We're having failures reported back to us from the notarization service as of the 4th of September. It's complaining about binaries inside .jar files, saying some aren't signed and others aren't signed with a valid developer certificate. These are third party jars; we unzip the unsigned binaries from these jars, sign them then put them back in using "jar -ufv". Notarizing is only complaining about binaries inside jars and not anything else, which implies our certificates are valid.
Nothing has changed regarding these jars between the notarizing service accepting and rejecting our app. To confirm our suspicions that the notarizing service may be behaving differently, we sent it an app package that previously had succeeded in notarizing. Now the notarizing service fails, citing issues with the same jars as described above.
Are you able to confirm whether anything has changed? Any ideas on what we could look at?
Demystify code signing and its importance in app development. Get help troubleshooting code signing issues and ensure your app is properly signed for distribution.
Post
Replies
Boosts
Views
Activity
I am signing my app using this command:
codesign --verbose=4 --force --options=runtime --deep --timestamp --sign "${APP_IDENTITY}" "${APP_FILE}" --entitlements "./Protect.entitlements
I have ensured that the necessary provisioning profiles are embedded in the IPA file.
I am also verifying the signing using
codesign -dvv ./JumpCloud\ Protect\ Staging.ipa
and
codesign --verify --deep --verbose ./JumpCloud\ Protect\ Staging.ipa
Despite following the above steps, when I attempt to upload the IPA file to Transporter, I receive the following error message:
Missing or invalid signature. The bundle 'com.jumpcloud.JumpCloud-Protect.staging' at bundle path 'Payload/JumpCloud Protect Staging.app' is not signed using an Apple submission certificate.
We have an organization with multiple developers trying to develop apps. There are times where they want to find out if their app will pass notarization or not? We have a Developer ID Application certificate that we use to sign files right before production deployment and then for notarization approval. But this is not possible when developers are working in their sandboxes.
Providing each developer their own Developer ID Application certificate for distribution is both not feasible and perhaps not very secure.
Is there a way in which they can find out if their apps would pass the notarization tests without actually uploading to Apple?
I'm trying to get some people to test my application, but when they attempt to open it, it says "Malware blocked and moved to bin". Attempting to open it on my mac has no issues, but on theirs it will get flagged.
Are there any solutions? I think this is to do with the signature, however this could be wrong.
I am sending a direct archive through iMessage in a zip file.
This post is in response to the information on app groups posted here: https://developer.apple.com/forums/thread/721701
I have a multi-platform (macOS and iOS) app that uses an app group to store the Core Data database, so that extensions and widgets can also access the database.
It seems to be impossible to add an app group in Xcode that doesn't start with group.. When I use the team identifier as detailed here , Xcode prepends group. to the app group identifier.
So far, I've simply been using an app group identifier that looks like this: group.com.example.MyAppName. This has worked on macOS and iOS. However, I noticed that when the app launches on macOS 15, the user is shown a dialog that says " would like to access data from other apps." If the user selects "Don't Allow", the app will crash, since it can't access the Core Data database located in the app group directory.
How can I work around this, considering that this is a multi-platform app, and both the iOS and macOS versions need to store the Core Data database in the app group directory? What is the proper way to configure app groups for multi-platform apps?
Among the newest crash reports downloaded by Xcode for my App Store app there is one that contains a single thread, crashed at libsecinit_appsandbox.c, without any trace of my app name. What could possibly cause such a crash? Is this something related with app signing? The app has been on the App Store for a long time and this never happened to me.
