Invalid Signature Issue

Hello, I'm trying to submit an app to Apple connect that is built outside of Xcode but I'm getting this email saying the files have an invalid signature. I'm doing a step wrong or maybe using the wrong signature but not sure what is supposed to be the way to do it.

The app is written with python and pyside, and packaged with pyinstaller. In the pyinstaller .spec file I set the codesign_identity and entitlements_file and also fill some things to the info_plist (CFBundleVersion, LSApplicationCategoryType, etc).

This results in a .app file, on which I then run a command:

productbuild --component path/to/file.app /Applications path/to/file.pkg --sign <id>

And then push with:

xcrun altool --upload-app path/to/file.pkg --type macos -u <username> -p <password>

I'm able to upload but then I get the email with the signature error (ITMS-90238: Invalid Signature).

Are these steps OK, or is something else needed?

There are multiple things that can go wrong here and I recommend that you start by isolating them. First, check that App Store submission is working in general. To do this, use Xcode to create a new app from one of the built-in templates — make sure to use the same bundle ID as your main app — and then try submitting that using the Xcode organiser. Does that work?

Presuming it does, use the Xcode organiser to export that as a .pkg — click Distribute App and then choose App Store > Export — and try submitting that using altool. Does that work?

Presuming it does, extract the app from the .pkg [1] and then use your productbuild process to sign it and altool to submit it. Does that work?

If all of the above works, you know that your packaging and submission setup is correct and you can then investigate the way that your app is built. OTOH, if something goes wrong with the above then that gives something else to investigate.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] I use Pacifist for this sort of thing but you can do it using command-line tools. See Unpacking Apple Archives.

Hi, thanks for the response.

So I created an empty Mac project and submitted it to the store via Xcode and it worked, I can see it in TestFlight.

I exported via Xcode then did xcrun altool --upload-app -f ./app.pkg --type macos -u username -p password and it worked (message at the end: No errors uploading 'app.pkg').

I then extracted the .app file and used the productbuild to generate, and here I end up with a doubt about which ID to use. When I do security find-identity -v I have several items there, Apple Development: name, 3rd Party Mac Developer Installer: name, Developer ID Application: name. It works with the 3rd party one but if I use that in the pyinstaller then it says the identity cannot be used for signing code.

Which one do I use for pyinstaller that generates the .app, and then which one do I use in the productbuild call?

Accepted Answer

macOS supports two different categories of signing identities:

  • Code signing identities

  • Install signing identities

Within each category there are different identities for each distribution channel. For code signing, see the list in the Confirm Your Code Signing Identity section of Creating Distribution-Signed Code for Mac. For installer signing, see the Build an Installer Package section of Packaging Mac Software for Distribution.

My understanding is that you want to distribute via the Mac App Store. If so:

  • You’ll need an Apple Distribution: TTT identity to sign your code (or the old school 3rd Party Mac Developer Application: TTT equivalent).

  • You’ll need a 3rd Party Mac Developer Installer: TTT identity to sign your installer package.

Apple Development: TTT signing identities are for day-to-day code signing during development. And Developer ID Application: TTT ones are for signing code that’s distributed independently.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
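
The identity split described in the answer above, as an added example that is not part of the original thread or any Apple tooling: it sorts `security find-identity -v` output into code-signing versus installer-signing identities per distribution channel and picks the pair a Mac App Store submission needs. The function names, category labels, and the sample listing (hashes, names, team IDs) are constructed for illustration.

```bash
#!/usr/bin/env bash
# Constructed sample of `security find-identity -v` output (placeholder hashes/names).
SAMPLE_IDENTITIES='  1) 0000000000000000000000000000000000000001 "Apple Development: Example Dev (AAAAAAAAAA)"
  2) 0000000000000000000000000000000000000002 "3rd Party Mac Developer Installer: Example Team (TEAMID0000)"
  3) 0000000000000000000000000000000000000003 "Developer ID Application: Example Team (TEAMID0000)"
  4) 0000000000000000000000000000000000000004 "Apple Distribution: Example Team (TEAMID0000)"
     4 valid identities found'

# classify_identity NAME -> "<category> <channel>" (labels are this example's own)
classify_identity() {
  case "$1" in
    "Apple Distribution: "*|"3rd Party Mac Developer Application: "*)
      echo "code mac-app-store" ;;
    "3rd Party Mac Developer Installer: "*)
      echo "installer mac-app-store" ;;
    "Apple Development: "*)
      echo "code development" ;;
    "Developer ID Application: "*)
      echo "code independent" ;;
    *)
      echo "unknown unknown" ;;
  esac
}

# pick_identity CATEGORY CHANNEL  (reads find-identity output on stdin)
# Prints the first identity of that category/channel; returns 1 if none exists.
pick_identity() {
  pi_want="$1 $2"
  # Keep only the quoted identity name from each "N) <40-hex> "Name"" line.
  pi_names=$(sed -n 's/^ *[0-9][0-9]*) [0-9A-F]\{40\} "\(.*\)"$/\1/p')
  while IFS= read -r pi_name; do
    if [ "$(classify_identity "$pi_name")" = "$pi_want" ]; then
      printf '%s\n' "$pi_name"
      return 0
    fi
  done <<EOF
$pi_names
EOF
  return 1
}

# Mac App Store needs one identity from each category.
code_id=$(printf '%s\n' "$SAMPLE_IDENTITIES" | pick_identity code mac-app-store)
pkg_id=$(printf '%s\n' "$SAMPLE_IDENTITIES" | pick_identity installer mac-app-store)
echo "codesign_identity (pyinstaller .spec): $code_id"
echo "productbuild --sign:                   $pkg_id"
```

On a Mac, pipe the real listing in instead of the sample: `security find-identity -v | pick_identity code mac-app-store`.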

Hello, I used the identities as you mentioned and now it worked :)

Thanks a lot for the help!
