate the app, I get the following error: App sandbox not enabled. The following executables must include the "com.apple.security.app-sandbox" entitlement with a Boolean value of true in the entitlements property list: [( "app.rango.Rango.pkg/Payload/Rango for Safari.app/Contents/MacOS/Rango for Safari" )] Refer to App Sandbox page at https://developer.apple.com/documentation/security/app_sandbox for more information on sandboxing your app. I don't know why this is happening. I have app sandbox enabled in both the app and the extension target. I have both entitlement files. When executing codesign -d --entitlements :- /path/to/binary I get the following: <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>com.apple.security.app-sandbox</key><true/><key>com.apple.security.files.user-selected.read-only</key><true/><key>com.apple.security.get-task-allow</key><true/><key>com.apple.security.network.client</key><true/></dict></plist> If I check on Activity Monitor, on the sandbox column it shows true. I have no idea why I keep getting this error when all indicates that the app is actually sandboxed.

I'm using PyBind11 to allow use of Python code within my C++ application. The application links successfully, but on the py::module::import below: LOGICAL WebServer:: CheckForPort() { EPython::Prepare(); auto socket = py::module::import("socket"); auto s = socket.attr("socket")(socket.attr("AF_INET"),socket.attr("SOCK_STREAM")); if (s == Py_None) return L_TRUE; auto rc = s.attr("connect_ex")("localhost",8810); // // Returns zero if port in in use // return (rc.cast<int>() == 0); } I get a run-time error libc++abi: terminating due to uncaught exception of type pybind11::error_already_set: ImportError: dlopen(/Library/Frameworks/Python.framework/Versions/3.11/lib/python3.11/lib-dynload/math.cpython-311-darwin.so, 0x0002): tried: '/Users/Shared/Develop/IntelApps/WinTD 5/DerivedData/WinTDOSX/Build/Products/Debug/math.cpython-311-darwin.so' (no such file), '/usr/lib/system/introspection/math.cpython-311-darwin.so' (no such file, not in dyld cache), '/Library/Frameworks/Python.framework/Versions/3.11/lib/python3.11/lib-dynload/math.cpython-311-darwin.so' (code signature in <855730B8-106D-389C-BF65-36A98463EDB5> '/Library/Frameworks/Python.framework/Versions/3.11/lib/python3.11/lib-dynload/math.cpython-311-darwin.so' not valid for use in process: mapping process and mapped file (non-platform) have different Team IDs), I have no idea how to fix the code signature error---this is intended for distribution, so that presumably would be a file on the user's computer. I tried to link in the .so file, but that's a rabbit hole as there are a near endless set of further dependencies.

Hi, I have a project that integrates the Firebase SDK via SPM as a dependency of an internal Swift Package: My app ⟶ My Library ⟶ Firebase SDK The project builds successfully and can be archived locally ✅. The uploaded .ipa is valid and gets published 🚀. However, we are now trying to automate the release process using Xcode Cloud, but the iOS Archive action is failing ❌ on Xcode Cloud. The logs show the following error ⬇️: error: exportArchive codesign command failed (/Volumes/workspace/tmp/XcodeDistPipeline/XcodeDistPipeline.~~~oomCvM/Root/Payload/base-ios.app/Frameworks/FirebaseAnalytics.framework: replacing existing signature /Volumes/workspace/tmp/XcodeDistPipeline/XcodeDistPipeline.~~~oomCvM/Root/Payload/base-ios.app/Frameworks/FirebaseAnalytics.framework: invalid or corrupted code requirement(s) Requirement syntax error(s): line 1:178: unexpected token: <COMPANY_NAME> ) ** EXPORT FAILED ** I have been researching this issue for a while and have tried several solutions to fix it, but with no luck. Even though the error points to a specific library—the Firebase SDK—I don’t believe Firebase is the root cause. There were related issues in the past, but those were already fixed by the Firebase team, and as I mentioned, the project archives correctly when built locally. On the other hand, the error states: line 1:178: unexpected token: <COMPANY_ACRONYM> This makes me wonder if there’s an issue parsing our Team Name during the re-signing process, as it contains special characters ": "name": "Apple Distribution: Company Full Name "COMPANY_ACRONYM""

