Demystify code signing and its importance in app development. Get help troubleshooting code signing issues and ensure your app is properly signed for distribution.

Post

Replies

Boosts

Views

Activity

Command CodeSign failed with a nonzero exit code
I am having a peculiar issue with an app I am developing. I am trying to upload it onto App Store Connect but I am getting one error, and a very odd behavior. The error message I am getting is: /Users/user/Documents/GitHub/MyApp/MyApp/DerivedData/MyApp.pub/Build/Intermediates.noindex/ArchiveIntermediates/MyApp.pub/InstallationBuildProductsLocation/Applications/MyApp.pub.app: resource fork, Finder information, or similar detritus not allowed Command CodeSign failed with a nonzero exit code I have cleaned built the directory, I have removed the Derived Data, but this always gets thrown. It was working fine a few months ago, I have only just got back to working on it. The other issue I am havving, when I set to archive the app, I set the target as Any iOS Arm Device (arm64), but when it is archiving it switches to my iPhone as the target. I don't prompt it to do this, it just does it. This is very frustrating. I'm using a MacBook Air M1, with a macOS Sonoma. I updated my Xcode the other day, that's Version 15.4 (15F31d). My App has a minimum target of iOS 15 and a project target of Xcode 13. Any help is appreciated.
5
0
832
Jun ’24
run command line tool with associated dylib
I've been given an Xcode project which produces a command line tool which links to a dylib. I have the dylib, but not its source code. I change the signing option for the command line tool target so it is signed automatically by my personal team. On an attempt to run the tool, it fails to load the dylib, because the dylib is signed with a different certificate. I manually codesign the dylib with the same certificate I am using for the command line app. Now, I can build the app, but not run it. If I try to do so, I see four dialogs telling me “libXXX.dylib” can’t be opened because Apple cannot check it for malicious software, then the console tells me "'/path/to/libXXX.dylib' not valid for use in process: library load disallowed by system policy)" I found an old document about Gatekeeper (https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html) which suggests that Gatekeeper just won't let me do this - I can't just put the dylib next to the executable, although the dynamic linker finds the dylib, Gatekeeper doesn't like it because the dylib isn't inside the app bundle (there is none), and isn't in one of the well-known places. I dealt with this by making a do-nothing app which I can sign with my personal certificate. Then I replace the signature on the dylib (and its dependent dylibs) with my own. I add the command line tool and all its dylib dependencies to the do-nothing app, then add those files into the Copy Bundle Resources phase of the do-nothing app. Now, the command line tool and its dylibs all live in do-nothing.app/Contents/Resources, and I can run the tool from there without Gatekeeper complaining. Is there an easier way (aside from asking my supplier for static libraries)? And if this is the only way, is Contents/Resources the right place to put command line tools and the dylibs they link to?
5
0
1.1k
May ’24
App Sandbox blocked my launchPath
I need help, when I run code without a sandbox it works well. however, when I enabled it, it gave me (Thread 3: "launch path not accessible")! How can I fix that? let task = Process() task.launchPath = "/Users/alielzieny/Documents/TerrierSectraFix/TerrierSectraFix/Frameworks/python3" task.arguments = ["/Users/alielzieny/Documents/TerrierSectraFix/TerrierSectraFix/SectraFix.py", selectedDirectoryURL.path, destinationDirectoryURL.path] let pipe = Pipe() task.standardOutput = pipe task.launch() task.waitUntilExit() let data = pipe.fileHandleForReading.readDataToEndOfFile() if let output = String(data: data, encoding: .utf8) { print(output) }
1
1
606
May ’24
An App ID with Identifier 'de.{domain}.app' is not available. Please enter a different string
Hi, I am trying to create a new Identifier for my app. When I write down the Bundle ID I am getting this popup: An attribute in the provided entity has invalid value An App ID with Identifier 'de.{domain}.app is not available. Please enter a different string. Can anyone please help? The domain is mine and no apps have been released yet. I can't find a solution for this
1
0
600
May ’24
The python app is caught by gatekeeper.
I got the python app notarized and downloaded it fine. However, if you are caught by Gatekeeper and open the information window, you will see a lock and even if you enter the password to open the lock, it will not work. xattr -d com.apple.quarantine ./test.app You have to exclude it from the gatekeeper directly. I wonder if the downloaded app is unavoidable... or if there is another way.
1
0
512
May ’24
need help updating an app to work on ios 17+
I have an app that needs re-signing/updating to work on ios 17 (ios 17.4.1). I have renamed the IPA file to zip and extracted it to the desktop. The files in the extracted folder are: ItunesArtwork ItunesMetadata.plist Payload folder Payload folder contains the app App package contents contains all the app files, including the _CodeSignature folder. I extracted the package contents to a folder on the desktop. Xcode 15.3 (15E204a) is installed. Need the steps necessary to complete it and generate the new IPA file to test. Thanks all, Ed
