Hello,
I am currently developing a macOS application using macOS 10.15.7 and Xcode 11.1. My application is distributed directly to users via a server, not through the App Store. I recently came across the following announcement:
"Starting November 1, 2023, the Apple notary service no longer accepts uploads from altool or Xcode 13 or earlier. If you notarize your Mac software with the Apple notary service using the altool command-line utility or Xcode 13 or earlier, you need to transition to the notarytool command-line utility or upgrade to Xcode 14 or later."
Given this change, I understand that I need to use notarytool or upgrade to Xcode 14 or later for notarization. However, upgrading my current development environment is not feasible at the moment.
I would like to know if it is possible to build my application on my current environment (macOS 10.15.7 and Xcode 11.1) and then transfer the built application to a separate machine running macOS 11.0 or later with Xcode 14 or later installed, to perform the notarization using notarytool.
Could you please confirm if this approach is acceptable and if there are any specific steps or considerations I should be aware of when using notarytool on a separate machine for notarizing my application?
Thank you for your assistance.
Best regards,
WJohn
Demystify code signing and its importance in app development. Get help troubleshooting code signing issues and ensure your app is properly signed for distribution.
Post
Replies
Boosts
Views
Activity
Hi,
If anyone can please advise -- If signing a framework inside a XCFramework is recommended/mandatory?
Xcode > Target > Signing & Capabilities
Automaticaly manage signing
Mac OS Signing Certificate: Development
--> Provisioning Profile None Required
General Identity
App Category Productivity
Transporter
Asset validation failed (90242)
--> "Cannot be used with TestFlight because the bundle at “LargeNumberCalculator.app” is missing a provisioning profile.
Main bundles are expected to have provisioning profiles in order to be eligible for TestFlight." (90889).
What is wrong: "Provisioning Profile None Required" vs "missing a provisioning profile" ?
I'm trying to use XPC communicate between a command line tool (launched from Terminal) and a macOS application. My code currently works when the app is launched from Xcode, but not if I launch the built app from the command line (open path-to-foo.app) or if I try and distribute the packaged application (via "Development" distribution). Notably, the XPC works if the command line tool is launched from the terminal as long as the app itself is launched from Xcode.
I publish the XPC service using NSXPCListener(machServiceName: <team-identifier>.com.example.my-app.service) and connect to it using NSXPCConnection(machServiceName: machServiceName). Both my command line tool and my main app identical "app group" entitlements for $(TeamIdentifierPrefix)com.example.my-app and I verified the team identifier substitution was correct in both the app and command line tool after doing distributing for "App Store", exporting, unpacking the pkg and running codesign as described here: https://developer.apple.com/documentation/xcode/embedding-a-helper-tool-in-a-sandboxed-app
I have an XPC service that embeds Python. It executes a python script on behalf of the main app.
The app and xpc service are sandboxed. All seems to work just fine in the development environment but the script fails in the released version.
I disabled writing pycache by setting the PYTHONDONTWRITEBYTECODE environment variable because pycache tries to write inside my app bundle which fails (I believe I can redirect the pycache directory with PYTHONPYCACHEPREFIX and may experiment with that later).
Specifically this line fails in the release version only (not from Xcode):
PyObject *pModule = PyImport_Import(moduleNameHere);
if (pModuleOwnedRef == NULL)
{
// this is null in release mode only.
}
Any ideas what can be going wrong? Thanks in advance.
I'm trying to install from Xcode (15.4) to my physical device (iPhone SE 3rd gen, iOS 17.5.1) but I get the following error.
My provisioning profile is from a 3rd party organization, but I have confirmed my device UUID is added to their account and that the profile does contain the beta-reports-active flag. I have also checked that this is added to the entitlements file.
It works fine it I deploy and install via TestFlight, but for obvious reasons I would prefer not to have to do that for each and every build.
Can anyone suggest how to resolve this, either with local config or by asking the account admin to modify the provisioning profiles?
Unable to Install “[redacted]”
Domain: IXUserPresentableErrorDomain
Code: 14
Recovery Suggestion: Failed to install embedded profile for [redacted] : 0xe800801f (Attempted to install a Beta profile without the proper entitlement.)
