Post not yet marked as solved
I'm trying to build my Expo app. I already built it for Android, but now I'm struggling to create a release on iOS to upload on TestFlight. I have the apple developer account of my university, and they added our bundle ID there(I'm not an admin). When I try to build with EAS, it requires a p12 file.
So, I tried to generate it in this way:
From Keychain Access I created a CSR(by adding my mail and name) and then on Apple Developers I uploaded it(Certificates > +), so I downloaded a .cer file
I opened the .cer on Keychain Access and I dragged it under "login" section
From there I exported the p12 file
But that p12 gives me always this error when I run npx eas build --platform ios :
Provided Distribution Certificate is no longer valid on Apple's server
after submitting the p12 file on eas console.
Can someone help us?
Thanks in advance for your availability :)
Hi everyone,
Has this every happened to you? If so, how did you resolve it?
Submitting my app for review, I got the following rejection:
Guideline 2.4.5(ii) - Performance
The package currently available in App Store Connect cannot be installed and may be corrupted.
Next Steps
Please rebuild your application and upload a new version. If this issue continues, please contact Apple Developer Technical Support for help investigating the issue.
DTS referred me back to app review:
We are unable to help you resolve this matter. Please circle back with the App Review team for assistance.
I'm building the .pkg with productbuild:
xcrun productbuild --product WFH\ Phone\ Webcam.app/Contents/Info.plist --component WFH\ Phone\ Webcam.app /Applications --sign "3rd Party Mac Developer Installer: Mansour Moufid (42A2D88R9U)" --timestamp WFH\ Phone\ Webcam.pkg
and uploading it with altool:
xcrun altool --username "..." --password "..." --validate-app --file WFH\ Phone\ Webcam.pkg --type osx
xcrun altool --username "..." --password "..." --upload-app --file WFH\ Phone\ Webcam.pkg --type osx
The .pkg signature looks fine:
xcrun pkgutil --check-signature WFH\ Phone\ Webcam.pkg
Package "WFH Phone Webcam.pkg":
Status: signed by a developer certificate issued by Apple (Development)
Signed with a trusted timestamp on: 2024-04-29 14:11:27 +0000
Certificate Chain:
1. 3rd Party Mac Developer Installer: Mansour Moufid (42A2D88R9U)
Expires: 2025-03-13 20:11:55 +0000
SHA256 Fingerprint:
CB 8A 12 1D 4D 16 29 27 08 30 07 1C 6C F6 1C F4 85 6E AE F1 B1 34
68 F7 81 6D C3 3B 1B 8C 5D 32
------------------------------------------------------------------------
2. Apple Worldwide Developer Relations Certification Authority
Expires: 2030-02-20 00:00:00 +0000
SHA256 Fingerprint:
DC F2 18 78 C7 7F 41 98 E4 B4 61 4F 03 D6 96 D8 9C 66 C6 60 08 D4
24 4E 1B 99 16 1A AC 91 60 1F
------------------------------------------------------------------------
3. Apple Root CA
Expires: 2035-02-09 21:40:36 +0000
SHA256 Fingerprint:
B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C
68 C5 BE 91 B5 A1 10 01 F0 24
The app's signature also checks out:
codesign --strict --deep --verbose --verify WFH\ Phone\ Webcam.app
WFH Phone Webcam.app: valid on disk
WFH Phone Webcam.app: satisfies its Designated Requirement
I have no idea what "cannot be installed and may be corrupted" means and app review is not responding to my request for more information...
Post not yet marked as solved
I have a personal app I use only for myself on my iPhone. I do not distribute this. Its stops working every year when my renewal comes up. Once I renew my subscription I reload the app onto my phone and it works again. Is there a way that I can have it work forever without having to reload it every year? Sometimes I forget to reload after my renewal and it does not work until I do so.
