Both the codesign tool and Xcode allow you to sign code with a hardware-based code-signing identity. However, setting that up can be a bit of a challenge. Recently a developer open a DTS tech support incident requesting help with this, and so I thought I’d post my instructions here for the benefit of all. If you have any questions or comments about this, please start a new thread, tagging it with Code Signing so that I see it. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" Signing code with a hardware-based code-signing identity Both the codesign tool and Xcode allow you to sign code with a hardware-based code-signing identity. This post explains how to set that up. I used macOS 14.2.1 with Xcode 15.2. For my hardware-based key I used a YubiKey 5 NFC that I reset to its defaults. I installed YubiKey Manager 1.2.5. IMPORTANT While I used a YubiKey, the code signing parts of this process should work with any token that has a functioning CryptoTokenKit driver. In the case of the YubiKey, it presents a PIV interface and thus it’s supported by macOS’s built-in PIV CryptoTokenKit driver. In this example I created an Apple Development certificate because those are dime a dozen. This process should work with any other type of code-signing certificate. Indeed, it make sense to store your most precious keys in a hardware token, including your Developer ID keys. For more on that topic, see The Care and Feeding of Developer ID. Generate a certificate signing request To generate a certificate signing request (CSR): Connect the YubiKey via USB. Dismiss any system alerts: If the “Allow this accessory to connect?” alert comes up, click Allow. If the Keyboard Setup Assistant comes up, quit that. If the ctkbind notification comes up, dismiss that. Coded signing does not require that you bind your login account to your hardware token. Launch YubiKey Manager. Choose Applications > PIV. Click Configure Certificates. Select Digital Signature (slot 9c). In the past I’ve run into situations where signing fails if you don’t use this slot, although I haven’t tested that in this particular case. Click Generate. Select Certificate Signing Request (CSR) and click Next. Select the RSA2048 algorithm and click Next. Enter a subject and click Next. The value you use here doesn’t matter because Apple ignores pretty much everything in the CSR except the public key. Click Generate. Choose a save location and name. Don’t include a file name extension. When prompted for the management key, enter that and click OK. When prompted for the PIN, enter that and click OK. The app will generate a .csr file at your chosen location. Quit YubiKey Manager. Note Apple typically uses the .certSigningRequest extension for CSRs, but this process works just fine with the .csr extension used by YubiKey Manager. Generate a certificate from your CSR To generate a certificate from that CSR: In Safari, go to Developer > Account and log in. If you’re a member of multiple teams, make sure you have the correct one selected at the top right. Click Certificates. Click the add (+) button to create a new certificate. Select Apple Development and click Continue. Click Choose File, select your CSR file, and click Upload. Click Continue to generate your certificate. That takes you to the Download Your Certificate page. Click Download. In Terminal, calculate a SHA-1 hash of your .cer file. % shasum "development.cer" 840f40ef6b10bedfb2315ac49e07f7e6508a1680 development.cer Import the certificate to form a code-signing identity To import this certificate into your YubiKey: Convert the certificate to PEM form: % openssl x509 -in "development.cer" -inform der -out "development.pem" Launch YubiKey Manager. Choose Applications > PIV. Click Configure Certificates. Select Digital Signature (slot 9c). Click Import. In the file dialog, select the PEM and click Import. When prompted for the management key, enter that and click OK. The UI updates to show the certificate issuer (Apple Worldwide Developer Relations Certificate Authority) and subject (Apple Development: UUU, where UUU identifies you). Quit YubiKey Manager. Unplug the YubiKey and then plug it back in. Sign a test program Before digging into Xcode, check that you can sign code with the codesign tool: Create a small program to test with. In my case I decided to re-sign the built-in true command-line tool: % cp "/usr/bin/true" "MyTool" % codesign -s - -f "MyTool" Run codesign to sign your program, passing in the SHA-1 hash of the certificate you imported into the YubiKey: % codesign -s 840f40ef6b10bedfb2315ac49e07f7e6508a1680 -f "MyTool" When prompted for the PIN, enter that and click OK. The codesign invocation completes like so: % codesign -s 840f40ef6b10bedfb2315ac49e07f7e6508a1680 -f "MyTool" MyTool: replacing existing signature Sign from Xcode To sign from Xcode: Open your project in Xcode. In my case I created a new project by choosing File > New then selecting macOS > Command Line tool. In Signing & Capabilities for the tool target, turn off “Automatically manage signing”. In Build Settings, find the Code Signing Identity build setting, choose Other, and then enter the SHA-1 hash of your certificate. Choose Product > Build. When prompted for the PIN, enter that and click OK. The build then completes. IMPORTANT This requires Xcode 13 or later. Earlier versions of Xcode only work with file-based code-signing identities.