Thread 0 Crashed:
0 libsystem_secinit.dylib 0x00000001941dcfcc _libsecinit_appsandbox.cold.12 + 60 (libsecinit_appsandbox.c:454)
1 libsystem_secinit.dylib 0x00000001941dbf94 _libsecinit_appsandbox + 1764 (libsecinit_appsandbox.c:454)
2 libsystem_trace.dylib 0x00000001872be598 _os_activity_initiate_impl + 64 (activity.c:131)
3 libsystem_secinit.dylib 0x00000001941db85c _libsecinit_initializer + 80 (libsecinit_initializer.c:17)
4 libSystem.B.dylib 0x00000001941f2664 libSystem_initializer + 280 (init.c:338)
5 dyld 0x00000001871fe608 invocation function for block in dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const::$_0::operator()() const + 168 (Loader.cpp:2198)
6 dyld 0x000000018723cd6c invocation function for block in dyld3::MachOAnalyzer::forEachInitializer(Diagnostics&, dyld3::MachOAnalyzer::VMAddrConverter const&, void (unsigned int) block_pointer, void const*) const + 340 (MachOAnalyzer.cpp:2481)
7 dyld 0x0000000187230400 invocation function for block in dyld3::MachOFile::forEachSection(void (dyld3::MachOFile::SectionInfo const&, bool, bool&) block_pointer) const + 496 (MachOFile.cpp:1669)
8 dyld 0x00000001871df2fc dyld3::MachOFile::forEachLoadCommand(Diagnostics&, void (load_command const*, bool&) block_pointer) const + 300 (MachOFile.cpp:1185)
9 dyld 0x000000018722f394 dyld3::MachOFile::forEachSection(void (dyld3::MachOFile::SectionInfo const&, bool, bool&) block_pointer) const + 192 (MachOFile.cpp:1628)
10 dyld 0x000000018723c880 dyld3::MachOAnalyzer::forEachInitializer(Diagnostics&, dyld3::MachOAnalyzer::VMAddrConverter const&, void (unsigned int) block_pointer, void const*) const + 516 (MachOAnalyzer.cpp:2448)
11 dyld 0x00000001871fa53c dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const + 564 (Loader.cpp:2189)
12 dyld 0x00000001872042d4 dyld4::PrebuiltLoader::runInitializers(dyld4::RuntimeState&) const + 44 (PrebuiltLoader.cpp:818)
13 dyld 0x000000018721dcc0 dyld4::APIs::runAllInitializersForMain() + 84 (DyldAPIs.cpp:3889)
14 dyld 0x00000001871e4010 dyld4::prepare(dyld4::APIs&, dyld3::MachOAnalyzer const*) + 3156 (dyldMain.cpp:891)
15 dyld 0x00000001871e2ef4 start + 1868 (dyldMain.cpp:1265)
Crash report
Our company changed its name as a result of a merger, and the development group responsible for our mobile apps decided to migrate from our "legacy" Apple developer account to a new account associated with the new company name. I found this out last Friday when the notification step in the build script for our Mac applications stopped working — the notification server accepts the request but never responds; we were using the --wait flag with notarytool, and as a result it hangs indefinitely.
Apparently our old developer account was deactivated unexpectedly, and while it's been temporarily turned back on to allow the mobile apps team to finish migrating their apps, the notarization step continues to hang.
I haven't yet tried using the new team account, because my product requires an Endpoint Security entitlement, which is associated with the old Team ID. The long-term answer is probably to re-apply for a new entitlement, but that took over a month the last time we did this, and of course we were scheduled to release a product update in two weeks.
At the moment we're dead in the water. Are there any other options to get us going again? (I considered opening a code-level support request, but as this issue isn't exactly "code-level", I was worried that would be a waste of time and/or money.)
Hello there, I need guidance understanding what some certificates are related to.
a) On my Apple developer page home I see that RENEWAL date for my apple developer enterprise program subscription is 2024-october-10
b) in devices section, there is a banner showing that my membership will EXPIRE on 2024-october-09
c) in certificates section I have 6 "development" certificates expiring in multiple dates from 2024-october-11 to 2025-may-22.
these ones are "certificate Type - development" and **"certification name with my personal name" **
none of dates in certificates section matches exactly renewal or expiring dates for my apple developer page subscription or profile certificate.
why dates in a and b are different?
what are certificates in certificates section (those mentioned in "c") ? they seems different from "mac development" and such. What happens if they expire?
thank you in advance.
I have applied for the app push provider permission in the Network Extension entitlement, but have not received a response yet. How long does it take to apply for authorization?