I have tried to manually install binaries using Finder by clicking and dragging from the Desktop into "/usr/local/bin/". The binaries come with a collection of frameworks etc. All the binaries are adhoc signed. macOS asks for Admin credentials which is fine. But then, when I execute the binaries in Terminal, Gatekeeper shows the now expected "'[binary"] Not Opened Apple could not verify ........" etc. It shows that dialog for every component and requires user input 2-3 times to allow each component of which there are perhaps dozens. BUT, none of that happens if I install those binaries using AppleScript. So, it might have a call like this: do shell script "curl -L " &amp; download_URL &amp; " -o " &amp; download_binary_zip with administrator privileges do shell script "unzip -o " &amp; download_binary_zip &amp; " -d " &amp; usr_bin_folder with administrator privileges The resulting installs work perfectly. Is this intended ? Using both install methods requires Admin credentials. Why does using a script work but using Finder does not ?

We are facing following message "A timestamp was expected but was not found" during codesign for following .dylib and .pkg and it cause notarization process failed. We are facing this issue for last 3 days. we have access for timestamp.apple.com and 17.0.0.0/8 and we didn't change firewall settings. We are facing this issue randomly and not for all time(scenario is 3:1). We tried the below command to sign the package, codesign --verbose --deep --force --timestamp --options=runtime --sign "" Kindly let us know how to fix this probelm. traceroute timestamp.apple.com traceroute to timestamp.v.aaplimg.com (17.157.80.35), 64 hops max, 52 byte packets .... 10 17.0.9.19 (17.0.9.19) 185.693 ms 17.0.9.17 (17.0.9.17) 180.932 ms 189.060 ms 11 * * * 12 17.0.17.141 (17.0.17.141) 191.513 ms * 17.0.17.137 (17.0.17.137) 183.086 ms 13 * * * 14 * * *

Hello everyone, I’m currently developing an Electron application, and I’m trying to properly sign and notarize it for macOS. The notarization process itself seems to complete successfully—the file is accepted without issues. However, when I attempt to staple the notarization ticket to the executable, I consistently get Error 65 with TheStableAndValidateActionFailed. The issue is puzzling because the executable does not change at any point during the process. After facing this issue multiple times in my own project, I decided to test it on a more controlled setup. I followed the steps from this https://www.youtube.com/watch?v=hYBLfjT57hU and the instructions from this macos-code-signing-example which have previously worked for others. Yet, even with this setup, I still get the same Error 65. Below, I have attached the verbose logs for reference. I’m trying to understand what could be causing this issue—whether it’s related to certificates, the signing process, or something else entirely. Has anyone encountered a similar problem, and if so, how did you resolve it? Any insights would be greatly appreciated!

I have created a Mac Catalyst version of the same app, and it was transferred from an old account to a new one. However, the Mac Catalyst build has been stuck in progress for several days when attempting to notarize it. After many days, I got the rejection with the following error: Team is not yet configured for notarization. Please contact Developer Programs Support at developer.apple.com under the topic Development and Technical / Other Development or Technical Questions. I have already tried to create a new developer ID certificate, but it still has the same issue. On the other hand, the iOS app is working fine and has been published in the App Store. Could you please assist us in resolving this issue as quickly as possible? Your prompt help would be greatly appreciated.

Hi Team, I have created multiple certificates for macOS application. Below are the certificates created- Apple Development Certificate DeveloperID Installer Certificate Apple Distribution Certificate others certificates Later, I have imported the all these above certificates in keychain-access. Now, I tried to compile the code through Xcode. I am getting error for code signing certificate. Warning: unable to build chain to self-signed root for signer "Apple Development: Amit (M2WMF2YERI)” .... Command CodeSign failed with a nonzero exit code When I checked the TeamID of User(Amit) I can see that his current TeamID is [P8ZW3W9R2Q]. There is mismatch of teamID in apple development certificate generation. Note- All certificates are generated with current TeamID[P8ZW3W9R2Q] of user (Amit) except Apple Development certificate which has been generated with TeamID [M2WMF2YERI] which is generated with old TeamID of user (Amit). I attempted to generate the apple development certificate multiple times but it is getting generated with old TeamID TeamID[M2WMF2YERI] of user(Amit)
 Summary- While creating a developer certificate using apple developer account and mapping it in keychain, the certificate is being generated with old apple account details (Inactive) instead of the current one. This is causing issues when using the certificate in keychain. If anyone has encountered this issue, how it was resolved?

