Hi,
I develop a MacOS application that has been being successfully distributed for several
years. Recently (I think following the 10.15.6 update) it began failing to start after
signing. It runs ok on my dev machine without signing.
% open ./path/to/MyApp.app
LSOpenURLsWithRole() failed with error -10810 for the file /path/to/MyApp.app.
The system.log indicates an issue with the signature.
Aug 11 10:57:28 mbp2019 com.apple.xpc.launchd[1] (*.*.*.109024[20001]): removing service since it exited with consistent failure - OSREASONCODESIGNING | When validating /path/to/MyApp.app/Contents/MacOS/MyApp:
Code has restricted entitlements, but the validation of its code signature failed.
Unsatisfied Entitlements:
Aug 11 10:57:28 mbp2019 com.apple.xpc.launchd[1] (*.*.*.109024[20001]): Binary is improperly signed.
However no issues are reported when verifying the signature.
% codesign -dv --verbose=4 -r- /path/to/MyApp.app
Executable=/path/to/MyApp.app/Contents/MacOS/MyApp
Identifier=*.*.*
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=612 flags=0x10000(runtime) hashes=10+5 location=embedded
VersionPlatform=1
VersionMin=657152
VersionSDK=658176
Hash type=sha256 size=32
CandidateCDHash sha1=53994a8bacf921809f8c3dd224b9537a48fa6fa1
CandidateCDHashFull sha1=53994a8bacf921809f8c3dd224b9537a48fa6fa1
CandidateCDHash sha256=8c0c0b984cfa0f037b90b32fd2934fa806a3c40e
CandidateCDHashFull sha256=8c0c0b984cfa0f037b90b32fd2934fa806a3c40ef3d064a4c05ed9d968eb5ce0
Hash choices=sha1,sha256
CMSDigest=6024afb1b3d39417d6a4beb25d0fb021717750af26f51ad3acde6269723c698f
CMSDigestType=2
Page size=4096
CDHash=8c0c0b984cfa0f037b90b32fd2934fa806a3c40e
Signature size=9070
Authority=Developer ID Application: * *** ***. (XXXXXXXXX)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=11/08/2020 at 10:57:06 AM
Info.plist entries=9
TeamIdentifier=XXXXXXXXX
Runtime Version=10.11.0
Sealed Resources version=2 rules=13 files=394
designated => identifier "*.*.xxxx" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = XXXXXXXXXX
% spctl --assess -vvv /path/to/MyApp.app
/path/to/MyApp.app: accepted
source=Developer ID
origin=Developer ID Application: *** *** *** (XXXXXXXXXX)
entitlements.plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "<removed-for-forum>/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
<key> com.apple.security.device.usb</key>
<true/>
</dict>
</plist>
How do I find out what the issue is?
I develop a MacOS application that has been being successfully distributed for several
years. Recently (I think following the 10.15.6 update) it began failing to start after
signing. It runs ok on my dev machine without signing.
% open ./path/to/MyApp.app
LSOpenURLsWithRole() failed with error -10810 for the file /path/to/MyApp.app.
The system.log indicates an issue with the signature.
Aug 11 10:57:28 mbp2019 com.apple.xpc.launchd[1] (*.*.*.109024[20001]): removing service since it exited with consistent failure - OSREASONCODESIGNING | When validating /path/to/MyApp.app/Contents/MacOS/MyApp:
Code has restricted entitlements, but the validation of its code signature failed.
Unsatisfied Entitlements:
Aug 11 10:57:28 mbp2019 com.apple.xpc.launchd[1] (*.*.*.109024[20001]): Binary is improperly signed.
However no issues are reported when verifying the signature.
% codesign -dv --verbose=4 -r- /path/to/MyApp.app
Executable=/path/to/MyApp.app/Contents/MacOS/MyApp
Identifier=*.*.*
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=612 flags=0x10000(runtime) hashes=10+5 location=embedded
VersionPlatform=1
VersionMin=657152
VersionSDK=658176
Hash type=sha256 size=32
CandidateCDHash sha1=53994a8bacf921809f8c3dd224b9537a48fa6fa1
CandidateCDHashFull sha1=53994a8bacf921809f8c3dd224b9537a48fa6fa1
CandidateCDHash sha256=8c0c0b984cfa0f037b90b32fd2934fa806a3c40e
CandidateCDHashFull sha256=8c0c0b984cfa0f037b90b32fd2934fa806a3c40ef3d064a4c05ed9d968eb5ce0
Hash choices=sha1,sha256
CMSDigest=6024afb1b3d39417d6a4beb25d0fb021717750af26f51ad3acde6269723c698f
CMSDigestType=2
Page size=4096
CDHash=8c0c0b984cfa0f037b90b32fd2934fa806a3c40e
Signature size=9070
Authority=Developer ID Application: * *** ***. (XXXXXXXXX)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=11/08/2020 at 10:57:06 AM
Info.plist entries=9
TeamIdentifier=XXXXXXXXX
Runtime Version=10.11.0
Sealed Resources version=2 rules=13 files=394
designated => identifier "*.*.xxxx" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = XXXXXXXXXX
% spctl --assess -vvv /path/to/MyApp.app
/path/to/MyApp.app: accepted
source=Developer ID
origin=Developer ID Application: *** *** *** (XXXXXXXXXX)
entitlements.plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "<removed-for-forum>/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
<key> com.apple.security.device.usb</key>
<true/>
</dict>
</plist>
How do I find out what the issue is?