Signing Certificates

A signing certificate is a digital identity used for code signing during the build and archive process.

Posts under Signing Certificates tag

160 Posts
Post | Replies | Boosts | Views | Activity

Notarization Signature Errors
Hi! I'm having an issue notarizing my app. I've developed my app in Python, packaged it with py2app and then codesigned it using the command line: codesign --deep --sign "Developer ID Application: Name (ID)" MyApp.app and verified it using: codesign --verify --verbose MyApp.app with no problem. I then continued to notarize it with notarytool: xcrun notarytool submit MyApp.zip --keychain-profile "MyProfile" --wait and everything went smoothly, however, the process ended as invalid. This is a recurring issue (used altool beforehand) where I get errors that prevent the notarization due to signature issues, some of them: "The signature of the binary is invalid." "The executable does not have the hardened runtime enabled." "The binary is not signed with a valid Developer ID certificate." "The signature does not include a secure timestamp." And so on. The issue is that this is occurring to the contents of the app and the Python libraries and other dependencies it uses, not MyApp.app itself. I've read online in many places and couldn't find what I am missing. I've followed the code-signing and notarization instructions to no avail. I hope someone here can help me solve this problem or figure out what I am missing. Many thanks :)
Replies: 2 | Boosts: 1 | Views: 560 | Activity: Dec ’23
Codesigning/Testflight differences for macOS distributed apps for macOS 12 and 13/14
We have run into a very unique situation with codesigning and testing the apps under TestFlight under macOS 12 and macOS 13/14. We have existing apps on the Mac App Store and we are trying to basically update them. When we run the newly updated versions via TestFlight under macOS 12, everything is working. However, the same apps under macOS 13/14 and TestFlight crash and we have narrowed it to a codesigned dylib issue of ours. We are getting an invalid code signature message when we try to load a dylib under macOS 13/14 and the app crashes as we can't get the dylib code pointer. Basically CFBundleGetFunctionPointerForName returns an invalid value. Just to explain, we build our dylibs/bundles and codesign them outside, as these are built at the command line level, and finally we package these within our apps under Xcode and go through the whole app building/archiving, code signing, validation and uploading that to the App Store. The crash log shows -
Code Type: ARM-64 (Native)
Parent Process: launchd [1]
User ID: 501
Date/Time: 2023-11-28 23:31:11.9903 +0900
OS Version: macOS 13.6 (22G120)
Report Version: 12
Anonymous UUID:
Time Awake Since Boot: 370000 seconds
System Integrity Protection: enabled
Crashed Thread: 7
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000000
Exception Codes: 0x0000000000000001, 0x0000000000000000
Termination Reason: Namespace SIGNAL, Code 11 Segmentation fault: 11
Terminating Process: exc handler [91418]
VM Region Info: 0 is not in any region. Bytes before following region: 4368842752
REGION TYPE START - END [ VSIZE] PRT/MAX SHRMOD REGION DETAIL
UNUSED SPACE AT START
---> __TEXT 104674000-1047f0000 [ 1520K] r-x/r-x SM=COW ...essional 2017
Thread 0:: Dispatch queue: com.apple.main-thread
0 libsystem_kernel.dylib 0x195a83de4 _kernelrpc_mach_port_deallocate_trap + 8
1 libsystem_kernel.dylib 0x195a85270 mach_port_deallocate + 28
2 QuartzCore 0x19d0cc458 CA::Context::destroy() + 512
3 QuartzCore 0x19d22135c invocation function for block in CA::Context::commit_transaction(CA::Transaction*, double, double*) + 100
We have double checked/triple checked the certificates and profiles and everything is valid. What is strange is that it works under macOS 12 and TestFlight but not under macOS 13/14. For both Intel/Arm. Any ideas anyone?
Replies: 1 | Boosts: 0 | Views: 348 | Activity: Nov ’23
CSSMERR_TP_NOT_TRUSTED for Developer ID certificate
Hey everybody, We're trying to migrate from one CI to another and we've met a problem. Our setup is mostly Fastlane+match so there are little build changes in terms of CI, but the same certificate we used on prev CI doesn't work on the new one (we have both CIs now and the same commit passes on the old one and fails on the new one). Two steps from the match with installing certs: Output of security find-identity These are virtual machines.
Replies: 1 | Boosts: 0 | Views: 809 | Activity: Nov ’23
Build failed. Signing this app requires a development profile. Development profile selected
I am trying to build a Unity 3D app for iOS using Xcode. My app used to build successfully earlier but for some reason it has stopped building now and I get the error saying signing for "Unity-iPhone" requires a development team. I have selected automatically manage signing and also selected my personal development team.
Replies: 0 | Boosts: 0 | Views: 283 | Activity: Nov ’23
App crash on start complaining invalid signature
