Hi
After I added iCloud container and iCloud documents my UITests can't run anymore what is this problem and how can I solve it?
Thanks!
General
RSS for tagDemystify code signing and its importance in app development. Get help troubleshooting code signing issues and ensure your app is properly signed for distribution.
Post
Replies
Boosts
Views
Activity
I have already posted asking about this:
[quote='768005021, CynthiaSun, /thread/768005, /profile/CynthiaSun']
Codesigned and notarized app cannot directly write files inside the app bundle...
[/quote]
But there are still some doubts that have not been answered.
We use Qt to develop an application on the macOS platform, and we are attempting to perform code signing and notarization to ensure our the application is trusted by Apple.
However, there are a few things that seem weird regarding this statement:
"App bundles are read-only by design."
Let me provide more details.
Currently, when our application starts, it needs to create folder (e.g. Temp) in the root directory of the executable
For example: Myapp.app/Contents/MacOS/Myapp ---> Myapp.app/Contents/MacOS/Temp
The folder is designed for storing runtime logs or config files for our application. In the past, users may also modify the settings inside target folder if needed.
However, the strange thing is that after the application is codesigned and notarized.
When we double-click the application Myapp (a.k.a Myapp.app) in Finder, it could successfully launch and create the Temp folder inside the Myapp.app/Contents/MacOS folder.
However, when we navigate and attempt to run the main application executable in command line mode (as our application supports this command line execution)
$ cd Myapp.app/Contents/MacOS
$ ./Myapp -h
As our application will check if the root folder has write permission before starting (i.e., check if Myapp.app/Contents/MacOS is writable because we require to create Temp folder in the following steps)
It pop up the error that folder does not have write permission.
The aforementioned scenarios seems to conflict with this statement: "App bundles are read-only by design" (because when the application is launched directly by clicking in Finder, the Temp folder can be created successfully, but via the console command line, it cannot).
I would like to confirm again if writing files in the notarized application MacOS directory is not allowed?
If not, have any recommended approaches? (e.g., changing the folder to another directory). What causes the different results in these running scenarios?
We are not concerned about breaking the signature after application launched, as it seems that macOS will add it to system trust list after first time successfully launch. (Download the app from internet --> System: it is an app downloaded from the internet. Are you sure want to open it...? OK --> Although our application creates the Temp folder after first launch, when we click the application second time, it could directly open the app)
Adobe says that Animate works with the latest Mac OS.
When I publish apps with Animate, they work on my computer.
With a self-signed certificate, they work on some older Mac OS versions, but not on the 2 most recent.
How can I test my apps on others' Mac computers?
Robert
I work with a team that is responsible for our company's centralized infrastructure for code signing various products within our portfolio, including iOS apps. For security purposes, we want to sign apps before their posting on the App Store, and also to log this activity for eventual security audits. Not surprisingly, we need automated processes; we can't use an IDE like Xcode to do the work. We must queue, process, and log all signing jobs, and have Macs dedicated to this purpose.
I can't go into many details about our infrastructure due to confidentiality concerns, so I'll apologize now if my questions seem a little vague.
We currently require our iOS developers to submit one or more new provisioning profiles as well as their IPA archive for signing. We support supplying multiple provisioning profiles because some of our developers include embedded third-party extensions within their IPAs, and these extensions can also have their own provisioning profiles. Within our back end, we open the archive, sign the relevant portions using the entitlements in one of the profiles (that we believe to be the appropriate one for the particular archive element), overwrite each supplied provisioning profile with (what we believe to be) the appropriate one from user input, and re-compress the archive.
Here come the questions:
When we receive multiple provisioning profiles, how do we know which profile should be used to help with signing which archive elements? What data (e.g. entitlements application-identifier, team-identifier) can we use?
We also need to know which provisioning profiles from their input correspond to those that already exist within the archive. What data can we use to map profiles from one set to the other?
Should we be requiring our users to submit new provisioning profiles in the first place? Or should we edit/recycle the existing ones in some way? We'd like to remove any unnecessary burdens for our users, if possible.
