App is signed, notarized and stapled, I send that dmg file with file transfer tool, it can open correctly on other mac without any warning or error. However, if I send that dmg file through IM to the same mac, it will produces the "cannot check it for malicious software" error.
I check the transfered dmg with spctl -a -t open -vvv --context context:primary-signature MyApp.dmg, it show source=Notarized Developer ID; origin=***
How can I resolve this issue?
General
RSS for tagDemystify code signing and its importance in app development. Get help troubleshooting code signing issues and ensure your app is properly signed for distribution.
Post
Replies
Boosts
Views
Activity
Hi our team is looking into feasibilities of appending customized data to personalized installer, so that we can make new users onboarding experience better. I did some investigations.
Append token data to xattr to a dmg, I went though this smoothly. I can successfully retrieve the data back, and the app can still be launched successfully. Want to make sure this doesn't require the dmg to be re-signed and re-notarized, and I didn't miss any steps in between
I created a fake simulation app try to sign and notarize. Signing the dmg seems to be successful, but when I notarize, it gave me back Invalid status. Is there anything wrong?
This is the signature:
Executable=/Users/myname/myname/poc/MySimulation.dmg
Identifier=MySimulation
Format=disk image
CodeDirectory v=20200 size=304 flags=0x0(none) hashes=1+6 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=e2a149614f6e0e3939db3a
4c762adda0e8c24
CandidateCDHashFull sha256=e2a149614f6e0e3939db3a3054adda0e8c24f597ddf4c4503cd27fb83821
Hash choices=sha256
CMSDigest=e2a149614f6e0e3939dba3054c62adda0e8c24f597ddf4c4503cd27fb83821
CMSDigestType=2
CDHash=e2a149614f6e0e39393a3054c762adda0e8c24
Signature size=4789
Authority=Apple Development: myId (someId)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=Oct 14, 2024 at 3:46:08 PM
Info.plist=not bound
TeamIdentifier=W3TC3HXUZC
Sealed Resources=none
Internal requirements count=1 size=188
Do you have any other recommendations for us to append some data that doesn't break signing / notarization?
I facing issue where the system extension i try to install have message:
no related kext found for sysex 'com.apple.usbsoundriver'
com.apple.usbsoundriver:extension failed to validate! uninstalling...
uninstalling invalid extension com.apple.usbsoundriver
Is internet access is required for system extension validation? I install the driver without internet access.
This work in some others machine, only fresh reformated Mac machine without internet connection have this issue. Why is this so?
When I try to launch my own Java app, I get the following error message.
xpcproxy exited due to OS_REASON_CODESIGNING | Launch Constraint Violation, error info: c[5]p[1]m[1]e[0], (Constraint not matched) launch type 3, failure proc [vc: 1]: /bin/bash
As far as I know, the failing process path is /bin/bash.
This issue is only happening on macOS Sequoia. The Java app works without any issue on MacOS Sonoma or any previous macOS versions. I did not make any changes, including launch constraints or any other settings. After updating to macOS Sequoia, I started getting this error and can no longer launch my app.
Thank you so much.
Hello,
We are using automatic signing for a couple of projects, and we're struggling to get it to work in a CI with Xcode 16. It was working with Xcode 15 but with Xcode 16 we get the following errors :
error: The operation couldn’t be completed. Unable to log in with account ''. The login details for account '' were rejected.
error: Provisioning profile "iOS Team Provisioning Profile: com.bundleid.my" doesn't include signing certificate "Apple Development: Foobar (TEAMID)".
Any ideas ?
I would like to share my new project on an open source repository like GitHub. it need capabilities like iCloud. The problem is that I would prefer not have my appleid email being send to the open source repository. I saw that I can exclude files but I would be easier if the open source version had no Apple account associated with it.
how should I manage the open source version vs the App Store one.
Thank you
We are facing following message "A timestamp was expected but was not found" during codesign for following .dylib and .pkg and it cause notarization process failed.
We are facing this issue for last 3 days.
we have access for timestamp.apple.com and 17.0.0.0/8 and we didn't change firewall settings. We are facing this issue randomly and not for all time(scenario is 3:1).
We tried the below command to sign the package,
codesign --verbose --deep --force --timestamp --options=runtime --sign ""
Kindly let us know how to fix this probelm.
traceroute timestamp.apple.com
traceroute to timestamp.v.aaplimg.com (17.157.80.35), 64 hops max, 52 byte packets
....
