Demystify code signing and its importance in app development. Get help troubleshooting code signing issues and ensure your app is properly signed for distribution.

Post

Replies

Boosts

Views

Activity

Issue with code signing
I am signing my app using this command: codesign --verbose=4 --force --options=runtime --deep --timestamp --sign "${APP_IDENTITY}" "${APP_FILE}" --entitlements "./Protect.entitlements I have ensured that the necessary provisioning profiles are embedded in the IPA file. I am also verifying the signing using codesign -dvv ./JumpCloud\ Protect\ Staging.ipa and codesign --verify --deep --verbose ./JumpCloud\ Protect\ Staging.ipa Despite following the above steps, when I attempt to upload the IPA file to Transporter, I receive the following error message: Missing or invalid signature. The bundle 'com.jumpcloud.JumpCloud-Protect.staging' at bundle path 'Payload/JumpCloud Protect Staging.app' is not signed using an Apple submission certificate.
1
1
349
Sep ’24
Xcode downloaded client crash report at libsecinit_appsandbox.c
Among the newest crash reports downloaded by Xcode for my App Store app there is one that contains a single thread, crashed at libsecinit_appsandbox.c, without any trace of my app name. What could possibly cause such a crash? Is this something related with app signing? The app has been on the App Store for a long time and this never happened to me. Thread 0 Crashed: 0 libsystem_secinit.dylib 0x00000001941dcfcc _libsecinit_appsandbox.cold.12 + 60 (libsecinit_appsandbox.c:454) 1 libsystem_secinit.dylib 0x00000001941dbf94 _libsecinit_appsandbox + 1764 (libsecinit_appsandbox.c:454) 2 libsystem_trace.dylib 0x00000001872be598 _os_activity_initiate_impl + 64 (activity.c:131) 3 libsystem_secinit.dylib 0x00000001941db85c _libsecinit_initializer + 80 (libsecinit_initializer.c:17) 4 libSystem.B.dylib 0x00000001941f2664 libSystem_initializer + 280 (init.c:338) 5 dyld 0x00000001871fe608 invocation function for block in dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const::$_0::operator()() const + 168 (Loader.cpp:2198) 6 dyld 0x000000018723cd6c invocation function for block in dyld3::MachOAnalyzer::forEachInitializer(Diagnostics&, dyld3::MachOAnalyzer::VMAddrConverter const&, void (unsigned int) block_pointer, void const*) const + 340 (MachOAnalyzer.cpp:2481) 7 dyld 0x0000000187230400 invocation function for block in dyld3::MachOFile::forEachSection(void (dyld3::MachOFile::SectionInfo const&, bool, bool&) block_pointer) const + 496 (MachOFile.cpp:1669) 8 dyld 0x00000001871df2fc dyld3::MachOFile::forEachLoadCommand(Diagnostics&, void (load_command const*, bool&) block_pointer) const + 300 (MachOFile.cpp:1185) 9 dyld 0x000000018722f394 dyld3::MachOFile::forEachSection(void (dyld3::MachOFile::SectionInfo const&, bool, bool&) block_pointer) const + 192 (MachOFile.cpp:1628) 10 dyld 0x000000018723c880 dyld3::MachOAnalyzer::forEachInitializer(Diagnostics&, dyld3::MachOAnalyzer::VMAddrConverter const&, void (unsigned int) block_pointer, void const*) const + 516 (MachOAnalyzer.cpp:2448) 11 dyld 0x00000001871fa53c dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const + 564 (Loader.cpp:2189) 12 dyld 0x00000001872042d4 dyld4::PrebuiltLoader::runInitializers(dyld4::RuntimeState&) const + 44 (PrebuiltLoader.cpp:818) 13 dyld 0x000000018721dcc0 dyld4::APIs::runAllInitializersForMain() + 84 (DyldAPIs.cpp:3889) 14 dyld 0x00000001871e4010 dyld4::prepare(dyld4::APIs&, dyld3::MachOAnalyzer const*) + 3156 (dyldMain.cpp:891) 15 dyld 0x00000001871e2ef4 start + 1868 (dyldMain.cpp:1265) Crash report
2
0
328
Sep ’24
Driver Kit App Signing for Release On iPad
I'm working on an app that contains a USB Driver Kit extension for iPad (NOT MAC). The app contains two targets, the core app and the DriverKit extension target. I can run the app just fine using a dev cert and provisioning profile. ** What is the step-by-step process for signing the release build?** There seems to be no way to create a release profile for the Driver Kit target. I've tried multiple avenues, but come to a dead end on each. I have requested and received the correct entitlements. Also, on a separate note, has anyone achieved this process using Fastlane? It seems particularly resistant to building the app with the driverkit extension, even for dev builds. It complains about the driverkit dev profile not being an iOS profile. Thanks!
2
0
425
Sep ’24
Application signed with ability to load system extensions started failing due to signature issue
