Code signature validation failed fatally

Code Block  
% codesign -d --entitlements :- /Applications/abc.app
% security cms -D -i /Applications/abc.app/Contents/embedded.provisionprofile

Code Block 
<dict>
    <key>com.apple.application-identifier</key>
    <string>TeamID.com.company.abcappn</string>
    <key>com.apple.developer.networking.networkextension</key>
    <array>
        <string>content-filter-provider</string>
    </array>
    <key>com.apple.developer.system-extension.install</key>
    <true/>
    <key>com.apple.developer.team-identifier</key>
    <string>TeamID</string>
</dict>
 

Code Block 
key>Entitlements</key>
      <dict>                   
                      <key>com.apple.developer.system-extension.install</key>
           <true/>
                      <key>com.apple.developer.networking.networkextension</key>
           <array>
                      <string>packet-tunnel-provider-systemextension</string>
                      <string>app-proxy-provider-systemextension</string>
                      <string>content-filter-provider-systemextension</string>
                      <string>dns-proxy-systemextension</string>
                      <string>dns-settings</string>
           </array>
                      <key>com.apple.application-identifier</key>
           <string>TeamID.com.company.abcappn</string>
                      
                      <key>keychain-access-groups</key>
           <array>
                      <string>TeamID.*</string>
           </array>
                      
                      <key>com.apple.developer.team-identifier</key>
           <string>TeamID</string>
 
      </dict>

No. Only on container app and extension.

i see that everything in the first is allowed in second.

Do you have entitlements set on any non-main-executable code? Like frameworks? Or shared libraries?

@eskimo, I do codesign using entitlements on frameworks and I'm seeing this error in macOS 10.15, 11.* and 13.* mapping to one of my frameworks when I launch the app. Any idea what the entitlements should look like when code signing frameworks?

My current entitlements

  [Key] com.apple.application-identifier
	[Value]
		[String] HXXXXXXX.bundle.id
	[Key] com.apple.developer.aps-environment
	[Value]
		[String] production
	[Key] com.apple.developer.team-identifier
	[Value]
		[String] HXXXXXXX
	[Key] com.apple.security.automation.apple-events
	[Value]
		[Bool] true
	[Key] com.apple.security.cs.disable-library-validation
	[Value]
		[Bool] true
	[Key] com.apple.security.device.audio-input
	[Value]
		[Bool] true
	[Key] com.apple.security.device.camera
	[Value]
		[Bool] true
	[Key] com.apple.security.temporary-exception.mach-lookup.global-name
	[Value]
		[Array]
			[String] $(PRODUCT_BUNDLE_IDENTIFIER)-spks
			[String] $(PRODUCT_BUNDLE_IDENTIFIER)-spki

Provisioning profile entitlements

<key>com.apple.developer.aps-environment</key>
		<string>production</string>
				
				<key>com.apple.application-identifier</key>
		<string>HXXXXXXX.bundle.id</string>
				
				<key>keychain-access-groups</key>
		<array>
				<string>HXXXXXXX.*</string>
		</array>
				
				<key>com.apple.developer.team-identifier</key>
		<string>HXXXXXXX</string>

Any idea what the entitlements should look like when code signing frameworks?

Frameworks should not claim entitlements. There are two reasons for this:

• Such claims are ineffective. The system only honours the entitlements applied to the a process’s main executable.

• Such claims can cause trusted execution problems, as the system tries to authorise the claims with a provisioning profile that doesn’t exist.

I call this out specifically in Creating Distribution-Signed Code for Mac.

Most folks who run into the problem do so because they sign with the --deep flag. I specifically recommend against that; see --deep Considered Harmful for the details.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

@eskimo, thanks for the reply. I tried removing --deep flag while signing and still see below error when I launch the app.

Notes:                 Translocated Process

Crashed Thread:        0

Exception Type:        EXC_CRASH (SIGABRT)
Exception Codes:       0x0000000000000000, 0x0000000000000000
Exception Note:        EXC_CORPSE_NOTIFY

Termination Reason:    DYLD, [0x5] Code Signature

Dyld Error Message:
  Library not loaded: @rpath/***.framework/Versions/A/***
  Referenced from: /private/var/folders/*/***.app/Contents/MacOS/***
  Reason: no suitable image found.  Did find:
	/private/var/folders/8k/lq520j255vx959w2gz3rl1sw0000gn/T/AppTranslocation/A032D364-17F7-4515-A59C-B9CCBAC0A539/d/***.app/Contents/MacOS/../Frameworks/***.framework/Versions/A/***: code signature invalid for '/private/var/folders/8k/lq520j255vx959w2gz3rl1sw0000gn/T/AppTranslocation/A032D364-17F7-4515-A59C-B9CCBAC0A539/d/***.app/Contents/MacOS/../Frameworks/***.framework/Versions/A/***'

