At some point I had to renew my Mac App Store certificates, so I've done so, and now that I'm attempting to build for submission to the app store, I'm getting: "No certificate for team 'My Name' matching '3rd Party Mac Developer Application: My Name (MY_ID)' found".
But where to get a 3rd Party Mac Developer Application certificate? Under Xcode's "Manage Certificates", there is no "3rd Party Mac Developer Application" under the "+" button.
There are only:
Apple Development
Apple Distribution
Mac Installer Distribution
Developer ID Application
Developer ID Installer
(all of which I have).
Demystify code signing and its importance in app development. Get help troubleshooting code signing issues and ensure your app is properly signed for distribution.
Post
Replies
Boosts
Views
Activity
Hi,
I'm trying to get a smart card reader to run with Xcode.
I set up the com.apple.security.smartcard entitlement in the .entitlements file and added it in Bild Settings -> Code Signing Entitlements.
But when I run: codesign -d --entitlements - Path/to/App, nothing smart card related shows up.
Also the TKSmartCardSlotManager.default isn't nil, but .slotNames are.
Do I have to install some drivers manually?
Please help.
I am runnning persistent notarization issues with my macOS Electron application.
Despite multiple attempts to resolve these issues, the notarization status remains "Invalid," and the errors in the report are consistent.
What I'm doing
Sign the code like this
codesign --sign "Apple Distribution: Name Lastname (123456)" --deep --force --timestamp=auto path/to/Application.app
I then get: Application.app: replacing existing signature
I then verify the signing with:
codesign --verify --deep --strict --verbose=4 path/to/Application.app
I then get: --prepared:/path/to/Application.app/Contents/Frameworks/SomeFramework.framework
--validated:/path/to/Application.app/Contents/Frameworks/SomeFramework.framework
--prepared:/path/to/Application.app/Contents/Frameworks/AnotherFramework.framework
--validated:/path/to/Application.app/Contents/Frameworks/AnotherFramework.framework
Application.app: valid on disk
Application.app: satisfies its Designated Requirement
I then build:
npm build
I then package:
zip -r Application.zip Application.app
I then upload:
xcrun notarytool submit Application.zip --apple-id your-apple-id --team-id your-team-id --password your-app-specific-password
Then I check for status and I get:
Successfully received submission info
createdDate: 2024-08-15T18:21:31.520Z
id: 55daf39a-4be9-4dd6-a490-1890d33f9e75
name: Application.zip
status: Invalid
In the report generated I get issues like:
"path": "path/to/Application.app/Contents/Frameworks/SomeFramework.framework/SomeFramework",
"message": "The signature of the binary is invalid.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087735",
"architecture": "arm64"
and
"path": "path/to/Application.app/Contents/Frameworks/SomeFramework.framework/Versions/Current/Helpers/chrome_crashpad_handler",
"message": "The signature does not include a secure timestamp.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
"architecture": "arm64"
What am I doing wrong? I tried signing each issue separately and rerun the entire process, it's not working.
Hi there-
Like the title says, I'm trying to get an .app bundle code-signed and notarised that runs java internally, without using XCode. I've mostly based my workflow off the advice and notes given here and here, but I'm running into problems with using notarytool at the final step, rather than altool.
My basic workflow from the same directory with the .app is as follows...
codesign --deep --force --options=runtime --entitlements ../resources/entitlements.plist --sign "DEVELOPER_ID_ETC" --timestamp MyApp.app/Contents/MacOS/launcher.command
codesign --deep --force --options=runtime --entitlements ../resources/entitlements.plist --sign "DEVELOPER_ID_ETC" --timestamp MyApp.app/Contents/Java/code_jar.jar
codesign --deep --force --options=runtime --entitlements ../resources/entitlements.plist --sign "DEVELOPER_ID_ETC" --timestamp MyApp.app/Contents/PlugIns/OSX_JRE
codesign --deep --force --options=runtime --sign "DEVELOPER_ID_ETC" --timestamp MyApp.app/Contents/Resources/app_icon.icns
codesign --deep --force --options=runtime --entitlements ../resources/entitlements.plist --sign "DEVELOPER_ID_ETC" --timestamp MyApp.app
codesign -vv MyApp.app
zip -r MyApp_APP.zip MyApp.app
../notarytool submit MyApp_APP.zip --keychain-profile "Developer-notarytool" --wait
...at which point I receive an 'invalid' response from the server that notarytool uploads to. The "codesign -vv" step passes without complaint, so is there any way to get more information about what's causing the notarisation failure?