User Info: {
DVTErrorCreationDateKey = "2024-07-03 12:47:34 +0000";
IDERunOperationFailingWorker = IDEInstallCoreDeviceWorker;
}
--
Unable to Install “[redacted]”
Domain: IXUserPresentableErrorDomain
Code: 14
Recovery Suggestion: Failed to install embedded profile for [redacted] : 0xe800801f (Attempted to install a Beta profile without the proper entitlement.)
User Info: {
IDERunOperationFailingWorker = IDEInstallCoreDeviceWorker;
}
--
Failed to install the app on the device.
Domain: com.apple.dt.CoreDeviceError
Code: 3002
User Info: {
NSURL = "file:///Users/dan/Library/Developer/Xcode/DerivedData/iosApp-gxsprezneuyftnhbmfyfssbeojgd/Build/Products/Debug%20development-iphoneos/[redacted].app/";
}
--
Unable to Install “[redacted]”
Domain: IXUserPresentableErrorDomain
Code: 14
Failure Reason: This app cannot be installed because its integrity could not be verified.
Recovery Suggestion: Failed to install embedded profile for [redacted] : 0xe800801f (Attempted to install a Beta profile without the proper entitlement.)
--
Failed to install embedded profile for [redacted] : 0xe800801f (Attempted to install a Beta profile without the proper entitlement.)
Domain: MIInstallerErrorDomain
Code: 13
User Info: {
FunctionName = "-[MIInstallableBundle _installEmbeddedProfilesWithError:]";
LegacyErrorString = ApplicationVerificationFailed;
LibMISErrorNumber = "-402620385";
SourceFileLine = 308;
}
--
Event Metadata: com.apple.dt.IDERunOperationWorkerFinished : {
"device_isCoreDevice" = 1;
"device_model" = "iPhone14,6";
"device_osBuild" = "17.5.1 (21F90)";
"device_platform" = "com.apple.platform.iphoneos";
"dvt_coredevice_version" = "355.28";
"dvt_mobiledevice_version" = "1643.100.60";
"launchSession_schemeCommand" = Run;
"launchSession_state" = 1;
"launchSession_targetArch" = arm64;
"operation_duration_ms" = 3497;
"operation_errorCode" = 14;
"operation_errorDomain" = IXUserPresentableErrorDomain;
"operation_errorWorker" = IDEInstallCoreDeviceWorker;
"operation_name" = IDERunOperationWorkerGroup;
"param_debugger_attachToExtensions" = 0;
"param_debugger_attachToXPC" = 1;
"param_debugger_type" = 3;
"param_destination_isProxy" = 0;
"param_destination_platform" = "com.apple.platform.iphoneos";
"param_diag_MainThreadChecker_stopOnIssue" = 0;
"param_diag_MallocStackLogging_enableDuringAttach" = 0;
"param_diag_MallocStackLogging_enableForXPC" = 1;
"param_diag_allowLocationSimulation" = 1;
"param_diag_checker_tpc_enable" = 1;
"param_diag_gpu_frameCapture_enable" = 0;
"param_diag_gpu_shaderValidation_enable" = 0;
"param_diag_gpu_validation_enable" = 0;
"param_diag_memoryGraphOnResourceException" = 0;
"param_diag_queueDebugging_enable" = 1;
"param_diag_runtimeProfile_generate" = 0;
"param_diag_sanitizer_asan_enable" = 0;
"param_diag_sanitizer_tsan_enable" = 0;
"param_diag_sanitizer_tsan_stopOnIssue" = 0;
"param_diag_sanitizer_ubsan_stopOnIssue" = 0;
"param_diag_showNonLocalizedStrings" = 0;
"param_diag_viewDebugging_enabled" = 1;
"param_diag_viewDebugging_insertDylibOnLaunch" = 1;
"param_install_style" = 0;
"param_launcher_UID" = 2;
"param_launcher_allowDeviceSensorReplayData" = 0;
"param_launcher_kind" = 0;
"param_launcher_style" = 99;
"param_launcher_substyle" = 8192;
"param_runnable_appExtensionHostRunMode" = 0;
"param_runnable_productType" = "com.apple.product-type.application";
"param_structuredConsoleMode" = 1;
"param_testing_launchedForTesting" = 0;
"param_testing_suppressSimulatorApp" = 0;
"param_testing_usingCLI" = 0;
"sdk_canonicalName" = "iphoneos17.5";
"sdk_osVersion" = "17.5";
"sdk_variant" = iphoneos;
}
--
System Information
macOS Version 14.3 (Build 23D56)
Xcode 15.4 (22622) (Build 15F31d)
Timestamp: 2024-07-03T13:47:34+01:00
Hello everyone!