10 17.0.9.19 (17.0.9.19) 185.693 ms
17.0.9.17 (17.0.9.17) 180.932 ms 189.060 ms
11 * * *
12 17.0.17.141 (17.0.17.141) 191.513 ms *
17.0.17.137 (17.0.17.137) 183.086 ms
13 * * *
14 * * *
There does not seem to be a way to code sign a PAM module so that an XPC service can verify the signature with setCodeSigningRequirement.
There should be a way to build a PAM module (dynamic Library ) so it can be code signed. Put in a bundle and code signing the bundle does not work .
Hello,
We use automatic signing and Fastlane on our CI. Fastlane uses xcodebuild to create an archive.
xcodebuild -workspace ourApp.xcworkspace -scheme app-dev -destination generic/platform=iOS -archivePath app-dev.xcarchive -skipPackagePluginValidation -allowProvisioningUpdates -authenticationKeyID OurAppStoreConnectAuthKey -authenticationKeyIssuerID OurAppStoreConnectAuthKeyIssuerId -authenticationKeyPath /path/to/OurAppStoreConnectKey.p8 clean archive
All works fine, but ....
Why does Xcode 16 log out logged Apple ID and create a new every build? As a result, we have more and more Unknown Apple IDs in Xcode, and for each of them an error appears in log.
Error:
xcodebuild[3174:1804334] DVTDeveloperAccountManager: Failed to load credentials for 0A1DF15C-ETC-ETC: Error Domain=DVTDeveloperAccountCredentialsError Code=0 "Invalid credentials in keychain for 0A1DF15C-ETC-ETC, missing Xcode-Username" UserInfo={NSLocalizedDescription=Invalid credentials in keychain for 0A1DF15C-ETC-ETC, missing Xcode-Username}
Of course, the originally logged-in Apple ID has an error corresponding to his non-logged-in state.
xcodebuild[3174:1804334] DVTDeveloperAccountManager: Failed to load credentials for originally_logged-in_user: Error Domain=DVTDeveloperAccountCredentialsError Code=0 "Invalid credentials in keychain for originally_logged-in_user, missing Xcode-Token" UserInfo={NSLocalizedDescription=Invalid credentials in keychain for originally_logged-in_user, missing Xcode-Token}
Why does this happen and how can it be fixed? Why does Xcode 16 log out its logged Apple ID?
Hi,
the documentation says that an application bundle for Mac OS X can have a Frameworks folder within Contents. Using a framework for console applications (no bundle) and GUI applications (bundle), I cannot load the console applications anymore on Ventura.
Prior to Ventora I have tested and ran both on Mojave or earlier - I am not sure.
To fix the issue, I have moved the frameworks within the application bundle to match the rpath for /Users/lothar/Library/Frameworks when I place the console into /Users/lothar/bin, the same rpath for application bundles works for those within the bin folder.
Can I publish an application bundle with that modified layout or do I have to expect getting problems and do rather a Symlink pointing from /Users/lothar/Frameworks to /Users/lothar/Library/Frameworks?
Thanks, Lothar
CodeSign /Users/abc007/Library/Developer/Xcode/DerivedData/App-fjztkcxqsstohgfvqdfnedgpwltj/Build/Intermediates.noindex/ArchiveIntermediates/App/InstallationBuildProductsLocation/Applications/App.app (in target 'App' from project 'App')
cd /Users/abc007/Documents/WorkSpace/RegulusIT/Release_Oct_2024/UI\ Backup/ios/App
Signing Identity: "Apple Development: Yatin Ghat (JS84GYN3O4)"
Provisioning Profile: "iOS Team Provisioning Profile: www.rightschool.net"
(bdc0759d-b9d0-4470-8e3f-b5b67d3c2586)
/usr/bin/codesign --force --sign 82C0E5904219E333688CE627A21522F732446038 --entitlements /Users/abc007/Library/Developer/Xcode/DerivedData/App-fjztkcxqsstohgfvqdfnedgpwltj/Build/Intermediates.noindex/ArchiveIntermediates/App/IntermediateBuildFilesPath/App.build/Release-iphoneos/App.build/App.app.xcent --generate-entitlement-der /Users/abc007/Library/Developer/Xcode/DerivedData/App-fjztkcxqsstohgfvqdfnedgpwltj/Build/Intermediates.noindex/ArchiveIntermediates/App/InstallationBuildProductsLocation/Applications/App.app
/Users/abc007/Library/Developer/Xcode/DerivedData/App-fjztkcxqsstohgfvqdfnedgpwltj/Build/Intermediates.noindex/ArchiveIntermediates/App/InstallationBuildProductsLocation/Applications/App.app: errSecInternalComponent
Command CodeSign failed with a nonzero exit code
This post is part of a cluster of posts related to the trusted execution system. If you found your way here directly, I recommend that you start at the top.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
Resolving Gatekeeper Problems
Gatekeeper strives to ensure that only trusted software runs on a user’s Mac. It’s important that your code pass Gatekeeper. If not, you’re likely to lose a lot of customers, and your users’ hard-won trust.