Hi team We are facing following message "A timestamp was expected but was not found" during codesign for following .pkg file and it cause Jenkins NB process failed. We are facing this issue for last 3 days as it was working on last 18th January. Kindly let us know how to fix this problem. Rgds

Hi everyone :) I'm exploring XPC these days; more specifically, I'm trying to establish a connection between a macOS application and an XPC service. I succeeded in establishing the connection, but now I'm trying to verify the incoming connection by using SecCodeCopyGuestWithAttributes, passing it an audit token. But I got the following error: 2024-01-18 10:43:06.805435+0100 DemoService[1627:7118397] [logging-persist] cannot open file at line 46922 of [554764a6e7] 2024-01-18 10:43:06.805452+0100 DemoService[1627:7118397] [logging-persist] os_unix.c:46922: (0) open(/private/var/db/DetachedSignatures) - Undefined error: 0 Cannot get SecCode: 100001 - UNIX[Operation not permitted] Audit token: Optional(32 bytes) The last two lines come from my code: class XPCClientValidator { var secCodeOptional: SecCode? = nil; func identifyGuest(for connection: NSXPCConnection) -> Bool { let auditToken = AuditToken.extractToken(from: connection) let hostSecCode: SecCode? = nil; // This is a way to indicate that the code signing root of trust hould be used as host. let attributes = [ kSecGuestAttributeAudit: auditToken ] as CFDictionary let secFlags = SecCSFlags(rawValue: 0) // Asks a code host to identify the guest given the audit token let status: OSStatus = SecCodeCopyGuestWithAttributes(hostSecCode, attributes, secFlags, &self.secCodeOptional) if (status != errSecSuccess) { let msg = SecCopyErrorMessageString(status, nil)! print("Cannot get SecCode: \(status) - \(msg)") print("Audit token: \(String(describing: auditToken))") return false } guard let _ = secCodeOptional else { NSLog("Couldn't unwrap the secCode") return false } return true } } I saw a few posts on the forum, but nothing helped me to solve this issue. The complete source code is here: https://github.com/tony-go/XPCDemo/tree/secure-xpc Note: If you want to reproduce it, you have to: start the app type a random input click on "uppercase it"

Hi, I have an app generated by using osacompile on an applescript file. The app works fine as expected. However, when I try to sign it, I get two errors as in the screen shot below: After some googling around, I deleted the _CodeSignature folder in the .app directory but still signing fails with the same error. So, I would like to know two things: Is it possible to sign .app files created using osacompile as in my case? If yes, what am I missing and how to resolve my situation. Thanks,

I have a simple CLI app bundle that activates my system extension. When I sign it for development it works fine. However, once I sign it with my developer ID certificate for distribution, the network extension will not activate, getting stuck the activation request and completely killing any internet connectivity until I restart. The only thing that I see is different is when I call systemextensionsctl list I get something like: 1 extension(s) --- com.apple.system_extension.network_extension enabled active teamID bundleID (version) name [state] <TEAM_ID> com.company.networkExt (1.0/240116145656) - [validating by category] * * <TEAM_ID> com.company.networkExt (1.0/240115061310) ProxyExtension [activated enabled] Where the one specifying [validating by category] is the one that I'm trying to activate signed with the developer ID cert. The one that is [activated enabled] got there from a dev build. The app was built and notarized and shows to be valid by any codesign -dv --verify --strict and spctl commands that I've found. The system extension is also valid according to codesign. The entitlements are adjusted to use the -systemextension suffix to work with Developer ID certificates. Is there another step required to make it work with a developer ID certificate?