Post not yet marked as solved
Hi,
I have codesigned my application and after this macos won't run the binary anymore.
codesign -f -o runtime --timestamp -s "Developer ID Application: YOUR NAME (TEAM_ID)" --entitlements $HOME/workspace/GSequencer-cocoa/gsequencer-macos/macos-contrib/GSequencer.entitlements -i com.gsequencer.GSequencer --deep $HOME/workspace/GSequencer-cocoa/gsequencer-macos/build/universal/GSequencer.app
Verify signature works.
codesign -vv $HOME/workspace/GSequencer-cocoa/gsequencer-macos/build/universal/GSequencer.app
The same for the DMG file, still doesn't work anymore.
codesign -f -o runtime --timestamp -s "Developer ID Application: YOUR NAME (TEAM_ID)" $HOME/workspace/GSequencer-cocoa/gsequencer-macos/build/arm64/GSequencer-6.9.1.dmg
I would love to distribute my application with code signing. Note all libraries are built using clang or clang++.
I figured out that when I leave entitlements away it would launch but complains about library signatures.
regards, Joël
Post not yet marked as solved
Hi,
I am experience crashes with my application after code signing, this didn't happen before. Does OpenGL require special permissions?
GSequencer stack-trace gtk4 crash
by, Joël
Post not yet marked as solved
I am able to successfully install the app on my device, but I am unable to verify the app.
Steps to reproduce:
Navigate to Settings -> VPN & Device Management on iPhone 14
Select developer under Developer App
Select trust this computer
Attempt to Verify App
The "Verify App" button has no effect. The app can still be installed when built, but is not able to be opened. Navigating to ppq.apple.com in a browser results in a "cannot be trusted":
Post not yet marked as solved
After upload using transporter I get following message:
"Cannot be used with TestFlight because the signature for the bundle at “GSequencer.app” is missing an application identifier but has an application identifier in the provisioning profile for the bundle. Bundles with application identifiers in the provisioning profile are expected to have the same identifier signed into the bundle in order to be eligible for TestFlight." (90886)
I am unsure about the cause of this problem, please give some advice howto fix?
Hi,
My application doesn't start playback anymore after signing it with entitlements.
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.files.user-selected.read-only</key>
<true/>
<key>com.apple.security.device.audio-input</key>
<true/>
<key>com.apple.security.device.microphone</key>
<true/>
<key>com.apple.security.assets.music.read-write</key>
<true/>
<key>com.apple.security.network.server</key>
<true/>
</dict>
</plist>
regards, Joël
Post not yet marked as solved
I'm trying to sign a macOS application which includes a Endpoint Security system extension. The profile for the extension has capability added and the app profile has the System Extension capability added. Both targets also has the correct entitlements, but when validating the app after archiving I get the following error: "Profile doesn't support Endpoint Security." When looking in the logs I can see that Xcode is fetching a provisioning profile for the extension without the needed capability. If downloading the profile from the developer portal the correct capability is present. Could something be "out of sync" regarding what provisioning profiles Xcode fetches vs what I see on the developer portal?
If I try to archive using xcodebuild I get the following: "APP requires a provisioning profile with the System Extension feature." and ""BUNDLE_ID.systemextension" requires a provisioning profile with the Endpoint Security feature."
I have tried with automatic and manual signing but nothing seems to work.
Post not yet marked as solved
I'm encountering a peculiar issue with my macOS installer application when hardened runtime is enabled (--options runtime) during code signing, and I'm hoping to get some guidance on how to resolve it.
Issue Description:
My installer application is designed to prompt users for system credentials upon launch. After entering the correct credentials and clicking "OK", users should see the next screen to proceed with the installation process. However, with hardened runtime enabled, the application stops responding after the credential entry step. The next screen, where users should proceed with installation, does not appear. If I codesign without using hardened runtime, my installer works fine. However it fails during notarization.
What I've Tried:
I have reviewed Apple's documentation on hardened runtime and notarization to ensure I'm following best practices.
I've checked the Console logs for any relevant error messages or warnings, but haven't found any conclusive information.
Additional Information:
The application is an installer built using bitrock installbuilder.
