We have got the Developer ID Application certificate from the Apple official website. But it shows that the certificate is not trusted in the Keychain app.
After investigating on this website, we know that we should install the Apple Worldwide Developer Relations Certification Authority (WWDR) G3 certificate from https://www.apple.com/certificateauthority/
We downloaded G3 and installed the certificate, and it shows "The certificate is marked as not trusted by all users", as shown in the attachment.
Could some expert help us to move on?
Thanks!
We codesign our runnable PC application with entitlements.plist as following
sudo codesign --force --timestamp --options=runtime --entitlements ./entitlements.plist -s "${cert}" full/path
Then we run it, and the application is killed rather than starting up.
The terminal shows as below:
zsh: killed ./XXXX.app/Contents/MacOS/XXXX
The crash report and entitlements.plist are attached. The Mac OS is 10.15.4, with the latest Xcode from the Apple App Store.
From the report, it seems it was terminated due to EXC_CRASH (Code Signature Invalid). So it just failed at the boot of the app. Hope somebody gives us pointers to move forward.
entitlements.plist
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.cs.allow-jit</key>
<true/>
</dict>
</plist>
errorReport.txt
We have sent email to Apple support but nobody replies, so we send it here to demand help.
Our company builds up our desktop application XXXX.app, and it runs well under Mac OS 10.15.4 Catalina.
We strictly follow the guideline of Nested code from https://developer.apple.com/library/archive/technotes/tn2206/_index.html
Then we buy Apple 99$ program and plan to codesign it to bypass GateKeeper. However, this operation goes into disaster.
We run the codesign one by one following your guide, from inside to outside (NOT --deep).
sudo codesign --force --timestamp --options=runtime -s "${cert}" file/full/path
And check the codesign with
$ codesign -vvv --deep --strict XXXX.app
XXXX.app: valid on disk
XXXX.app: satisfies its Designated Requirement
But when we run the signed XXXX.app, it crashes with exception (crashReport.txt).
Your codesign makes our app crash! You can repro it again and again.
1. Run well
2. codesign
3. Run up and crash immediately!
Crash stack info is below
crashReport2.txt
Thread 0 Crashed:
0 QtWebKit 0x00000001121d19ff ***::OSAllocator::reserveAndCommit(unsigned long, ***::OSAllocator::Usage, bool, bool, bool) + 205
1 QtWebKit 0x00000001121d1907 ***::OSAllocator::reserveUncommitted(unsigned long, ***::OSAllocator::Usage, bool, bool, bool) + 15
2 QtWebKit 0x00000001120641c4 ***::PageReservation::reserveWithGuardPages(unsigned long, ***::OSAllocator::Usage, bool, bool) + 56
3 QtWebKit 0x00000001120640f5 JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator() + 103
4 QtWebKit 0x0000000112063eac JSC::ExecutableAllocator::initializeAllocator() + 28
5 QtWebKit 0x0000000112126376 JSC::initializeThreadingOnce() + 50
6 ??? 0x00007fff6f2637e5 0 + 140735058163685
7 ??? 0x00007fff6f258ec7 0 + 140735058120391
8 ??? 0x00007fff6f263793 0 + 140735058163603
9 QtWebKit 0x000000011179df19 WebCore::ScriptController::initializeThreading() + 9
10 QtWebKit 0x000000011173be49 WebCore::initializeWebCoreQt() + 30
11 QtWebKit 0x00000001117043cf QWebPagePrivate::QWebPagePrivate(QWebPage*) + 213
12 QtWebKit 0x000000011170b80d QWebPage::QWebPage(QObject*) + 55
13 QtWebKit.so 0x00000001116689df Sbk_QWebPage_Init(_object*, _object*, _object*) + 447
14 ??? 0x000000010d328681 0 + 4516382337
15 _tsLib1.so 0x000000010e8fdfbb __Pyx_PyObject_CallNoArg + 186 (_tsLib1.c:429148)
From the link below and crash report, we test the entitlements.plist to bypass memory problem, but fail too.
https://github.com/pyinstaller/pyinstaller/issues/4629
We use following command line to codesign :
sudo codesign --force --timestamp --options=runtime --entitlements ./entitlements.plist -s "${cert}" full/path
Then the app does not even start up at all. It shows:
zsh: killed ./XXXX.app/Contents/MacOS/XXXX
We also tested other parameters, com.apple.security.cs.allow-jit / com.apple.security.cs.disable-library-validation (others/entitlements_full.plist), and nothing changed.
How can we bypass the codesign and make app runnable? Please help us.
Thanks
I use below command to notarize my xxxx_setup.pkg
sudo xcrun altool --notarize-app --primary-bundle-id "net.xxxx.xxxx" --username "xxxx@gmail.com" --password "xxxxxxxxxx" --file ./xxxx_setup.pkg -itc_provider "XXXXXXXX"
Uploading is performed normally. And from the logFile of notarization-info command, I got the error message of my main executable file (yyyy) under xxxx.app/Contents/MacOS as below:
{
"logFormatVersion": 1,
"jobId": "34e7712f-8ebe-49a7-b10a-9863eba7c666",
"status": "Invalid",
"statusSummary": "Archive contains critical validation errors",
"statusCode": 4000,
"archiveFilename": "xxxx_setup.pkg",
"uploadDate": "2021-04-06T14:07:55Z",
"sha256": "944b56a56cb91c06b937b548fe9fbb6a2d039e4d4fe949819cac93d3821dff42",
"ticketContents": null,
"issues": [
{
"severity": "error",
"code": null,
"path": "xxxx_setup.pkg/xxxx.pkg Contents/Payload/Applications/xxxx.app/Contents/MacOS/yyyy",
"message": "The signature of the binary is invalid.",
"docUrl": null,
"architecture": "x86_64"
}
]
}
I have used command below to check the binary yyyy
codesign -vvv --deep --strict /path/to/binary
and I get info below :
yyyy : valid on disk
yyyy : satisfies its designated requirement.
I use codesign -dvvv to validate the signature of the executable file. All the timestamp and signed are there.
So who can help me to dig out these bugs?
I code-sign my Mac app, and upload it to the notarization service with xcrun altool.
Then I get the notarization error below:
"The binary uses an SDK older than the 10.9 SDK" for the etree.so and objectify.so.
These two so files are from python lxml library (4.6.3, the latest one) in /Library/Python/2.7/site-packages/lxml/ .
I use otool to get the information of the two library, and find its dependency to /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.50.4).
I also find the library info below:
cmd LC_VERSION_MIN_MACOSX
cmdsize 16
version 10.9
sdk 9.4.1
Since this is the latest version of lxml, I have no idea how to go forward. Could somebody give me help, please?
Thanks
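Added example, not part of the original post and not Apple's tooling: a small Python parser that reads the same LC_VERSION_MIN_MACOSX fields that otool prints in the post above and flags an sdk value below 10.9. It assumes the notarization message refers to that sdk field; the function names and the constructed sample bytes (built from the post's version 10.9 / sdk 9.4.1) are illustrative, and it also reads LC_BUILD_VERSION, which goes beyond the command shown in the post.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF            # thin, little-endian, 64-bit Mach-O
LC_VERSION_MIN_MACOSX = 0x24        # the load command shown in the post
LC_BUILD_VERSION = 0x32             # its replacement in newer toolchains
MIN_SDK = (10, 9, 0)                # threshold named in the notarization error

def decode(v):
    """Mach-O packs X.Y.Z into one 32-bit word as xxxx.yy.zz."""
    return (v >> 16, (v >> 8) & 0xFF, v & 0xFF)

def sdk_info(data):
    """Return (min_os, sdk) version tuples, or None if no version command."""
    if len(data) < 32:
        raise ValueError("too short for mach_header_64")
    magic, _, _, _, ncmds, sizeofcmds, _, _ = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64 or 32 + sizeofcmds > len(data):
        raise ValueError("not a thin 64-bit Mach-O, or load commands truncated")
    off, end = 32, 32 + sizeofcmds
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("truncated load command")
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize")
        if cmd == LC_VERSION_MIN_MACOSX and cmdsize >= 16:
            version, sdk = struct.unpack_from("<2I", data, off + 8)
            return decode(version), decode(sdk)
        if cmd == LC_BUILD_VERSION and cmdsize >= 24:
            _platform, minos, sdk = struct.unpack_from("<3I", data, off + 8)
            return decode(minos), decode(sdk)
        off += cmdsize
    return None

def sdk_too_old(data):
    """True when the recorded sdk is below the 10.9 threshold."""
    info = sdk_info(data)
    return info is not None and info[1] < MIN_SDK

def build_sample(version, sdk):
    """Constructed input: header + LC_UUID (0x1B) + LC_VERSION_MIN_MACOSX."""
    cmds = struct.pack("<2I", 0x1B, 24) + bytes(16)
    cmds += struct.pack("<4I", LC_VERSION_MIN_MACOSX, 16, version, sdk)
    hdr = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 8, 2, len(cmds), 0, 0)
    return hdr + cmds

if __name__ == "__main__":
    sample = build_sample(0x000A0900, 0x00090401)   # version 10.9, sdk 9.4.1
    print(sdk_info(sample), "too old:", sdk_too_old(sample))
```

The parser handles thin 64-bit images only; a universal (fat) file raises ValueError rather than being guessed at.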
I build my Mac app bundle (***.dmg) with codesign (Develop Id app) and expect to upload it to the Apple service to notarize. But when I key in the command below in the terminal of my MacBook:
sudo xcrun altool --notarize-app --primary-bundle-id "net.xxxx.xxxx" --username "*@*.com" --password "xxxxxxxxxxx" --file ./xxxx.dmg -itc_provider "xxxxxxxxxx"
After several minutes, the terminal prompts the error messages below:
main INFO: Invalid checksum on resource download for: https://contentdelivery.itunes.apple.com/transporter/repositories/j2se8/2.1.0/bundles/org.xerial.sqlite-jdbc-3.27.2.1.jar expected: 0b2eff4ff050a1e6edb0dd0435de3ef5, received: 953ac82655db8339d34e544a923cf7c7
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.apple.transporter.launcher.Application.start(Application.java:212)
at com.apple.transporter.launcher.Application.main(Application.java:642)
Caused by: com.apple.transporter.bootstrap.BundleNotFoundException: bundle=[org.xerial.sqlite-jdbc] version=[3.27.2.1,4.0.0) not found.
at com.apple.transporter.bootstrap.BootstrapperPhase1.downloadNeededBundles(BootstrapperPhase1.java:267)
at com.apple.transporter.bootstrap.BootstrapperPhase1.bootstrap(BootstrapperPhase1.java:97)
at com.apple.transporter.bootstrap.BootstrapperPhase1.bootstrap(BootstrapperPhase1.java:59)
at com.apple.transporter.launcher.Launcher.launchBootstrapper(Launcher.java:37)
... 6 more
Out:** Error: An error occurred uploading to Apple Services.
From the log, it seems downloading org.xerial.sqlite-jdbc-3.27.2.1.jar fails when we launch Transporter from Xcode. My Xcode version is 10.1 and my PC is a MacBook Air (early 2015) with Mac OS 10.13.6.
I have dug up solutions from the Internet, and some suggestions point out that I should download the newest Transporter from the Mac App Store directly. I followed the suggestion and found that the newest Transporter UI supports only IPA and PKG rather than dmg. I also have no idea how to change the Transporter reference of Xcode to the newest Transporter.
Can anyone give some advice to move forward?