Hi, I've ran into an issue which only seems to affect one of my macs. It's currently running 14.2.1 but I first saw this issue in 13.6. If I download the macOS Sonoma 14.2.1 installer (via App store) onto this particular machine, it will never execute the installer. It always reports that the installer is "damaged". Of course I did reasearch this online and you get the usual unhelpful posts which just say "re download it" and of course, I wouldn't be posting here had I not tried that. This happens with any macOS installer I download using the softwareupdate --fetch-full-installer utility as well. The thing is, if I copy this .app to another (identical as far as I can tell) Mac - it will work. So far this also seems limited to macOS installers - other third party apps are fine. I'm convinced this is related to trusted execution and something has gone wrong in the environment. I've been looking at my router logs to see if any connections may have been blocked (I'm using OPNsense) and also looking to see what connections are being made via Little Snitch and so far it looks fine. Again, other machines on the network can run these just fine. I've read through eskimo's excellent guide here: https://forums.developer.apple.com/forums/thread/706442 but I was wondering if anyone can give me some pointers to narrow this down further. As it stands, I can't trust this machine for app development if I can't even get the official Apple installers to run sucessfully.

I’m developing this tvOS app, and it builds and runs fine locally in Simulator. However, when I do Product > Archive (so I can upload it to app store later), it fails with error in the screenshot. Looks like Xcode is trying to sign the app with a certificate, but could not find a valid profile to do so. Since I don't have a physical Apple TV device, I'm unable to add an Apple TV to the Devices list on developer.apple.com, thus unable to create a profile. Is the any way around this issue to archive my tvOS app?

I develop an App for Mac and iPhone, and till now, I had no issue to test it on my iPhone. but this morning, I have the following message, when I try to run it on my iPhone: Failed to verify code signature .... (A valid provisioning profile for this executable was not found.) Verify that the Developer App certificate for your account is trusted on your device. Open Settings on the device and navigate to General -&gt; VPN &amp; Device Management, then select your Developer App certificate to trust it. I must precise that it works on the simulator. the version of Xcode is 15.2 and the version of iPhone is 17.2.1 when I go on Settings/VPN -&gt; Device Management (on iPhone), I don't see any section for Developper App Certificate when I go to Devices and Simulators on Xcode, and list the Provisioning Profiles installed on my iPhone, I see the IOS Team Provisioning Profiled of my application but it still not work. What can I do?

I am stuck. I have an iPadOS app that installs and calls a DEXT. I have a provisioning file for the DEXT and another for the app. Xcode shows me that the respective provisioning files match the bundle ids and that the entitlements and provisions match up. I have a developer certificate (two, actually) on the iPad. Xcode shows me, via "Devices" that the provisioning files are installed. When I try to run the app, I get: 0x16d3db000 +[MICodeSigningVerifier _validateSignatureAndCopyInfoForURL:withOptions:error:]: 78: Failed to verify code signature of /var/installd/Library/Caches/com.apple.mobile.installd.staging/temp.vyncZ7/extracted/USBApp.app/SystemExtensions/w1ebr.MUUI.ipadOS.driver.dext : 0xe8008015 (A valid provisioning profile for this executable was not found.) I don't know what to check next.

