Demystify code signing and its importance in app development. Get help troubleshooting code signing issues and ensure your app is properly signed for distribution.

Post

Replies

Boosts

Views

Activity

Max OS X App Bundle Framework folder
Hi, the documentation says that an application bundle for Mac OS X can have a Frameworks folder within Contents. Using a framework for console applications (no bundle) and GUI applications (bundle), I cannot load the console applications anymore on Ventura. Prior to Ventora I have tested and ran both on Mojave or earlier - I am not sure. To fix the issue, I have moved the frameworks within the application bundle to match the rpath for /Users/lothar/Library/Frameworks when I place the console into /Users/lothar/bin, the same rpath for application bundles works for those within the bin folder. Can I publish an application bundle with that modified layout or do I have to expect getting problems and do rather a Symlink pointing from /Users/lothar/Frameworks to /Users/lothar/Library/Frameworks? Thanks, Lothar
1
0
281
Oct ’24
Issue while adding App to Archive
CodeSign /Users/abc007/Library/Developer/Xcode/DerivedData/App-fjztkcxqsstohgfvqdfnedgpwltj/Build/Intermediates.noindex/ArchiveIntermediates/App/InstallationBuildProductsLocation/Applications/App.app (in target 'App' from project 'App') cd /Users/abc007/Documents/WorkSpace/RegulusIT/Release_Oct_2024/UI\ Backup/ios/App Signing Identity: "Apple Development: Yatin Ghat (JS84GYN3O4)" Provisioning Profile: "iOS Team Provisioning Profile: www.rightschool.net" (bdc0759d-b9d0-4470-8e3f-b5b67d3c2586) /usr/bin/codesign --force --sign 82C0E5904219E333688CE627A21522F732446038 --entitlements /Users/abc007/Library/Developer/Xcode/DerivedData/App-fjztkcxqsstohgfvqdfnedgpwltj/Build/Intermediates.noindex/ArchiveIntermediates/App/IntermediateBuildFilesPath/App.build/Release-iphoneos/App.build/App.app.xcent --generate-entitlement-der /Users/abc007/Library/Developer/Xcode/DerivedData/App-fjztkcxqsstohgfvqdfnedgpwltj/Build/Intermediates.noindex/ArchiveIntermediates/App/InstallationBuildProductsLocation/Applications/App.app /Users/abc007/Library/Developer/Xcode/DerivedData/App-fjztkcxqsstohgfvqdfnedgpwltj/Build/Intermediates.noindex/ArchiveIntermediates/App/InstallationBuildProductsLocation/Applications/App.app: errSecInternalComponent Command CodeSign failed with a nonzero exit code
1
0
237
Oct ’24
Launch Constraint Violation
When I try to launch my own Java app, I get the following error message. xpcproxy exited due to OS_REASON_CODESIGNING | Launch Constraint Violation, error info: c[5]p[1]m[1]e[0], (Constraint not matched) launch type 3, failure proc [vc: 1]: /bin/bash As far as I know, the failing process path is /bin/bash. This issue is only happening on macOS Sequoia. The Java app works without any issue on MacOS Sonoma or any previous macOS versions. I did not make any changes, including launch constraints or any other settings. After updating to macOS Sequoia, I started getting this error and can no longer launch my app. Thank you so much.
9
1
488
Oct ’24
Why xcodebuild in Xcode 16 in our CI logs out the Apple ID and creates a new one
Hello, We use automatic signing and Fastlane on our CI. Fastlane uses xcodebuild to create an archive. xcodebuild -workspace ourApp.xcworkspace -scheme app-dev -destination generic/platform=iOS -archivePath app-dev.xcarchive -skipPackagePluginValidation -allowProvisioningUpdates -authenticationKeyID OurAppStoreConnectAuthKey -authenticationKeyIssuerID OurAppStoreConnectAuthKeyIssuerId -authenticationKeyPath /path/to/OurAppStoreConnectKey.p8 clean archive All works fine, but .... Why does Xcode 16 log out logged Apple ID and create a new every build? As a result, we have more and more Unknown Apple IDs in Xcode, and for each of them an error appears in log. Error: xcodebuild[3174:1804334] DVTDeveloperAccountManager: Failed to load credentials for 0A1DF15C-ETC-ETC: Error Domain=DVTDeveloperAccountCredentialsError Code=0 "Invalid credentials in keychain for 0A1DF15C-ETC-ETC, missing Xcode-Username" UserInfo={NSLocalizedDescription=Invalid credentials in keychain for 0A1DF15C-ETC-ETC, missing Xcode-Username} Of course, the originally logged-in Apple ID has an error corresponding to his non-logged-in state. xcodebuild[3174:1804334] DVTDeveloperAccountManager: Failed to load credentials for originally_logged-in_user: Error Domain=DVTDeveloperAccountCredentialsError Code=0 "Invalid credentials in keychain for originally_logged-in_user, missing Xcode-Token" UserInfo={NSLocalizedDescription=Invalid credentials in keychain for originally_logged-in_user, missing Xcode-Token} Why does this happen and how can it be fixed? Why does Xcode 16 log out its logged Apple ID?
