Stapler Validate Failing

Code Signing General
SimonPowell OP
Created Jul ’24
Replies 4
Boosts 0
Views 366
Participants 2

When checking that a .dmg file is correctly stapled with the command

xcrun stapler validate -v file.dmg

I intermittently get errors like

Properties are {
      NSURLIsDirectoryKey = 0;
      NSURLIsPackageKey = 0;
      NSURLIsSymbolicLinkKey = 0;
      NSURLLocalizedTypeDescriptionKey = "Disk Image";
      NSURLTypeIdentifierKey = "com.apple.disk-image-udif";
      "_NSURLIsApplicationKey" = 0;
  }
  Codesign offset 0x1eb82c90 length: 15891
  Stored Codesign length: 15891 number of blobs: 5
  Total Length: 15891 Found blobs: 5
  Props are {
      cdhash = {length = 20, bytes = 0x07d207070853a23966374ae1b36e921148b3a5f3};
      digestAlgorithm = 2;
      flags = 73728;
      secureTimestamp = "2024-07-26 06:08:31 +0000";
      signingId = "SIGNED-file.dmg...
      [ Message content over the limit has been removed. ]
  }
   Headers: {
      "Content-Type" = "application/json";
  }
  Response is (null)
  error is Error Domain=NSURLErrorDomain Code=-1001 "The request timed out." UserInfo={_kCFStreamErrorCodeKey=-2102, NSUnderlyingError=0x6000012b4a80 {Error Domain=kCFErrorDomainCFNetwork Code=-1001 "(null)" UserInfo={_kCFStreamErrorCodeKey=-2102, _kCFStreamErrorDomainKey=4}}, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <82266119-065E-480C-B012-F30B48DB0F44>.<1>, _NSURLErrorRelatedURLSessionTaskErrorKey=(
      "LocalDataTask <82266119-065E-480C-B012-F30B48DB0F44>.<1>"
  ), NSLocalizedDescription=The request timed out., NSErrorFailingURLStringKey=https://api.apple-cloudkit.com/database/1/com.apple.gk.ticket-delivery/production/public/records/lookup, NSErrorFailingURLKey=https://api.apple-cloudkit.com/database/1/com.apple.gk.ticket-delivery/production/public/records/lookup, _kCFStreamErrorDomainKey=4}

I am not able to pin down the cause of this, could it be rate limiting on the API? Any other thoughts as to the cause?

Thanks.

Answered by DTS Engineer in 798005022
could it be rate limiting on the API?

That seems unlikely. As you can probably infer the from the verbose log, stapler simply uses URLSession to fetch the ticket from a CloudKit database. That’s failing with -1001, aka NSURLErrorTimedOut. That’s at transport error, meaning that there was a problem transporting the request to the server or getting the response back. If you were rate limited [1], you wouldn’t see this error, but some something from the server itself.

I suspect that this is being triggered by networking conditions, and specifically network conditions near you. If you want to dig deeper, the next step is a packet trace to see what’s happening on the wire.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] And, to be clear, I’m not even sure there is a rate limit for such requests.

Replies  4
Boosts  0
Views  366
Participants  2
DTS Engineer OP
Apple
Jul ’24
Recommended
could it be rate limiting on the API?

That seems unlikely. As you can probably infer the from the verbose log, stapler simply uses URLSession to fetch the ticket from a CloudKit database. That’s failing with -1001, aka NSURLErrorTimedOut. That’s at transport error, meaning that there was a problem transporting the request to the server or getting the response back. If you were rate limited [1], you wouldn’t see this error, but some something from the server itself.

I suspect that this is being triggered by networking conditions, and specifically network conditions near you. If you want to dig deeper, the next step is a packet trace to see what’s happening on the wire.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] And, to be clear, I’m not even sure there is a rate limit for such requests.

1
SimonPowell OP
Jul ’24

Thanks for the reply that makes sense, particularly as further investigation shows that only one of eleven machines on the same subnet are having this issue. I have compared configuration between working and non-working machines and can not see any differences. I have also sent a network capture to a network specalist. Do you have any other thoughts on what might cause this behaviour?

0
DTS Engineer OP
Apple
Aug ’24
Do you have any other thoughts on what might cause this behaviour?

No, but I do have a diagnostic suggestion. On the problematic machine, try to talk to the CloudKit server using curl. For example:

% curl -D /dev/stderr "https://api.apple-cloudkit.com/database/1/com.apple.gk.ticket-delivery/production/public/records/lookup"
HTTP/1.1 404 Not Found
…

This fails with a 404, because the request is malformed, but it confirms that I can reach the server. So:

  • If curl works you know that the networking is OK and the issue is with the Mac’s configuration.

  • OTOH, if curl fails as well, it’s likely that this is a network configuration issue.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0
SimonPowell OP
Aug ’24

Found the problem. Tried curl as you suggest and the DNS lookup failed. However the nslookup command could resolve the address.

I flushed the DNS cache / restarted DNS (?):

sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder

and all is now working as expected.

Thanks for your guidance and encouragement.

0
Stapler Validate Failing
First post date Last post date
 
 
Q