I recently built an update to one of our apps, which installs a driver extension. The new version won't launch on my Mac, Finder says it "can't be opened". I captured the logs, which say "no matching profile found": error 2024-01-10 14:36:03.306061 -0800 taskgated-helper <app-bundle-id>: Unsatisfied entitlements: com.apple.developer.system-extension.install, com.apple.developer.team-identifier info 2024-01-10 14:36:03.306279 -0800 amfid Requirements for restricted entitlements failed to validate, error -67671, requirements: '<private>' error 2024-01-10 14:36:03.306287 -0800 amfid Restricted entitlements not validated, bailing out. Error: Error Domain=AppleMobileFileIntegrityError Code=-413 "No matching profile found" UserInfo={NSURL=<private>, unsatisfiedEntitlements=<private>, NSLocalizedDescription=No matching profile found} default 2024-01-10 14:36:03.306432 -0800 amfid /Applications/<app-bundle-id>/Contents/MacOS/<app-name> not valid: Error Domain=AppleMobileFileIntegrityError Code=-413 "No matching profile found" UserInfo={NSURL=file:///Applications/C<escaped-app-name>/, unsatisfiedEntitlements=<CFArray 0x14f3041d0 [0x1dd7d39a0]>{type = immutable, count = 2, values = ( 0 : <CFString 0x14f3055a0 [0x1dd7d39a0]>{contents = "com.apple.developer.system-extension.install"} 1 : <CFString 0x14f304130 [0x1dd7d39a0]>{contents = "com.apple.developer.team-identifier"} )}, NSLocalizedDescription=No matching profile found} default 2024-01-10 14:36:03.306514 -0800 kernel AMFI: bailing out because of restricted entitlements. default 2024-01-10 14:36:03.306523 -0800 kernel mac_vnode_check_signature: /Applications/<app-bundle-id>/Contents/MacOS/<app-name>: code signature validation failed fatally: When validating /Applications/<app-bundle-id>/Contents/MacOS/<app-name>: Code has restricted entitlements, but the validation of its code signature failed. Unsatisfied Entitlements: com.apple.developer.system-extension.installcom.apple.developer.team-identifier The thing is, when I run this command codesign -v -vvv <path-to-app> the app is valid on disk and satisfies its Designated Requirement and these two commands: codesign --display --entitlements - security cms -D -i <path-to-app>/Contents/embedded.provisionprofile when run against the old app (which works) and the new app (which doesn't) have absolutely identical outputs. The certificates haven't expired yet. Where else should we be looking to figure out where we've messed up? We know we changed the signing and notarization flow; the working build was made by a person using Xcode, the new app was built, signed and notarized using the command line tools (xcodebuild and notarytool).

I am looking for any help regarding an errSecInternalComponent error I am seeing when trying to archive my iOS app via my CI process. Specifically, this CI process is a GitHub Action running on a self-hosted M2 Pro Mini machine to which we have Screen Share access. I have followed the very helpful seminal post and have confirmed that I can run the necessary command in the local terminal via Screen Share, and I don't get any Keychain Access dialogs to pop up. When I try to run the same command via an SSH terminal from my local machine on that same machine, I get the following error: /Users/{username}/Library/Developer/Xcode/DerivedData/{projectID}/Build/Intermediates.noindex/ArchiveIntermediates/{projectname}/IntermediateBuildFilesPath/UninstalledProducts/iphoneos/{some name}NotificationServiceExtension.appex: errSecInternalComponent I only get the error for that one service extension target. The project is only a couple years old, created with Xcode 14 or maybe 13. The signing has always been managed automatically with the provisioning profiles for all our targets being managed by Xcode. Thanks in advance for any advice or suggestions as to what I may be missing or how to address this problem. I am more than happy to provide any more information I can to diagnose and solve the issue.

I'm working on an app using entitlements. The entitlements are setup in its code signature and they are also applied in the corresponding provisioning profile. I embed said provisioning profile in the app, but when I launch the binary it gets rejected by taskgated-helper (as seen in console.app it says "profile not found"). However, if I install the same embedded provision profile it will work! So I can only assume taskgated-helper is not looking in the Contents/embedded.provisionprofile file when I try to run the binary? I can only imagine that the issue revolves around the binary not being the main bundle binary in the application, as that one works just fine without installing the profile. I would simply install the profile to fix the issue, but it brings other problems when trying to install the application in a headless environment (as opening the profile to install in system settings requires user interaction). Any ideas?