6
4
1.4k
Oct ’24
Open source and AppleID
I would like to share my new project on an open source repository like GitHub. it need capabilities like iCloud. The problem is that I would prefer not have my appleid email being send to the open source repository. I saw that I can exclude files but I would be easier if the open source version had no Apple account associated with it. how should I manage the open source version vs the App Store one. Thank you
7
0
310
Oct ’24
Notarised and Stapled App is not running Embedded Python Interpreter
Hi Apple community, many thanks in advance for your help. My macOS app embeds a Python interpreter, compiled from source, including the Python executable and its associated libraries. We have tried compiling the project with Xcode 16.0 and 16.1 beta 2 over MacOS Sequoia 15.0 and 15.1. The project is 100% developed in Swift6. This is how the project looks like: SampleApp.app SampleApp.app/Contents SampleApp.app/Contents/MacOS SampleApp.app/Contents/MacOS/SampleApp SampleApp.app/Contents/MacOS/bin SampleApp.app/Contents/MacOS/bin/python3.11 SampleApp.app/Contents/Resources SampleApp.app/Contents/Resources/lib SampleApp.app/Contents/Resources/lib/python3.11 SampleApp.app/Contents/Resources/Info.plist Since we want to 'initially' distribute the app directly, Python binary is signed as follows: codesign --deep --force --options runtime --timestamp --sign "$DEVELOPER_ID_APPLICATION" "$BINARY_PATH" App entitlements contain the next entries: <key>com.apple.security.app-sandbox</key> <true/> <key>com.apple.security.files.downloads.read-write</key> <true/> <key>com.apple.security.files.user-selected.read-only</key> <true/> <key>com.apple.security.files.user-selected.read-write</key> <true/> <key>com.apple.security.network.client</key> <true/> <key>com.apple.security.network.server</key> <true/> The resulting app is signed with entitlements, notarised and stapled. Once the app is running, we can see the next errors on Console: Prompting policy for hardened runtime; service: kTCCServiceAppleEvents requires entitlement com.apple.security.automation.apple-events but it is missing for accessing={TCCDProcess: identifier=[IDENTIFIER]], pid=58826, auid=502, euid=502, binary_path=[PATH]}, requesting={TCCDProcess: identifier=com.apple.appleeventsd, pid=824, auid=55, euid=55, binary_path=/System/Library/CoreServices/appleeventsd}, Python process runs for some seconds and then the process disappears. We can not see any AMFI message on Console. Then we add to Signing and Capabilities 'Apple Events' from Hardened Runtime section. The resulting app gets signed, notarised and stapled, but when running we get only the next errors: error 09:42:32.787744+0200 SampleApp Can't find or decode reasons error 09:42:32.787832+0200 SampleApp Failed to get or decode unavailable reasons Just in case it is relevant, this is how the app interacts with Python: process.executableURL = URL(fileURLWithPath: [PATH_TO_PYTHON_BINARIE]) process.environment = environment process.arguments = arguments process.standardOutput = pipe try process.run() process.waitUntilExit() We truly appreciate any guidance, help or advice. Thanks!!