I'm working on an app that contains a USB Driver Kit extension for iPad (NOT MAC). The app contains two targets, the core app and the DriverKit extension target. I can run the app just fine using a dev cert and provisioning profile. ** What is the step-by-step process for signing the release build?** There seems to be no way to create a release profile for the Driver Kit target. I've tried multiple avenues, but come to a dead end on each. I have requested and received the correct entitlements.
Also, on a separate note, has anyone achieved this process using Fastlane? It seems particularly resistant to building the app with the driverkit extension, even for dev builds. It complains about the driverkit dev profile not being an iOS profile.
Thanks!
Hello,
I requested the Family Controls (Distribution) entitlement and was granted access:
However, the "Additional Capabilities" Tab is not showing up in the associated App ID in "Certificates, Identifiers & Profiles":
Thank you in advance,
FCG
I've submitted several requests for Family Controls Distribution access for all of my app targets over two weeks ago and have not gotten any response. The app I've been working on for over a year is finally ready to beta test to 200+ waitlisted users but this final roadblock is killing me! Anyone know what to do? Is there anyone else I could reach out to other than the apple request form to get help with this? Thank you!
I have a Safari Extension deployed to test flight built and deployed using CLI tools in Azure Devops. It appears to be building, signing, and deploying properly. But when users try to install on TestFlight, they see an error saying something about an invalid provisioning profile. This seems to just be on the "installer" portion of the app. The extension shows up in safari settings and is otherwise useable. The users just aren't seeing the splash screen that instructs them to go to Safari Settings.
I'm not really sure what's wrong here. This is what my build pipeline looks like
- task: Bash@3
displayName: "Build export.plist file"
inputs:
targetType: 'inline'
script:
/usr/libexec/PlistBuddy -c "Add :method string mac-application" $(Pipeline.Workspace)/export.plist &&
/usr/libexec/PlistBuddy -c "Add :provisioningProfiles dict" $(Pipeline.Workspace)/export.plist &&
/usr/libexec/PlistBuddy -c "Add :provisioningProfiles:$(APP_IDENTIFIER) string $(InstallDistProvisioningProfile.provisioningProfileUuid)" $(Pipeline.Workspace)/export.plist &&
/usr/libexec/PlistBuddy -c "Add :signingCertificate string '$(InstallDistCerts.signingIdentity)'" $(Pipeline.Workspace)/export.plist &&
/usr/libexec/PlistBuddy -c "Add :signingStyle string manual" $(Pipeline.Workspace)/export.plist &&
/usr/libexec/PlistBuddy -c "Add :teamID string $(APPLE_TEAM_ID)" $(Pipeline.Workspace)/export.plist &&
/usr/libexec/PlistBuddy -c "Add :iCloudContainerEnvironment string Production" $(Pipeline.Workspace)/export.plist &&
/usr/libexec/PlistBuddy -c "Add :stripSwiftSymbols bool true" $(Pipeline.Workspace)/export.plist &&
/usr/libexec/PlistBuddy -c "Add :compileBitcode bool false" $(Pipeline.Workspace)/export.plist
- task: Xcode@5
displayName: "Build Safari Extension"
inputs:
action: "archive"
sdk: "macosx"
packageApp: true
xcodeVersion: "15"
args: "-verbose CODE_SIGNING_REQUIRED=Yes CODE_SIGNING_ALLOWED=Yes"
exportOptions: "plist"
exportOptionsPlist: '$(Pipeline.Workspace)/export.plist'
exportMethod: "mac-application"
archivePath: '$(Build.ArtifactStagingDirectory)/SafariDesktopExtension.xcarchive'
signingOption: "default"
- script: |
xcodebuild -exportArchive \
-archivePath $(Build.ArtifactStagingDirectory)/SafariDesktopExtension.xcarchive \
-exportPath $(Build.ArtifactStagingDirectory) \
-exportOptionsPlist $(Pipeline.Workspace)/export.plist
displayName: 'Export Distribution-signed App'
- task: DownloadSecureFile@1