1
0
477
May ’24
Crash using OpenMP library in a sandboxed app
I'm trying to add a feature to my app which requires OpenMP as third party library. The first time an openMP API gets called makes the app crash. The Xcode terminal reports this: OMP: Error #179: Function Can't open TEMP failed: OMP: System error #1: Operation not permitted Assertion failure at kmp_runtime.cpp(6918): temp_reg_status_file_name. OMP: Error #13: Assertion failure at kmp_runtime.cpp(6918). Console app reports this: Sandbox: deny(1) ipc-posix-shm-write-create /__KMP_REGISTERED_LIB_31975 I cannot substitute or get rid of the OpenMP library as it is used by other third party libs needed by the feature I’m developeng. Hope there is a workaround to the sandbox security restrictions that allows to use the lib. Thanks, Andrea
1
0
595
May ’24
Deploying a personal app
I have a personal app I use only for myself on my iPhone. I do not distribute this. Its stops working every year when my renewal comes up. Once I renew my subscription I reload the app onto my phone and it works again. Is there a way that I can have it work forever without having to reload it every year? Sometimes I forget to reload after my renewal and it does not work until I do so.
1
0
422
Apr ’24
PKG Installer postinstall script not executing in Sonoma
Hi, we have an app that has been in development since Catalina and ever since Sonoma came out we noticed that when executing our pkg installer the application is installed correctly but the postinstall script is not executed. The weird thing is that if I run the pkg for the first time the postinstall does not execute BUT if I run it again then it DOES!! Looking through the logs I found these ones that confirm the execution of the script is being blocked. We haven't changed anything in the way we build the installer so I'm not quite sure how to fix this. 2024-04-25 16:29:51.570662-0300 0x1c62 Error 0x0 308 0 syspolicyd: [com.apple.syspolicy.exec:default] Unable (errno: 2) to read file at <private> for pid: 784 process path: <private> library path: (null) 2024-04-25 16:29:51.570662-0300 0x1c62 Error 0x0 308 0 syspolicyd: [com.apple.syspolicy.exec:default] Terminating process due to Malware rejection: 784, <private> 2024-04-25 16:29:51.570679-0300 0x1d13 Default 0x0 0 0 kernel: (AppleSystemPolicy) ASP: Sleep interrupted, signal 0x100 2024-04-25 16:29:51.570682-0300 0x1d13 Default 0x0 0 0 kernel: (AppleSystemPolicy) ASP: Security policy would not allow process: 784, /private/tmp/PKInstallSandbox.m5Av3O/Scripts/com.mycompany.myapp.pkg.BSOjtt/postinstall The app as well as the installer are both signed, notarized and stapled. Here you can see the script which just simply executes the app. #!/bin/bash echo "Running postinstall" /Applications/myapp.app/Contents/MacOS/myapp --load-system-extension & exit 0 Any help would be much appreciated. Thanks!
4
0
998
Apr ’24
Unable to verify certificate on iOS caused by invalid HTTPS certificate on ppq.apple.com
I am able to successfully install the app on my device, but I am unable to verify the app. Steps to reproduce: Navigate to Settings -> VPN & Device Management on iPhone 14 Select developer under Developer App Select trust this computer Attempt to Verify App The "Verify App" button has no effect. The app can still be installed when built, but is not able to be opened. Navigating to ppq.apple.com in a browser results in a "cannot be trusted":
2
0
459
Apr ’24
couldn't issue sandbox extension com.apple.app-sandbox.read-write
[7268:372225] Failed to create an FPSandboxingURLWrapper for file:///Users/####/Downloads/mod##06-9-19.pdf. Error: Error Domain=NSPOSIXErrorDomain Code=1 "couldn't issue sandbox extension com.apple.app-sandbox.read-write for 'file:///Users/####/Downloads/mod##06-9-19.pdf' PS- Used ### to hide info I am facing an error with apple sandbox in my dot NET MAUI project here is the entitlements file I don't know Why I'm getting the in my understanding with user-selected.read-write it should work
2
0
927
Apr ’24
macOS app with associated domains feature - not launching after deployment on other machines.
Hi, I have added associated domains support for our desktop app and it works fine on my machine. But when I deploy it on other machines, it is not launching. It throws ‘The application ““ can’t be opened” message. It works fine when I install provisioning profile on those machines. Xcode is not allowing me to code sign the app manually as part of build process. Till now we were dong the same for other apps. Associated domain need a provisioning profile and I have created one distribution profile and code signed it. Now it works fine only on my machine and not working on other machines. It works only on other machines if I install provisioning profile. What should be the issue? How do I work this macOS app on other machines without installing provisioning profile?
0
0
483
Apr ’24
Xcode Signing and Capabilities