1
2
273
Oct ’24
Notarised and Stapled App is not running Embedded Python Interpreter
Hi Apple community, many thanks in advance for your help. My macOS app embeds a Python interpreter, compiled from source, including the Python executable and its associated libraries. We have tried compiling the project with Xcode 16.0 and 16.1 beta 2 over MacOS Sequoia 15.0 and 15.1 This is how the project looks like: SampleApp.app SampleApp.app/Contents SampleApp.app/Contents/MacOS SampleApp.app/Contents/MacOS/SampleApp SampleApp.app/Contents/MacOS/bin SampleApp.app/Contents/MacOS/bin/python3.11 SampleApp.app/Contents/Resources SampleApp.app/Contents/Resources/lib SampleApp.app/Contents/Resources/lib/python3.11 SampleApp.app/Contents/Resources/Info.plist Since we want to 'initially' distribute the app directly, Python binary is signed as follows: codesign --deep --force --options runtime --timestamp --sign "$DEVELOPER_ID_APPLICATION" "$BINARY_PATH" App entitlements contain the next entries: <key>com.apple.security.app-sandbox</key> <true/> <key>com.apple.security.files.downloads.read-write</key> <true/> <key>com.apple.security.files.user-selected.read-only</key> <true/> <key>com.apple.security.files.user-selected.read-write</key> <true/> <key>com.apple.security.network.client</key> <true/> <key>com.apple.security.network.server</key> <true/> The resulting app is signed with entitlements, notarised and stapled. Once the app is running, we can see the next error on Console: Prompting policy for hardened runtime; service: kTCCServiceAppleEvents requires entitlement com.apple.security.automation.apple-events but it is missing for accessing={TCCDProcess: identifier=[IDENTIFIER]], pid=58826, auid=502, euid=502, binary_path=[PATH]}, requesting={TCCDProcess: identifier=com.apple.appleeventsd, pid=824, auid=55, euid=55, binary_path=/System/Library/CoreServices/appleeventsd}, Python process is not running, we can't see any AMFI message. Next we added to Signing and Capabilities 'Apple Events' from Hardened Runtime section. The resulting app gets signed, notarised and stapled, but when running we get only the next errors: error 09:42:32.787744+0200 SampleApp Can't find or decode reasons error 09:42:32.787832+0200 SampleApp Failed to get or decode unavailable reasons Just in case it is relevant, this is how the app interacts with Python: process.executableURL = URL(fileURLWithPath: [PATH_TO_PYTHON_BIN]) process.environment = environment process.arguments = arguments process.standardOutput = pipe try process.run() process.waitUntilExit() We truly appreciate any guidance, help or advice. Thanks!!
5
0
326
Oct ’24
pkgbuild giving signing identity error
The actual error: pkgbuild: error: Could not find appropriate signing identity for “Developer ID installer: My Name (DeveloperID)”. I'm trying to sign a program written with gfortran. The steps worked the last time (Mar 23) I built this code. The steps to error: a) xcrun notarytool store-credentials --apple-id "***" --team-id "yyy" Giving Profile Name zzz and App-specific password b) codesign --force --timestamp --options=runtime -s "Developer ID Application: My Name (yyy)" AppName c) pkgbuild --root ROOT --identifier org.aaa.bbb --version "1.1.1" --sign "Developer ID installer: My Name (yyy)" AppName.pkg ROOT contains the package contents At this point I get the error pkgbuild: error: Could not find appropriate signing identity for “Developer ID installer: My Name (yyy)” Are there steps that have changed. Any suggestions? Thanks, David
1
0
250
Oct ’24
EACCES Error on binary included in Electron app
Hi, I have an Electron app that I build, sign, notarize, and staple using electron-builder. It includes Sound Exchange (SoX), which I was invoking from the homebrew installed version. It builds a dmg and works fine. However, my users are non-technical, thus cannot be expected to install dev tools, homebrew, and sox from the command line and set paths. Therefore, I need to include a SoX binary in my app. I have a static SoX binary that works. However, when I try to run it from my electron app, I get Error: spawn / <path>/sox EACCES. Electron-builder is signing the SoX binary codesign --sign <sign number> --force --timestamp --options runtime --entitlements dist/entitlements/entitlements.mac.plist /<app path>Contents/Resources/bin/sox/sox The app sign/notarize works fine, the dmg mounts, and the app runs until I try to invoke SoX. Also, I verified the sox binary and entire app are signed and the app staple is valid. I am running the app from /Applications. Please help me!