displayName: "Download Provisioning Profile"
name: downloadProvisioningProfile
inputs:
secureFile: $(PROVISIONING_PROFILE_DIST)
- script: |
cp "$(downloadProvisioningProfile.secureFilePath)" "$(Build.ArtifactStagingDirectory)/SafariDesktopExtension.app/Contents/embedded.provisionprofile"
displayName: "Embed provisioning profile in Top-Level Executable"
- script: |
cp "$(downloadProvisioningProfile.secureFilePath)" "$(Build.ArtifactStagingDirectory)/SafariDesktopExtension.app/Contents/PlugIns/SafariDesktopExtension Extension.appex/Contents/embedded.provisionprofile"
displayName: "Embed provisioning profile in Extension"
- script: |
codesign --deep --force --verify --verbose --sign "$(InstallDistCerts.signingIdentity)" --entitlements "$(rootFolder)/safari/SafariDesktopExtension/SafariDesktopExtension/SafariDesktopExtension.entitlements" $(Build.ArtifactStagingDirectory)/SafariDesktopExtension.app
displayName: "Codesign"
- task: Bash@3
displayName: "Package Application"
inputs:
targetType: "inline"
script: |
productbuild --sign "$(InstallInstallerCert.signingIdentity)" --component "$(Build.ArtifactStagingDirectory)/SafariDesktopExtension.app" /Applications "$(Build.ArtifactStagingDirectory)/SafariDesktopExtension.pkg"
I'm sure there's a bit of garbage here as I'm new to developing in the apple ecosystem. But it appears to work and the resulting .pkg can be submitted successfully.
Effectively, that's building an archive using a plist for export options, exporting the archive for distribution, copying the distribution provisioning profile for the top-level executable (the one that's not working) and the extension itself, code signing, and packaging using the installer cert.
The provisioning profile (attached to a Mac distribution certificate) mentioned has the correct application identifier and matches the entitlements.
I'm not really sure what's going on here and the generic "invalid provisioning profile" error isn't helping. Any help would be appreciated. I'd also love to know if this could hold up a release.
Hi,
I've developed an application which reside under /Applications.
Inside the main application bundle (/Applications/mainApp.app) there are sub-app that contain security extension. Here's the relevant path
/Applications/mainApp.app/Contents/Helpers/subApp.app/Contents/Library/SystemExtensions/com.myComp.type.systemextension/
So far I could load the extension by running the subApp and make sure it calls the extension activation API. but seems like starting from Sonoma (i'm using version 14.6.1 )it stopped working, and I get crash dump on signature failure which trying to open the subApp.app.
in the crash log I get reason of invalid code sign. I also get the following hints
Binary Images:
0x1050a0000 - 0x10512bfff dyld_path_missing (*) <f635824e-318b-3f0c-842c-c369737f2b68> /dyld_path_missing
0x104d9c000 - 0x104d9ffff main_executable_path_missing (*) <1df5f408-cb16-304f-8b38-226e29361161> /main_executable_path_missing
Is it possible that new OS version have new validation rule that enforce something about the location of the app that can start extensions ?
We have developed an electron app which we want to extend with an action extension. The action extension is written in swift in Xcode. Our plan was to build the .appex file and insert it into the PlugIns folder in our electron app, but I don't think this is the right way to do it?
If we insert the .appex file before notarization then we get an error that we are "replacing existing signature".
If we manually insert it after the notarization then we get an error with the app is damaged and can’t be opened.
Can anybody provide a procedure for this kind of merge I would imagine that it goes something like:
Sign app
Sign extension
Add extension to App
Notarize app
For signing the app we use electron-builder.