I've been at this for hours, searching all over, trying to find a solution. I've created a very simple app, basically 1 window that has a label saying "Hello World". I'm trying to sign this app with a Provisioning Profile that was created like so: Created "Mac App Distribution" and "Mac Installer Distribution" certificates. Installed them, they show as valid "3rd Party Mac Developer..." in Keychain Access. Created an Identifier for an "app", gave a Description and Bundle ID. Created a Profile for a "Mac App Store" type Distribution, used my ID from step 2, chose the "Mac App Distribution" certificate (there was only one), inputted a profile name. Then, over to Xcode. In Signing & Capabilities uncheck "Automatically manage signing", enter the Bundle Identifier as it was made in step 2 above, import profile as was created in step 3 above. All seems well, however when I press that play button in order to compile and run, I immediately get a "quit unexpectedly" with the following in the details: Exception Type: EXC_CRASH (SIGKILL (Code Signature Invalid)) Exception Codes: 0x0000000000000000, 0x0000000000000000 Termination Reason: CODESIGNING 1 Taskgated Invalid Signature I can create a "Developer ID Application" no problem, but all goes awry when trying to build in order to make it to the Apple Store. I'm on 16-inch 2019 MacBook Pro, Sonoma 14.1.1, Xcode 15.0.1. Is there something super lame I've looked over?
Replies: 2 | Boosts: 0 | Views: 625 | Activity: Nov ’23
Xcode says I have no valid certificate, and will not build anything
It tells me my certificate is bad (doesn't have a private key), and that it needs me to revoke it so it can generate a new one, and I do that, and it loops forever. Oh and I get email from Apple saying it's been revoked. Not sure if it's related but I also can't use a Developer ID certificate. Also says it doesn't have a private key. I even generated a new certificate using openssl so I could make sure I had the private key and the .csr file and still no happiness. I also managed to kill my login keychain at some point, because why not. I've googled and stackoverflowed and nothing works. This is on macOS 13.6.1, and Xcode Version 15.0.1 (15A507). I am frustrated to the point of tears at this point.
Replies: 10 | Boosts: 0 | Views: 737 | Activity: Nov ’23
Broken signing certificates?
I think there's something broken with certificates or Xcode that's preventing me from signing a new version of a Mac app I've made. First, I know my "login" keychain password. I can use this password to export a .p12 file for my "Apple Development: {email} (CLW499436V)" item in my login keychain. Second, I can use security find-identity -v -p codesigning to see my signing identities. It shows two of them. They have a different initial number, and then the same string "Apple Development: {email} (CLW499436V)". The behavior using codesign -vf --sign SIGNING_ID ./test.app is different for each one of them. One requests the signature with the following message: I can input my "login" keychain password, which I know, and all is good. The other uses the following message: It requires "the keychain password", which I have no clue what it is. Now, in Xcode, if I go to the Build Settings/Signing, I can set my "Code Signing Identity". Opening the dropdown I can see a section named "Certificates in Keychain", and there's one "Apple Development: {email} (CLW499436V)". I don't know which one is that. Anyways, if I select that, going to "Signing & Capabilities" I see an error that tells me to select "Apple Developer" in the previous setting. When I do that, however, it seems Xcode is trying to sign the app with the certificate that requests a password I don't know. I don't think I had this problem in the past, so I'm not sure how I've reached this situation. I also don't seem to be able to remove certificates and create new ones because I'm not subscribed (paying) to the Apple Developer program. Maybe there's a way to remove them that I have missed? How can I go back to having Xcode automatically sign my app?
Replies: 6 | Boosts: 0 | Views: 668 | Activity: Nov ’23
Managing signing certificate without an Apple Developer subscription
Hi, I'm trying to manage signing certificates but it's proving impossible without having the Apple Developer subscription. I think it should be basic that any developer can handle their certificates as they wish. The opposite could easily result in increased security risk for all Apple users. I was hoping I could: Delete existing certificates, since I can't manage to find the password, so they're useless. Create a new certificate. It would also be great if when creating a new certificate I could use a different email and name. The ones in my Apple ID are my personal email and name, which are used for the certificates. However, I'd like to use my brand's name and email for the app I'm building. Is there a way to do this without paying USD 99 per year to Apple?
Replies: 1 | Boosts: 0 | Views: 340 | Activity: Nov ’23
productsign fails with valid certificate with private key
