We have a Jenkins job that runs a script on a Mac to create our installers.
This was working last week.
Today, it's failing with:
`"Apple Development: John Lussmyer (xxxxxxxxx)" (CSSMERR_TP_CERT_EXPIRED)`
The other identities used for the build work. So far, I've been unable to find anything in my Account that indicates something has expired.
Can anyone tell me how to get this fixed?
We use a Mac as a Jenkins agent to build the installer for our Mac application.
The script compiles things, signs, builds a dmg, has it notarized, etc...
This all works - EXCEPT that I have to manually respond to 8 or so prompts for an Admin ID and password so the script can access the keys.
This is NOT usable for an automated build. I've done searches and found several possible solutions - all of which either reference Dialogs that don't seem to exist, or just don't work.
One of the complications here is that the "Jenkins" user is NOT an administrator. The Mac mini is currently running Mac OS 13.2.1. Anyone know how to pre-authorize the key access so this process can run unattended?
We have a Mac that is used to sign and notarize our installers. This Mac will be going away soon, so I have to set up a new Mac to do that work.
I've been able to install all the tools, but I can't get them to work.
The certificates are in the keychain, but don't show up in the "My Certificates", probably because the related keys don't exist in the "Keys" list.
I'm using the same Apple Dev ID that I used on the other machine.
HOW do I get things set up on the new machine to work? There must be some way to get key/certificate pairs to work. (I am very definitely NOT a Mac expert, barely even a novice.)
We have a customer that is using our large java application.
This app invokes the "df" command to find the network drive mappings.
On JUST THIS ONE CUSTOMER'S machines (several), the "df" command is missing.
He is using Mac OS 11.7.1.
The "df" command exists on every other Mac we've tested.
WHY is it missing?
An attempt to install it using brew install coreutils only kind-of worked.
He can run "df -i -n" from the terminal, but our app still can't find it.
I started a notarization run a few hours ago. (and used --wait)
Conducting pre-submission checks for Metrix Installer.dmg and initiating connection to the Apple notary service...
Submission ID received
id: dd77be4c-0cb6-4913-a846-d4025ede37fd
Successfully uploaded file
id: dd77be4c-0cb6-4913-a846-d4025ede37fd
path: /Users/johnluss/Work/Metrix Installer.dmg
Waiting for processing to complete.
Current status: In Progress.................................................................................................................................
I finally ctrl-c out of it (PAGES of ....) and tried getting the log
Submission log is not yet available or submissionId does not exist
id: dd77be4c-0cb6-4913-a846-d4025ede37fd
The Apple System Status page shows all servers up and running.
Any suggestions on what might be going wrong?
I'm having problems getting our application Notarized.
It gets this error:
"severity": "error",
"code": null,
"path": "Metrix Installer.dmg/Install/MetrixApplication.pkg",
"message": "The binary is not signed with a valid Developer ID certificate.",
The thing is that I did do a codesign on it. (I've also tried productsign)
codesign -f --verbose=4 --timestamp --options runtime --sign F3YTHMJYQ9 Metrix/Install/MetrixApplication.pkg
codesign -dvvv Metrix/Install/MetrixApplication.pkg
Executable=/Users/johnluss/Metrix/BuildInstaller/Metrix/Install/MetrixApplication.pkg
Identifier=MetrixApplication
Format=generic
CodeDirectory v=20200 size=177 flags=0x10000(runtime) hashes=1+2 location=embedded
Hash type=sha256 size=32
...
Signature size=9053
Authority=Developer ID Application: Eps Us, LLC (F3YTHMJYQ9)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Sep 9, 2022 at 1:54:18 PM
Info.plist=not bound
TeamIdentifier=F3YTHMJYQ9
Sealed Resources=none
Internal requirements count=1 size=180
Any suggestions as to what I'm missing or doing wrong?
I have signing working on my Development system.
Now I need to get the script to work on a build VM. It is a Mac OS 12 VM.
I installed all the various certs, and can see them in the Keychain app. All show as "trusted".
When I run the script, "security find-identities" only finds a couple (not the one I need), and they are marked as CSSMERR_TP_NOT_TRUSTED.
I'm quite sure I missed a step or setting somewhere, but have no idea of what or where.
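A pre-flight check for the status flags quoted in the posts above (CSSMERR_TP_CERT_EXPIRED, CSSMERR_TP_NOT_TRUSTED), as an added example that is not part of the original posts: it reads `security find-identity` output and stops a build before signing when the wanted identity is flagged or missing. The function names, the sample output and the identities in it are constructed for illustration.

```shell
#!/bin/sh
# check_identity WANTED   (reads `security find-identity` output on stdin)
#   exit 0: WANTED is listed at least once with no CSSMERR_* status
#   exit 1: WANTED is listed only with a status flag (flag printed on stdout)
#   exit 2: WANTED is not listed (e.g. certificate present, private key missing)
check_identity() {
    awk -v want="$1" '
        { sub(/^[ \t]*\[exec\]/, "") }        # tolerate Ant "[exec]" log prefix
        /^[ \t]*[0-9]+\) / {                  # N) <sha1> "<name>" [(CSSMERR_...)]
            if (index($0, want) == 0) next
            if (match($0, /CSSMERR_[A-Z_]+/)) {
                print substr($0, RSTART, RLENGTH)
                flagged = 1
            } else {
                clean = 1
            }
        }
        END {
            if (clean) exit 0
            if (flagged) exit 1
            exit 2
        }
    '
}

# Constructed sample in the layout printed without -v (hashes are placeholders).
sample_output() {
    cat <<'EOF'
Policy: Code Signing
  Matching identities
  1) 0000000000000000000000000000000000000001 "Developer ID Application: Example Corp (TEAMID0001)"
  2) 0000000000000000000000000000000000000002 "Apple Development: Jane Doe (DEVID00001)" (CSSMERR_TP_CERT_EXPIRED)
     2 identities found

  Valid identities only
  1) 0000000000000000000000000000000000000001 "Developer ID Application: Example Corp (TEAMID0001)"
     1 valid identities found
EOF
}

# Demo on the sample; on a build agent pipe in `security find-identity -p codesigning`.
for id in "Developer ID Application" "Apple Development" "3rd Party Mac Developer Installer"; do
    rc=0; sample_output | check_identity "$id" || rc=$?
    echo "$id -> exit $rc"
done
```

Run it as the same user and against the same keychain search list as the build job, since an identity visible in one login session may be absent in another.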
We use Jenkins, Ant, and shell scripts to build and sign our Mac application, installer, and dmg.
We recently had to get all new Certs due to a corporate ownership change.
Now that I'm (attempting) to use the new certs, there is a problem when the builds run.
It's prompting to unlock the keychain in the Mac UI. Since this is an automated process, we can NOT have it prompting to unlock the keychain. (and it didn't do this with the old certs.)
I've tried adding calls to "security unlock-keychain" - but that hasn't stopped the prompting.
What do I need to do to prevent the prompts?
We do our builds via Jenkins at the command line.
I've recently had to update all our certificates due to a corporate name change.
I'm using the 9W4G... one for my code signing, and that seems to work.
I've been unable to get the productsign to work with either certificate.
I've tried the productsign command with both identities, and they both fail with the same error - which always refers to the 9W4G... identity.
[exec] Valid identities only
[exec] 3) ... "3rd Party Mac Developer Installer: Eps Us, LLC (F3YTHMJYQ9)"
[exec] 4) ... "Apple Development: John Lussmyer (9W4G27WAV9)"
[exec] 4 valid identities found
[exec] productsign --timestamp --sign F3YTHMJYQ9 /Users/jenkins/MetrixSetup/OSX_Metrix/OSX/MetrixApplication.pkg /Users/jenkins/MetrixSetup/OSX_Metrix/OSX/MetrixApplication-signed.pkg
[exec] ---------------------b
[exec] ---------------------c
[exec] cp -r /Users/jenkins/MetrixSetup/Installer.app /Users/jenkins/MetrixSetup/OSX_Metrix/
[exec] ---------------------d
[exec] productsign: error: Could not find appropriate signing identity for “9W4G27WAV9”.