I have a small command-line tool (a service) that gets compiled by Xcode, then I'm signing it during a Run Script phase. When I try to run it, it gets "Killed".
Here's the signing command:
% /usr/bin/codesign -s "Developer ID Application: ..." --keychain "/Users/.../Library/Keychains/login.keychain" --timestamp -f -o runtime --entitlements /Code/.../mytool.entitlements /Code/.../mytool
I've got an Info.plist and entitlements for it.
% codesign -vvvv ./mytool
./mytool: valid on disk
./mytool: satisfies its Designated Requirement
% codesign -dvv ./mytool
Executable=.../mytool
Identifier=com.myorg.mytool
Format=Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=10271 flags=0x10000(runtime) hashes=310+7 location=embedded
Signature size=8952
Authority=Developer ID Application: ...
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Dec 8, 2021 at 6:28:25 PM
Info.plist entries=19
TeamIdentifier=...
Runtime Version=12.0.0
Sealed Resources=none
Internal requirements count=1 size=180
When I run spctl I get:
% spctl -a -v --raw ./mytool
./mytool: rejected (the code is valid but does not seem to be an app)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>assessment:authority</key>
<dict>
<key>assessment:authority:flags</key>
<integer>0</integer>
<key>assessment:authority:source</key>
<string>obsolete resource envelope</string>
<key>assessment:authority:weak</key>
<true/>
</dict>
<key>assessment:cserror</key>
<integer>-67002</integer>
<key>assessment:remote</key>
<true/>
<key>assessment:verdict</key>
<false/>
</dict>
</plist>
What's it mean? How can I get this tool to run signed OK? All of this stuff is highly opaque, and the documentation out of date (for example, where it says you can run spctl on /bin/ls, but it gives the same exact error output that /bin/ls isn't an app.)
Note that ultimately this tool gets distributed in a ZIP file that contains Windows and Linux executables also; there is not, and ought not be, any macOS-specific installer... I have a lot of other things to do than jumping through these hoops.
Info.plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CFBundleDevelopmentRegion</key>
<string>English</string>
<key>CFBundleExecutable</key>
<string>mytool</string>
<key>CFBundleIdentifier</key>
<string>com.myorg.mytool</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundleName</key>
<string>mytool</string>
<key>CFBundlePackageType</key>
<string>APPL</string>
<key>CFBundleVersion</key>
<string>2.0.0</string>
<key>NSHumanReadableCopyright</key>
<string>...</string>
</dict>
</plist>
Entitlements:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
</dict>
</plist>
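An added example, not part of the original post: a Python parser for the `spctl -a -v --raw` output shown above, which separates the human-readable status line from the XML plist so a build script can check the verdict, `assessment:cserror` and the authority source in one place. The function name `parse_spctl_raw` and the `accepted` status form are assumptions; the sample input is the post's own output with the plist whitespace compacted.

```python
import plistlib
import re

# Sample input: the `spctl -a -v --raw` output quoted in the post, with the
# plist whitespace compacted. Embedded so the example runs offline.
SAMPLE = """./mytool: rejected (the code is valid but does not seem to be an app)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>assessment:authority</key><dict>
<key>assessment:authority:flags</key><integer>0</integer>
<key>assessment:authority:source</key><string>obsolete resource envelope</string>
<key>assessment:authority:weak</key><true/>
</dict>
<key>assessment:cserror</key><integer>-67002</integer>
<key>assessment:remote</key><true/>
<key>assessment:verdict</key><false/>
</dict></plist>
"""

# Status line shape taken from the post; "accepted" is the assumed passing form.
STATUS_RE = re.compile(r"^(?P<path>.+): (?P<status>accepted|rejected)(?: \((?P<reason>.*)\))?$")


def parse_spctl_raw(output):
    """Split the status line from the plist; raise ValueError if either is missing."""
    xml_start = output.find("<?xml")
    if xml_start < 0:
        raise ValueError("no plist found in spctl output")
    status = None
    for line in output[:xml_start].splitlines():
        status = STATUS_RE.match(line.strip()) or status
    if status is None:
        raise ValueError("no accepted/rejected status line found")
    plist = plistlib.loads(output[xml_start:].encode("utf-8"))
    authority = plist.get("assessment:authority", {})
    return {
        "path": status["path"],
        "status": status["status"],
        "reason": status["reason"],
        "verdict": bool(plist.get("assessment:verdict", False)),
        "cserror": plist.get("assessment:cserror"),
        "source": authority.get("assessment:authority:source"),
        "weak": bool(authority.get("assessment:authority:weak", False)),
    }


if __name__ == "__main__":
    for key, value in parse_spctl_raw(SAMPLE).items():
        print(f"{key:8} {value}")
```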