Code Signing from a Makefile on macOS 15

Hello, my team is trying to fix a code signing issue with our app. Our production build works, but our debug build broke after upgrading to macOS 15. This is because our app contains an app extension that can no longer access our app group container after the upgrade to macOS 15. It looks like this is due to ~/Library/Group Containers being protected by SIP now.

We were not code signing our debug app, and now security is stricter. Because of historical reasons, we need to use a Makefile to build our app instead of just using Xcode. We are trying to determine the best way to sign our debug app.

It looks like our app extension is able to access our app group container if we sign the app with a developer certificate. However, we are wondering if the developer certificate is required. We see that Xcode can sign debug builds with the “-” code signing identity. We tried doing this from our Makefile in the same way we sign with the developer certificate, but it doesn’t work. Is this expected behavior?

I’m gonna start by pointing you at App Groups: macOS vs iOS: Fight!, which explains app groups, and the new app group container protection feature, in some detail.

If you have follow-up questions, please post them here. Make sure to say whether you’re using a macOS- or iOS-style app group ID.

> We see that Xcode can sign debug builds with the “-” code signing identity.

Right. That results in an ad hoc code signature (Signed to Run Locally in Xcode parlance). You can certainly sign stuff ad hoc, but it generally causes more problems than it solves. I talk about this in some detail in TN3127 Inside Code Signing: Requirements.

I think it’d be best to resolve your app group issue rather than start down this path.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
