I have the latest version of xcode
Certificates, Identifiers & Profiles
RSS for tagDiscuss the technical details of security certificates, identifiers, and profiles used by the OS to ensure validity of apps and services on device.
Post
Replies
Boosts
Views
Activity
Hi,
I'm trying to ssh into another machine, copy an app into that machine and codesign it using my "Dev ID Application" certificate, then copy it back to my original machine.
I'm getting the "errSecInternalComponent" error when running codesign.
This is the bash script I'm running:
ssh ${REMOTE_SERVER} "security -v unlock-keychain -p <REDACTED> /Users/<REDACTED>/Library/keychains/login.keychain-db"
ssh ${REMOTE_SERVER} "codesign -vvv --deep --force --verify --verbose --timestamp --options runtime --sign \"Developer ID Application: <REDACTED>\" \"/tmp/$BUILD_ID/ui-app/<APP_NAME>.app\""
ssh ${REMOTE_SERVER} "codesign -dv --verbose=4 /tmp/$BUILD_ID/ui-app/<APP_NAME>.app"
I've tried to follow all the available info found online, managed to sign it successfully through the machine's UI, set the ACL of the private key to ALLOW ALL, restarted the keychain service, tried with the system keychain, approved all pop ups through the UI.
Still with no luck through the SSH session.
Any help would be greatly appreciated.
Thanks!
My non-cloud Developer ID certificate will expire soon, and my account also has a cloud-managed Developer ID Certificate. My Mac application build workflow uses Archiving, so the cloud cert should be fine for that. But my workflow also signs bundled apps, such as Sparkle framwork's Autodupate app, using the codesign tool.
Is it correct that codesign only uses certificates from the local Keychain, and so cannot use a Cloud-managed Developer ID certificate?
Before I manually renew the non-cloud Developer ID certificate, I want to make sure I'm not missing some easier method. Thanks.
Hello I build an application in Xcode for MacOS. But the exported app I cannot open on different Mac systems. I get the message 'The application X can't be opened'. I can only run the application on the Mac where Xcode is installed.
I used different signing certificates: Apple Distribution, Developer ID application (this should be the one), Mac App Distribution.
I archive the application, then use Direct Distribution, then after complished the notary service, I export the app.
How can I modify bundleID of an app after building ipa file?
I try to modify the bundle id in my app by :
unzip ipa
modify bundle id in info.plist within app
resign app with entitlements
4.zip ipa
but ipa appeared to not be able to install on iphone
is that any way to modify bundle id after building ipa file?
Thanks for your Support
Hello, my team is trying to fix a code signing issue with our app. Our production build works, but our debug build broke after upgrading to macOS 15. This is because our app contains an app extension that can no longer access our app group container after the upgrade to macOS 15. It looks like this is due to ~/Library/Group Containers being protected by SIP now.
We were not code signing our debug app, and now security is stricter. Because of historical reasons, we need to use a Makefile to build our app instead of just using Xcode. We are trying to determine the best way to sign our debug app.
It looks like our app extension is able to access our app group container if we sign the app with a developer certificate. However, we are wondering if the developer certificate is required. We see that Xcode can sign debug builds with the “-” code signing identity. We tried doing this from our Makefile in the same way we sign with the developer certificate, but it doesn’t work. Is this expected behavior?
After using backup to setup my new Mac Mini my xCode App projects run ok in the Simulator but fail to Archive or Analyze with the error: "The specified item could not be found in the keychain." The item is a provisioning profile.
I was able to Run, Archive and Validate these projects on my old Mac Mini just before the final backup. Are there known problems in backup of provisioning profiles or keychains?
I have tried creating new profiles etc without success for several days. I'm not an expert developer so I'm hoping there is a simple solution.
Please suggest the best way to resolve and/or clarify this problem.
p12证书导出是灰色的,一直导出不了
![](“https://developer.apple.com/forums/content/attachment/36357e8a-bbb0-4661-a57c-720d41c3d9aa” “title=微信截图_20241119125858.png;宽度=962;高度=273”)
I'm trying to renew our Distribution Certificate, but when I request a certificate from a certificate authority as described and create the certificate via developer.apple.com and install it, it is installed without a private key, so I can't export it to .p12.