I'm developing framework and app for macOS for PCI devices. For communication with driverkit, I'm verifying by giving userclient access entities of system extension to app.
However, the app is just a sample program, and our customer is trying to develop the app using a framework with PCI communication part.
Is there a way to build a framework with my company's signature, and to build and execute it without acquiring userclient access elements by any chance by a customer developer?
Moreover, userclient access is only available to developers who have subscribed to the Apple Developer Program, so I hope that client/developers do not need to obtain separate entries.
This afternoon notarization started throwing an error in terminal. I confirmed that the NOTARIZE_APP_LOG was created, but empty. I have been notarizing our apps on this machine (intel-12.7) with Xcode 13.4.1 for over a year without issue. Any suggestions would be greatly appreciated
9192 Bus error: 10 xcrun notarytool submit --apple-id "$ASC_USERNAME" --password "$ASC_PASSWORD" --team-id "$ASC_TEAM" "$ZIP_PATH" > "$NOTARIZE_APP_LOG" 2>&1
Translated Report (Full Report Below)
Process: notarytool [9192]
Path: /Library/Developer/CommandLineTools/usr/bin/notarytool
Identifier: notarytool
Version: ???
Code Type: X86-64 (Native)
Parent Process: bash [2167]
Responsible: Terminal [2142]
User ID: 501
Date/Time: 2024-07-02 16:29:33.5256 -0600
OS Version: macOS 12.7 (21G816)
Report Version: 12
Bridge OS Version: 8.0 (21P365)
Anonymous UUID: 9AFB52C6-5CA1-7AE0-C249-9D090ABDFD28
Time Awake Since Boot: 820 seconds
System Integrity Protection: enabled
Crashed Thread: 1 Dispatch queue: nio.nioTransportServices.connectionchannel
Exception Type: EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000700009d77ff0
Exception Codes: 0x0000000000000002, 0x0000700009d77ff0
Exception Note: EXC_CORPSE_NOTIFY
Termination Reason: Namespace SIGNAL, Code 10 Bus error: 10
Terminating Process: exc handler [9192]
We've been notarizing apps for a while now and have been through agreement changes before. But we still keep getting the following error when trying to notarize:
Conducting pre-submission checks for myapp.dmg and initiating connection to the Apple notary service...
Error: HTTP status code: 403. A required agreement is missing or has expired. This request requires an in-effect agreement that has not been signed or has expired. Ensure your team has signed the necessary legal agreements and that they are not expired.
We've been through every document in our account to ensure it is signed. Is there any way to determine what document is not signed or what our issue is ? ...thanks
0 * H ÷
0 1
0 ` H e 0 8 * H ÷
) %
Apple Confidential Profile. Do not distribute. Not to be used or disclosed without permission from Apple. Copyright © 2023, Apple Inc. All rights reserved.