I'm unable to run a widget containing a live activity with the error message at the bottom of this post. I've verified I have NSSupportsLiveActivities set to yes in the correct Info.plist, and have downloaded sample projects from github containing the same values. This error occurs while running on a device or simulator, on Xcode 15 and 16, iOS simulator 17 and 18.
Create sample project
Create new widget extension target
Set NSSupportsLiveActivities to true in the appropriateinfo.plist
Run the widget
This seems to be a longstanding issue https://forums.developer.apple.com/forums/thread/651611
Any ideas for debugigng? I'm completely blocked from running live activities.
SendProcessControlEvent:toPid: encountered an error: Error Domain=com.apple.dt.deviceprocesscontrolservice Code=8 "Failed to show Widget 'ca.holligan.live-activity-example.widget' error: Error Domain=FBSOpenApplicationServiceErrorDomain Code=1 "The request to open "com.apple.springboard" failed." UserInfo={NSLocalizedFailureReason=The request was denied by service delegate (SBMainWorkspace)., BSErrorCodeDescription=RequestDenied, NSUnderlyingError=0x600000c6a8b0 {Error Domain=SBAvocadoDebuggingControllerErrorDomain Code=1 "Failed to get descriptors for extensionBundleID (ca.holligan.live-activity-example.widget)" UserInfo={NSLocalizedDescription=Failed to get descriptors for extensionBundleID (ca.holligan.live-activity-example.widget)}}, FBSOpenApplicationRequestID=0x2ca0, NSLocalizedDescription=The request to open "com.apple.springboard" failed.}." UserInfo={NSLocalizedDescription=Failed to show Widget 'ca.holligan.live-activity-example.widget' error: Error Domain=FBSOpenApplicationServiceErrorDomain Code=1 "The request to open "com.apple.springboard" failed." UserInfo={NSLocalizedFailureReason=The request was denied by service delegate (SBMainWorkspace)., BSErrorCodeDescription=RequestDenied, NSUnderlyingError=0x600000c6a8b0 {Error Domain=SBAvocadoDebuggingControllerErrorDomain Code=1 "Failed to get descriptors for extensionBundleID (ca.holligan.live-activity-example.widget)" UserInfo={NSLocalizedDescription=Failed to get descriptors for extensionBundleID (ca.holligan.live-activity-example.widget)}}, FBSOpenApplicationRequestID=0x2ca0, NSLocalizedDescription=The request to open "com.apple.springboard" failed.}., NSUnderlyingError=0x600000c6a940 {Error Domain=FBSOpenApplicationServiceErrorDomain Code=1 "The request to open "com.apple.springboard" failed." UserInfo={NSLocalizedFailureReason=The request was denied by service delegate (SBMainWorkspace)., BSErrorCodeDescription=RequestDenied, NSUnderlyingError=0x600000c6a8b0 {Error Domain=SBAvocadoDebuggingControllerErrorDomain Code=1 "Failed to get descriptors for extensionBundleID (ca.holligan.live-activity-example.widget)" UserInfo={NSLocalizedDescription=Failed to get descriptors for extensionBundleID (ca.holligan.live-activity-example.widget)}}, FBSOpenApplicationRequestID=0x2ca0, NSLocalizedDescription=The request to open "com.apple.springboard" failed.}}}
Domain: DTXMessage
Code: 1
User Info: {
DVTErrorCreationDateKey = "2024-11-15 17:06:33 +0000";
}