I have been having this problem since xcode cloud came out, it is a shame that this tool cannot be used, I have this problem that xcode cloud always fails to form the code, I have already tried deleting the xcode cloud certificates.
Invalid Signature. Code failed to satisfy specified code requirement(s). The file at path “MyApp.app/MyApp” is not properly signed. Make sure you have signed your application with a distribution certificate, not an ad hoc certificate or a development certificate. Verify that the code signing settings in Xcode are correct at the target level (which override any values at the project level). Additionally, make sure the bundle you are uploading was built using a Release target in Xcode, not a Simulator target. If you are certain your code signing settings are correct, choose “Clean All” in Xcode, delete the “build” directory in the Finder, and rebuild your release target. For more information, please consult https://developer.apple.com/support/code-signing.
I have a security agent plugin that uses NSXPCConnection to communicate with a launch daemon. This works well, but I want to make sure the launch daemon has not been compromised. I added code to call setCodeSigningRequirement in my module that handles the client side of the NSXPCConnection. However, when used in the security agent plugin, remoteObjectProxyWithErrorHandler reports an error
NSCocoaErrorDomain Code=4102 "The code signature requirement failed."
If I call my xpc module from a test application, I do not receive an error and everything works as expected. I have tried different code signing requirements. Even with just "anchor apple generic" I still get the error.
The console log shows two entries of interest
com.apple.SecurityAgentHelper.arm64 default 09:13:29.677567-0500 SecurityAgentHelper-arm64 EOGSecurityServiceClient biometricAuthorization remote proxy error: Error Domain=NSCocoaErrorDomain Code=4102 "The code signature requirement failed." UserInfo={NSDebugDescription=The code signature requirement failed.}
I am in the process of notarizing a dmg file. We are getting some errors in the process. These errors can be retrieved from the notarytool -log option. However, I would like to get the error in a link form like we used to get with altool so that I could share it with my team. Does anyone know how to get a link for the failure log?
Hi everyone,
I'm hearing online that the macOS App Notarization service won't work for some Chinese app developers. They say that personal Apple Developer accounts in China (supposedly having membership subscription) are restricted from using this service or their macOS apps won't pass notarization process probably due to some "strict legal regulations". I want to ask if this is true? Or is it just they failed to follow some of the technical requirements of this process?
Hi again, experts
I have a problem :D
My app craseh on startup, when creating it in AppStore Mode and I have absolutely no idea, why.
The only difference betweed my Developer-ID-Mode and AppStore-Mode is, tha differnet certificates are used and a tool runs, that does something with the info.plist.
(and the stapler tool, that runs in devID-Mode, is of course not used in appstore-mode)
Here is, what I do, when creating the binary:
/usr/bin/plutil -convert binary1 "/Users/me/somewhere/myapp.app/Contents/Info.plist"
(the above line is not used in Dev-ID-Mode)
/usr/bin/codesign --entitlements "/Users/me/somewhere/myapp.entitlements" --deep -s "DeveloperAppCert" -f "/Users/me/somewhere/hansimaticoffice.app"
/usr/bin/productbuild --component "/Users/me/somewhere/hansimaticoffice.app" "/Applications" --sign "MacDeveloperInstallerCert" "/Users/me/somewhere/hansimaticoffice.pkg"
Any hint?