PayloadContent
PayloadContent
DefaultsData
SeedGroup
PublicBeta
DefaultsDomainName
.GlobalPreferences
DefaultsData
SeedProgram
PublicSeed
DefaultsDomainName
com.apple.seeding
DefaultsData
SBIconVisibility
DefaultsDomainName
com.apple.appleseed.FeedbackAssistant
DefaultsData
MobileAssetAssetAudience
48407998-4446-46b0-9f57-f76b935dc223
MobileAssetSUAllowOSVersionChange
MobileAssetSUAllowSameVersionFullReplacement
MobileAssetServerURL-com.apple.MobileAsset.MobileSoftwareUpdate.UpdateBrain
https://mesu.apple.com/assets/iOS17PublicSeed
MobileAssetServerURL-com.apple.MobileAsset.SoftwareUpdate
https://mesu.apple.com/assets/iOS17PublicSeed
MobileAssetServerURL-com.apple.MobileAsset.SoftwareUpdateDocumentation
https://mesu.apple.com/assets/iOS17PublicSeed
DefaultsDomainName
com.apple.MobileAsset
PayloadIdentifier
com.apple.applebetasoftware
PayloadType
com.apple.defaults.managed
PayloadUUID
617630D8-C055-40A1-A4E8-AC30FD8A5ACE
PayloadVersion
1
PayloadDescription
Configures your iOS/iPadOS device for use with the Apple Beta Software Program.
PayloadDisplayName
iOS 17 & iPadOS 17 Beta Software Profile Beta Software Profile
PayloadIdentifier
com.apple.applebetasoftware
PayloadOrganization
Apple Inc.
PayloadRebootSuggested
PayloadType
Configuration
PayloadUUID
0C90EE68-9104-4D65-80A5-538784AAE2BE
PayloadVersion
1
RemovalDate
2025-01-31T00:00:00Z
TargetDeviceType
1
s0 0 ¹ûe J i0
H ÷
0b1 0 U US1 0 U
Apple Inc.1&0$ U Apple Certification Authority1 0 U
Apple Root CA0
130524174337Z
280524174337Z0 1@0> U 7Apple Application Integration 2 Certification Authority1&0$ U Apple Certification Authority1 0 U
Apple Inc.1 0 U US0 "0
H ÷
0
¸H¡glV åpÅFô¯
ã½:Þ¡çÙ¨6< b¥| G³k ¬þØtæ 5°XOtØ£þí-î¤s%YÔ Ü&Ï ' T Ü ±à3 b ȹ¯6 ¤j § mÝÝ -Ì } Ì) £É ª¢ìÙ gi < ¿D($±Ä,5Ö± %ïP§ Û%ÆÃOo[ ¾ñ §Ôl^²9. ©ám ;®9q? ó¹ôW #O ^ ð X¾µÑìײ~Âeâñì<¦ünÛV³î
² KÉ¢ðñ1ö®Þ5là ^Pc ¶ºm\Àã & J Þ ©°Zoû k ìÝß2Þü.B¢ÊxZ× £ ¦0 £0 U ÷¾|! Û= {Ø:2 iß l 0 U ÿ 0 ÿ0 U # 0 +ÐiG v þôk .@¦÷GM ^0. U '0%0# ! http://crl.apple.com/root.crl0 U ÿ 0 * H ÷cd 0 * H ÷ Í ý¤]õñÀ I ݳ3 Ð! ãÙÖÚ¯ "
<YBñ- ¶?ÿôôî jxÁ.û;L ®eCËϨ ë=7 E/ J ¨ k â Ûïg¸ ñäØ qwÓó ௤ê( ¤?4ye6 T Aq× !ÜPUEÎ ¼÷ÜUгÊ(Q¬sQ ¬y n 7 a1/¡Ñºëá\7ÀØÑ çà RB¤ ö"| À?Á
ÕÂ'c°bV í%ôÌ ÜT ·yè
8@¹ íMbÔ+ö) ñg¡á r w ö +Q Sòó óè¿¡ &Ïü 7»@0 S0 ; À6 k
0
* H ÷
0 1@0> U 7Apple Application Integration 2 Certification Authority1&0$ U Apple Certification Authority1 0 U
Apple Inc.1 0 U US0
201214200231Z
231214200231Z0s1.0, U %AppleCare Profile Signing Certificate1 0 U Configuration Profiles1 0 U
Apple Inc.1 0 U US0 "0
* H ÷
0