It relies on prompting users for system credentials using standard macOS authentication mechanisms.
Initially the installer is in tar.gz format which I extract to get .app file. This file is codesigned. Next I create a .DMG of the codesigned .app file and codesign the DMG before sending it for notarization.
Request for Assistance:
I'm seeking guidance on how to address this issue with my installer application not proceeding after credential entry when hardened runtime is enabled. Are there any specific configurations, entitlements, or best practices that I might be missing? Or are there alternative approaches I should consider to ensure compatibility while still meeting Apple's security requirements for notarization?
Any insights or advice from your experiences would be greatly appreciated. Thank you in advance for your help!
Post not yet marked as solved
I am woking on a project for a client and they have an individual apple developer account. They added me to their team as an admin sometime back but the team is still not showing up in Xcode. Only my personal team is visible. Is this because it's an Individual account? Any way to fix this? Appreciate your help.
I am building plug-ins for audio software.
I am using the JUCE framework and I am building with VScode / CMake / Ninja / LLVM
I want to package the output, which are two bundles "Sinensis.component" (the AU plugin) and "Sinensis.vst3" (the vst3 plugin)
I am using this script :
codesign -s "Developer ID Application: $DEVELOPER_ID" --timestamp --force -o runtime -i "$PLUGIN_NAME".component "$PLUGIN_NAME".component/Contents/MacOs/"$PLUGIN_NAME" #--options=runtime
pkgbuild --install-location /Library/Audio/Plug-Ins/Components --sign "Developer ID Installer: $DEVELOPER_ID" --timestamp --identifier "$IDENTIFIER"au --version "$VERSION" --root "$PLUGIN_NAME".component "$PLUGIN_NAME"_au.pkg
codesign -s "Developer ID Application: $DEVELOPER_ID" --timestamp --force -o runtime -i "$PLUGIN_NAME".vst3 "$PLUGIN_NAME".vst3/Contents/MacOs/"$PLUGIN_NAME" #--options=runtime
pkgbuild --install-location /Library/Audio/Plug-Ins/VST3 --sign "Developer ID Installer: $DEVELOPER_ID" --timestamp --identifier "$IDENTIFIER"vst3 --version "$VERSION" --root "$PLUGIN_NAME".vst3 "$PLUGIN_NAME"_vst3.pkg
productbuild --synthesize --package "$PLUGIN_NAME"_au.pkg --package "$PLUGIN_NAME"_vst3.pkg distribution.xml
productbuild --distribution distribution.xml --resources Resources/ "$PLUGIN_NAME".pkg
productsign --sign "Developer ID Installer: $DEVELOPER_ID" "$PLUGIN_NAME".pkg "$PLUGIN_NAME"_installer.pkg --timestamp
xcrun notarytool submit --keychain-profile "thomas" "$PLUGIN_NAME"_installer.pkg --wait
xcrun stapler staple "$PLUGIN_NAME"_installer.pkg
feeding it distribute.sh Sinensis "Thomas Xxxxxx (<personal identifier>)" <indentifier for the package> 101
I am using --force because of a post on the juce forum that I strangely cannot link to here. tl;dr the binary is signed at the build stage and need --force to overwrite with my signature
But it ends up with error 65
Conducting pre-submission checks for Sinensis_installer.pkg and initiating connection to the Apple notary service...
Submission ID received
id: 38ba301b-f857-4408-b665-9e11e8647ca1
Upload progress: 100,00 % (6,10 MB of 6,10 MB)
Successfully uploaded file
id: 38ba301b-f857-4408-b665-9e11e8647ca1
path: /Users/thomas/Desktop/Sinensis_installer.pkg
Waiting for processing to complete.
Current status: Invalid............
Processing complete
id: 38ba301b-f857-4408-b665-9e11e8647ca1
status: Invalid
Processing: /Users/thomas/Desktop/Sinensis_installer.pkg
CloudKit query for Sinensis_installer.pkg (1/dc8136b4b82a4e9c9f7b5e6064238488e97f04ad) failed due to "Record not found".