What am I doing wrong? Last year this went without any problems.
Please help me out, because I have to renew the certificate before 12-12-2024.
In Xcode's (version 16.1) "Devices and Simulators" window pressing the device's context menu item "Show Provisioning Profiles..." does nothing: no new window, no message, nothing. How can I fix this?
As of Nov 25, 2024, Xcode 16.1 won't recognize an App Store provisional profile as Eligible so you cannot select the provisional profile for signing. Which means you cannot archive it for upload to Apple. Setting it to manual or automatic signing does not help. Even going to the dev site and making new, fresh provisional profiles did not work. rebooting xcode did not work. rebooting the computer did not work.
I have an internal customer who is trying to submit an IPA to TestFlight via a Jenkins pipeline, and they are submitting their IPA to our central code signing service first. But they're seeing failures in their logs such as:
{
"id" : "bb07c32d-b4d6-48c4-abfe-390a46dec3ca",
"status" : "409",
"code" : "STATE_ERROR.VALIDATION_ERROR.90179",
"title" : "Asset validation failed",
"detail" : "Invalid Code Signing. The executable
'Payload/their.app/Frameworks/Pods_their.framework/Pods_their'
must be signed with the certificate that is contained in the provisioning profile."
}
I obtained the signed IPA file, and examined one of the items flagged as incorrectly signed with "codesign -d -vvvv". I see the correct team identifier in the output, along with the correct ("Distribution") authority.
I unbundled the IPA with "ditto -xk", extracted the plist from the embedded provisioning file with "security cms -D -i", and examined the lone developer certificate with "plutil -extract DevelopCertificates.0" and "certtool d". The subject name fields correspond to the correct cert: "Other name" and "OrgUnit" contain "our" team name, "Org" has our company name, "Common Name" has the name of the authority mentioned above.
In short, it looks like we're signing it properly, but Apple notarization is refusing it.
(For the record, something on Apple's side complained about using "altool" instead of "notarytool". I don't know if that's our problem or not.)
What else should I be doing to confirm the status of the signatures? I'm missing something, but I have no idea what.
Hi,
I am trying to upload the Certificate Signing Request but its failing and showing this error:
CSR algorithm/size incorrect. Expected: RSA(2048)
I'm trying to sign a build coming from a gitlab runner, but for some reason security find-identity is yielding no results during the pipeline.
Hitting the runner via SSH shows the results as I would expect, as well as VNCing into the runner and using the terminal.
whoami on all 3 shows the same result
My current attempt is to build the keychain on the fly so that I can ensure I have access to the identity, and it succeeds in building the keychain and importing the certs, but find-identity still shows zero results in the pipeline.
- security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
- security list-keychains -d user -s "$KEYCHAIN_PATH" "/Users/######/Library/Keychains/login.keychain-db" "/Library/Keychains/System.keychain"
- security set-keychain-settings "$KEYCHAIN_PATH"
- security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
- security import "$SIGNING_KEY_DECODED" -P "$P12_PASSWORD" -A -f pkcs12 -k $KEYCHAIN_PATH -T "/usr/bin/codesign"
- > # escape :
CERT_IDENTITY="##########"
security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" -D "$CERT_IDENTITY" -t private "$KEYCHAIN_PATH"
- echo $(security find-identity)
The echo at the end returns the following:
Policy: X.509 Basic
Matching identities
0 identities found
Valid identities only
0 valid identities found
Running the same command via ssh/terminal over VNC after the build fails returns the following:
Policy: X.509 Basic
Matching identities
1) C6......A2 "iPhone Distribution: ###########"
1 identities found
Valid identities only
1) C6......A2 "iPhone Distribution: ###########"
1 valid identities found
Which suggests that the keychain creation and certificate import is working as expected.
I'm not ruling out the possibility of this being an issue on gitlab's end, but this has been working historically, and only really stopped working since we've updated to Sonoma (we're on 14.7.1 now). We have an active runner on Ventura 13.6.1 that's working still.