Ú ûñ E0H( ì ¶A¤[ûB JVßúLWæýøÖf ö×ïÃWWÀ[kh ³oíR téAj ³ » Q¬w é ÷;$Þ #Àå °»¤ýg Bªb}ÏñAó,³! ÄûÑhsÏû ê ÒdËt©P
+ñ üûSï fÄ eï2ÝV^"þïÑ8 {H ôF ¯ÉU w. ×N_ Ü H $&uwY``éL5 õ îÚzø OÝ ¿Ó r¡ëD;HÒ y åÈH'>øÊ ØòÖQnÜ ° +ùl· TÚ ç2 S¥ÿQ ¾*i'¥\ ?W°ßº"zoS5Sû¢ÔÑ"XÜ/ £ Ï0 Ë0 U ÿ 00 U # 0 ÷¾|! Û= {Ø:2 iß l 0@ + 40200 + 0 $http://ocsp.apple.com/ocsp04-aaica020 U 0 0 þ H ÷cd 0 ð0( + http://www.apple.com/appleca0 à + 0 ¶ ³Reliance on this certificate by any party assumes acceptance of the then applicable standard terms and conditions of use, certificate policy and certification practice statements.0 U % ÿ
0 H ÷cd 0 U 9S öÇGÔÆ?£l% ê$% º·0 U ÿ 0 * H ÷ Sß3çhÂ- 3=%à¬q dÙ ER ÷ ßù¾) ?nC ØÎò, ]¶OLE. |g#æ Qg% Ǽ ªë K · Êç S¥Oï p4 Ú¾ ²Õ ë( ÷¸Ìæs¾ ¦æ@ Äç0AFï t,Th ÏEi § |ààÞ Ú:K q÷Ûø·É õ y¬[$GÉ ø ¤HÞÖ Ü w +÷p ¥A¥ ]z ] ï òé/ ûö tîPøSo¿Ä|à IlÓV¾é * ä<ÈçÌÈ ïø¯f°3 Æ5 s¸ x¦cPb b ÉU ´V×&ñ¦ èv¹ |:¯"Ð hŲ1 =0 9 9S öÇGÔÆ?£l% ê$% º·0 H e 0 * H ÷ ûÄÄD úªÀg ¸« y6íÛÜ*ú ºÝ¤¢ ~/vÝæBx Ä
æ,þPß ò Âï
j¦·tu¾ðì×v 5ã¸pñ ìçó%¡Òª ±Q| ½ jÆË ü fK0 $ö4 }| `óq( ÈÄ· ®jÈÑ §?)ÍTÀ a ìø&¸7¡ï#¼£> Îer ¤ÑÍ ¨ \zHkN© <5 ýò¼F4ó »¨"\ Á Ô dêGivo&D
Ö
Y\¸ì äAÏáî lã!1À ±_4ñ g4t Cá ² !~)Hî Æ$
ã¦Úø)>e ,èòSûtÖ·ú$,y
Hi,
I have a PCI DriverKit System Extension project that our team has tested, and the entitlements are not a problem.
Once we decided to place the project to the Apple Store the review team requested to add "App Sandbox" entitlement to the project. Then I added the entitlement manually to the ".entitlements" file ( I couldn't do that using the Xcode add entitlement section because since it is a driverkit project, the "App sandbox" is not visible in the entitlements page ) and re-packaged the project for distribution. Later on, I saw that the entitlement was removed during the packaging process.
I also tried to add that using the "build settings" page in Xcode (the signing section ), but I had no luck.
I feel like I'm being misled by the review team. Do you know if the "App sandbox" entitlement is applicable to a DriverKit project ?
我创建了一个developer id instanller 证书,并且安装在自己电脑上,我使用productbuild --component xx.app /Applications --sign "Developer ID Installer: " --product xx.app/Contents/Info.plist ST.pkg签名并生成pkg,使用 spctl -a -v --type install ST.pkg 去验证签名的时候,出现rejected
source=Unnotarized Developer ID,我不知道哪里有问题,将pkg安装到其他电脑也会出现pkg无法打开,apple无法检查是否包含恶意软件 提示信息,希望可以得到大家的帮助谢谢,
In my developper account, "Certificates, Identifiers & Profiles" show
two "Developer ID Installer" certificates (Expiration Date 2027/05/13 and 2027/02/01)
I did not found any way to delete, remove or revoke one.