Hello all, I am having really weird trouble with the productsign process using a Developer ID Installer certificate. I started cooperation with another company and got both Developer ID Application and Developer ID Installer certificates (including private keys) from them and I am also a part of their Apple developer team. Now, I am able to use the first one to codesign binaries, but when trying to sign a pkg using the second one, I always get this response: productsign: error: Could not find appropriate signing identity for “Developer ID Installer: The company (XXYYZZ..)“ I've already tried to sign the pkg with a certificate of another company and this one works as expected. I've also tried the process on another macOS, the same result. The company is using this certificate on their Mac machine without problems. I am calling the productsign phase using a standard shell script: sudo productsign --sign "Developer ID Installer: The company (XXYYZZ..)" "test.pkg" "signedTest.pkg" We've already tried to use a newly generated certificate based on my certificate request, still the same. Also tried using only the team ID code instead of the whole name as advised on some forums, still the same. Do you have any idea or hint how to fix this? I've already lost more than a day with a thing that should work without trouble. Tested on macOS 12.7.1 and Catalina. Vladimír
Replies: 2 | Boosts: 0 | Views: 306 | Activity: Nov ’23
Can I generate Apple Wallet passes for other businesses?
My idea is to help small businesses (without IT infrastructure) generate Apple Wallet passes for their customers (to identify them later). All the data would be stored in my database and will be accessible by businesses. So the customer would show an Apple Wallet pass which the business would be able to scan and fetch customer info from my database. And businesses would be able to create/modify their passes through my app. Can I generate Apple Wallet passes using my pass type id? In https://developer.apple.com/forums/thread/48719, one of the comments mentioned: You agree not to ... use Your Pass Type ID to sign a third party's pass. I haven't seen this rule anywhere on Apple's website, so not sure if it is still active. and distribution needs to be under Your own trademark or brand. Does that mean I can't generate passes for other businesses? Although, I am providing a service related to wallet passes and pass generation is not part of the main service itself. If so, is there any legal workaround for my use case? E.g. maybe putting my company logo as main logo etc. Thanks! P.S. creating a paid Apple developer account to obtain a business' own pass type id and certificate is not a viable solution
Replies: 0 | Boosts: 0 | Views: 523 | Activity: Nov ’23
Remove Pass Type Identifier
Hi, If I remove a Pass Type Identifier that is linked with a production (currently live) Pass Type ID certificate, will it affect my production pass certificate? When I press delete it states: "Delete Pass Type ID" "Deleting this Pass Type ID will prevent you from sending future updates to any associated passes. Installed passes will not be affected." But I want to make sure I will not be breaking anything in production. Any help? Many Thanks
Replies: 0 | Boosts: 0 | Views: 411 | Activity: Nov ’23
Security Certificate for an Electron app?
I've built an app in Electron. I am in the process of preparing to release the app on my website as a free download. Since the app is free, I'm not really looking to spend a ton of money on security certificates. I can get the app to work on Windows by clicking through the Windows Defender, but I cannot run it at all on Mac even after disabling Gatekeeper. So my question is... Is it possible for me to get a certificate for my Electron app through the Apple Developer Program? Keep in mind I have never touched the Apple developer ecosystem. Avoiding subscriptions for this app's security certificates is what I am looking for. As that is all I have seen as options online so far. Any other suggestions are more than welcome! Thanks in advance!
Replies: 1 | Boosts: 0 | Views: 558 | Activity: Nov ’23
Mismatch Between Provisioning Profile and Private Key Certificate When Packaging IPA for Production
Hello fellow developers, I hope you're all doing well. I've encountered an issue that I'm hoping someone here might have some insights on. When I try to package my IPA for the production version, I receive a notification that the provisioning profile doesn't match the private key certificate. However, when packaging for the test version, everything works perfectly. I've ensured that I'm using the provisioning profile for the production version and even exported the key for this profile, but they still don't seem to match. Upon further inspection, I noticed that when I applied for the production version of the mobileprovision, the Certificate Name automatically changed to the company name. Has anyone else experienced this issue? If so, how did you resolve it? Any guidance would be greatly appreciated. Thank you in advance for your time and assistance. Best regards