Helo, I'm trying to upload my React Native App to test with TestFlight but in the archives when I validate the app I received the following error:
Missing signing identifier at "/var/folders/72/pp85df852gxbzn51b2b34blw0000gn/T/XcodeDistPipeline.~~~PCbJ98/Root/Payload/
Failed to cloud sign "/var/folders/72/pp85df852gxbzn51b2b34blw0000gn/T/XcodeDistPipeline.~~~PCbJ98/Root/Payload/Click+". Please file a bug report at https://feedbackassistant.apple.com.
My enterprise distribution certificate was revoked accidentally by someone. Although I created a different certificate and using it i want to trace the person responsible.
Hi,
I'm trying to upload my electron app to the App Store.
The app uploads fine to App Store Connect but runs into the following problem while processing:
Unable to Sign. This package doesn't meet the current code signing requirements. For more information, see the Code Signing and Application Sandboxing Guide at http://developer.apple.com/library/mac/#documentation/Security/Conceptual/CodeSigningGuide/AboutCS/AboutCS.html and Technical Note 2206 at https://developer.apple.com/library/mac/technotes/tn2206/_index.html Specifically, codesign generated the following errors: [ com.electron.easy-csl-electron.pkg/Payload/easy-csl-electron.app: resource fork, Finder information, or similar detritus not allowed] (90303)
Getting to this point was already a real challenge. I'm trying to use electron forge and submit my package to the App Store for which to my knowledge doesn't exist any guide at all.
So I'm kinda stuck here: I don't know what "resource fork, Finder information, or similar detritus" is and where it came from and when I search the Internet for this problem I can't find any way to solve it. I tried reading the documentation links provided but I have no idea where to even start :/
Would anybody be able to help me?
Thanks,
Ludwig
I don't know why we’re up to Xcode 16 and this stuff is still so damn difficult.
First of all, I don't know why I can't just send a .app I built for my M1 MacBook Pro to my friend who also has an M1 MacBook Pro. But even after going through the quarantine steps, he gets an alert saying the app can't be opened.
So I'm trying to do direct distribution of an archive. But that gives me two errors:
There is a problem with the request entity
You already have a current Developer ID Application Managed (With Kext) certificate or a pending certificate request.
No profiles for 'com.latencyzero.VideoBox' were found
Xcode couldn't find any Developer ID provisioning profiles matching 'com.latencyzero.VideoBox'.
The signing is managed by Xcode. CloudKit access works.
Hi there, I've been working on a JUCE audio plugin project and have created an installer for the demo to release to the public outside of the App Store.
I have built the various forms of the plugin in Xcode (standalone, AU, vst3) and have the automatic signing set up with a Developer ID Application certificate. I have been using WhiteBox Packages to create the installer to install the AU component and the vst3 on a user's computer. I can successfully sign the installer with a Developer ID Installer certificate but when I submit it for notarization, the status returns as "invalid". When looking at the Notarytool log, it says that the binary is not signed with a valid Developer ID certificate for all versions of the plugin (for AU & vst3, and both architectures, arm64 & x86_64, as well).
I can use codesign and pkgutil to confirm that the files and installer are both signed including the contents within both the AU and vst3 bundles, but the notarization still fails. I have tried to notarize just a zipped version of the plugin but that fails too. In the Customizing The Notarization Workflow documentation, it is mentioned that custom third-party installers need two rounds of notarization. I'm assuming Packages is a custom third-party installer but I don't see how two rounds of notarization is possible when I can't even notarize a zipped version of the plugin.
I am still new to Xcode and Apple Developer so there is a possibility that it's something I missed or didn't do. I've read through quite a few other posts on both this forum and the JUCE forum about similar problems but I haven't found a solution that has worked so if anyone has any ideas on how to potentially get my installer notarized, I'd greatly appreciate the advice. Thanks.
I facing issue where the system extension i try to install have message:
no related kext found for sysex 'com.apple.usbsoundriver'
com.apple.usbsoundriver:extension failed to validate! uninstalling...
uninstalling invalid extension com.apple.usbsoundriver
Is internet access is required for system extension validation? I install the driver without internet access.
This work in some others machine, only fresh reformated Mac machine without internet connection have this issue. Why is this so?