How can I fix it ?
Xcode complaint "Command CodeSign failed with a nonzero exit code"
Previouly I put right this error with the command:
xattr -cr path_to_application
but this no longer work.
Hi, I'm shipping a GUI app based on Golang outside App Store distribution, for the distribution, I have already sign and notarize the .App and the .Pkg installer, now there is a feature called self-update on my app which basically
app check if there is any update
the same program request a sudo access to rewrite current binary file content
the program will restart after the update completed
Now, I have already sign the updated binary via signing and notarization process, and I take the compiled Golang binary inside Content/MacOS to be used for self-update proses
but it doesn't work as expected, the updated binary are fail to run with error "Can't open the app" or if we try to call it on CLI, it will show "Killed 9"
what did I'm missing? thankyou
I've developed a mobile app in Visual Studio 2022 on Windows 11 on the MAUI platform. I'm Pair to a remote Mac machine to test/debug on an iOS Simulator. I was previously able to test on the remote mac machine simulator with not problems. I added some features including Geolocation and now I get the following error:
error MSB6006: "codesign" exited with code 3.
These are the last few lines in the Output window:
1> [xma][info]: Starting remote task execution for 'TriStar.Mobile.DriverPortal': Xamarin.MacDev.Tasks.CodesignVerify
1> [xma][info]: Sending Request Xamarin.Messaging.Build.Contracts.ExecuteTaskMessage to topic xvs/build/17.2.8053/execute-task/TriStar.Mobile.DriverPortal/8f2f6e4002fCodesignVerify
1> [xma][info]: Received Response of Xamarin.Messaging.Build.Contracts.ExecuteTaskMessage to topic build2424827232benbl/+/xvs/build/17.2.8053/execute-task/TriStar.Mobile.DriverPortal/8f2f6e4002fCodesignVerify
1> CodesignVerify: 2024-05-31T17:36:08.1417751-05:00 - Logging messages
1> Environment Variables passed to tool:
1> CODESIGN_ALLOCATE=/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate
1> /usr/bin/codesign --verify -vvvv "-R=anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.1] exists and (certificate leaf[field.1.2.840.113635.100.6.1.2] exists or certificate leaf[field.1.2.840.113635.100.6.1.4] exists)" bin/Debug/net8.0-ios/iossimulator-arm64//TriStar.Mobile.DriverPortal.app
1> bin/Debug/net8.0-ios/iossimulator-arm64//TriStar.Mobile.DriverPortal.app: valid on disk
1> bin/Debug/net8.0-ios/iossimulator-arm64//TriStar.Mobile.DriverPortal.app: satisfies its Designated Requirement
1> test-requirement: code failed to satisfy specified code requirement(s)
1> C:\Program Files\dotnet\packs\Microsoft.iOS.Sdk\17.2.8053\tools\msbuild\iOS\Xamarin.Shared.targets(2059,3): error MSB6006: "codesign" exited with code 3.
Is there a problem or conflict with my entitlements?
<dict>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.network.client</key>
<true/>
</dict>
The remote Mac is a Mac-In-Cloud running xCode 15.3 and Visual Studio 2022.
My dev machine is running Windows 11 and VS 2022
In my Windows VS MAUI project I have
<PropertyGroup Condition="'$(TargetFramework)'=='net8.0-ios'">
<EnableCodeSigning>true</EnableCodeSigning>
<CodesignKey>Apple Development: BENJAMIN BLA... (7AGK....)</CodesignKey>
<ProvisioningType>automatic</ProvisioningType>
<CodesignProvision>VS: com.tristarfreightsys.driverportal Development</CodesignProvision>
</PropertyGroup>
VS: com.tristarfreightsys.driverportal Development is the Provisioning Profile automatically generated by VS.
My Development Certiifcate and Distrubution Cert are in the Mac Keychain and in my VS
Good day,
I'm trying to get my app notarized, so I can distribute it, but my submissions get stuck on 'In Progess'.