SendProcessControlEvent:toPid: encountered an error: Error Domain=com.apple.dt.deviceprocesscontrolservice Code=8 "Failed to show Widget 'ca.holligan.live-activity-example.widget' error: Error Domain=FBSOpenApplicationServiceErrorDomain Code=1 "The request to open "com.apple.springboard" failed." UserInfo={NSLocalizedFailureReason=The request was denied by service delegate (SBMainWorkspace)., BSErrorCodeDescription=RequestDenied, NSUnderlyingError=0x600000c6a8b0 {Error Domain=SBAvocadoDebuggingControllerErrorDomain Code=1 "Failed to get descriptors for extensionBundleID (ca.holligan.live-activity-example.widget)" UserInfo={NSLocalizedDescription=Failed to get descriptors for extensionBundleID (ca.holligan.live-activity-example.widget)}}, FBSOpenApplicationRequestID=0x2ca0, NSLocalizedDescription=The request to open "com.apple.springboard" failed.}." UserInfo={NSLocalizedDescription=Failed to show Widget 'ca.holligan.live-activity-example.widget' error: Error Domain=FBSOpenApplicationServiceErrorDomain Code=1 "The request to open "com.apple.springboard" failed." UserInfo={NSLocalizedFailureReason=The request was denied by service delegate (SBMainWorkspace)., BSErrorCodeDescription=RequestDenied, NSUnderlyingError=0x600000c6a8b0 {Error Domain=SBAvocadoDebuggingControllerErrorDomain Code=1 "Failed to get descriptors for extensionBundleID (ca.holligan.live-activity-example.widget)" UserInfo={NSLocalizedDescription=Failed to get descriptors for extensionBundleID (ca.holligan.live-activity-example.widget)}}, FBSOpenApplicationRequestID=0x2ca0, NSLocalizedDescription=The request to open "com.apple.springboard" failed.}., NSUnderlyingError=0x600000c6a940 {Error Domain=FBSOpenApplicationServiceErrorDomain Code=1 "The request to open "com.apple.springboard" failed." UserInfo={NSLocalizedFailureReason=The request was denied by service delegate (SBMainWorkspace)., BSErrorCodeDescription=RequestDenied, NSUnderlyingError=0x600000c6a8b0 {Error Domain=SBAvocadoDebuggingControllerErrorDomain Code=1 "Failed to get descriptors for extensionBundleID (ca.holligan.live-activity-example.widget)" UserInfo={NSLocalizedDescription=Failed to get descriptors for extensionBundleID (ca.holligan.live-activity-example.widget)}}, FBSOpenApplicationRequestID=0x2ca0, NSLocalizedDescription=The request to open "com.apple.springboard" failed.}}}
Domain: DTXMessage
Code: 1
System Information
macOS Version 14.5 (Build 23F79)
Xcode 16.1 (23503) (Build 16B40)
Timestamp: 2024-11-15T12:06:33-05:00
Hi,
I'm currently developing a Flutter app that utilizes Push Notifications. The Android implementation is working flawlessly, but I'm encountering compilation issues in Xcode. Specifically, I'm receiving the following error:
Cannot create a iOS App Development provisioning profile for "dk.ceniconsulting.alarm".
Personal development teams, including "Henrik Thystrup", do not support the Push Notifications capability.
No profiles for 'dk.ceniconsulting.alarm' were found
Xcode couldn't find any iOS App Development provisioning profiles matching 'dk.ceniconsulting.alarm'.
This error seems to be a common issue, but I haven't been able to find a definitive solution. I've already generated a certificate, identifier, and installed them, but the problem persists.
Does anyone have any insights or suggestions on how to resolve this issue? Or perhaps a link to a resource that addresses this specific problem?
I tried building the React App for Any iOS device (Arm64) but I get error.
Although I can build successfully for any iOS Simulators
In the codesigning step I get the following error,
"Warning: unable to build chain to self-signed root for signer "Apple Development: my email address ( ... ) "
I don't have paid membership of Apple Developer Program, does that cause this failure?
Also, to archive also do I need Apple Developer Program paid membership?