Replies: 1 | Boosts: 0 | Views: 378 | Activity: Nov ’23
Unable to build iOS App in Xcode 15.0.1 after joining ADP.
I joined the Apple Developer Program using my existing Apple ID, the account identifier changed but when I create a new certificate in the developer portal the certificate has the old identifier. (i.e when installed in my keychain) I have revoked and recreated my certificates, profiles and identifiers, cleared derived data, deleted certificates in keychain many times without any success. When I build my iOS App and run it on my iOS 14 Max Pro directly connected to my Mac Mini I get the error: Command CodeSign failed with a nonzero exit code. Am I missing something? Please help. Thanks.
Replies: 2 | Boosts: 0 | Views: 437 | Activity: Oct ’23
Can I customise CN and other data on Developer ID certificates?
Hi, I have developed a macOS app I'd like to distribute outside the App Store. I am an indie developer, there is no company, just me. If I disable Gatekeeper, the app installs and runs fine. But to distribute, it seems I now have to sign the app (notarise etc), which means joining the Apple Developer Program and paying $99 p.a. for the pleasure. But before I sign up, I wanted to check what will be shown on the certificate? I'd prefer not to show my (fairly unique) name/surname for privacy reasons. Will I be able to specify CN etc for the certificate or am I doomed to publicise my name with the app? Thanks
Replies: 2 | Boosts: 0 | Views: 299 | Activity: Oct ’23
Can an "Apple Distribution" certificate be used instead of a "Mac Installer Distribution" certificate?
If I understand correctly, Apple Distribution certificate type aims to replace the separate platform-specific certificate types. (Please don't jump me, I know this is a very simplified way to put it :D) I am 100% sure Apple Distribution certificate can be used instead of a "Mac App Distribution" certificate, but I'm not sure whether the same is true for installers, namely the "Mac Installer Distribution" certificate. I have read eskimo's great articles on packaging (https://developer.apple.com/forums/thread/701581) and signing (https://developer.apple.com/forums/thread/128166) but I have not seen a definite answer to this question in those. Our command line builds started to fail with a 'no certificate of type Mac Installer Distribution is found' without any actual apparent change to the build process, so I'm just trying to understand this certificate type better. I see no sign of this certificate ever having existed in developer.apple.com under Certificates tab. We use the xcodebuild -exportArchive command with an -exportOptionsPlist that has the following content: <dict> <key>[redacted]</key> <string>[redacted]</string> <key>[redacted]</key> <string>[redacted]</string> </dict> <key>installerSigningCertificate</key> <string>3rd Party Mac Developer Installer</string> <key>signingCertificate</key> <string>Mac App Distribution</string> and this has not changed at all either between the last successful build and the failing ones. I listed the existing code signing identities with security find-identity -p codesigning and only an Apple Distribution certificate shows up, not Mac Installer Distribution certificate.
Replies: 2 | Boosts: 0 | Views: 532 | Activity: Oct ’23
Xcode 15.0.1 app verification issue
I am having a very weird issue with Xcode 15.0.1. If you are running an app that was built with Xcode 14 and install the new version of the app with Xcode 15 it works fine. If you delete the Xcode 14 build of the app, and install the Xcode 15 build of the app you get "This app cannot be installed because its integrity could not be verified" error message on launching the app. Then when we rebuild the app again with Xcode 14 the app works fine with no issues. I have tried multiple solutions that I have found on various forums, but with no luck. Anyone have any suggestions on how to fix this issue?
Replies: 8 | Boosts: 0 | Views: 1.6k | Activity: Feb ’24
Can't publish app to 3rd party, can't publish to store
Hi, After spending two months trying to launch this app I decided to start from scratch, and regenerate everything from code signing requests, certs, apps, appIDs, App Store entries, EVERYTHING, and at the end of all of it, I get exactly the same problem I've had for months: "Invalid Provisioning Profile. The provisioning profile included in the bundle com.chiltonwebb.secretprojectname [com.chiltonwebb.secretprojectname.pkg/Payload/secretprojectname.app] is invalid. [Invalid 'com.apple.application-identifier' entitlement value.] For more information, visit the macOS Developer Portal. (ID: 723cede2-3c9f-4069-b4fa-581ebd3468b9)" I'm tired of guessing. I've tried everything I can find in these forums. What is the official way to diagnose this problem? -Chilton
Replies: 5 | Boosts: 0 | Views: 523 | Activity: Oct ’23
XML signing in macOS using Swift
I want to sign an XML file using the enveloped signature approach in Swift. The example original XML file could be like below:

<?xml version="1.0" encoding="ISO-8859-1"?>
<Envelope xmlns="http://example.org/envelope">
  <Body> Olá mundo </Body>
</Envelope>

After signature, the XML file would be like this:

<?xml version="1.0" encoding="ISO-8859-1"?>
<Envelope xmlns="http://example.org/envelope">
  <Body> Olá mundo </Body>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue>????</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>????</SignatureValue>
    <KeyInfo>
      <KeyValue>
        <RSAKeyValue>????</RSAKeyValue>
      </KeyValue>
    </KeyInfo>
  </Signature>
</Envelope>

Here the steps are:
- Encrypt using the sha1WithRSAEncryption signature algorithm (rsa-sha1), which uses the SHA-1 message digest algorithm and RSA PKCS#1v1.5 to create the signature.
- Get the digest value using SHA-1.
- Canonicalization will be according to Canonical XML Version 1.0 or c14n rules.

Is there any library in Swift or Objective-C which I can use for this purpose? I am currently using AEXML to parse, read and write the XML file. But for canonical conversion and the other steps stated above, which library can I use? For your reference, in C#, Cryptography.Xml provides all those functionalities. The below code in C# does the signing part of the XML.

SignedXml signedXml = new SignedXml(xmlDocument);
signedXml.SigningKey = certificate.PrivateKey;
Reference reference = new Reference();
reference.Uri = ""; //"#" + procedureSerial;
reference.Type = reason;
reference.Id = DateTime.UtcNow.Ticks.ToString();
// Add an enveloped transformation to the reference.
XmlDsigEnvelopedSignatureTransform env = new XmlDsigEnvelopedSignatureTransform(true);
reference.AddTransform(env);
// Add the reference to the SignedXml object.
signedXml.AddReference(reference);
//canonicalize
XmlDsigC14NTransform c14t = new XmlDsigC14NTransform();
reference.AddTransform(c14t);
KeyInfo keyInfo = new KeyInfo();
KeyInfoX509Data keyInfoData = new KeyInfoX509Data(certificate);
KeyInfoName kin = new KeyInfoName();
kin.Value = certificate.FriendlyName;
RSA rsa = (RSA)certificate.PublicKey.Key;
RSAKeyValue rkv = new RSAKeyValue(rsa);
keyInfo.AddClause(rkv);
keyInfo.AddClause(kin);
keyInfo.AddClause(keyInfoData);
signedXml.KeyInfo = keyInfo;
// Compute the signature.
signedXml.ComputeSignature();
// Get the XML representation of the signature and save
// it to an XmlElement object.
XmlElement xmlDigitalSignature = signedXml.GetXml();
xmlDocument.DocumentElement.AppendChild( xmlDocument.ImportNode(xmlDigitalSignature, true) );

I want to do the same functionalities using Swift or Objective-C to sign an XML file in macOS. Could you please suggest any library regarding this?
Replies: 2 | Boosts: 0 | Views: 642 | Activity: Oct ’23