On the 20th of June I made several submissions which seems to have disappeared. When I do 'xcrun notarytool history' they are not there anymore.
On the 21th Of June I made 2 new submission attempts with ids d68ca68e-ddfb-42c2-a491-0b24ac6efdc2 and 5f0118c9-0edd-4213-827b-a2ff53e40f27, which had been running for several hours last time I checked on the the 21th, but have also disappeared over the weekend from my history.
I checked the app with the steps described here: https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues, but all the checks were fine.
Since there is no error message or log, I have no clue why my submissions get stuck on 'In Progress' or disappear.
I've just submitted a new attempt with id 23a39a69-79a8-435c-a500-17ce1422c1fc and again it's stuck. Can anybody give any assistance?
Hello, I referred to the official camera extension example at https://developer.apple.com/documentation/coremediaio/creating_a_camera_extension_with_core_media_i_o?language=objc. I'm using CMake to build the camera extension plugin and integrate it into a Qt CMake project. When installing the system extension file, I receive a failure prompt with the following message:
Error Domain=OSSystemExtensionErrorDomain Code=8 "Invalid code signature or missing entitlements" UserInfo={NSLocalizedDescription=Invalid code signature or missing entitlements}
Here are the entitlements files for the camera extension:
<?xml version=\"1.0\" encoding=\"UTF-8\"?>
<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">
<plist version=\"1.0\">
<dict>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.application-groups</key>
<array>
<string>com.yealink.meeting.app</string>
</array>
</dict>
</plist>
The info.List.in file for the camera extension:
<?xml version=\"1.0\" encoding=\"UTF-8\"?>
<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">
<plist version=\"1.0\">
<dict>
<key>CMIOExtension</key>
<dict>
<key>CMIOExtensionMachServiceName</key>
<string>$(TeamIdentifierPrefix)$(PRODUCT_BUNDLE_IDENTIFIER)</string>
</dict>
</dict>
</plist>
And the entitlements file for the app:
<?xml version=\"1.0\" encoding=\"UTF-8\"?>
<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">
<plist version=\"1.0\">
<dict>
<key>com.apple.developer.system-extension.install</key>
<true/>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.application-groups</key>
<array>
<string>com.yealink.meeting.app</string>
</array>
<key>com.apple.security.device.camera</key>
<true/>
<key>com.apple.security.device.microphone</key>
<true/>
<key>com.apple.security.device.usb</key>
<true/>
<key>com.apple.security.network.client</key>
<true/>
<key>com.apple.security.network.server</key>
<true/>
<key>com.apple.security.personal-information.location</key>
<true/>
</dict>
</plist>
I'm looking forward to your response.
I got into trouble setting up my X-Code team ID. My user ID suddenly changed.
Please take a look at the first screenshot. This is the certificate I was originally using, and I got a new certificate because it's about to expire. The new certificate is the second screenshot. But you can check that the ID is different.
The problem is that the Apple login function is not working properly because the ID is different (I'm using Unity to develop a game) Can you tell me why the user ID has changed and I can't change it to the original one?
I have an app that runs on both iOS and visionOS (native). Both app use the same project, just some files and code segments are different. We do not use automatic signing. Instead we use a Distribution profile. When creating a distribution profile and adding capabilities there are certain capabilities we are using on iOS that are not available on visionOS. Like the com.apple.developer.kernel.increased-memory-limit and the Extended Virtual Addressing Entitlement. My understanding is that we can only have one Distribution profile per app (may be wrong understanding). My question is how can we have two separate distribution profiles for iOS and visionOS, so iOS can have those extra capabilities that aren't available on visionOS?
I tried to create two separate targets, one for iOS and one for visionOS, but that still gives me the same issue of having the distribution profile being the same and not being able to make it unique for iOS and visionOS. Is there a correct approach to setting up the Xcode project or the distribution profile?
I'm new to visionOS development and distribution profiles, any guidance would be appreciated. Let me know if you have any questions or need more clarification.
I have signed and notarized a single executable file command line tool developed outside Xcode, and distributed outside of the App store by way of a download from a website as follows below, but nevertheless gatekeeper blocks running the tool with the usual message, just like without signing or notarization.