Build issue when creating an Apple Watch standalone app archive
This is an Apple Watch standalone app. (Without an iPhone app)
Even if you create an Apple Watch standalone app as a new project in Xcode, two targets are created: "iPhone target + Apple Watch target".
The iPhone target cannot be built or modified.
Usually, builds or archives are created with the Apple Watch target.
It's been a while since I updated the app, so I tried to fix it, add new features, and update it.
When I created an archive, the version kept being created as 1.0 - 1.
I entered 1.1 - 8 for the Apple Watch target.
In the previous Xcode version, when I clearly modified the version and build version of the Apple Watch target, it was reflected in the archive file.
However, in the current Xcode, it is not reflected.
Does anyone know how we can fix this issue?
Hi all,
one newbie-question only, as I din't understand the basics yet:
Do I need to be paying member of the dev programm to get an application for MacOS running on third pleoples Macs?
As far as I understand, I need to run a "notarization" of the app. Forthat I need a certificate - and that is available to dev members. maybe to paying members only ..
Thanks in advance for your hints. :)
Hi,
When postinstall tries to run another binary inside the ./scripts folder I package with pkgbuild, it gets killed by taskgated when the postinstall script tries to run it.
└── Contents
├── Helpers
├── Info.plist
├── MacOS
│ ├── UI
│ └──Worker
├── PkgInfo
├── Resources
│ ├── com.ui.plist
│ ├── com.worker.plist
│ └── icon.icns
├── _CodeSignature
│ └── CodeResources
└── embedded.provisionprofile
scripts:
├── token_installer
├── postinstall
├── token_installer
├── postinstall
How I am signing:
codesign --entitlements entitlements.plist --timestamp --options=runtime --sign "$DEVELOPER_ID" --force out/myapp.app/Contents/MacOS/UI
codesign --entitlements entitlements.plist --timestamp --options=runtime --sign "$DEVELOPER_ID" --force out/myapp.app/Contents/MacOS/Worker
codesign --entitlements entitlements.plist --timestamp --options=runtime --sign "$DEVELOPER_ID" --force ./scripts/token_installer
codesign --entitlements entitlements.plist --timestamp --options=runtime --sign "$DEVELOPER_ID" --force ./scripts/postinstall
codesign --entitlements entitlements.plist --timestamp --options=runtime --sign "$DEVELOPER_ID" --force out/myapp.app
echo "pkgbuilding..."
pkgbuild --root ./out/myapp.app --sign "$DEVELOPER_ID" --identifier com.myapp.app --version 1.0 --install-location /Applications/myapp.app --scripts ./scripts ./out/myapp.pkg
echo "productbuilding..."
# productbuild --distribution ./Distribution.xml --package-path ./out/myapp.pkg --resources . ./out/MyAppInstaller.pkg
productbuild --product requirements.plist --distribution ./Distribution.xml --package-path ./out/myapp.pkg --resources . ./out/MyAppInstaller.pkg
productsign --sign "Developer ID Installer: My Company Inc (***)" --force ./out/MyAppInstaller.pkg ./out/MyAppInstallerSigned.pkg
Sidenote: all binaries that are not the main executable, UI, get killed by taskgated, but I figured I will wrap the Worker in its own app Inside Helpers. I just do not see the point in doing that for the token_installer, since it should only be called once ever, during postinstall.
Is there a way to make it run without having to include it in the app bundle itself?
I have been trying to notarize an app since yesterday tried about 20 times at various times of the day.
Most times it stops during the upload and produces an error message
"Couldn't communicate with a helper application" which occurs at various places while downloading.
Three times the upload appeared to complete but then produced an error
"This operation could not be completed (SotoS3.S3ErrorType.Multipart.error.1
I then looked in the status log which had several entries:
Prepared archive for uploading (green check to left)
Upload failed (red x to left)
Notary error (red x to left)
The operation couldn't be completed (SotoS3.S3ErrorType...)