Hello on MacOS, I use following codes to get the sign of an application char app_path[PATH_MAX+1] = {0}; uint32_t size = sizeof(app_path); int ret = _NSGetExecutablePath(app_path, &size); if (ret) return -1; NSString *app_path_str = [[NSString alloc] initWithUTF8String: app_path]; NSURL* url = [NSURL URLWithString:app_path_str]; CFURLRef path = (__bridge CFURLRef)url; SecStaticCodeRef static_code; OSStatus status = SecStaticCodeCreateWithPath(path, kSecCSDefaultFlags, &static_code); and find when the path includes a space char( for example: "/Users/username/Downloads/test A/test.dmg") SecStaticCodeCreateWithPath will always return -4960（errSecCoreFoundationUnknown？） and it works well when the path doesn't contain space, could anyone give some help? thanks very much

I am new to macOS development and presently tearing my hair out trying to get a driverkit extension to build. I have tried following the instructions here: https://developer.apple.com/documentation/driverkit/communicating_between_a_driverkit_extension_and_a_client_app namely, disabling SIP, but I am still unable to get my extension to build. The instructions say to set the code signing identity to "Sign to Run Locally" for all three targets, but this is not listed as an option for the driver extension.

We have started creating third-party applications and for that we required to apple certificate and initially created multiple certificate (application and installer), later on realises that one can be enough to approve multiple application. Now we are not seeing any option to remove or revoke the certificates so that we can create new certificate. Support team also not able to help on this. What should we do to create new certificate?

Hello, I am rather new at publishing apps for Iphone and I am facing some difficulties. Maybe someone could point me what I am not understanding. I am having some issues handling the usage of the Development Certificate . I have created a CSR, supplied it at apple.developer system to get a development certificate. I downloaded such a certificate and installed it. When I try to use it I get this status saying it is not trusted : The result is this when trying to use it: " /Users/eao/build/dev/aquila_companion.xcodeproj: error: Missing private key for signing certificate. Failed to locate the private key matching certificate "Apple Development: Tiago DAagostini (GDH9UYDL8A)" in the keychain. To sign with this signing certificate, install its private key in your keychain. If you don't have the private key, select a different signing certificate for CODE_SIGN_IDENTITY in the build settings editor. (in target 'appaquila_companion' from project 'aquila_companion') " What am I missing? Where this p12 key should be? And is that related to that image where the Certificate is deemed not trusted?

I'm trying to setup a new build machine and I can't seem to get the signing certificates detected by the security tool with "0 valid identities found" My id is linked to a team but my role is "app manager". In my console I can see the certificates but cant download the developerID installer cert. In Xcode no ceritifcates show up for that team ID in the list. The certs were generated by the developer console. I had to get the client to insecurely send me the certs because of this restriction. I imported them into the keychain but the tool still won't show anything. Is this another problem not having the correct root certificate installed ? I had all this setup in a VMWAre which was working before I lost all data due to a crash so setting it up fresh on a mac mini. I should be able to have just synced the certs through xcode and start signing installers. I researched hundreds of pages and no answer for my problem.