Project Background:
I developed a Mac project using Electron and VSCode
Successfully uploaded the packaged pkg using Transporter,
However, I will receive an email informing me that there are some issues with the project:
ITMS-90296: App sandbox not enabled - The following executors must include the 'com. apple. security. app sandbox' entitlement with a Boolean value of true in the entitlement property list: [[com. electron. iflyrecclient. pkg/Payload/iFlytek Listen. app/Contents/MacOS/iFlytek Listen]]
ITMS-90886: 'Cannot be used with TestFlight because the signature for the bundle at' iFlytek hears. app 'is missing an application identifier but has an application identifier in the provisioning profile for the bundle.' Bundles with application identifiers in the provisioning profile are expected to have the same identifier signed into the bundle in order to be eligible for TestFlight.'
Here is my packaging process:
Generate an app using the electron packager tool
Sign the app using @ electron osx sign (version 1.3.1)
After signing, use
productbuild - component Yourappname App/Applications - sign "3rd Party Mac Developer Installer: * * * * * (XXXXXXXXXX)" Yourappname. pkg
command generates pkg
PS:
For the second step, I have set sand box=true in both entitlents.plist and entitlents.macinheriting. plist. And after signing, using
codesign -dvvv -- entitiements - /path
to view the app file shows' checkbox=true ', and the [iFlytek Listen. app/Contents/MacOS/iFlytek Listen] file in the issue also exists.
Using the Suspicious Package software to view pkg also has sandbox=true.
A few months ago, I uploaded it once and the issues mentioned in the email did not appear. The only changes were the macOS system version number and the replacement of the signature with provisionprofileprovisionprofile.
I have reviewed similar issues on the Apple Developer Forums, but have not been resolved
In the past, I used to export a developer-signed test version of my macOS app in Xcode, create a zip archive from the Finder, upload it to my website and share the link to the testers. The last time I did this with macOS 14 the tester was still able to download the test app and run it.
But it seems that with macOS 15 the trick to open the context menu on the downloaded app and click Open to bypass the macOS warning that the app couldn't be checked when simply double-clicking it, doesn't work anymore. Now I'm always shown an alert that macOS couldn't check the app for malware, and pushes me to move it to the bin.
In this StackOverflow topic from 10 years ago they suggested to use ditto and tar to compress and uncompress the app, but neither worked for me.
How can I share macOS apps that I signed myself with testers without physically handing them a drive containing the uncompressed app?
Codesigned and notarized app cannot directly write files inside the app bundle (neither in my.app/Contents/Resources/ nor my.app/Contents/MacOS/).
Are there any restrictions regarding this? Is there a way to bypass these restrictions?
Here is the situation I encountered:
The main app contains several sub-apps and sub-executables.
When the main app calls the sub-apps or sub-executables, it can write files within the app bundle, but when executed directly, it cannot write files.
The app is usually opened using the GUI, and when using the command line, neither the main app nor the sub-apps/sub-executables can write files within the app bundle.
My codesigning environment is:
Sonoma 14.0 on mac mini M1.
I manually sign the app directly using the codesign command in CI instead of using Xcode.
The process will traverse all of the files and sub-apps in the app folder and sign them from the deepest paths to the shallowest paths.
I also tried applying this process to other applications, but all of them encountered the same issue of failing to write files.
The app should not be sandboxed (I did not add sandbox entitlements).
I have tried adding the entitlement com.apple.security.files.user-selected.read-write, but this has not resolved the issue.
I have an app Arpeggio.app which I build and then sign without errors: "electron-osx-sign dist/mac-arm64/Arpeggio.app --identity="Developer ID Application: XXXX (XXXXXX)" --hardened-runtime --no-gatekeeper-assess --entitlements=entitlements.plist".
It returns "Application signed: dist/mac-arm64/Arpeggio.app".
I then use "/usr/bin/ditto -c -k --sequesterRsrc --keepParent src dst" to make a zip with the same signatures.
I then submit the zip for notarization: "xcrun notarytool submit dist/mac-arm64/Arpeggio.zip --apple-id XXXX etc"
which returns "Waiting for processing to complete.
Current status: Accepted..............
Processing complete
id: ***-***-xx-xx
status: Accepted".