In Progress (grey timer icon to left)
I am developing a PCIDriverKit dext, and testing on Sequoia Beta (Version 15.0 Beta, 24A5298h). Both the dext and the "owning" application build on Xcode 16.0 beta 4. I can run the owning application and register the dext.
When the OS attempts to load the dext, though, code signing validation errors occur:
2024-07-30 15:54:02.386 Df kernel[0:ae6a] Driver com.company.Dext-Loader.dext has crashed 0 time(s)
2024-07-30 15:54:02.386 Df kernel[0:ae6a] DK: Dext_Loader_Driver-0x100001464 waiting for server com.company.Dext-Loader.dext-100001464
2024-07-30 15:54:02.388 Df kernelmanagerd[112:abb5] Found 1 dexts with bundle identifier com.company.Dext-Loader.dext
2024-07-30 15:54:02.388 Df kernelmanagerd[112:abb5] Using unique id a0cf49ca3ea45f5d54a3e8644e2dde6b0e8666c649c1e9513ca4166919038b53 to pick dext matching bundle identifier com.company.Dext-Loader.dext
2024-07-30 15:54:02.388 Df kernelmanagerd[112:abb5] Picked matching dext for bundle identifier com.company.Dext-Loader.dext: Dext com.company.Dext-Loader.dext v34 in executable dext bundle com.company.Dext-Loader.dext at /Library/SystemExtensions/B1BF8CDC-CB24-4F25-A8CA-D7A60D814861/com.company.Dext-Loader.dext.dext
2024-07-30 15:54:02.389 I kernel[0:ae71] igmp_domifreattach: reattached igmp_ifinfo for ifp XHC
2024-07-30 15:54:02.389 I kernel[0:ae71] mld_domifreattach: reattached mld_ifinfo for ifp XHC2
2024-07-30 15:54:02.389 Df kernelmanagerd[112:abb5] DextRecordTable read from plist: {
com.company.Dext-Loader.dext:
MRS-> Optional(( path: /Library/SystemExtensions/B1BF8CDC-CB24-4F25-A8CA-D7A60D814861/com.company.Dext-Loader.dext.dext; state: loaded ))
history-> [
( path: /Library/SystemExtensions/B1BF8CDC-CB24-4F25-A8CA-D7A60D814861/com.company.Dext-Loader.dext.dext; state: loaded )
]
}
2024-07-30 15:54:02.389 Df kernelmanagerd[112:abb5] Launching dext com.company.Dext-Loader.dext com.company.Dext-Loader.dext 0x100001464 a0cf49ca3ea45f5d54a3e8644e2dde6b0e8666c649c1e9513ca4166919038b53
2024-07-30 15:54:02.390 I kernelmanagerd[112:abb5] [com.apple.km:DextLaunch] Skipping addBreadcrumbForDextWithIdentifier for <private> 0
2024-07-30 15:54:02.389 Df kernel[0:ae71] ifnet_attach: Waiting for all kernel threads created for interface XHC2 to get scheduled at least once.
2024-07-30 15:54:02.389 Df kernel[0:ae71] ifnet_attach: All kernel threads created for interface XHC2 have been scheduled at least once. Proceeding.
2024-07-30 15:54:02.390 Df kernelmanagerd[112:abb5] Launching driver extension: Dext com.company.Dext-Loader.dext v34 in executable dext bundle com.company.Dext-Loader.dext at /Library/SystemExtensions/B1BF8CDC-CB24-4F25-A8CA-D7A60D814861/com.company.Dext-Loader.dext.dext
2024-07-30 15:54:02.479 E kernel[0:a9fb] (Sandbox) 1 duplicate report for Sandbox: imagent(633) deny(1) mach-lookup com.apple.contactsd.persistence
2024-07-30 15:54:02.479 E kernel[0:a9fb] (Sandbox) Sandbox: taskgated-helper(2985) deny(1) user-preference-read kCFPreferencesAnyApplication
2024-07-30 15:54:02.483 Df kernel[0:ae73] (AppleMobileFileIntegrity) AMFI: code signature validation failed.
