I am engaged in warfare with code signing on macOS. I am on the losing side.
I simply need to sign apps for local development and usage for now. Here's what my process used to look like:
- I check what signing identity is available on the mac via
security find-identity -v -p codesigning
- if I see a string like 5412365ERRHG12 in the output of the command above, I can then re-sign any app and change its entitlements via the following command:
codesign -s 5412365ERRHG12 -f --options runtime --entitlements entitlements_file /path/to/app_to_resign.app
However, the app I am battling with is an Electron app. I am unable to properly sign its helper, even though I have read all that I could on the internet.
I use this as entitlements for the main bundle:
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.application-groups</key>
<array>
<string>***</string>
</array>
And this for the helper app:
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.inherit</key>
<true/>
However, when doing so, the system keeps preventing the helper app from being launched, with the following error message:
deny(1) forbidden-sandbox-reinit
I've tried everything I saw online. The one thing left to try was a guide mentioning I should embed a provisioning profile.
So I've created a provisioning profile on Apple's developer portal, and added it at /path/to/app_to_resign.app/embedded.provisionprofile
However, I am not sure what to specify after the -s flag of codesign.
I installed the provisioning profile on the Mac by double-clicking on it. I expected this to add a new entry to security find-identity -v -p codesigning, but it did not.
What am I missing? How can I feed codesign the identity linked to the provisioning profile that I have just downloaded from Apple's developer portal?
Thanks!
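
An added example, not part of the original post: a provisioning profile carries only the certificates it authorises (no private keys), so the value for -s is whichever keychain identity has the same certificate hash. The Python sketch below matches the two, assuming the profile's plist payload has a DeveloperCertificates array of DER certificates and that security find-identity prints each certificate's SHA-1; the function names and all sample data are constructed for illustration.

```python
import hashlib
import plistlib
import re


def profile_cert_hashes(profile_bytes):
    """Return the SHA-1 (uppercase hex) of every certificate listed in a profile."""
    # The profile is a CMS-signed blob; its XML plist payload is readable inside it.
    start = profile_bytes.find(b"<?xml")
    end = profile_bytes.find(b"</plist>")
    if start < 0 or end < start:
        raise ValueError("no plist payload found in profile")
    payload = plistlib.loads(profile_bytes[start:end + len(b"</plist>")])
    return [hashlib.sha1(der).hexdigest().upper()
            for der in payload.get("DeveloperCertificates", [])]


def keychain_identities(find_identity_output):
    """Parse `security find-identity -v -p codesigning` output into {hash: name}."""
    pattern = re.compile(r'^\s*\d+\)\s+([0-9A-F]{40})\s+"(.+)"', re.MULTILINE)
    return dict(pattern.findall(find_identity_output))


def usable_identities(profile_bytes, find_identity_output):
    """Identities present in the keychain AND authorised by the profile."""
    idents = keychain_identities(find_identity_output)
    return [(h, idents[h]) for h in profile_cert_hashes(profile_bytes) if h in idents]


# Constructed sample data: two fake "certificates" wrapped in a fake CMS envelope.
CERT_A = b"constructed-der-certificate-A"
CERT_B = b"constructed-der-certificate-B"
SAMPLE_PROFILE = (
    b"\x30\x80fake-cms-header"
    + plistlib.dumps({"Name": "Constructed Dev Profile",
                      "DeveloperCertificates": [CERT_A, CERT_B]})
    + b"\x00fake-cms-signature"
)
HASH_A = hashlib.sha1(CERT_A).hexdigest().upper()
SAMPLE_OUTPUT = (
    f'  1) {HASH_A} "Apple Development: Constructed Name (ABCDE12345)"\n'
    "     1 valid identities found\n"
)

if __name__ == "__main__":
    matches = usable_identities(SAMPLE_PROFILE, SAMPLE_OUTPUT)
    for cert_hash, name in matches:
        print(f"codesign -s {cert_hash}   # {name}")
    if not matches:
        print("No keychain identity matches this profile: the certificate "
              "and its private key must be installed separately.")
```

An empty result means the keychain holds no certificate and private key pair that the profile lists, which installing the profile alone does not change.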