Could not find base64 encoded ticket in response for 1/dc8136b4b82a4e9c9f7b5e6064238488e97f04ad
The staple and validate action failed! Error 65.
Looking at the log via xcrun notarytool log return
{
"logFormatVersion": 1,
"jobId": "75fa5853-d19d-42a5-9069-4ed0d8f735be",
"status": "Invalid",
"statusSummary": "Archive contains critical validation errors",
"statusCode": 4000,
"archiveFilename": "Sinensis_installer.pkg",
"uploadDate": "2024-04-19T10:11:07.372Z",
"sha256": "da6457f73d1b93995392f844a25f4b9bc9750eac0555ae72854b14e270e32685",
"ticketContents": null,
"issues": [
{
"severity": "error",
"code": null,
"path": "Sinensis_installer.pkg/Sinensis_au.pkg Contents/Payload/Library/Audio/Plug-Ins/Components/Contents/MacOS/Sinensis",
"message": "The signature of the binary is invalid.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087735",
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "Sinensis_installer.pkg/Sinensis_vst3.pkg Contents/Payload/Library/Audio/Plug-Ins/VST3/Contents/MacOS/Sinensis",
"message": "The signature of the binary is invalid.",
"docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087735",
"architecture": "arm64"
}
]
}
codesign -vvv --deep --strict Sinensis.vst3 returns
Sinensis.vst3: valid on disk
Sinensis.vst3: satisfies its Designated Requirement
pkgutil --check-signature Sinensis_installer.pkg returns
Package "Sinensis_installer.pkg":
Status: signed by a developer certificate issued by Apple for distribution
Signed with a trusted timestamp on: 2024-04-19 10:21:59 +0000
Certificate Chain:
1. Developer ID Installer: Thomas Guillory (53B2GD4XYM)
Expires: 2027-02-01 22:12:15 +0000
SHA256 Fingerprint:
E8 D7 4A 6D CD 19 56 A2 39 C9 15 00 09 06 EA 98 01 B0 AF 85 59 AA
AE 26 71 89 56 9B 54 EF 48 B3
------------------------------------------------------------------------
2. Developer ID Certification Authority
Expires: 2027-02-01 22:12:15 +0000
SHA256 Fingerprint:
7A FC 9D 01 A6 2F 03 A2 DE 96 37 93 6D 4A FE 68 09 0D 2D E1 8D 03
F2 9C 88 CF B0 B1 BA 63 58 7F
------------------------------------------------------------------------
3. Apple Root CA
Expires: 2035-02-09 21:40:36 +0000
SHA256 Fingerprint:
B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C
68 C5 BE 91 B5 A1 10 01 F0 24
I tried to unpack the .pkg using pacifist as recommended in multiple thread but the bundle wasn't recognized as such, I may have not follow the correct procedure.
I've read the man page for productbuild, codesign and productsign.
I've also read the MacOS code signing technical note althought I didn't understood everything clearly (especially on the nested part, which seems relevant).
The closest thing I could find was this forum post but the bundles seems to be correctly seen by MacOs as a bundle and not as a folder
I really lost at this point
may Eskimo come shed some enlightenment on my poor newbie soul 🙏
Have a nice day !
Post not yet marked as solved
I'm currently befuddled by the entire signing and certificate process. I don't understand what I need, what the team admin needs to do, or how to go about doing it so that I can build the project.
We've managed to have this working in the past but I guess the system has changed somewhat. Here's what we have going:
A Unity project which hasn't changed from a few years ago. I build the project in unity, open the Xcode project and this:
There's an issue with the Signing and Capabilities.
If I choose automatic setup it shows an error saying that it requires a development team. I had the account admin add my Apple ID to the team so I'm not sure why that's an issue still. Do I need to pay the 99$ to be able to building Xcode?