If I remove the com.apple.quarantine xattr, the tool runs as it should without gatekeeper interference, as expected.
I have browsed countless posts here, with similar issues, but in the end I can't find what's wrong with the process.
From what I gather, as long as the target Mac is connected to the Internet, stapling should not be required (I do understand I can't staple a single file executable command line tool), although Gatekeeper would be expected to complain in the case of the first run being done without Internet connection.
The certificate is a "Developer Id Application" certificate, installed and valid on the machine doing the signing.
It is unclear to me what the distinction is between "Developer Id Application" and "Developer Id Installer" certificates, but it's confusing that using -t install with spctl will actually accept the app.
The app is open source and available on GitHub (although the full distribution packaging is done in a separate build environment with some additional logic). The app used below as the target for signing and notarization is available to download from https://www.axantum.com/ in a .tar.gz archive.
Here follows a log of commands and output:
XecretsCli.plist: (This was necessary to add to the signing to avoid corruption of the executable by the code signing)
codesign -s GCXRMT5SQC -f --timestamp -s 0CF6800E595AA6DE9EBB905066619A9BFDD17A77 --entitlements XecretsCli.plist -o runtime XecretsCli
codesign -d -vvv --entitlements :- XecretsCli
Executable=/Users/svante/Downloads/XecretsCli-Osx-2.3.567 3/XecretsCli
Identifier=XecretsCli
Format=Mach-O thin (x86_64)
CodeDirectory v=20500 size=271478 flags=0x10000(runtime) hashes=8473+7 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=d3a8216fcb22b4a4af7bd0157ecc3d2b6be9f9b2
CandidateCDHashFull sha256=d3a8216fcb22b4a4af7bd0157ecc3d2b6be9f9b20c9e3c17e107f08c7ae75c5a
Hash choices=sha256
CMSDigest=d3a8216fcb22b4a4af7bd0157ecc3d2b6be9f9b20c9e3c17e107f08c7ae75c5a
CMSDigestType=2
CDHash=d3a8216fcb22b4a4af7bd0157ecc3d2b6be9f9b2
Signature size=8987
Authority=Developer ID Application: Axantum Software AB (GCXRMT5SQC)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Jun 20, 2024 at 13:26:05
Info.plist=not bound
TeamIdentifier=GCXRMT5SQC
Runtime Version=13.1.0
Sealed Resources=none
Internal requirements count=1 size=172
Warning: Specifying ':' in the path is deprecated and will not work in a future release
codesign -v -vvv --strict --deep XecretsCli
XecretsCli: valid on disk
XecretsCli: satisfies its Designated Requirement
zip XecretsCli.zip XecretsCli
adding: XecretsCli (deflated 63%)
xcrun notarytool submit "XecretsCli.zip" --keychain-profile "Notarize" --wait
Conducting pre-submission checks for XecretsCli.zip and initiating connection to the Apple notary service...
Submission ID received
id: e5990902-3101-42de-a1a6-b9ea40b944b8
Upload progress: 100.00% (12.4 MB of 12.4 MB)
Successfully uploaded file
id: e5990902-3101-42de-a1a6-b9ea40b944b8
path: /Users/svante/Downloads/XecretsCli-Osx-2.3.567 3/XecretsCli.zip
Waiting for processing to complete.
Current status: Accepted........
Processing complete
id: e5990902-3101-42de-a1a6-b9ea40b944b8
status: Accepted
spctl -a -vvv XecretsCli
XecretsCli: rejected (the code is valid but does not seem to be an app)
origin=Developer ID Application: Axantum Software AB (GCXRMT5SQC)
spctl -a -vvv -t install XecretsCli
XecretsCli: accepted
source=Notarized Developer ID
origin=Developer ID Application: Axantum Software AB (GCXRMT5SQC)
Trying to run the executable:
"XecretsCli" can't be opened
because the identity of the
developer cannot be confirmed.
Your security preferences allow
installation of only apps from the App
Store and identified developers.
Chrome downloaded this file today at
10:37.
OK