There are four common Gatekeeper problems:
App blocked by a dangling load command path
Broken code signature
Lack of notarisation
Command-line tool blocked by Gatekeeper
The first problem is by far the most common. For the details, see Resolving Gatekeeper Problems Caused by Dangling Load Command Paths.
For general information about Gatekeeper, read Apple > Developer > Signing Mac Software with Developer ID and Apple > Support > Safely open apps on your Mac.
IMPORTANT This post focuses on Developer ID-signed code. Gatekeeper should not block App Store apps. If an app downloaded from the App Store fails to run, it’s likely to be some other trusted execution issue. For more about this, read Resolving Trusted Execution Problems.
macOS 14 introduced gktool, a very minimal interface to Gatekeeper. Run the tool with the help argument to learn more:
% gktool help
Verify Your Signature
A good first step in any Gatekeeper investigation is to verify that your code is signed correctly. Use the codesign tool for this:
% codesign -v -vvv --strict --deep MyApp.app
The -vvv options increase verbosity to the point where codesign will give you useful diagnostics. For example:
% codesign -v -vvv --strict --deep "Munged.app"
Munged.app: a sealed resource is missing or invalid
file added: …/Munged.app/Contents/Resources/names/Adam.txt
file modified: …/Munged.app/Contents/Resources/names/Morgan.txt
file missing: …/Munged.app/Contents/Resources/names/Rhonda.txt
This app was changed after it was signed in three different ways:
Adam.txt was added.
Morgan.txt was modified.
Rhonda.txt was removed.
You might see some results that make no sense. For example:
Start with an app with a valid code signature:
% codesign -v -vvv --strict --deep "NotNormal.app"
NotNormal.app: valid on disk
NotNormal.app: satisfies its Designated Requirement
Use the Finder to create a zip archive (File > Compress).
Use the Finder to unpack that archive.
Check the code signature of the unpacked file:
% codesign -v -vvv --strict --deep "NotNormal 2.app"
NotNormal 2.app: a sealed resource is missing or invalid
file added: …/NotNormal 2.app/Contents/Resources/names/Zoë Schrödinger.txt
file missing: …/NotNormal 2.app/Contents/Resources/names/Zoë Schrödinger.txt
There are two things to note here. First, just compressing and decompressing the app broke its code signature. Weird! Second, look at the error messages. It seems that the Zoë Schrödinger.txt file is was both added and removed. Weirder!
To see what’s going on here you have to look at a hex dump of the file name:
% ls "NotNormal.app/Contents/Resources/names" | xxd
00000000: 5a6f c3ab 2053 6368 726f cc88 6469 6e67 Zo.. Schro..ding
00000010: 6572 2e74 7874 0a er.txt.
% ls "NotNormal 2.app/Contents/Resources/names" | xxd
00000000: 5a6f 65cc 8820 5363 6872 6fcc 8864 696e Zoe.. Schro..din
00000010: 6765 722e 7478 740a ger.txt.
The names are not the same! The app started out with the ë in precomposed form and the ö in decomposed form. Compressing and decompressing the app converted the ë to its decomposed form, and that change broke the code signature.
Programs that deal with Unicode are expected to ignore differences in normalisation. Sadly, Apple’s code signing implementation missed that memo (r. 68829319). For more details see this post but the executive summary is that it’s best to stick to ASCII when naming files in a bundle.