If I try to do it manually I select the provisioning profile that the account admin sent me and it auto selects the team associated with the provisioning profile I guess but then there's no singing certificate. The error says:
There is no signing certificate "iOS Development" found. No "iOS Development" signing certificate matching team ID "V7D5YBZRMV" with a private key was found.
So, if someone could explain to me like I'm 5 the entire signing and certificate process is and let me know what we're doing wrong with the team/provisioning profile/certificate setup I would be very much appreciative.
I have an Xcode project (generated from Qt) which is signed by a post-processing script.
It uses the invocation:
codesign -o runtime --sign "$(CODE_SIGN_IDENTITY)"
CODE_SIGN_IDENTITY is set to "Apple Development" in the Build Settings for the target.
The signing step fails with this complaint
Apple Development: ambiguous (matches "Apple Development: <my name> (an ID)" and "Apple Development: <my company email> (another ID)" in login.keychain-db)
It is true, I do have two Apple Development certificates. I thought one is for personal development (when you pick the personal team) and the other for company development (when I pick the company team).
I have other Xcode projects (built "by hand") which have CODE_SIGN_IDENTITY set to "Apple Development" and with Automatic signing turned on, and they build just fine, even though I have two certificates with common names beginning "Apple Development".
However, when I look at the build log of those regular Xcode projects, which are signed by Xcode rather than in a post-processing script, the Signing step logs this:
Signing Identity: Apple Development: (an ID)
not simply "Apple Development". Xcode seems to have resolved the ambiguity all on its own before calling codesign. It then calls codesign using the hash of the certificate as its identifier.
How can I emulate Xcode's behavior here? The postprocessing script runs on different developer's machines - they all have multiple "Apple Development" certificates, and they are all different from one another.
Post not yet marked as solved
Hello,
I have a multi-platform app that is split across two organizations:
One is on iOS, and is distributed using the App Store with bundle ID X with team ID A.
One is on macOS, and is distributed using Developer ID with bundle ID Y with team ID B.
Once again, these are in two separate organizations. To consolidate these accounts we'd like to transfer ownership of Y to team ID A. However, according to the app transfer criteria, it appears that that's not possible:
Both the transferor and recipient accounts can’t be in a pending or changing state, and the latest version of their paid and free agreements must be accepted.
[...]
The app must have had at least one version that's been approved for distribution.
Given the context from the rest of the page, it seems valid to assume (and I've confirmed this through speaking with technical support) that apps are only eligible for transfer if they've been submitted to the App Store, so I'm considering looking into it just for the purposes of this transfer.
This app has a fairly large user base and if possible we want to avoid any user disruption (and any cost inflicted on our API) as a result of a forced logout due to losing access to the previous keychain.
As a bonus, it would be nice, though not necessary, if the macOS app could ship under the same entry as the iOS app. As I understand it, this would require changing the macOS app to use bundle ID X.
Before going down this road, I'd like to confirm if the following plan is a sane one for accomplishing a complete app transfer that satisfies the above requirements:
Distribute the app on the macOS App Store under team ID B.
Transfer the app, and continue distribution on the macOS App Store under team ID A.
Obtain a new Developer ID certificate for using bundle ID Y with team ID B.
Resume distribution of the Developer-ID-signed app with team ID B, without loss of keychain access.
If loss of keychain access is not possible, can someone confirm if it is at least possible to keep the same bundle ID after performing the steps above?
Many thanks in advance for your help - there is much conflicting information online and in this forum, and little documentation when it comes to Developer ID transfers. I've even spoken to several Apple employees who have directed me here.
Post not yet marked as solved
Hi Team,
Need your help on solving the errSecInternalComponent error which is getting generated while doing a xcode archive command from jenkins jobs.
Currently using Sonoma-14.4, Xcode-15.2, in local it's working well both build and archive but in case of jenkins i am unable to get that, i already given security-unlock commands also before the archive stage but no use,
Commands passed:
security unlock-keychain -p xxxx /Users/ec2-user/Library/Keychains/login.keychain-db; \
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k xxxxx
Please let me know if i have missed any configuration thing.
