What files all need to be codesign'ed?

I have recently upgraded to macOS 14 and Xcode 15. I gather codesign --deep no longer works.

Do I have to explicitly codesign every file in my .app? There are several hundreds of them.

Also, I am able to successfully codesign my executable (MyApp.app/Contents/MacOS/MyExecutable), but when I upload for Notarization, it fails with "The signature of the binary is invalid.", identifying the executable specifically.

This used to work fine. Why is it failing now?

I gather codesign --deep no longer works.

The --deep option was never a good idea when signing code. See --deep Considered Harmful.

Do I have to explicitly codesign every file in my .app?

Yes and no. Every file in your app must be sealed over by your code signature. That does not mean that you must run codesign against each file. Rather, identify the code items in your app and sign each code item. If the code item is a bundle, that item’s code signature will seal over all the resources in that bundle.

You mentioned notarisation, which suggests you’re targeting the Mac. If so, see the following docs, which explain in detail how to sign Mac code:

Why is it failing now?

Probably because you’re bundle structure isn’t following the rules described in Placing Content in a Bundle. Quoting that doc:

If you put content in the wrong location, you may encounter hard-to-debug code signing and distribution problems. These problems aren’t always immediately obvious.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thanks for your reply.

What constitutes a "bundle"? My .PKG includes 750 files, located in 87 directories nested five deep. There are .APPs withih the .APP.

I have read "Placing content in a bundle", it leaves me confused.

Herewith is the directory structure of the .APP. Where do I draw the line for a bundle?

./Frameworks
./Frameworks/QtCore.framework
./Frameworks/QtCore.framework/Versions
./Frameworks/QtCore.framework/Versions/5
./Frameworks/QtCore.framework/Versions/5/Resources
./Frameworks/QtCore.framework/Versions/5/_CodeSignature
./Frameworks/QtDBus.framework
./Frameworks/QtDBus.framework/Versions
./Frameworks/QtDBus.framework/Versions/5
./Frameworks/QtDBus.framework/Versions/5/Resources
./Frameworks/QtDBus.framework/Versions/5/_CodeSignature
./Frameworks/QtGui.framework
./Frameworks/QtGui.framework/Versions
./Frameworks/QtGui.framework/Versions/5
./Frameworks/QtGui.framework/Versions/5/Resources
./Frameworks/QtGui.framework/Versions/5/_CodeSignature
./Frameworks/QtHelp.framework
./Frameworks/QtHelp.framework/Versions
./Frameworks/QtHelp.framework/Versions/5
./Frameworks/QtHelp.framework/Versions/5/Resources
./Frameworks/QtHelp.framework/Versions/5/_CodeSignature
./Frameworks/QtNetwork.framework
./Frameworks/QtNetwork.framework/Versions
./Frameworks/QtNetwork.framework/Versions/5
./Frameworks/QtNetwork.framework/Versions/5/Resources
./Frameworks/QtNetwork.framework/Versions/5/_CodeSignature
./Frameworks/QtPrintSupport.framework
./Frameworks/QtPrintSupport.framework/Versions
./Frameworks/QtPrintSupport.framework/Versions/5
./Frameworks/QtPrintSupport.framework/Versions/5/Resources
./Frameworks/QtPrintSupport.framework/Versions/5/_CodeSignature
./Frameworks/QtSql.framework
./Frameworks/QtSql.framework/Versions
./Frameworks/QtSql.framework/Versions/5
./Frameworks/QtSql.framework/Versions/5/Resources
./Frameworks/QtSql.framework/Versions/5/_CodeSignature
./Frameworks/QtSvg.framework
./Frameworks/QtSvg.framework/Versions
./Frameworks/QtSvg.framework/Versions/5
./Frameworks/QtSvg.framework/Versions/5/Resources
./Frameworks/QtSvg.framework/Versions/5/_CodeSignature
./Frameworks/QtWidgets.framework
./Frameworks/QtWidgets.framework/Versions
./Frameworks/QtWidgets.framework/Versions/5
./Frameworks/QtWidgets.framework/Versions/5/Resources
./Frameworks/QtWidgets.framework/Versions/5/_CodeSignature
./Frameworks/QtXml.framework
./Frameworks/QtXml.framework/Versions
./Frameworks/QtXml.framework/Versions/5
./Frameworks/QtXml.framework/Versions/5/Resources
./Frameworks/QtXml.framework/Versions/5/_CodeSignature
./Helpers
./Helpers/tp5.app
./Helpers/tp5.app/Contents
./Helpers/tp5.app/Contents/FtmSdk
./Helpers/tp5.app/Contents/FtmSdk/en
./Helpers/tp5.app/Contents/MacOS
./Helpers/tp5.app/Contents/MonoBundle
./Helpers/tp5.app/Contents/MonoBundle/en
./Helpers/tp5.app/Contents/Resources
./Helpers/tp5.app/Contents/Resources/Main.storyboardc
./Helpers/tp5.app/Contents/Resources/Main.storyboardc/MainMenu.nib
./Helpers/tp5.app/Contents/_CodeSignature
./Helpers/tp5_2024.app
./Helpers/tp5_2024.app/Contents
./Helpers/tp5_2024.app/Contents/FtmSdk
./Helpers/tp5_2024.app/Contents/FtmSdk/en
./Helpers/tp5_2024.app/Contents/MacOS
./Helpers/tp5_2024.app/Contents/MonoBundle
./Helpers/tp5_2024.app/Contents/MonoBundle/en
./Helpers/tp5_2024.app/Contents/Resources
./Helpers/tp5_2024.app/Contents/Resources/Main.storyboardc
./Helpers/tp5_2024.app/Contents/_CodeSignature
./MacOS
./Plugins
./Plugins/bearer
./Plugins/imageformats
./Plugins/platforms
./Plugins/printsupport
./Plugins/sqldrivers
./Plugins/styles
./Resources
./Resources/CC_Qt skins
./Resources/Help
./Resources/borders
./Resources/borders/borders
./_CodeSignature

If you’re using a large third-party toolset like this, I recommend that you look at its support resources to see if they have specific advice on this topic.

What constitutes a "bundle"?

But, in general, our advice on this topic is covered by the Identify the code to sign section of the Creating distribution-signed code for macOS doc I referenced earlier. So:

  • Each of your .framework directories is the root of a bundle.

  • Likewise for each of the .app directories.

The stuff in Plugins is trickier. That directory is intended to be used for plug-ins that use a bundle structure. That doesn’t seem to be the case here. If those items are Mach-O images then you’d want to sign each one as non-bundled code. If they’re something else… well… at that point I’m going to defer to your tools vendor.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

OK, thanks very much for your help.

I found my problem: my .app file was stored on an NTFS (Bootcamp) partition. The notarization was failing, in spite of successfully being signed for years. Surprise!

Copying it to a regular Mac drive enables it to be notarize successfully.

Three weeks I'll never get back.

What files all need to be codesign'ed?
 
 
Q