Identify a Notarisation Problem
Gatekeeper requires that your app be notarised. If not, it will block the execution of your app with a generic, user-level message. If you find your app blocked by Gatekeeper, check if this is a notarisation issue by looking in the system log for an entry like this:
type: info
time: 2022-05-11 14:57:21.812176 -0700
process: syspolicyd
subsystem: com.apple.syspolicy
category: default
message: ticket not available: 2/2/8b7410713591e6c79ea98f0132136f0faa55d22a
Note If the ticket details show as <private>, enable private data in the system log. For information on how to do that, see Recording Private Data in the System Log. For general information about the system log, see Your Friend the System Log.
The long hex number is the code directory hash, or cdhash, of the offending code. In this example, it’s the cdhash of the app itself:
% codesign -d -vvv /Applications/NotNotarised.app
…
CDHash=8b7410713591e6c79ea98f0132136f0faa55d22a
…
However, in some cases it may be the cdhash of some library referenced by the app.
For more information about cdhashes, see TN3126 Inside Code Signing: Hashes.
Resolve a Notarisation Problem
The obvious cause of this problem is that you haven’t notarised your app. For information on how to do that, see Notarizing macOS Software Before Distribution.
If you have notarised your app and yet you still see this problem, something more subtle is happening. For example, your app might reference a dynamic library that wasn’t seen by the notary service.
To investigate this:
Fetch the notary log for your app. For advice on that, see Fetching the Notary Log.
Confirm that the notary log matches the app you installed. Look in the notary log for the sha256 property. Its value is a SHA-256 hash of the file received by the notary service. Check that this matches the SHA-256 hash of the file you used to install your app. If not, see Hash Mismatch, below.
Search the notary log for the cdhash value from the Gatekeeper log message.
If the notary log doesn’t contain that cdhash, that code wasn’t included in the notarised ticket. It’s possible that you failed to submit the code to the notary service, that it was switched out with a different version after you notarised your app, that it was package in some way that the notary service couldn’t see it, or that something went wrong within the notary service.
Hash Mismatch
If you stapled your notarised ticket to the file used to install your app then the hashes in step 2 of the previous section won’t match. What to do depends on the file type:
If the file used to install your app was a zip archive (.zip), you definitely have the wrong file. Zip archives don’t support stapling.
If the file used to install your app was a signed disk image (.dmg), compare the disk image’s cdhash with the cdhash for the disk image in the notary log. If those match, you know you’re working with the same disk image.
To dump a disk image’s cdhash, run the codesign tool as follows:
% codesign -d -vvv DISK_IMAGE
…
CDHash=d963af703ac2e54af6609e9ad309abee7b66fae2
…
Replace DISK_IMAGE with the path to your disk image.
If the file used to install your app was a disk image but it wasn’t signed, switch to a signed disk image. It’s generally a better option.
If the file used to install your app was an installer package (.pkg), there’s no good way to know if this is the correct package. In this case, modify your notarisation workflow to retain a copy of the file before it was modified by stapler.
Tool Blocked by Gatekeeper
If your product includes a command-line tool, you might notice this behaviour:
When you double click the tool in Finder, it’s blocked by Gatekeeper.
When you run the tool from within Terminal, it works.
This is a known bug in macOS (r. 58097824). The issue is that, when you double click a tool in the Finder, it doesn’t run Gatekeeper’s standard execution logic. Rather, the Finder passes the tool to Terminal as a document and that opens a window (and associated shell) in which to run that document. This triggers Gatekeeper’s document logic, and that logic always blocks the tool.
There are two ways around this:
Embed your tool in an application. If the user runs the application first, Gatekeeper runs its normal application check. If the user allows the app to run, Gatekeeper records that decision and applies it to the app and any code within the app, including your tool.
Install your tool using an installer package. When the user goes to install the package, Gatekeeper checks it. Assuming that check passes, Gatekeeper does no further checks on the content it installed.
Revision History
2024-11-11 Added a mention of gktool.
2022-05-20 Added the Verify Your Signature section. Made other minor editorial changes.
I help a lot of developers with macOS trusted execution problems. For example, they might have an app being blocked by Gatekeeper, or an app that crashes on launch with a code signing error.
If you encounter a problem that’s not explained here, start a new thread with the details. Make sure to add relevant tags — like Gatekeeper, Code Signing, and Notarization — so that I see your post.