Hi, can't activate system-extension.
in any case getting
Domain=OSSystemExtensionErrorDomain Code=8 "Invalid code signature or missing entitlements"
(sometimes get code = 9)
P.S. In debug running all is working. (The system is asking to activate sysex)
Has to read huge amount of forum, samples, and docs. But no luck
What and how i've tried
steps which i've doing
#- signing sysextension binaries with Developer ID Application
#- signing system extension with Developer ID Application
#- signing application with Developer ID Application
#- checking all signatures with Developer ID Application
#- building pkg installer
#- signing installer with Developer ID Installer
#- checking signing
#- sending installer for notarization
#- waiting for installer verification
#- after success I call stapler staple
#- When calling sysex activation I get
(But the problem is persist when i've try to move signed app to application folder, or try to notarize zip) or in any case which possibly mention on forum, i've get
sign command sample
codesign --force --timestamp --options runtime --sign "Developer ID ***"
Also has to tried with ** --deep,** but no luck.
Result of steps descrribed here:
App has System Extension compatibility, Sysex haven't System Extension.
App is used the same bundle id as in AppStore (also has to tried separate one, but no luck)
In console just two informative message regarding it, but nothing specific
default 01:08:04.745310+0200 sysextd client activation request for com.company.appName.PacketTunnelMacExternal
default 01:08:04.745330+0200 sysextd attempting to realize extension with identifier com.company.appName.PacketTunnelMacExternal
default 01:08:04.750996+0200 appName-Mac-External [0x13a9496f0] invalidated because the current process cancelled the connection by calling xpc_connection_cancel()
Could you please assits with solve issue?
HERE IS THE COMPLETE LOG FROM THE SYSTEM.. please help me with the issue.
Downloads % xcrun notarytool submit appName.pkg --apple-id “appleid --team-id <app_id> --wait --verbose
[17:21:08.220Z] Debug [MAIN] Running notarytool version: unknown (0), date: 2024-09-09T17:21:08Z, command: /Applications/Xcode.app/Contents/Developer/usr/bin/notarytool submit _090624.pkg --apple-id <apple_id_hidden>--team-id <app_id> --wait --verbose
Conducting pre-submission checks for _090624.pkg and initiating connection to the Apple notary service...
[17:21:08.222Z] Debug [PREFLIGHT] _090624.pkg is a flat installer package.
[17:21:08.223Z] Debug [PREFLIGHT] Finished completing determination of file type for _090624.pkg. Operation took 1ms.
Password for <apple_id_hidden>:
[17:21:13.354Z] Info [API] Initialized Notary API with base URL: https://appstoreconnect.apple.com/notary/v2/
[17:21:13.357Z] Debug [CTXMGR] Created temporary directory at: file:///var/folders/bj/ct_f469n03b2l596c_00n27c0000gp/T/TemporaryItems/NSIRD_notarytool_hkXwCu/
[17:21:13.359Z] Debug [CTXMGR] Copied _090624.pkg -- file:///Users/w525362/Downloads/ to file:///var/folders/bj/ct_f469n03b2l596c_00n27c0000gp/T/TemporaryItems/NSIRD_notarytool_hkXwCu/_090624.pkg
[17:21:13.360Z] Debug [FILEHASH] Generating md5 and sha256 digest with buffer size 1048576 for file:///var/folders/bj/ct_f469n03b2l596c_00n27c0000gp/T/TemporaryItems/NSIRD_notarytool_hkXwCu/_090624.pkg
[17:21:13.486Z] Debug [FILEHASH] MD5 digest: bd49fd77dfe36a9bbfb4c7efc329c6fe
[17:21:13.486Z] Debug [FILEHASH] Base64-encoded MD5 Digest: vUn9d9/japu/tMfvwynG/g==
[17:21:13.487Z] Debug [FILEHASH] SHA256 digest: 03466bf60dc33f57a2bbb2ba54402eb882529085e98f9d18e1e42ceeecd9d0aa
[17:21:13.487Z] Debug [FILEHASH] Finished generating file hashes for _090624.pkg. Operation took 126ms.