I am trying to run something I built with the CLI versions of clang on my M3 MBP. The application is signed: codesign -d -v /usr/local/bin/wine* Executable=/usr/local/bin/wine Identifier=org.winehq.wine Format=Mach-O thin (arm64) CodeDirectory v=20400 size=275 flags=0x0(none) hashes=3+2 location=embedded Signature size=8972 Timestamp=Dec 15, 2023 at 10:35:06 AM Info.plist entries=12 TeamIdentifier=L479DU3G63 Sealed Resources=none Internal requirements count=1 size=176 Executable=/usr/local/bin/wineboot Identifier=wineboot Format=generic CodeDirectory v=20200 size=168 flags=0x0(none) hashes=1+2 location=embedded Signature size=9053 Timestamp=Dec 15, 2023 at 10:35:06 AM Info.plist=not bound TeamIdentifier=L479DU3G63 Sealed Resources=none Internal requirements count=2 size=216 Executable=/usr/local/bin/winebuild Identifier=winebuild Format=Mach-O thin (arm64) CodeDirectory v=20400 size=1933 flags=0x0(none) hashes=55+2 location=embedded Signature size=8972 Timestamp=Dec 15, 2023 at 10:35:06 AM Info.plist=not bound TeamIdentifier=L479DU3G63 Sealed Resources=none Internal requirements count=1 size=172 Executable=/usr/local/bin/winecfg Identifier=winecfg Format=generic CodeDirectory v=20200 size=167 flags=0x0(none) hashes=1+2 location=embedded Signature size=9053 Timestamp=Dec 15, 2023 at 10:35:07 AM Info.plist=not bound TeamIdentifier=L479DU3G63 Sealed Resources=none Internal requirements count=2 size=216 Executable=/usr/local/bin/wineconsole Identifier=wineconsole Format=generic CodeDirectory v=20200 size=171 flags=0x0(none) hashes=1+2 location=embedded Signature size=9053 Timestamp=Dec 15, 2023 at 10:35:07 AM Info.plist=not bound TeamIdentifier=L479DU3G63 Sealed Resources=none Internal requirements count=2 size=220 Executable=/usr/local/bin/winegcc Identifier=winegcc Format=Mach-O thin (arm64) CodeDirectory v=20400 size=747 flags=0x0(none) hashes=18+2 location=embedded Signature size=8972 Timestamp=Dec 15, 2023 at 10:35:07 AM Info.plist=not bound TeamIdentifier=L479DU3G63 Sealed Resources=none Internal requirements count=1 size=168 Executable=/usr/local/bin/winedbg Identifier=winedbg Format=generic CodeDirectory v=20200 size=167 flags=0x0(none) hashes=1+2 location=embedded Signature size=9052 Timestamp=Dec 15, 2023 at 10:35:07 AM Info.plist=not bound TeamIdentifier=L479DU3G63 Sealed Resources=none Internal requirements count=2 size=216 Executable=/usr/local/bin/winedump Identifier=winedump Format=Mach-O thin (arm64) CodeDirectory v=20400 size=3052 flags=0x0(none) hashes=90+2 location=embedded Signature size=8972 Timestamp=Dec 15, 2023 at 10:35:07 AM Info.plist=not bound TeamIdentifier=L479DU3G63 Sealed Resources=none Internal requirements count=1 size=168 Executable=/usr/local/bin/winefile Identifier=winefile Format=generic CodeDirectory v=20200 size=168 flags=0x0(none) hashes=1+2 location=embedded Signature size=9053 Timestamp=Dec 15, 2023 at 10:35:07 AM Info.plist=not bound TeamIdentifier=L479DU3G63 Sealed Resources=none Internal requirements count=2 size=216 Executable=/usr/local/bin/winegcc Identifier=winegcc Format=Mach-O thin (arm64) CodeDirectory v=20400 size=747 flags=0x0(none) hashes=18+2 location=embedded Signature size=8972 Timestamp=Dec 15, 2023 at 10:35:07 AM Info.plist=not bound TeamIdentifier=L479DU3G63 Sealed Resources=none Internal requirements count=1 size=168 Executable=/usr/local/bin/winegcc Identifier=winegcc Format=Mach-O thin (arm64) CodeDirectory v=20400 size=747 flags=0x0(none) hashes=18+2 location=embedded Signature size=8972 Timestamp=Dec 15, 2023 at 10:35:07 AM Info.plist=not bound TeamIdentifier=L479DU3G63 Sealed Resources=none Internal requirements count=1 size=168 Executable=/usr/local/bin/winemaker Identifier=winemaker Format=generic CodeDirectory v=20200 size=169 flags=0x0(none) hashes=1+2 location=embedded Signature size=9052 Timestamp=Dec 15, 2023 