IMPORTANT macOS 14 has a new tool, syspolicy_check, that was specifically designed to help diagnose problems like this. I plan to update this post once I have more experience with it. In the meantime, however, if you hit a trusted execution problem and it reproduces on macOS 14, please try out syspolicy_check and let us know how that pans out.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
Resolving Trusted Execution Problems
macOS supports three software distribution channels:
The user downloads an app from the App Store.
The user gets a Developer ID-signed program directly from its developer.
The user builds programs locally using Apple or third-party developer tools.
The trusted execution system aims to protect users from malicious code. It’s comprised of a number of different subsystems. For example, Gatekeeper strives to ensure that only trusted software runs on a user’s Mac, while XProtect is the platform’s built-in anti-malware technology.
Note To learn more about these technologies, see Apple Platform Security.
If you’re developing software for macOS your goal is to avoid trusted execution entanglements. You want users to install and use your product without taking any special steps. If, for example, you ship an app that’s blocked by Gatekeeper, you’re likely to lose a lot of customers, and your users’ hard-won trust.
Trusted execution problems are rare with Mac App Store apps because the Mac App Store validation process tends to catch things early. This post is primarily focused on Developer ID-signed programs.
Developers who use Xcode encounter fewer trusted execution problems because Xcode takes care of many code signing and packaging chores. If you’re not using Xcode, consider making the switch. If you can’t, consult the following for information on how to structure, sign, and package your code:
Placing Content in a Bundle
Embedding Nonstandard Code Structures in a Bundle
Embedding a Command-Line Tool in a Sandboxed App
Creating distribution-signed code for macOS
Packaging Mac software for distribution
Gatekeeper Basics
User-level apps on macOS implement a quarantine system for new downloads. For example, if Safari downloads a zip archive, it quarantines that archive. This involves setting the com.apple.quarantine extended attribute on the file.
Note The com.apple.quarantine extended attribute is not documented as API. If you need to add, check, or remove quarantine from a file programmatically, use the quarantinePropertiesKey property.
User-level unarchiving tools preserve quarantine. To continue the above example, if you double click the quarantined zip archive in the Finder, Archive Utility will unpack the archive and quarantine the resulting files.
If you launch a quarantined app, the system invokes Gatekeeper. Gatekeeper checks the app for problems. If it finds no problems, it asks the user to confirm the launch, just to be sure. If it finds a problem, it displays an alert to the user and prevents them from launching it. The exact wording of this alert varies depending on the specific problem, and from release to release of macOS, but it generally looks like the ones shown in Apple > Support > Safely open apps on your Mac.
The system may run Gatekeeper at other times as well. The exact circumstances under which it runs Gatekeeper is not documented and changes over time. However, running a quarantined app always invokes Gatekeeper.
Unix-y networking tools, like curl and scp, don’t quarantine the files they download. Unix-y unarchiving tools, like tar and unzip, don’t propagate quarantine to the unarchived files.
Confirm the Problem
Trusted execution problems can be tricky to reproduce:
You may encounter false negatives, that is, you have a trusted execution problem but you don’t see it during development.
You may also encounter false positives, that is, things fail on one specific Mac but otherwise work.
To avoid chasing your own tail, test your product on a fresh Mac, one that’s never seen your product before. The best way to do this is using a VM, restoring to a snapshot between runs. For a concrete example of this, see Testing a Notarised Product.
The most common cause of problems is a Gatekeeper alert saying that it’s blocked your product from running. However, that’s not the only possibility. Before going further, confirm that Gatekeeper is the problem by running your product without quarantine. That is, repeat the steps in Testing a Notarised Product except, in step 2, download your product in a way that doesn’t set quarantine. Then try launching your app. If that launch fails then Gatekeeper is not the problem, or it’s not the only problem!
Note The easiest way to download your app to your test environment without setting quarantine is curl or scp. Alternatively, use xattr to remove the com.apple.quarantine extended attribute from the download before you unpack it. For more information about the xattr tool, see the xattr man page.
Trusted execution problems come in all shapes and sizes. The remaining sections address the most common ones.
App Blocked by Gatekeeper
If your product is an app and it works correctly when not quarantined but is blocked by Gatekeeper when it is, you have a Gatekeeper problem. For advice on how to investigate such issues, see Resolving Gatekeeper Problems.
App Can’t Be Opened
Not all failures to launch are Gatekeeper errors. In some cases the app is just broken. For example:
The app’s executable might be missing the x bit set in its file permissions.