3
0
313
Oct ’24
[Mac App Store] Sudden increase in "<App> is damaged and can't be opened" errors when launching Mac App Store app
Hi, I've recently observed a sudden increase in support requests for one of my apps on the Mac App Store, reporting the error " is damaged and can't be opened. Please re-download it from the Mac App Store", all on different systems: macOS 12, macOS 13, and macOS 15 Sequoia. Re-downloading does not resolve the issue most of the time. One user reported that being connected to the internet resolved it - perhaps this is an OCSP issue again? I myself cannot reproduce this issue. Has there been a change in code-signing recently? Have some certificates changed? Anything else I should be aware of? What is the best course of action to have users take who experience this, when re-downloading the app from the Mac App Store does not work? Thank you, – Matthias
8
1
526
Oct ’24
Problems with PyBind11
I'm using PyBind11 to allow use of Python code within my C++ application. The application links successfully, but on the py::module::import below: LOGICAL WebServer:: CheckForPort() { EPython::Prepare(); auto socket = py::module::import("socket"); auto s = socket.attr("socket")(socket.attr("AF_INET"),socket.attr("SOCK_STREAM")); if (s == Py_None) return L_TRUE; auto rc = s.attr("connect_ex")("localhost",8810); // // Returns zero if port in in use // return (rc.cast<int>() == 0); } I get a run-time error libc++abi: terminating due to uncaught exception of type pybind11::error_already_set: ImportError: dlopen(/Library/Frameworks/Python.framework/Versions/3.11/lib/python3.11/lib-dynload/math.cpython-311-darwin.so, 0x0002): tried: '/Users/Shared/Develop/IntelApps/WinTD 5/DerivedData/WinTDOSX/Build/Products/Debug/math.cpython-311-darwin.so' (no such file), '/usr/lib/system/introspection/math.cpython-311-darwin.so' (no such file, not in dyld cache), '/Library/Frameworks/Python.framework/Versions/3.11/lib/python3.11/lib-dynload/math.cpython-311-darwin.so' (code signature in <855730B8-106D-389C-BF65-36A98463EDB5> '/Library/Frameworks/Python.framework/Versions/3.11/lib/python3.11/lib-dynload/math.cpython-311-darwin.so' not valid for use in process: mapping process and mapped file (non-platform) have different Team IDs), I have no idea how to fix the code signature error---this is intended for distribution, so that presumably would be a file on the user's computer. I tried to link in the .so file, but that's a rabbit hole as there are a near endless set of further dependencies.
1
0
260
Oct ’24
macOS 15 – Is AppleScript a Gatekeeper workaround ?
I have tried to manually install binaries using Finder by clicking and dragging from the Desktop into "/usr/local/bin/". The binaries come with a collection of frameworks etc. All the binaries are adhoc signed. macOS asks for Admin credentials which is fine. But then, when I execute the binaries in Terminal, Gatekeeper shows the now expected "'[binary"] Not Opened Apple could not verify ........" etc. It shows that dialog for every component and requires user input 2-3 times to allow each component of which there are perhaps dozens. BUT, none of that happens if I install those binaries using AppleScript. So, it might have a call like this: do shell script "curl -L " &amp; download_URL &amp; " -o " &amp; download_binary_zip with administrator privileges do shell script "unzip -o " &amp; download_binary_zip &amp; " -d " &amp; usr_bin_folder with administrator privileges The resulting installs work perfectly. Is this intended ? Using both install methods requires Admin credentials. Why does using a script work but using Finder does not ?
4
0
420
Oct ’24
Correct settings to setup Xcode/xcodebuild in a CI using automatically managed signing ? (Xcode 16)
Hello, We are using automatic signing for a couple of projects, and we're struggling to get it to work in a CI with Xcode 16. It was working with Xcode 15 but with Xcode 16 we get the following errors : error: The operation couldn’t be completed. Unable to log in with account ''. The login details for account '' were rejected. error: Provisioning profile "iOS Team Provisioning Profile: com.bundleid.my" doesn't include signing certificate "Apple Development: Foobar (TEAMID)". Any ideas ?
5
1
787
Sep ’24
Developing iOS Applications with Delphi 11: Crashing Issues and Troubleshooting
I am developing a mobile application with Delphi 11. I compiled the application using iOS SDK 17.5. I uploaded it to the Apple Store for testing and first tested it on an iPhone 7 (software version 15.7.1). The application worked smoothly. Later, I tested it on an iPhone 14 (software version 17.6.1) and an iPhone 11 (software version 18). On both of these devices, the application crashed before opening. Since the same application is available on the Apple Store, I downloaded it from there and saw that it worked fine on the last two devices. I thought that the SDK needed to be upgraded for newly compiled and submitted applications. However, in that case, it should have thrown an error when submitting the application to the Apple Store. I updated macOS and Xcode and upgraded to SDK 18. I also set SDK 18 in Delphi. When I compiled with these settings, I again saw that it worked normally on my first device, while the application crashed on the next two devices. Considering it could be an issue with a module in the application, I compiled a blank form by removing all permission requests for testing, but the result did not change. What can I do about this? Do you have any suggestions?
2
0
282
Sep ’24
error: exportArchive: Code signing "FBAEMKit.framework" failed.