Then I staple the notarization to the app and get "The staple and validate action worked!". Now it shows all validated and that the notarization is stapled. I then run "spctl --assess --type execute -vv 'dist/mac-arm64/Arpeggio.app'" as a last check and always get this:
dist/mac-arm64/Arpeggio.app: unknown error 99999=1869f
Why is this happening? I can't seem to debug the issue but out notarization and signing is always successful and the app works as expected. Pleas ehelp me get to the bottom of this.
I was able to setup a release test for an iOS app for distribution using a web server. It works perfectly fine for all the devices I registered for the deployment profile.
However every time I try to distribute a Unity based Vision Pro application using the same process for building the package and set up for distribution it does not work.
Safari only shows a message telling me:
"Cannot connect to ."
When trying to install the iOS app from the same server it shows the message "Do you want to install ?" and installation completes correctly.
My iOS is a simple hello world app generated by Xcode.
My Unity app is an AR app targeting com.apple.platform.xros.
According to documentation there should not be any difference in deployment profiles/signing for iOS apps vs. visionOS apps.
What am I doing wrong? Any hint is appreciated how to continue.
I am a developer, please send me the authentication code !
Hi all,
I have two apple accounts. Stupidly my project is written in Account A and my paid developer account is Account B. When I tried to archive and publish under Account A, it says "Team "*** (Personal Team)" is not enrolled in the Apple Developer Program". But when I add a team to Account B, "Command CodeSign failed with a nonzero exit code". I know it is not the code itself because it runs fine when I use Account A. Just couldn't publish.
Any advice? Many many thanks
Hi Team,
mac installer is crashing in macos15 after successfully installing. but it is working in below mac os versions.
.app file in successfully code signed and notarized.
crash logs is attahced, please check.
sh-2024-10-17-124323 2 1.ips
below is our entitlement.plist file for reference.
we are clueless what is causing issues in macos 15 as we are unable to luanch it post succesful installation.
please kind take a look into the logs attached and help us resolve the issues.
Thanks,
NareshG
Incremental builds using xcodebuild are very slow, around 3x slower when compared to the same build using Xcode.
Recently, I discovered that CODE_SIGNING_ALLOWED=NO" fixed the issue, but of course, I can't then run iOS app.
It seems like automatic signing using xcodebuild is somehow broken. Therefore, I think I could set CODE_SIGNING_ALLOWED=NO" and sign it manually later. However, I'm not sure how to do that.
I checked what Xcode does and it's:
/usr/bin/codesign --force --sign - --entitlements /Users/wkulik/Library/Developer/Xcode/DerivedData/XYZ-hblnhsksxjrctzekqmlevcflnsji/Build/Intermediates.noindex/XYZ.build/Debug-iphonesimulator/XYZ.build/XYZ.app.xcent --timestamp\=none --generate-entitlement-der /Users/wkulik/Library/Developer/Xcode/DerivedData/XYZ-hblnhsksxjrctzekqmlevcflnsji/Build/Products/Debug-iphonesimulator/XYZ.app
However, if I run xcodebuild with disabled signing I don't have XYZ.app.xcent required by this command.
I also tried:
codesign --force --deep --sign "Apple Development: John Snow (XYZ)" /Users/wkulik/Library/Developer/Xcode/DerivedData/XYZ-hblnhsksxjrctzekqmlevcflnsji/Build/Products/Debug-iphonesimulator/XYZ.app
but the app immediately terminates (the same way like when unsigned).
Could anyone help with that?
I found a post that submitted the same issue, but the solution was not made public. I didn't get a reply to my comment at the bottom of the post, so I'm pasting the content of the post here.
I am a developer working on iOS apps.
I would like to report an issue occurring in iOS 18 beta and iOS 18.1 beta.
Our company has two Enterprise accounts, and we are developing two apps:
A app / TeamId: ABCDEFG
B app / TeamId: HIJKLMN
When we distribute these apps, which have different TeamIds, and install them on a device running iOS 18 beta, both apps install successfully, but only one app will run.
(Other app crashed immediately after being launched.)