The app’s executable might be subtly incompatible with the current system. A classic example of this is trying to run a third-party app that contains arm64e code.
macOS requires that third-party kernel extensions use the arm64e architecture. In other circumstances, stick to arm64 for your shipping products. If you want to test arm64e code locally, see Preparing Your App to Work with Pointer Authentication.
The app’s executable might claim restricted entitlements that aren’t authorised by a provisioning profile.
Or the app might have some other code signing problem.
Note For more information about provisioning profiles, see TN3125 Inside Code Signing: Provisioning Profiles.
In such cases the system displays an alert saying:
The application “NoExec” can’t
be opened.
[[OK]]
Note In macOS 11 this alert was:
You do not have permission to
open the application “NoExec”.
Contact your computer or network
administrator for assistance.
[[OK]]
which was much more confusing.
A good diagnostic here is to run the app’s executable from Terminal. For example, an app with a missing x bit will fail to run like so:
% NoExec.app/Contents/MacOS/NoExec
zsh: permission denied: NoExec.app/Contents/MacOS/NoExec
And an app with unauthorised entitlements will be killed by the trusted execution system:
% OverClaim.app/Contents/MacOS/OverClaim
zsh: killed OverClaim.app/Contents/MacOS/OverClaim
In some cases running the executable from Terminal will reveal useful diagnostics. For example, if the app references a library that’s not available, the dynamic linker will print a helpful diagnostic:
% MissingLibrary.app/Contents/MacOS/MissingLibrary
dyld[88394]: Library not loaded: @rpath/CoreWaffleVarnishing.framework/Versions/A/CoreWaffleVarnishing
…
zsh: abort MissingLibrary.app/Contents/MacOS/MissingLibrary
Code Signing Crashes on Launch
A code signing crash has the following exception information:
Exception Type: EXC_CRASH (SIGKILL (Code Signature Invalid))
The most common such crash is a crash on launch. To confirm that, look at the thread backtraces:
Backtrace not available
For steps to debug this, see Resolving Code Signing Crashes on Launch.
One common cause of this problem is running distribution-signed code. Don’t do that! For details on why that’s a bad idea, see Don’t Run App Store Distribution-Signed Code.
Code Signing Crashes After Launch
If your program crashes due to a code signing problem after launch, you might have encountered the issue discussed in Updating Mac Software.
Non-Code Signing Failures After Launch
The hardened runtime enables a number of security checks within a process. Some coding techniques are incompatible with the hardened runtime. If you suspect that your code is incompatible with the hardened runtime, see Resolving Hardened Runtime Incompatibilities.
App Sandbox Inheritance
If you’re creating a product with the App Sandbox enabled and it crashes with a trap within _libsecinit_appsandbox, it’s likely that you’re having App Sandbox inheritance problems. For the details, see Resolving App Sandbox Inheritance Problems.
Library Loading Problem
Most library loading problems have an obvious cause. For example, the library might not be where you expect it, or it might be built with the wrong platform or architecture. However, some library loading problems are caused by the trusted execution system. For the details, see Resolving Library Loading Problems.
Explore the System Log
If none of the above resolves your issue, look in the system log for clues as to what’s gone wrong. Some good keywords to search for include:
gk, for Gatekeeper
xprotect
syspolicy, per the syspolicyd man page
cmd, for Mach-O load command oddities
amfi, for Apple mobile file integrity, per the amfid man page
taskgated, see its taskgated man page
yara, discussed in Apple Platform Security
ProvisioningProfiles
You may be able to get more useful logging with this command:
% sudo sysctl -w security.mac.amfi.verbose_logging=1
Here’s a log command that I often use when I’m investigating a trusted execution problem and I don’t know here to start:
% log stream --predicate "sender == 'AppleMobileFileIntegrity' or sender == 'AppleSystemPolicy' or process == 'amfid' or process == 'taskgated-helper' or process == 'syspolicyd'"
For general information the system log, see Your Friend the System Log.
Revision History
2024-10-11 Added info about the security.mac.amfi.verbose_logging option. Updated some links to point to official documentation that replaces some older DevForums posts.
2024-01-12 Added a specific command to the Explore the System Log section. Change the syspolicy_check callout to reflect that macOS 14 is no longer in beta. Made minor editorial changes.