I'm currently befuddled by the entire signing and certificate process. I don't understand what I need, what the team admin needs to do, or how to go about doing it so that I can build the project. We've managed to have this working in the past but I guess the system has changed somewhat. Here's what we have going: A Unity project which hasn't changed from a few years ago. I build the project in unity, open the Xcode project and this: There's an issue with the Signing and Capabilities. If I choose automatic setup it shows an error saying that it requires a development team. I had the account admin add my Apple ID to the team so I'm not sure why that's an issue still. Do I need to pay the 99$ to be able to building Xcode? If I try to do it manually I select the provisioning profile that the account admin sent me and it auto selects the team associated with the provisioning profile I guess but then there's no singing certificate. The error says: There is no signing certificate "iOS Development" found. No "iOS Development" signing certificate matching team ID "V7D5YBZRMV" with a private key was found. So, if someone could explain to me like I'm 5 the entire signing and certificate process is and let me know what we're doing wrong with the team/provisioning profile/certificate setup I would be very much appreciative.
3
0
768
Apr ’24
SQlite issue because of entitlements?
Hello, I am having some trouble with an application accessing and running SQlite database queries. The error I am getting is (5642) SQLITE_IOERR_SEEK when trying to sqlite_step_stement in the database. See https://www.sqlite.org/rescode.html#ioerr_seek A bit of background, it is an application in Unreal Engine, and everything was working fine in Unreal Engine 4. The application uses a SQlite database on disk to store and fetch data. This database is saved to the documents folder. (I also tried other folders to see if that would make a difference) But since switching to a new version of the engine, Unreal Engine 5, in a build I am getting errors when trying to read/write to the database. This only happens in a build .app file. The only big difference I can find is that in the new engine when making a build the codesigning is already done in the engine. I don't see why those settings would break anything though. It also has an entitlements file, but I also edited it and made sure it has the same entitlements settings as my own scripts that are run afterwards. I am overwriting the codesigning with our own CI/CD scripts afterwards. The .app file is codesigned, notarized and stapled by that script. Also I use an entitlements file to set certain values. It doesn't seem to be a code related issue, as everything is working fine when running the application "in editor". But only when creating a final .app build. It doesn't matter if this build is in Debug or Shipping. My first thought was to try more entitlements settings. But I tried the following and I am still getting the same errors: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.security.cs.debugger</key> <true/> <key>com.apple.security.cs.disable-executable-page-protection</key> <true/> <key>com.apple.security.cs.disable-library-validation</key> <true/> <key>com.apple.security.automation.apple-events</key> <true/> <key>com.apple.security.app-sandbox</key> <false/> <key>com.apple.security.cs.allow-dyld-environment-variables</key> <true/> <key>com.apple.security.cs.allow-jit</key> <true/> <key>com.apple.security.cs.allow-unsigned-executable-memory</key> <true/> <key>com.apple.security.files.downloads.read-write</key> <true/> <key>com.apple.security.network.client</key> <true/> <key>com.apple.security.network.server</key> <true/> </dict> </plist> I also am thinking that it might be a different issue as the application is able to create a database file in the documents folder, just not able to do the read write inside the database. These values are just set to try if any of these settings "fix" the issue, but thus far no luck. As there is nothing I can find in Unreal Engine related forums, and I also do not have a lot of experience with all the options when making Mac builds. I was hoping someone on this forum could think of a reason why a .app file would have problems with reading and writing to a SQlite database.
3
0
718
Apr ’24
NSUpdateSecurityPolicy don't work
I have two apps written in MAUI Mac Catalyst Framework -- one is main app, second is app updater. My updater works this way: it is located in the same directory as main app: firstly it deletes MainApp.app/Contents folder, then unzips new Contents folder that was downloaded from server. I added NSUpdateSecurityPolicy dictionary as in https://developer.apple.com/documentation/bundleresources/information_property_list/nsupdatesecuritypolicy and create application like . It looks that I wrote everything fine pkgbuild --install-location '/Library/Application Support/First' --root root --ownership preserve # aslo signing, etc But on user's macOS, system does not allow to delete Contents folder: I have IO_Access denied exception. Can it be because main app is sandboxing or something else? What I can do wrong? Thanks a lot in advance!
2
0
636
Apr ’24
Identifier (and profiles) management - Developer portal
Hey guys! Please, its not possible to remove or reuse an identifier (new app by removing the old one) through the developer portal? https://developer.apple.com/account/resources/identifiers/list Everytime we try to remove there is a message we can't: There is a problem with the request entity The App ID 'xxxxxxxxxxx' appears to be in use by the App Store, so it can not be removed at this time. But the app has been removed!!! Does anyone knows how to delete/reuse an identifier by doing some action in the portal? NOTE: we are low code - no Xcode (yes, so poor) Thank u guys!
1
0
586
Apr ’24