This issue does not occur on versions prior to iOS 18. I would like to know if this is a problem that will be resolved in future updates, or if it is a policy change.
We have a native ARM64 application. The application is a development environment and native compiler for the language Common Lisp. CL has a foreign function interface, which allows loading of .dylib files into CL and calling functions in them from CL. For this reason, we add certain entitlements. See below.
It is notarized and installed on macOS 14.7. When I run spctl on it I get this:
$ spctl --assess -v /Applications/AllegroCL64.app
/Applications/AllegroCL64.app: rejected (the code is valid but does not seem to be an app)
That’s before I run it. Which is odd because the app is notarized. When I run the app, it asks for a license file and installs it into /Applications/AllegroCL64.app/Contents/Resources/ and after that, the spctl shows this:
$ spctl --assess -v /Applications/AllegroCL64.app
/Applications/AllegroCL64.app: a sealed resource is missing or invalid
I assume the mere act of copying the license (a file called devel.lic which is a small text file) is causing this. Why does it say it “does not seem to be an app”?
This self-modification of the files in the Contents/Resources directory is a huge feature. We allow downloading of patches, which add features and fix bugs in the product. Is this going to be a problem, going forward? I don’t remember seeing this result from spctl before and I have a feeling it’s a new , due to tightening of security policies, etc.
All of this is quite worrying to us.
More details of the app:
$ codesign -vvvv mlisp
mlisp: valid on disk
mlisp: satisfies its Designated Requirement
$ codesign -d --entitlements - /Applications/AllegroCL64.app
Executable=/Applications/AllegroCL64.app/Contents/MacOS/AllegroCL64
[Dict]
[Key] com.apple.security.cs.allow-dyld-environment-variables
[Value]
[Bool] true
[Key] com.apple.security.cs.allow-jit
[Value]
[Bool] true
[Key] com.apple.security.cs.disable-library-validation
[Value]
[Bool] true
[Key] com.apple.security.get-task-allow
[Value]
[Bool] true
$
Other details:
The app was built with the Command Line tools version 2395 on macOS 12.x.
App is signed, notarized and stapled, I send that dmg file with file transfer tool, it can open correctly on other mac without any warning or error. However, if I send that dmg file through IM to the same mac, it will produces the "cannot check it for malicious software" error.
I check the transfered dmg with spctl -a -t open -vvv --context context:primary-signature MyApp.dmg, it show source=Notarized Developer ID; origin=***
How can I resolve this issue?
Hi our team is looking into feasibilities of appending customized data to personalized installer, so that we can make new users onboarding experience better. I did some investigations.
Append token data to xattr to a dmg, I went though this smoothly. I can successfully retrieve the data back, and the app can still be launched successfully. Want to make sure this doesn't require the dmg to be re-signed and re-notarized, and I didn't miss any steps in between
I created a fake simulation app try to sign and notarize. Signing the dmg seems to be successful, but when I notarize, it gave me back Invalid status. Is there anything wrong?
This is the signature:
Executable=/Users/myname/myname/poc/MySimulation.dmg
Identifier=MySimulation
Format=disk image
CodeDirectory v=20200 size=304 flags=0x0(none) hashes=1+6 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=e2a149614f6e0e3939db3a
4c762adda0e8c24
CandidateCDHashFull sha256=e2a149614f6e0e3939db3a3054adda0e8c24f597ddf4c4503cd27fb83821
Hash choices=sha256
CMSDigest=e2a149614f6e0e3939dba3054c62adda0e8c24f597ddf4c4503cd27fb83821
CMSDigestType=2
CDHash=e2a149614f6e0e39393a3054c762adda0e8c24
Signature size=4789
Authority=Apple Development: myId (someId)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=Oct 14, 2024 at 3:46:08 PM
Info.plist=not bound
TeamIdentifier=W3TC3HXUZC
Sealed Resources=none
Internal requirements count=1 size=188
Do you have any other recommendations for us to append some data that doesn't break signing / notarization?