2023-06-14 Added a quick call-out to the new syspolicy_check tool.
2022-06-09 Added the Non-Code Signing Failures After Launch section.
2022-06-03 Added a link to Don’t Run App Store Distribution-Signed Code. Fixed the link to TN3125.
2022-05-20 First posted.
Hi Apple community,
many thanks in advance for your help.
My macOS app embeds a Python interpreter, compiled from source, including the Python executable and its associated libraries.
We have tried compiling the project with Xcode 16.0 and 16.1 beta 2 over MacOS Sequoia 15.0 and 15.1
This is how the project looks like:
SampleApp.app
SampleApp.app/Contents
SampleApp.app/Contents/MacOS
SampleApp.app/Contents/MacOS/SampleApp
SampleApp.app/Contents/MacOS/bin
SampleApp.app/Contents/MacOS/bin/python3.11
SampleApp.app/Contents/Resources
SampleApp.app/Contents/Resources/lib
SampleApp.app/Contents/Resources/lib/python3.11
SampleApp.app/Contents/Resources/Info.plist
Since we want to 'initially' distribute the app directly, Python binary is signed as follows:
codesign --deep --force --options runtime --timestamp --sign "$DEVELOPER_ID_APPLICATION" "$BINARY_PATH"
App entitlements contain the next entries:
&lt;key&gt;com.apple.security.app-sandbox&lt;/key&gt;
&lt;true/&gt;
&lt;key&gt;com.apple.security.files.downloads.read-write&lt;/key&gt;
&lt;true/&gt;
&lt;key&gt;com.apple.security.files.user-selected.read-only&lt;/key&gt;
&lt;true/&gt;
&lt;key&gt;com.apple.security.files.user-selected.read-write&lt;/key&gt;
&lt;true/&gt;
&lt;key&gt;com.apple.security.network.client&lt;/key&gt;
&lt;true/&gt;
&lt;key&gt;com.apple.security.network.server&lt;/key&gt;
&lt;true/&gt;
The resulting app is signed with entitlements, notarised and stapled.
Once the app is running, we can see the next error on Console:
Prompting policy for hardened runtime; service: kTCCServiceAppleEvents requires entitlement com.apple.security.automation.apple-events but it is missing for accessing={TCCDProcess: identifier=[IDENTIFIER]], pid=58826, auid=502, euid=502, binary_path=[PATH]}, requesting={TCCDProcess: identifier=com.apple.appleeventsd, pid=824, auid=55, euid=55, binary_path=/System/Library/CoreServices/appleeventsd},
Python process is not running, we can't see any AMFI message.
Next we added to Signing and Capabilities 'Apple Events' from Hardened Runtime section.
The resulting app gets signed, notarised and stapled, but when running we get only the next errors:
error 09:42:32.787744+0200 SampleApp Can't find or decode reasons
error 09:42:32.787832+0200 SampleApp Failed to get or decode unavailable reasons
Just in case it is relevant, this is how the app interacts with Python:
process.executableURL = URL(fileURLWithPath: [PATH_TO_PYTHON_BIN])
process.environment = environment
process.arguments = arguments
process.standardOutput = pipe
try process.run()
process.waitUntilExit()
We truly appreciate any guidance, help or advice.
Thanks!!
Hi Apple community,
many thanks in advance for your help.
My macOS app embeds a Python interpreter, compiled from source, including the Python executable and its associated libraries.
We have tried compiling the project with Xcode 16.0 and 16.1 beta 2 over MacOS Sequoia 15.0 and 15.1.
The project is 100% developed in Swift6.
This is how the project looks like:
SampleApp.app
SampleApp.app/Contents
SampleApp.app/Contents/MacOS
SampleApp.app/Contents/MacOS/SampleApp
SampleApp.app/Contents/MacOS/bin
SampleApp.app/Contents/MacOS/bin/python3.11
SampleApp.app/Contents/Resources
SampleApp.app/Contents/Resources/lib
SampleApp.app/Contents/Resources/lib/python3.11
SampleApp.app/Contents/Resources/Info.plist
Since we want to 'initially' distribute the app directly, Python binary is signed as follows:
codesign --deep --force --options runtime --timestamp --sign "$DEVELOPER_ID_APPLICATION" "$BINARY_PATH"
App entitlements contain the next entries:
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.files.downloads.read-write</key>
<true/>
<key>com.apple.security.files.user-selected.read-only</key>
<true/>
<key>com.apple.security.files.user-selected.read-write</key>
<true/>
<key>com.apple.security.network.client</key>
<true/>
<key>com.apple.security.network.server</key>
<true/>
The resulting app is signed with entitlements, notarised and stapled.