And below is my codesign order

codesign -s "Developer ID Application" --options=runtime,library --timestamp -f ***.app/Contents/Resources/***\ ***.driver
codesign -s "Developer ID Application" --options=runtime,library --timestamp -f ***.app/Contents/Library/LaunchServices/com.xxxx.privilegedHelper
codesign -s "Developer ID Application" --options=runtime,library --timestamp -f ***.app/Contents/Resources/***/***.app/Contents/MacOS/***
codesign -s "Developer ID Application" --options=runtime,library --timestamp -f ***.app/Contents/Resources/daemon/xxxr.app/Contents/MacOS/***
codesign -s "Developer ID Application" --options=runtime --timestamp -f ***.app/Contents/Frameworks/***.framework/Versions/A/Resources/***.app/Contents/MacOS/***
codesign -s "Developer ID Application" --options=runtime --timestamp -f ***.app/Contents/Frameworks/***.framework/Versions/A/Frameworks/***.framework/Versions/Current/Resources/***
codesign -s "Developer ID Application" --options=runtime --timestamp -f ***.app/Contents/Frameworks/***.framework/Versions/A/Frameworks/***.framework/Versions/Current/Libraries/***.dylib
codesign -s "Developer ID Application" --options=runtime --timestamp -f ***.app/Contents/Frameworks/***.framework/Versions/A/Frameworks/***.framework/Versions/Current/Libraries/***.dylib
codesign -s "Developer ID Application" --options=runtime --timestamp -f ***.app/Contents/Frameworks/***.framework/Versions/A/Frameworks/***.framework/Versions/Current/Libraries/***.dylib
codesign -s "Developer ID Application" --options=runtime --timestamp -f ***.app/Contents/Frameworks/***.framework/Versions/A/Resources/upload-symbols
codesign -s "Developer ID Application" -f --timestamp -o runtime --entitlements $entitlement -f ***.app

It’s likely that your code signature is simply borked. Try this:

% codesign --verify -vvv --strict --deep /path/to/your.app

Note that using --deep in a --verify operation is just fine (-:

The most common cause of this problem for frameworks is folks copying the framework using cp -r, which doesn’t preserve symlinks.

And below is my codesign order

Hmmm…

codesign -s "Developer ID Application" --options=runtime,library --timestamp -f ***.app/Contents/Resources/***\ ***.driver

This is a worry. Presumably this .driver bundle contains code, which means it shouldn’t be in the Resources directory. See Placing Content in a Bundle.

codesign -s "Developer ID Application" --options=runtime,library --timestamp -f ***.app/Contents/Resources/***/***.app/Contents/MacOS/***

I’m presuming that’s this is some sort of helper tool rather than the main executable for the containing .app.

codesign -s "Developer ID Application" --options=runtime,library --timestamp -f ***.app/Contents/Resources/daemon/xxxr.app/Contents/MacOS/***

This is also worrying. In general, when signing bundled code, you should sign the bundle, not the specific executable.

Also, this is nested code and doesn’t belong in the Resources directory.

codesign -s "Developer ID Application" --options=runtime --timestamp -f ***.app/Contents/Frameworks/***.framework/Versions/A/Resources/***.app/Contents/MacOS/***

This has the same issues as above.

codesign -s "Developer ID Application" --options=runtime --timestamp -f ***.app/Contents/Frameworks/***.framework/Versions/A/Frameworks/***.framework/Versions/Current/Resources/***
…
codesign -s "Developer ID Application" --options=runtime --timestamp -f ***.app/Contents/Frameworks/***.framework/Versions/A/Resources/upload-symbols
…

I suspect that these are both helper tools and thus, again, don’t belong in Resources.

codesign -s "Developer ID Application" --options=runtime --timestamp -f ***.app/Contents/Frameworks/***.framework/Versions/A/Frameworks/***.framework/Versions/Current/Libraries/***.dylib
…

I see you signing the dynamic libraries embedded within your framework but I don’t see you sign your framework as a whole.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thank you @eskimo, codesigning framework as a whole fixed my issue. Although, I do see issues when notarizing the app now

"status": "Invalid",
"statusSummary": "Archive contains critical validation errors",
"statusCode": 4000,

{
      "severity": "error",
      "code": null,
      "path": "***(arm64).pkg/***.pkg Contents/Payload/Applications/***/***.app/Contents/Library/LaunchServices/com.***.PrivilegedHelper",
      "message": "The executable does not have the hardened runtime enabled.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087724",
      "architecture": "arm64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "***(arm64).pkg/***.pkg Contents/Payload/Applications/***/***.app/Contents/Frameworks/Sparkle.framework/Versions/B/Autoupdate",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
      "architecture": "arm64"
    }

It gave more errors with same info. But, I already add --timestamp and --options=runtime when codesigning my app. Not sure what's missing here. Could you please take a look. I can provide more logs if needed

Regarding, your privileged helper, each executable inside your app needs to signed with the hardened runtime enabled. So, just because you’ve signed the main app that way, doesn’t help your privileged helper.

Regarding your framework, you’ll have its embedded helper tool as a separate code item.

Have another read of Creating Distribution-Signed Code for Mac. It has a general algorithm — albeit a complex one! — for signing code that covers both of these cases.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"