[17:21:13.487Z] Debug [API] Sending submissions payload: submissionPayload(submissionName: "_090624.pkg", md5: "bd49fd77dfe36a9bbfb4c7efc329c6fe", sha256: "03466bf60dc33f57a2bbb2ba54402eb882529085e98f9d18e1e42ceeecd9d0aa", notifications: [])
[17:21:13.488Z] Info [API] Preparing POST request to URL: https://appstoreconnect.apple.com/notary/v2/submissions?, Custom Headers: private<Dictionary<String, String>>
[17:21:13.488Z] Debug [AUTHENTICATION] Delaying current request to refresh app-specific password token.
[17:21:13.488Z] Info [API] Preparing GET request to URL: https://appstoreconnect.apple.com/notary/v2/asp?, Parameters: [:], Custom Headers: private<Dictionary<String, String>>
[17:21:13.488Z] Debug [AUTHENTICATION] Authenticating request to '/notary/v2/asp' with Basic Auth. Username: appleID, Password: private, Team ID: <app_id>
[17:21:13.489Z] Debug [TASKMANAGER] Starting Task Manager loop to wait for asynchronous HTTP calls.
[17:21:14.774Z] Debug [API] Received response status code: 401, message: unauthorized, URL: https://appstoreconnect.apple.com/notary/v2/asp?, Correlation Key: QHGCOMLZWZVN4SEAKHS3SBGLS4
[17:21:14.775Z] Error [TASKMANAGER] Completed Task with ID 2 has encountered an error.
[17:21:14.775Z] Debug [TASKMANAGER] Ending Task Manager loop.
[17:21:14.783Z] Debug [CTXMGR] Removed temporary directory:
Optional(file:///var/folders/bj/ct_f469n03b2l596c_00n27c0000gp/T/TemporaryItems/NSIRD_notarytool_hkXwCu/)
Error: HTTP status code: 401. Invalid credentials. Username or password is incorrect. Use the app-specific password generated at appleid.apple.com. Ensure that all authentication arguments are correct.
PLATFORM AND VERSION
macOS
Development environment: Other: Python
Run-time configuration: macOS 14.6.1
DESCRIPTION OF PROBLEM
We have created application using python and created .app using pyInstaller. We want to get the location access using python based application which we are trying to run on MacOS 14.6.1. Without including NSLocationUsageDescription in our info.plist, it is working fine but not getting location permission pop up. After including NSLocationUsageDescription in info.plist application got corrupted.
STEPS TO REPRODUCE
We are using below commands to sign the application
codesign --force -s "Developer ID Application: Pitney Bowes (72NX38Y9GF)" -v DeviceHub.app --deep --strict --options=runtime --entitlements ../info.plist DeviceHub.app
ditto -c -k --keepParent --rsrc --sequesterRsrc --arch 'x86_64' DeviceHub.app DeviceHub.zip
xcrun notarytool submit DeviceHub.zip --keychain-profile "DHAgentProfile" --wait
xcrun stapler staple DeviceHub.app
So I'm trying to maintain free open-source macOS tools. These two tools are sandboxed and hardened runtime. One is an image viewer that writes out a perftrace file into the sandbox folder (in Containers). Then another app tries to open that perftrace file (json).
When the perftrace file is opened in Xcode (signed and notarized), the file opens fine the first and all subsequent times.
When the opening app is kram-profile (signed not notaraized), the file opens once and then nothing can ever open it again. The app has attribute com.apple.quarantine set on it.
The only workaround to then open this file is to remove the attribute
xattr -d com.apple.quarantine <filename>
This is my tool build in Xcode, and having to sign let alone notarize an app is a large amount of complexity. Also this app is available on github.
I am a developer working on iOS apps.
I would like to report an issue occurring in iOS 18 beta and iOS 18.1 beta.
Our company has two Enterprise accounts, and we are developing two apps:
A app / TeamId: ABCDEFG
B app / TeamId: HIJKLMN
When we distribute these apps, which have different TeamIds, and install them on a device running iOS 18 beta,
both apps install successfully, but only one app will run.
(Other app crashed immediately after being launched.)
This issue does not occur on versions prior to iOS 18.
I would like to know if this is a problem that will be resolved in future updates, or if it is a policy change.