When I make ipa by commond tools,Some errors have occurred.Has anyone encountered it before? Ps:debug mode is ok,release mode is not ok. error: exportArchive: Code signing "FBAEMKit.framework" failed. Error Domain=IDEDistributionPipelineErrorDomain Code=0 "Code signing "FBAEMKit.framework" failed." UserInfo={NSLocalizedDescription=Code signing "FBAEMKit.framework" failed., NSLocalizedRecoverySuggestion=View distribution logs for more information.}
1
0
233
Sep ’24
Issue with code signing
I am signing my app using this command: codesign --verbose=4 --force --options=runtime --deep --timestamp --sign "${APP_IDENTITY}" "${APP_FILE}" --entitlements "./Protect.entitlements I have ensured that the necessary provisioning profiles are embedded in the IPA file. I am also verifying the signing using codesign -dvv ./JumpCloud\ Protect\ Staging.ipa and codesign --verify --deep --verbose ./JumpCloud\ Protect\ Staging.ipa Despite following the above steps, when I attempt to upload the IPA file to Transporter, I receive the following error message: Missing or invalid signature. The bundle 'com.jumpcloud.JumpCloud-Protect.staging' at bundle path 'Payload/JumpCloud Protect Staging.app' is not signed using an Apple submission certificate.
1
1
341
Sep ’24
Xcode downloaded client crash report at libsecinit_appsandbox.c
Among the newest crash reports downloaded by Xcode for my App Store app there is one that contains a single thread, crashed at libsecinit_appsandbox.c, without any trace of my app name. What could possibly cause such a crash? Is this something related with app signing? The app has been on the App Store for a long time and this never happened to me. Thread 0 Crashed: 0 libsystem_secinit.dylib 0x00000001941dcfcc _libsecinit_appsandbox.cold.12 + 60 (libsecinit_appsandbox.c:454) 1 libsystem_secinit.dylib 0x00000001941dbf94 _libsecinit_appsandbox + 1764 (libsecinit_appsandbox.c:454) 2 libsystem_trace.dylib 0x00000001872be598 _os_activity_initiate_impl + 64 (activity.c:131) 3 libsystem_secinit.dylib 0x00000001941db85c _libsecinit_initializer + 80 (libsecinit_initializer.c:17) 4 libSystem.B.dylib 0x00000001941f2664 libSystem_initializer + 280 (init.c:338) 5 dyld 0x00000001871fe608 invocation function for block in dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const::$_0::operator()() const + 168 (Loader.cpp:2198) 6 dyld 0x000000018723cd6c invocation function for block in dyld3::MachOAnalyzer::forEachInitializer(Diagnostics&, dyld3::MachOAnalyzer::VMAddrConverter const&, void (unsigned int) block_pointer, void const*) const + 340 (MachOAnalyzer.cpp:2481) 7 dyld 0x0000000187230400 invocation function for block in dyld3::MachOFile::forEachSection(void (dyld3::MachOFile::SectionInfo const&, bool, bool&) block_pointer) const + 496 (MachOFile.cpp:1669) 8 dyld 0x00000001871df2fc dyld3::MachOFile::forEachLoadCommand(Diagnostics&, void (load_command const*, bool&) block_pointer) const + 300 (MachOFile.cpp:1185) 9 dyld 0x000000018722f394 dyld3::MachOFile::forEachSection(void (dyld3::MachOFile::SectionInfo const&, bool, bool&) block_pointer) const + 192 (MachOFile.cpp:1628) 10 dyld 0x000000018723c880 dyld3::MachOAnalyzer::forEachInitializer(Diagnostics&, dyld3::MachOAnalyzer::VMAddrConverter const&, void (unsigned int) block_pointer, void const*) const + 516 (MachOAnalyzer.cpp:2448) 11 dyld 0x00000001871fa53c dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const + 564 (Loader.cpp:2189) 12 dyld 0x00000001872042d4 dyld4::PrebuiltLoader::runInitializers(dyld4::RuntimeState&) const + 44 (PrebuiltLoader.cpp:818) 13 dyld 0x000000018721dcc0 dyld4::APIs::runAllInitializersForMain() + 84 (DyldAPIs.cpp:3889) 14 dyld 0x00000001871e4010 dyld4::prepare(dyld4::APIs&, dyld3::MachOAnalyzer const*) + 3156 (dyldMain.cpp:891) 15 dyld 0x00000001871e2ef4 start + 1868 (dyldMain.cpp:1265) Crash report
2
0
321
Sep ’24