Hello @eskimo (or whoever can help): our company builds a product which is delivered outside the App Store as a pkg. It contains a launch daemon which is a .NET binary, built on an external build server and signed. Then the whole pkg is notarized.
The build server is macOS 10.15.7 (Catalina)
On macOS 13.x I can launch the daemon in Terminal without problem, but on Sonoma public beta I get "killed by Signal:9" and in Console I get:
"standard 07:44:53.694349-0700 kernel ASP: Security policy would not allow process: 1377, /Library/PrivilegedHelperTools/com.ThinPrint.TPACCloud/TPACCloud.Service"
This happens on both Intel and Apple CPU VMs.
Also, when I disable SIP the error does not show up anymore and the binary runs like a charm.
What has changed between macOS 13 and macOS 14?
The binary entitlements:
com.apple.security.cs.allow-jit
com.apple.security.cs.allow-unsigned-executable-memory
com.apple.security.cs.disable-executable-page-protection
com.apple.security.cs.allow-dyld-environment-variables
com.apple.security.cs.disable-library-validation
The command to code sign:
/usr/bin/codesign --force --options=runtime --timestamp --entitlements "#{absolutePathToEntitlement}" --sign "#{applicationCertname}" "#{tPACCLOUD_ARTEFACTS_X64}/#{item}"
where #{item} are the binaries and .dylibs
MyPythonExe is a compiled file built from a Python script using PyInstaller. After compiling, it was signed using codesign:
codesign -s "Developer ID TTT" -o runtime -f --timestamp MyPythonExe
Once signed, the exe was placed in a Zip container (exeZip), and then successfully notarized using the following:
xcrun notarytool submit exeZip --keychain-profile "MyNotarProf" --wait
It was accepted.
Now, when I try to run it, the following error is thrown (oddly, the compiled unsigned exe runs on the same computer without any issues):
admin@admins-MacBook-Air ~ % /Users/admin/Downloads/MyPythonExe ; exit;
[1767] Error loading Python lib '/var/folders/80/35xy0t2n3t96b5nl5ldl24_r0000gn/T/_MEIEhOx1q/Python': dlopen: dlopen(/var/folders/80/35xy0t2n3t96b5nl5ldl24_r0000gn/T/_MEIEhOx1q/Python, 0x000A): tried: '/var/folders/80/35xy0t2n3t96b5nl5ldl24_r0000gn/T/_MEIEhOx1q/Python' (code signature in <88BFFD37-99D8-36AB-9B95-9F54B30BD667> '/private/var/folders/80/35xy0t2n3t96b5nl5ldl24_r0000gn/T/_MEIEhOx1q/Python' not valid for use in process: mapped file has no Team ID and is not a platform binary (signed with custom identity or adhoc?)), '/System/Volumes/Preboot/Cryptexes/OS/var/folders/80/35xy0t2n3t96b5nl5ldl24_r0000gn/T/_MEIEhOx1q/Python' (no such file), .... (+ a couple of similar errors)
Note: the said exe file (MyPythonExe) was signed and successfully notarized. Oddly, the very same file, but unsigned, runs perfectly well (after being authorized so it can get past Gatekeeper, of course). What could be going on here? Any hint on how to overcome this issue?
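The dlopen failure above, and the ASP denial in the first post, both come down to what the code signature embedded in each Mach-O actually claims: a hardened-runtime process (signed with --options runtime) may only load libraries whose signature carries the same Team ID, or Apple platform code, unless it holds com.apple.security.cs.disable-library-validation. A PyInstaller one-file executable extracts its payload into /var/folders/.../_MEI... at run time, so signing the outer executable does nothing for the Python library extracted from it. The script below is an added example, not code from either post or from PyInstaller, that reads the identifier, Team ID and entitlements straight out of a Mach-O's LC_CODE_SIGNATURE SuperBlob, so a CI job can check every file that will be loaded before notarizing. It handles thin 64-bit Mach-O only (fat binaries need lipo -thin first), parses XML entitlements only (slot 7, the DER form, is ignored), and the fixture it builds for the self-test is a constructed, non-loadable stub, not a real binary. It reports what the signature claims; it does not verify hashes or the certificate chain, which is what codesign --verify is for.

```python
import plistlib
import struct
import sys

MH_MAGIC_64 = 0xFEEDFACF              # thin 64-bit Mach-O, little-endian header
LC_CODE_SIGNATURE = 0x1D              # linkedit_data_command pointing at the signature SuperBlob
CSMAGIC_EMBEDDED_SIGNATURE = 0xFADE0CC0
CSMAGIC_CODEDIRECTORY = 0xFADE0C02
CSMAGIC_EMBEDDED_ENTITLEMENTS = 0xFADE7171
CSSLOT_CODEDIRECTORY = 0
CSSLOT_ENTITLEMENTS = 5               # XML entitlements; slot 7 holds the DER form, not parsed here


def find_code_signature(data):
    """Locate LC_CODE_SIGNATURE; returns (dataoff, datasize) or None when the file is unsigned."""
    magic, _, _, _, ncmds, _, _, _ = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("only thin 64-bit Mach-O handled here (run lipo -thin on fat binaries)")
    off = 32
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmd == LC_CODE_SIGNATURE:
            return struct.unpack_from("<2I", data, off + 8)
        off += cmdsize
    return None


def parse_superblob(sig):
    """SuperBlob is big-endian: magic, length, count, then (slot, offset) index entries."""
    magic, _, count = struct.unpack_from(">3I", sig, 0)
    if magic != CSMAGIC_EMBEDDED_SIGNATURE:
        raise ValueError("LC_CODE_SIGNATURE does not point at an embedded signature SuperBlob")
    blobs = {}
    for i in range(count):
        slot, boff = struct.unpack_from(">2I", sig, 12 + 8 * i)
        bmagic, blen = struct.unpack_from(">2I", sig, boff)
        blobs[slot] = (bmagic, sig[boff:boff + blen])
    return blobs


def cstring(buf, off):
    return buf[off:buf.index(b"\0", off)].decode("utf-8")


def inspect_signature(data):
    """Report identifier, Team ID and entitlements as claimed by the signature.
    No hash or CMS certificate-chain verification happens here; use codesign --verify for that."""
    loc = find_code_signature(data)
    if loc is None:
        return {"signed": False}
    dataoff, datasize = loc
    blobs = parse_superblob(data[dataoff:dataoff + datasize])
    info = {"signed": True, "identifier": None, "team_id": None, "entitlements": {}}
    cd = blobs.get(CSSLOT_CODEDIRECTORY)
    if cd and cd[0] == CSMAGIC_CODEDIRECTORY:
        body = cd[1]
        version, = struct.unpack_from(">I", body, 8)
        ident_off, = struct.unpack_from(">I", body, 20)
        info["identifier"] = cstring(body, ident_off)
        if version >= 0x20200:                      # teamOffset field exists from this version on
            team_off, = struct.unpack_from(">I", body, 48)
            if team_off:
                info["team_id"] = cstring(body, team_off)
    ent = blobs.get(CSSLOT_ENTITLEMENTS)
    if ent and ent[0] == CSMAGIC_EMBEDDED_ENTITLEMENTS:
        info["entitlements"] = plistlib.loads(ent[1][8:])   # skip the 8-byte blob header
    return info


def build_sample_macho(identifier, team_id, entitlements):
    """Constructed fixture, not a real binary: header + LC_CODE_SIGNATURE + a SuperBlob holding
    a hash-less CodeDirectory and an entitlements blob. Enough to exercise the parser offline."""
    ident_b = identifier.encode() + b"\0"
    team_b = team_id.encode() + b"\0" if team_id else b""
    cd = struct.pack(">IIIIIIIIIBBBBI", CSMAGIC_CODEDIRECTORY, 52 + len(ident_b) + len(team_b),
                     0x20200, 0, 0, 52, 0, 0, 0, 32, 2, 0, 12, 0)
    cd += struct.pack(">II", 0, 52 + len(ident_b) if team_b else 0) + ident_b + team_b
    xml = plistlib.dumps(entitlements)
    ent = struct.pack(">II", CSMAGIC_EMBEDDED_ENTITLEMENTS, 8 + len(xml)) + xml
    index_end = 12 + 8 * 2
    sb = struct.pack(">III", CSMAGIC_EMBEDDED_SIGNATURE, index_end + len(cd) + len(ent), 2)
    sb += struct.pack(">II", CSSLOT_CODEDIRECTORY, index_end)
    sb += struct.pack(">II", CSSLOT_ENTITLEMENTS, index_end + len(cd)) + cd + ent
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 1, 16, 0, 0)   # arm64, MH_EXECUTE
    lc = struct.pack("<4I", LC_CODE_SIGNATURE, 16, 32 + 16, len(sb))
    return header + lc + sb


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_sample_macho(
        "com.example.helper", "ABCDE12345", {"com.apple.security.cs.disable-library-validation": True})
    print(inspect_signature(data))
```

Run it over every Mach-O that ends up inside the package (the daemon, its dylibs, and for PyInstaller the files it will extract): anything that comes back with team_id None is exactly what the "mapped file has no Team ID" message is complaining about, and a hardened-runtime host with no disable-library-validation entitlement will refuse to load it.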
Hi, I work for a company that makes an iPad app, and we have requested the user-assigned-device-name entitlement multiple times and been rejected every time.
I am familiar with the requirements listed here. I'm just wondering if anybody else who needed this entitlement ran into any surprises, e.g. "I thought that ____ was in line with their requirements but it turns out they really care about _____".
Alternatively if anyone knows how to get someone at Apple to tell us why it was rejected, that would be cool too.
Thanks!
Hello!
I'm curious about how com.apple.developer.hid.virtual.device entitlement works with apps. So the documentation hints that it should only be used within a driver. However, on macOS 13 I can successfully compile an app and create a virtual HID device.
On earlier versions, such as macOS 12, the app crashes on launch and there's a message in the console:
ASI found [libsystem_secinit.dylib] (sensitive) 'failed to compile sandbox profile
/System/Library/Sandbox/Profiles/application.sb:1010:15: unbound variable:
iokit-user-client-class-name
'
Everything seems to be working with the sandbox turned off. Is there a way to use the aforementioned entitlement in a sandboxed app or should I fall back to DriverKit?
Hi..
I have created a free Apple developer account for the purpose of learning iOS development. On my MacBook Air M2, two certificates (Apple Development certificates) were created by Xcode automatically; these certificates have an expiry of 1 year from the date of creation.
Kindly tell me what will happen after these certificates expire. Will I be able to create new certificates with my free developer account?
Will Xcode be able to create new certificates in the same way after these certificates expire?
Or do the existing certificates need to be renewed?
I request you to please clarify these points as per the entitlements of my free developer account.
Also, what is the maximum number of certificates that can be created by Xcode?
I tried to search on internet but could not find any source which can clear these queries.
Regards
Hello everyone, I seem to have a problem with networking-multicast permissions.
The program we developed uses the UPnP protocol, so we applied for networking-multicast permission for our development plan.
Reference: https://developer.apple.com/contact/request/networking-multicast
After that, we checked Multicast Networking under Additional Capabilities for our identifier and updated the profiles.
After rebuilding the program, the program can find UPnP devices in the network on my iPhone, and it does work.
The program is developed using Flutter, runs on both iOS/Android platforms, and has both professional and regular versions.
Each platform and version works properly on its own.
When only one program is installed on an iOS device, everything is fine.
But if two programs are installed on the same device at the same time (for example, our professional version and normal version, BundleID is different), various problems will occur:
case 1:
Install the normal version
Start the normal version: Does work
case 2:
Install the professional version
Start the professional version: Does work
case 3:
Install the normal version
Install the professional version
Start the normal version: Unable to discover UPnP device
Start the professional version: Unable to discover UPnP device
case 4:
Install the professional version
Install the normal version
Start the professional version: Unable to discover UPnP device
Start the normal version: Unable to discover UPnP device
case 5:
Install the normal version
Start the normal version: Does work
Install the professional version
Start the professional version: Does work
case 6:
Install the professional version
Start the professional version: Unable to discover UPnP device
Install the normal version
Start the normal version: Unable to discover UPnP device
Sum up the phenomenon:
There is no problem with installing a separate program.
Install two programs at the same time: it will work only if it is executed in a specific order (case 5).
Add a few points:
1. We use Flutter; iOS and Android share the same code. There is no problem with the above cases on Android.
2. We use flutter_flavor (reference: https://pub.dev/packages/flutter_flavor) to configure the ordinary version and the professional version.
3. In all cases where problems occur, the system pop-up requesting networking-multicast permission does not appear. It looks like UPnP is not working because of permissions.
4. In all cases only one application runs at any time. Before starting the new program, we forcibly exit the other program to ensure that the port is released.
5. We found UPnP programs by other developers on the App Store which do not conflict with our regular version or professional version; both sides work properly.
We think this looks like a bug of the iOS system.
I wonder if anyone else has encountered a similar situation?
Would you like to give us a hint of the direction of our solution?
Thank you very much.
Or at least, I wonder if anyone can help us figure out whether this problem is the bug of the iOS system or the problem of our program itself.
Thanks a lot.
I have a sandboxed/hardened app that is distributed outside of the MacAppStore. I want to allow the app to auto-update itself.
I currently have the ability in the app to figure out if there is a newer version which then informs the user and gives them an option to download the app (currently it downloads to ~/Downloads in the app container). The app comes as a simple zip file that only includes the app itself. Once downloaded, then NSWorkspace.shared.open(URLtoDownloadedUpdate) will expand the zip and place the app in ~/Downloads.
What I want is for it to replace the current version of the app with this newly downloaded version. Is this possible?
First, how do I find out where the old app is stored? And then how do I replace it with the new version when the old app is still running?
I realize many people use Sparkle to do this instead of rolling their own. I simply do not want to depend on a third party.
Hi!
I've applied for and received the multicast networking entitlement. I'm befuddled as to how to apply it. I'm somewhat new to iOS development.
I've followed the instructions in this developer page as per the instructions in the email confirmation I received re entitlement granting.
https://developer.apple.com/forums/thread/663271
I've logged into my developer account, navigated to identifiers, and checked/enabled Multicast Networking under Additional Capabilities and saved them.
What do I do next? I've re-started Xcode but this new capability does not show up in my app.
I've tried running codesign utility but the examples in the above url don't work.
Any pointers/suggestions as to how to get this entitlement into my app?
Thanks,
Bobby
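Enabling Multicast Networking on the App ID only tells Apple's provisioning service that profiles for that identifier may carry the entitlement; the app itself still has to request it in its .entitlements file, and a provisioning profile regenerated after the capability was enabled must be installed, or codesign will reject the build. The fragment below is an added example, not taken from either multicast post above; the key name is the one Apple uses for this entitlement, and the file name is an assumption.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- MyApp.entitlements: requested by the app; it only takes effect when the
         provisioning profile used to sign the build also carries this key -->
    <key>com.apple.developer.networking.multicast</key>
    <true/>
</dict>
</plist>
```

After a build, `codesign -d --entitlements - path/to/MyApp.app` shows whether the key actually made it into the signature; if it is missing, the usual cause is a profile downloaded before the capability was turned on for the App ID. For the two-bundle-ID case in the earlier post, both App IDs need the capability enabled and both apps need their own regenerated profile.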
Hello, I want to modify an app bundle on my MacBook Air, but I am having some trouble.
If I try to sign with my dev certificate (created with Xcode), an invalid signature error appears:
/Applications/Foo.app/Contents/MacOS/Foo not valid: Error Domain=AppleMobileFileIntegrityError Code=-423 "The file is adhoc signed or signed by an unknown certificate chain" UserInfo={NSURL=file:///Applications/Foo.app/Contents/MacOS/Foo, NSLocalizedDescription=The file is adhoc signed or signed by an unknown certificate chain}
If I modify the Mach-O binary in the folder, the app cannot be started.
So what should I do? Thanks!
Hi there,
I could use some help with notarizing. I'm developing a Python module in the Rust programming language. The extension of the resulting library file is .so, which is necessary for Python to see it, instead of the regular .dylib. I compile this library for both apple silicon and intel.
When a user first imports the module, which in turn loads the library, the user is confronted with Gatekeeper.
So I guess I need to notarize the module file. And that's where I'm stuck. I created an Apple developer account, created a "Developer ID Application" certificate and used codesign to sign the .so file with it. That worked.
I then used ditto to create a zip file with just the .so file: "ditto -c -k --keepParent my_module.so my_module.zip"
The 600 kb file quickly uploads to Apple and I get an ID for checking the logs later on. Then I wait for the progress........ And nothing happens for hours on end. When I check the logs for the provided ID I get this message: "Submission log is not yet available or submissionId does not exist"
I also checked if perhaps the notarization did work regardless of the above, with "spctl -a -t exec -vvv ./my_module.so". Says it's rejected, source=Unnotarized Developer ID.
There is not much that I can work with, because I don't get an error message. Any ideas?
Have fun,
Wybren
I created a driver using DriverKit on Intel macOS 12.6.1 and Xcode 13.3. I enabled auto-manage signing, and set the signing certificate to 'Sign to Run Locally'. Then, I created a provision profile for the driver and selected my M1 test device. After installing the profile, I ran the app on the M1 device and successfully activated the driver.
However, when I tried to compile the project on M1 macOS 13.3 with Xcode 14.3.1, I encountered an error. It appears that DriverKit does not support the 'Sign to Run Locally' option on M1 devices. To resolve this issue, I switched to using the 'Apple Development' signing certificate. Unfortunately, even after making this change, I still received an error message regarding 'Sign to Run Locally' from the Xcode console.
Both devices are logged in with the same developer account. Could you please advise me on how to resolve this problem?
iig:
#include <Availability.h>
#include <DriverKit/IOService.iig>
#include <DriverKit/IOUserClient.iig>
//class OSAction;
class epusbfilter: public IOService
{
public:
virtual bool init() override;
virtual kern_return_t Start(IOService * provider) override;
virtual kern_return_t Stop(IOService * provider) override;
virtual void free() override;
virtual kern_return_t GetRegistryEntryID(uint64_t * registryEntryID) override;
};
cpp:
#include <os/log.h>
#include <DriverKit/IOUserServer.h>
#include <DriverKit/IOLib.h>
#include <USBDriverKit/IOUSBHostInterface.h>
#include <USBDriverKit/IOUSBHostPipe.h>
#include "epusbfilter.h"
#define Log(fmt, ...) os_log(OS_LOG_DEFAULT, "epusbfilter - no super," fmt "\n", ##__VA_ARGS__)
struct epusbfilter_IVars
{
IOUSBHostInterface *interface;
IOUSBHostPipe *inPipe;
OSAction *ioCompleteCallback;
IOBufferMemoryDescriptor *inData;
uint16_t maxPacketSize;
};
bool epusbfilter::init() {
bool result = false;
Log("init");
result = super::init();
return result;
}
void epusbfilter::free() {
super::free();
Log("free");
}
kern_return_t
IMPL(epusbfilter, Start)
{
kern_return_t ret;
Log("Start");
ret = Start(provider, SUPERDISPATCH);
return ret;
}
kern_return_t
IMPL(epusbfilter, Stop)
{
kern_return_t ret = kIOReturnSuccess;
Log("Stop");
ret = Stop(provider, SUPERDISPATCH);
return ret;
}
kern_return_t
IMPL(epusbfilter, GetRegistryEntryID) {
Log("GetRegistryEntryID");
return GetRegistryEntryID(registryEntryID, SUPERDISPATCH);
}
info.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>IOKitPersonalities</key>
<dict>
<key>epusbfilter</key>
<dict>
<key>CFBundleIdentifier</key>
<string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
<key>CFBundleIdentifierKernel</key>
<string>com.apple.kpi.iokit</string>
<key>IOProviderClass</key>
<string>IOUSBHostInterface</string>
<key>IOClass</key>
<string>IOUserUserClient</string>
<!-- <key>IOResourceMatch</key>-->
<!-- <string>IOKit</string>-->
<key>IOUserClass</key>
<string>epusbfilter</string>
<key>IOUserServerName</key>
<string>com.injection.epusbfilter.dext</string>
<key>bConfigurationValue</key>
<integer>1</integer>
<key>bInterfaceNumber</key>
<integer>0</integer>
<key>idVendor</key>
<string>*</string>
<key>idProduct</key>
<string>*</string>
<key>UserClientProperties</key>
<dict>
<key>IOClass</key>
<string>IOUserUserClient</string>
<key>IOUserClass</key>
<string>epusbfilter</string>
</dict>
</dict>
</dict>
</dict>
</plist>
entitlements:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.developer.driverkit</key>
<true/>
<key>com.apple.developer.driverkit.transport.usb</key>
<array>
<dict>
<key>idVendor</key>
<string>*</string>
<key>idProduct</key>
<string>*</string>
</dict>
</array>
</dict>
</plist>
I'm integrating the Notary API in our CI/CD pipelines.
It all works well for notarization, but there is no mention of how to obtain the signing ticket nor how to staple it to the dmg.
Do I need to use for that the:
xcrun stapler staple
I was hoping that with use of the Notary API, I could avoid requiring the Xcode tools and a Developer ID on the machine.
Hi,
I have a notarised system extension for macOS; we use a network extension for a content filter. In debug it works and asks for permission, but when I notarise it, it doesn't work any more...
Any help appreciated.
Hello,
What is the key for In-App Purchases entitlement I can add to my app.entitlements file in my project, so that I can autonomously enable the In-App Purchase capability?
I have searched far a wide for this, however, it's unclear where it can be located. I know I can enable this capability manually by opening Xcode -> Selecting the "Signing & Capabilities" tab -> selecting "+ Capability" -> selecting "In-App Purchase" capability.
However, this is not really an ideal solution for adding the capability to my app, especially when automated processes for building, testing and distributing via CI/CD are integrated. It would be beneficial to be able to reference some documentation or resources for enabling capabilities (or any other build settings) autonomously in a project as opposed to having to manually click my way through enabling them.
Looking forward to hearing back. Thanks!
I'm running into a code signing issue with an (existing) app that I recently started working on. I haven't run into this problem with other apps built on the same computer using the same framework (Capacitor).
When I try to build the app from Xcode, either to run on a linked iPhone or to archive/publish, I get the error message: "Command PhaseScriptExecution failed with a nonzero exit code"
That script fails when running /usr/bin/codesign and shows the message errSecInternalComponent. I tried running the same command directly in the terminal and got the same error message.
I started going through this forum post and the initial sanity check failed. I ran this from a local terminal, not over ssh or inside tmux. I didn't get any dialog prompts when running it, though that may make sense since I was already logged in:
$ cp /usr/bin/true MyTrue
$ codesign -s "Apple Development: ..." -f MyTrue
MyTrue: replacing existing signature
MyTrue: errSecInternalComponent
$ echo $?
1
The identity I attempted to use is listed by security find-identity -p codesigning in both the "Matching identities" and "Valid identities only" sections. Keychain Access shows that the certificate is valid.
I've tried restarting the computer. I've tried cleaning the build folder from Xcode. Any other suggestions for diagnosing and/or fixing the problem?
Hi
I'm using a library in my project which creates, modifies and reads a file in iConf. How do I get access for the app to read from that file?
Thanks,
Filip
I am having an issue trying to notarize an app with a bundled binary using notarytool. Everything is signed properly, but the notarization status of every submission I've tried over the past two days has just been stuck on In Progress. I even tried submitting something else, but this is also stuck on In Progress.
Successfully received submission history.
history
--------------------------------------------------
createdDate: 2023-10-01T15:34:36.959Z
id: 8461c5b0-51d0-4c00-8391-4dcb541f2ccf
name: flot.zip
status: In Progress
--------------------------------------------------
createdDate: 2023-10-01T15:13:46.537Z
id: 4fd3e79c-74e2-4824-bc5c-c63c305243c3
name: flot.zip
status: Invalid
--------------------------------------------------
createdDate: 2023-10-01T14:29:52.668Z
id: fc8bc0ae-8e17-4286-86b5-48d71d08175c
name: flot-Mac-2.0.0-Installer.dmg
status: In Progress
I looked at other posts with this problem and didn't find anything that worked.
I used Keychain Access and Certificate Assistant to create a CSR; I uploaded that on the portal. Downloaded the certificate, and I get that error whenever I try to import it. I can import it into the System one, but then it's untrusted, and I still can't export it as a p12 file.
This is one of the few times I did everything by reading the documentation as I did it, so I'm very confused.
When I try to store my credentials using the notary tool, I get the following:
/Applications/Xcode.app/Contents/Developer/usr/bin/notarytool store-credentials --verbose
[00:44:33.975Z] Debug [MAIN] Running notarytool version: 1.0.0 (27), date: 2023-10-03T00:44:33Z, command: /Applications/Xcode.app/Contents/Developer/usr/bin/notarytool store-credentials --verbose
This process stores your credentials securely in the Keychain. You reference these credentials later using a profile name.
Profile name:
build
We recommend using App Store Connect API keys for authentication. If you'd like to authenticate with an Apple ID and app-specific password instead, leave this unspecified.
Path to App Store Connect API private key:
./private_keys/AuthKey_QHBB38VH7L.p8
App Store Connect API Key ID:
storieddata
App Store Connect API Issuer ID:
69a6de6f-872e-47e3-e053-5b8c7c11a4d1
Validating your credentials...
[00:45:08.825Z] Info [API] Initialized Notary API with base URL: https://appstoreconnect.apple.com/notary/v2/
[00:45:08.826Z] Info [API] Preparing GET request to URL: https://appstoreconnect.apple.com/notary/v2/test?, Parameters: [:], Custom Headers: private<Dictionary<String, String>>
[00:45:08.827Z] Debug [JWT] Generating new JWT for key ID: storieddata.
[00:45:08.829Z] Info [JWT] Caching newly generated JWT. key ID: storieddata, JWT: private<String>
[00:45:08.830Z] Debug [AUTHENTICATION] Authenticating request with App Store Connect API credentials. Key ID: storieddata, Issuer ID: 69a6de6f-872e-47e3-e053-5b8c7c11a4d1
[00:45:08.831Z] Debug [TASKMANAGER] Starting Task Manager loop to wait for asynchronous HTTP calls.
[00:45:09.243Z] Debug [API] Received response status code: 401, message: unauthorized, URL: https://appstoreconnect.apple.com/notary/v2/test?, Correlation Key: ZYHO7EDNX52XJBTRMIOUWGIVZI
[00:45:09.244Z] Error [API] Received non-JSON response body from Notary API, URL: https://appstoreconnect.apple.com/notary/v2/test?
[00:45:09.245Z] Error [TASKMANAGER] Completed Task with ID 1 has encountered an error.
[00:45:09.246Z] Debug [TASKMANAGER] Ending Task Manager loop.
Credential validation failed. Please verify your inputs.
I have double checked the input, and everything is correct.
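A 401 on /notary/v2/test means Apple rejected the JSON Web Token that notarytool built from the three inputs, before looking at anything else. The token Apple expects is well documented: header {"alg":"ES256","kid":<key ID>,"typ":"JWT"}, claims with iss = issuer ID, iat/exp no more than 20 minutes apart, aud = "appstoreconnect-v1", signed with the .p8 key. The downloaded key file is named AuthKey_<KEYID>.p8, so the key ID, the file name and the issuer ID can be cross-checked offline before any credentials are stored. The script below is an added example, not part of notarytool or of the post above: check_asc_inputs flags inconsistent inputs, build_unsigned_jwt produces the exact bytes that get signed, and sign_jwt (which needs the third-party cryptography package and is optional) does the ES256 signature, converting the DER signature to the raw r||s form JWT requires. The 10-uppercase-alphanumeric key ID format is assumed from the file-name convention and is labelled as such in the code.

```python
import base64
import json
import os
import re
import time

# Assumed format: App Store Connect key IDs are 10 uppercase alphanumerics, as in AuthKey_<KEYID>.p8
KEY_ID_RE = re.compile(r"^[A-Z0-9]{10}$")
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
ASC_AUDIENCE = "appstoreconnect-v1"
MAX_LIFETIME = 20 * 60          # Apple rejects tokens whose exp is more than 20 minutes after iat


def check_asc_inputs(key_path, key_id, issuer_id):
    """Return a list of problems with the three values store-credentials asks for.
    An empty list means they are self-consistent; it does not prove the key is accepted by Apple."""
    problems = []
    if not KEY_ID_RE.match(key_id):
        problems.append(f"key ID {key_id!r} is not a 10-character App Store Connect key ID")
    if not UUID_RE.match(issuer_id.lower()):
        problems.append(f"issuer ID {issuer_id!r} is not a UUID")
    base = os.path.basename(key_path)
    m = re.match(r"^AuthKey_([A-Z0-9]{10})\.p8$", base)
    if m is None:
        problems.append(f"{base!r} does not follow the AuthKey_<KEYID>.p8 naming of a downloaded key")
    elif m.group(1) != key_id:
        problems.append(f"key file is for key ID {m.group(1)}, but key ID {key_id!r} was given")
    return problems


def b64url(raw: bytes) -> str:
    """JWT uses unpadded base64url."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def build_unsigned_jwt(key_id, issuer_id, now=None, lifetime=MAX_LIFETIME):
    """Header and claims of an App Store Connect API token, plus the bytes that get signed."""
    now = int(time.time() if now is None else now)
    header = {"alg": "ES256", "kid": key_id, "typ": "JWT"}
    claims = {"iss": issuer_id, "iat": now, "exp": now + min(lifetime, MAX_LIFETIME), "aud": ASC_AUDIENCE}
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))
    signing_input = (compact(header) + "." + compact(claims)).encode("ascii")
    return header, claims, signing_input


def sign_jwt(signing_input: bytes, pem_private_key: bytes) -> str:
    """ES256-sign with the .p8 key (needs the 'cryptography' package, not used by the checks above).
    JWT wants the raw 64-byte r||s signature, not the DER encoding that key.sign() returns."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import ec
    from cryptography.hazmat.primitives.asymmetric.utils import decode_dss_signature

    key = serialization.load_pem_private_key(pem_private_key, password=None)
    r, s = decode_dss_signature(key.sign(signing_input, ec.ECDSA(hashes.SHA256())))
    return signing_input.decode("ascii") + "." + b64url(r.to_bytes(32, "big") + s.to_bytes(32, "big"))


if __name__ == "__main__":
    # The three values from the transcript above, checked for consistency before storing anything.
    for p in check_asc_inputs("./private_keys/AuthKey_QHBB38VH7L.p8", "storieddata",
                              "69a6de6f-872e-47e3-e053-5b8c7c11a4d1"):
        print("problem:", p)
```

Running the main block against the values in the transcript prints every inconsistency it finds between the key file name, the key ID and the issuer ID; fixing those until the list is empty is the first thing to do before retrying store-credentials, because a token whose kid does not match the key that signed it is rejected with exactly this 401.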
Hey everyone,
while trying to codesign an x86_64 Python app on an arm64 system, I often stumble across a Rosetta error like the one depicted here:
rosetta error: unable to mmap __TEXT: 1
/var/db/oah/.../.../libomp.dylib.aotzsh: abort PYTORCH_ENABLE_MPS_FALLBACK=1 ./diarize_x86_64 mps
This happens after I codesign the app and then try to run it in a Rosetta2 zsh. This thread is not about the error itself (since I am trying to solve it somewhere else). It is about making this rosetta error more verbose so we can actually work with it. If I run this app/executable on a native x86_64 system, the error is much more informative (and it can actually be debugged):
error dlopen(/var/folders/ws/***/T/yyy/sklearn/__check_build/_check_build.cpython-39-darwin.so, 2): Library not loaded: @rpath/libomp.dylib
Referenced from: /var/folders/ws/***/T/yyy/sklearn/__check_build/_check_build.cpython-39-darwin.so
Reason: no suitable image found. Did find:
/private/var/folders/ws/***/T/yyy/sklearn/__check_build/../../libomp.dylib: code signing blocked mmap() of '/private/var/folders/ws/***/T/yyy/sklearn/__check_build/../../libomp.dylib'
___________________________________________________________________________
Contents of /var/folders/ws/***/T/yyy/sklearn/__check_build:
__init__.py __pycache__ _check_build.cpython-39-darwin.so
___________________________________________________________________________
It seems that scikit-learn has not been built correctly.
If you have installed scikit-learn from source, please do not forget
to build the package before using it: run `python setup.py install` or
`make` in the source directory.
If you have used an installer, please check that it is suited for your
Python version, your operating system and your platform.
It would be great if we could get this output using a Rosetta 2 zsh on an arm64 system, because the simple rosetta error is hard (or impossible) to debug. Is there a way to do this?