at 10:35:07 AM Info.plist=not bound TeamIdentifier=L479DU3G63 Sealed Resources=none Internal requirements count=2 size=224 Executable=/usr/local/bin/winemine Identifier=winemine Format=generic CodeDirectory v=20200 size=168 flags=0x0(none) hashes=1+2 location=embedded Signature size=9052 Timestamp=Dec 15, 2023 at 10:35:08 AM Info.plist=not bound TeamIdentifier=L479DU3G63 Sealed Resources=none Internal requirements count=2 size=216 Executable=/usr/local/bin/winepath Identifier=winepath Format=generic CodeDirectory v=20200 size=168 flags=0x0(none) hashes=1+2 location=embedded Signature size=9053 Timestamp=Dec 15, 2023 at 10:35:08 AM Info.plist=not bound TeamIdentifier=L479DU3G63 Sealed Resources=none Internal requirements count=2 size=216 Executable=/usr/local/bin/wineserver Identifier=wineserver Format=Mach-O thin (arm64) CodeDirectory v=20400 size=5838 flags=0x0(none) hashes=177+2 location=embedded Signature size=8972 Timestamp=Dec 15, 2023 at 10:35:08 AM Info.plist=not bound TeamIdentifier=L479DU3G63 Sealed Resources=none Internal requirements count=1 size=172 but I still get: default 11:47:19.051342-0500 kernel ASP: Security policy would not allow process: 1501, /usr/local/bin/wine Permissions: ls -al wine* -rwxr-xr-x 1 root wheel 28368 Dec 15 10:35 wine -rwxr-xr-x@ 1 root wheel 1973 Dec 14 23:41 wineboot -rwxr-xr-x 1 root wheel 245424 Dec 15 10:35 winebuild -rwxr-xr-x@ 1 root wheel 1973 Dec 14 23:41 winecfg -rwxr-xr-x@ 1 root wheel 1973 Dec 14 23:41 wineconsole lrwxr-xr-x 1 root wheel 7 Dec 14 23:41 winecpp -> winegcc -rwxr-xr-x@ 1 root wheel 1973 Dec 14 23:41 winedbg -rwxr-xr-x 1 root wheel 388400 Dec 15 10:35 winedump -rwxr-xr-x@ 1 root wheel 1973 Dec 14 23:41 winefile lrwxr-xr-x 1 root wheel 7 Dec 14 23:41 wineg++ -> winegcc -rwxr-xr-x 1 root wheel 91840 Dec 15 10:35 winegcc -rwxr-xr-x@ 1 root wheel 95127 Dec 14 23:41 winemaker -rwxr-xr-x@ 1 root wheel 1973 Dec 14 23:41 winemine -rwxr-xr-x@ 1 root wheel 1973 Dec 14 23:41 winepath -rwxr-xr-x 1 root wheel 747120 Dec 15 10:35 wineserver xattr wine* wineboot: com.apple.cs.CodeDirectory wineboot: com.apple.cs.CodeRequirements wineboot: com.apple.cs.CodeRequirements-1 wineboot: com.apple.cs.CodeSignature winecfg: com.apple.cs.CodeDirectory winecfg: com.apple.cs.CodeRequirements winecfg: com.apple.cs.CodeRequirements-1 winecfg: com.apple.cs.CodeSignature wineconsole: com.apple.cs.CodeDirectory wineconsole: com.apple.cs.CodeRequirements wineconsole: com.apple.cs.CodeRequirements-1 wineconsole: com.apple.cs.CodeSignature winedbg: com.apple.cs.CodeDirectory winedbg: com.apple.cs.CodeRequirements winedbg: com.apple.cs.CodeRequirements-1 winedbg: com.apple.cs.CodeSignature winefile: com.apple.cs.CodeDirectory winefile: com.apple.cs.CodeRequirements winefile: com.apple.cs.CodeRequirements-1 etc., etc... Since this is a new machine, maybe something is missing? How do I debug this problem? The most common response to ASP would not allow progress is that there is an unsigned binary. If this is the case, how do I find what binary it is? Thanks! Gene R.

I spent some time cleaning up my TCC data. During that I learned that some TCC info is cached in “Mac OS X Detached Code Signature” files. Is there a way to dump their contents suitable for human consumption? The codesign tool doesn’t seem to do it (or I can’t figure out how to invoke it).

We have developed a secure desktop app using QT, we are developing and delivering this app for more than 2 years. While deploying app we perform codesigning and notarization of app and we use Ventura on build system. So the issue we observed is that if we install this app on any macOS version below Sonoma it works as expected and in Apparency we can see code signature is verified and also app in notarized. But if we install the same app on Sonoma and check in Apparency, it shows signature can't be verified.