2024-07-30 15:54:02.483 Df kernel[0:ae73] (AppleMobileFileIntegrity) AMFI: bailing out because of restricted entitlements.
2024-07-30 15:54:02.483 Df kernel[0:ae73] (AppleMobileFileIntegrity) AMFI: When validating /Library/SystemExtensions/B1BF8CDC-CB24-4F25-A8CA-D7A60D814861/com.company.Dext-Loader.dext.dext/com.company.Dext-Loader.dext:
Code has restricted entitlements, but the validation of its code signature failed.
Unsatisfied Entitlements:
2024-07-30 15:54:02.483 Df kernel[0:ae73] mac_vnode_check_signature: /Library/SystemExtensions/B1BF8CDC-CB24-4F25-A8CA-D7A60D814861/com.company.Dext-Loader.dext.dext/com.company.Dext-Loader.dext: code signature validation failed fatally: When validating /Library/SystemExtensions/B1BF8CDC-CB24-4F25-A8CA-D7A60D814861/com.company.Dext-Loader.dext.dext/com.company.Dext-Loader.dext:
Code has restricted entitlements, but the validation of its code signature failed.
Unsatisfied Entitlements:
2024-07-30 15:54:02.483 Df kernel[0:ae73] validation of code signature failed through MACF policy: 1
2024-07-30 15:54:02.483 Df kernel[0:ae73] check_signature[pid: 2984]: error = 1
2024-07-30 15:54:02.483 Df kernel[0:ae73] proc 2984: load code signature error 4 for file "com.company.Dext-Loader.dext"
2024-07-30 15:54:02.485 Df kernelmanagerd[112:abb5] [com.apple.libxpc.OSLaunchdJob:all] <OSLaunchdJob | handle=46B92B57-A90A-4EBD-8EF4-54313C6EE332>: submitAndStart completed, info=spawn failed, error=162: Codesigning issue
2024-07-30 15:54:02.483 Df kernel[0:ae73] (Sandbox) /Library/SystemExtensions/B1BF8CDC-CB24-4F25-A8CA-D7A60D814861/com.company.Dext-Loader.dext.dext/com.company.Dext-Loader.dext[2984] ==> com.apple.dext
2024-07-30 15:54:02.485 E kernelmanagerd[112:abb5] [com.apple.libxpc.OSLaunchdJob:all] <OSLaunchdJob | handle=46B92B57-A90A-4EBD-8EF4-54313C6EE332>: job failed to spawn, plist={
ProcessType => Driver
_ManagedBy => com.apple.kernelmanagerd
CFBundleIdentifier => com.company.Dext-Loader.dext
_JetsamPropertiesIdentifier => com.company.Dext-Loader.dext
LimitLoadToSessionType => System
_DextCheckInPort => <mach send right: 0xbd486ccc0> { name = 15679, right = send, urefs = 2 }
UserName => _driverkit
_NullBootstrapPort => true
ReslideSharedCache => false
LaunchOnlyOnce => true
Label => com.company.Dext-Loader.dext-0x100001464
RunAtLoad => true
ProgramArguments => [<capacity = 8>
0: /Library/SystemExtensions/B1BF8CDC-CB24-4F25-A8CA-D7A60D814861/com.company.Dext-Loader.dext.dext/com.company.Dext-Loader.dext
1: com.company.Dext-Loader.dext
2: 0x100001464
3: com.company.Dext-Loader.dext
]
SandboxProfile => com.apple.dext
}
The Xcode project uses these signing options:
Automatically manage signing
Team: Company
Provisioning Profile: Xcode Managed Profile
Signing Certificate: Apple Development: ()
The same project, with the same signing options, builds and loads its dext without issues from Xcode 15.3 on Sonoma 14.5. That same dext binary from Xcode 15.3 loads and passes the signature checks on Sequoia, but using Xcode on Sequoia is when the signature validation fails.
Can anyone suggest a way to resolve these signature validation errors? (Other than just developing on Sonoma and testing on Sequoia?)