Error
Signing Identity: "iPhone Distribution: "
Provisioning Profile: "Notification Content Dist Profile"
(ffb7be92-3e65-4be4-b161-07c7f75723f0)
/usr/bin/codesign --force --sign 1FD10D04940E92C7A212E4A27C1E11D5C3DB12E9 --preserve-metadata\=identifier,entitlements,flags --generate-entitlement-der /Users/ec2-user/Library/Developer/Xcode/DerivedData/ReferenceApp-CardAppSDK-bwgchbllhpzevwgvnuwqvjywfeju/Build/Intermediates.noindex/ArchiveIntermediates/ReferenceApp-CardAppSDK/IntermediateBuildFilesPath/UninstalledProducts/iphoneos/NotificationContentExtension.appex/Frameworks/PushNotificationExtensions.framework
Warning: unable to build chain to self-signed root for signer "iPhone Distribution: "
/Users/ec2-user/Library/Developer/Xcode/DerivedData/ReferenceApp-CardAppSDK-bwgchbllhpzevwgvnuwqvjywfeju/Build/Intermediates.noindex/ArchiveIntermediates/ReferenceApp-CardAppSDK/IntermediateBuildFilesPath/UninstalledProducts/iphoneos/NotificationContentExtension.appex/Frameworks/PushNotificationExtensions.framework: errSecInternalComponent
please help on this ASAP
Post not yet marked as solved
Hi,
I'm wondering if we'd want to improve the clarity of the Apple Platform Security guide (dated 2022) on the iOS app security model (page 99), as edits might have lost the intended structure of the sentence (although I might be reading it wrong).
Current text:
At runtime, code signature checks that all executable memory pages are made as they are loaded to help ensure that an app hasn’t been modified since it was installed or last updated.
Possible rephrasing:
At runtime, iOS checks code signature on all executable memory pages as they are loaded to help ensure that an app hasn’t been modified since it was installed or last updated.
Post not yet marked as solved
I started the notarization process last night with the following command
xcrun notarytool submit --wait --keychain-profile "Developer ID Application: ..." --verbose Open\ Interface.zip
When I check its status, it still shows as it's in progress over 16 hours later
xcrun notarytool history --keychain-profile "Developer ID Application: ..."
Successfully received submission history.
history
--------------------------------------------------
createdDate: 2024-04-09T03:49:07.620Z
id: 8fcf8111-c18c-4941-acb6-f447d86735a2
name: Open Interface.zip
status: In Progress
--------------------------------------------------
createdDate: 2024-04-09T03:23:58.816Z
id: 93461030-f230-4225-b9f2-5d9472904858
name: Open Interface.zip
status: In Progress
Does anyone know what might be going wrong?
My .zip file is available here: https://github.com/AmberSahdev/Open-Interface/releases/download/0.5.0/Open-Interface-v0.5.0-MacOS.zip
Thanks!
Post not yet marked as solved
I am not enrolled in the Apple developer program and need to create a small Safari app extension helper that will be shared with my colleagues within the company. Is it somehow possible for me to distribute the app in some way without forcing everyone to disable a gatekeeper?
Post not yet marked as solved
Hello guys, I've been dealing with one error in my xcode cloud configuration. I want to auto-deploy the app version to Testflight on something is merged to main branch. Of course if I do at my local environment it works perfect. But when I try to execute it at XCode Cloud I've got this error.
I really don't have any idea about how to fix it. Thanks a lot for your time 😊
Invalid Signature. The main app bundle SyncTion at path SyncTion.app has following signing error(s): valid on disk SyncTion.app: does not satisfy its designated Requirement SyncTion.app: explicit requirement satisfied . Refer to the Code Signing and Application Sandboxing Guide at http://developer.apple.com/library/mac/#documentation/Security/Conceptual/CodeSigningGuide/AboutCS/AboutCS.html and Technical Note 2206 at https://developer.apple.com/library/mac/technotes/tn2206/_index.html for more information.