I developed it as Unity. Originally, I updated Unity to the latest version to fix the problem of not being able to log in to Apple. That's when I found out my team ID had changed. The current Apple membership team ID is HBEMGSUAQ3, When I check "Automatically manage sing" in Xcode Selected with the team ID "ESB392LR64". Where did this team come from all of a sudden? I've only used "HVEMGSUAQ3" for a very long time. The change in ID was a test build while developing another project yesterday, but it changed then. If I manually select the provisioning profile of my project "Failed to install embedded profile for : 0xe800801f (Attempted to install a Beta profile without the proper entitlement.)" This error appears and the test installation is not possible.. So I created a new certificate, identifier, and profile. However, it continues to be created with the ID of "ESB392LR64". Keychain registration is also naturally registered with "ESB392LR64" status. Again, my team ID is "HVEMGSUAQ3" and there is no way to check "ESB392LR64" on my dev page... This situation suddenly appeared when my certificates were updated with the ID of "ESB392LR64" on June 12, and What I suspect is that I updated my MacBook to the latest version of OS on the day of the issue. Please let me know what's going on. I'm hoping it's not a big deal....

I have an app that only crashes once it's been notarised. I read a few posts that essentially said before trying to identify issues by reviewing the crash report I should ensure signing and notarisation has happened correctly. I've worked through the document "Resolving common notarization issues" spctl -vvv --assess --type exec: gives no errors and correctly returns my developer id. codesign -dvv: returns a timestamp My app uses a hardened runtime. My app shows up in Xcode as a macOS Archive (e.g not a Generic Xcode Archive) Here is the crash report. Translated Report (Full Report Below) Process: Scene Finder [44479] Path: /Users/USER/Downloads/Scene Finder.app/Contents/MacOS/Scene Finder Identifier: Version: 0.9 (20250206.1) Code Type: ARM-64 (Native) Parent Process: launchd [1] User ID: 501 Date/Time: 2025-02-11 13:09:03.7786 +1000 OS Version: macOS 15.3 (24D60) Report Version: 12 Anonymous UUID: EE8B1269-0A8A-3AB6-516B-C752E8A18B5A Sleep/Wake UUID: 436CD7CF-7B13-4A9C-9425-7EF94CC007A9 Time Awake Since Boot: 98000 seconds Time Since Wake: 9524 seconds System Integrity Protection: enabled Crashed Thread: 0 Dispatch queue: com.apple.main-thread Exception Type: EXC_CRASH (SIGABRT) Exception Codes: 0x0000000000000000, 0x0000000000000000 Termination Reason: Namespace SIGNAL, Code 6 Abort trap: 6 Terminating Process: Scene Finder [44479]

Can someone please describe what is necessary to perform signing using codesign in a system that runs as LaunchDaemon. All workarounds like placing the codesigning cert + private key a custom keychain and unlock it in the session of the LaunchDaemon doesn't work anymore on Sequoia. Or are there alternatives for signing MachO binaries without codesign?

I have created a XPC server and client using C APIs. I want to ensure that I trust the client, so I want to have a codesigning requirement on the server side, something like - xpc_connection_set_peer_code_signing_requirement(listener, "anchor apple generic and certificate leaf[subject.OU] = \"1234567\"") This checks if the client code was signed by a code-signing-identity issued by Apple and that the teamID in the leaf certificate is 1234567. My questions are- Is using teamID as a signing requirement enough? What else can I add to this requirement to make it more secure? How does xpc_connection_set_peer_code_signing_requirement work internally? Does it do any cryptographic operations to verify the clients signature or does it simply do string matching on the teamID? Is there a way actually verify the clients signature(cryptographically) before establishing a connection with the server? (so we know the client is who he claims to be)

We are developing an application for local file discovery and transfer. We applied to Apple for two permissions. One is com.apple.developer.networking.multicast, which supports the four provisioning profiles: Development, Ad hoc, App Store Connect, and Developer ID. The other is com.apple.developer.device-information.user-assigned-device-name, but Apple only approved it for Development and Ad hoc, without granting App Store Connect support. This prevents us from using the user-assigned-device-name permission in the archive. Could you please clarify the situation? How can we get user-assigned-device-name supported for App Store Connect?