Once the app is running, we can see the next errors on Console:
Prompting policy for hardened runtime; service: kTCCServiceAppleEvents requires entitlement com.apple.security.automation.apple-events but it is missing for accessing={TCCDProcess: identifier=[IDENTIFIER]], pid=58826, auid=502, euid=502, binary_path=[PATH]}, requesting={TCCDProcess: identifier=com.apple.appleeventsd, pid=824, auid=55, euid=55, binary_path=/System/Library/CoreServices/appleeventsd},
Python process runs for some seconds and then the process disappears. We can not see any AMFI message on Console.
Then we add to Signing and Capabilities 'Apple Events' from Hardened Runtime section.
The resulting app gets signed, notarised and stapled, but when running we get only the next errors:
error 09:42:32.787744+0200 SampleApp Can't find or decode reasons
error 09:42:32.787832+0200 SampleApp Failed to get or decode unavailable reasons
Just in case it is relevant, this is how the app interacts with Python:
process.executableURL = URL(fileURLWithPath: [PATH_TO_PYTHON_BINARIE])
process.environment = environment
process.arguments = arguments
process.standardOutput = pipe
try process.run()
process.waitUntilExit()
We truly appreciate any guidance, help or advice.
Thanks!!
Using .p12 file (included ios developer and ios distribution), to keychain login tried to register iPhone Developer and iPhone Distribution.
But iPhone Distribution is not displayed.
MacOS: 15.0.1
My mac os is 15.0.1.
Using .p12 file (included ios developer and ios distribution), to keychain login tried to register iPhone Developer and iPhone Distribution.
But iPhone Distribution is not displayed.
The actual error:
pkgbuild: error: Could not find appropriate signing identity for “Developer ID installer: My Name (DeveloperID)”.
I'm trying to sign a program written with gfortran. The steps worked the last time (Mar 23) I built this code.
The steps to error:
a) xcrun notarytool store-credentials --apple-id "***" --team-id "yyy"
Giving Profile Name zzz and App-specific password
b) codesign --force --timestamp --options=runtime -s "Developer ID Application: My Name (yyy)" AppName
c) pkgbuild --root ROOT --identifier org.aaa.bbb --version "1.1.1" --sign "Developer ID installer: My Name (yyy)" AppName.pkg
ROOT contains the package contents
At this point I get the error
pkgbuild: error: Could not find appropriate signing identity for “Developer ID installer: My Name (yyy)”
Are there steps that have changed. Any suggestions?
Thanks, David
Hi,
I have an Electron app that I build, sign, notarize, and staple using electron-builder. It includes Sound Exchange (SoX), which I was invoking from the homebrew installed version. It builds a dmg and works fine.
However, my users are non-technical, thus cannot be expected to install dev tools, homebrew, and sox from the command line and set paths.
Therefore, I need to include a SoX binary in my app. I have a static SoX binary that works. However, when I try to run it from my electron app, I get Error: spawn / <path>/sox EACCES.
Electron-builder is signing the SoX binary codesign --sign <sign number> --force --timestamp --options runtime --entitlements dist/entitlements/entitlements.mac.plist /<app path>Contents/Resources/bin/sox/sox
The app sign/notarize works fine, the dmg mounts, and the app runs until I try to invoke SoX. Also, I verified the sox binary and entire app are signed and the app staple is valid. I am running the app from /Applications.
Please help me!
Hi,
I've recently observed a sudden increase in support requests for one of my apps on the Mac App Store, reporting the error " is damaged and can't be opened. Please re-download it from the Mac App Store", all on different systems: macOS 12, macOS 13, and macOS 15 Sequoia.
Re-downloading does not resolve the issue most of the time.
One user reported that being connected to the internet resolved it - perhaps this is an OCSP issue again?
I myself cannot reproduce this issue.
Has there been a change in code-signing recently? Have some certificates changed? Anything else I should be aware of?
What is the best course of action to have users take who experience this, when re-downloading the app from the Mac App Store does not work?
Thank you,
– Matthias