Hi, I've developed an application which reside under /Applications. Inside the main application bundle (/Applications/mainApp.app) there are sub-app that contain security extension. Here's the relevant path /Applications/mainApp.app/Contents/Helpers/subApp.app/Contents/Library/SystemExtensions/com.myComp.type.systemextension/ So far I could load the extension by running the subApp and make sure it calls the extension activation API. but seems like starting from Sonoma (i'm using version 14.6.1 )it stopped working, and I get crash dump on signature failure which trying to open the subApp.app. in the crash log I get reason of invalid code sign. I also get the following hints Binary Images: 0x1050a0000 - 0x10512bfff dyld_path_missing (*) <f635824e-318b-3f0c-842c-c369737f2b68> /dyld_path_missing 0x104d9c000 - 0x104d9ffff main_executable_path_missing (*) <1df5f408-cb16-304f-8b38-226e29361161> /main_executable_path_missing Is it possible that new OS version have new validation rule that enforce something about the location of the app that can start extensions ?
2
0
415
Sep ’24
Signing application with app extensions
We have developed an electron app which we want to extend with an action extension. The action extension is written in swift in Xcode. Our plan was to build the .appex file and insert it into the PlugIns folder in our electron app, but I don't think this is the right way to do it? If we insert the .appex file before notarization then we get an error that we are "replacing existing signature". If we manually insert it after the notarization then we get an error with the app is damaged and can’t be opened. Can anybody provide a procedure for this kind of merge I would imagine that it goes something like: Sign app Sign extension Add extension to App Notarize app For signing the app we use electron-builder.
3
0
475
Sep ’24
App is getting crashed after sign the application
PLATFORM AND VERSION macOS Development environment: Other: Python Run-time configuration: macOS 14.6.1 DESCRIPTION OF PROBLEM We have created application using python and created .app using pyInstaller. We want to get the location access using python based application which we are trying to run on MacOS 14.6.1. Without including NSLocationUsageDescription in our info.plist, it is working fine but not getting location permission pop up. After including NSLocationUsageDescription in info.plist application got corrupted. STEPS TO REPRODUCE We are using below commands to sign the application codesign --force -s "Developer ID Application: Pitney Bowes (72NX38Y9GF)" -v DeviceHub.app --deep --strict --options=runtime --entitlements ../info.plist DeviceHub.app ditto -c -k --keepParent --rsrc --sequesterRsrc --arch 'x86_64' DeviceHub.app DeviceHub.zip xcrun notarytool submit DeviceHub.zip --keychain-profile "DHAgentProfile" --wait xcrun stapler staple DeviceHub.app
2
0
387
Sep ’24
In the iOS 18 beta, if there are two Enterprise Apps with the same D-U-N-S number, one of the apps will not run.
I am a developer working on iOS apps. I would like to report an issue occurring in iOS 18 beta and iOS 18.1 beta. Our company has two Enterprise accounts, and we are developing two apps: A app / TeamId: ABCDEFG B app / TeamId: HIJKLMN When we distribute these apps, which have different TeamIds, and install them on a device running iOS 18 beta, both apps install successfully, but only one app will run. (Other app crashed immediately after being launched.) This issue does not occur on versions prior to iOS 18. I would like to know if this is a problem that will be resolved in future updates, or if it is a policy change.
19
4
2.1k
Sep ’24
Signing to run locally does not work with network access
I'm trying to sign an app to run locally because development provisioning does not work for unspecified reasons. I'm adding NSAllowsLocalNetworking to the app transport security section of the entitlements and the result is that the selection to sign the app locally vanishes from the signing section in Xcode. I need to access a local web application which does not provide HTTPS. I'm not only very confused about this but actually pretty ******. Is this once again Apple playing games for absolutely no reason? Why can't I build and run an application on my system that does not have to do anything with Apple, the app store, customers or anything? This is just for me and I cannot make it work.
3
0
653
Sep ’24
Previously unseen problem with certificate signing
I first built WordPuzzleAids over 2 years ago. I built it on my MacBook Pro, using Xcode and Swift. The destination for the build was my iPhone. Two weeks ago, the app stopped working on the iPhone: I thought I might need to rebuild it on the on the MacBook and "re-deliver" it to the iPhone. The build failed with: CodeSign /Users/paddy/Library/Developer/Xcode/DerivedData/WordPuzzleAids-dnwilitxxdvpzablseyseujsllag/Build/Products/Debug-iphoneos/WordPuzzleAids.app (in target 'WordPuzzleAids' from project 'WordPuzzleAids') cd /Users/paddy/Projects/ThirdParty/WordPuzzleAids Signing Identity: "Apple Development: John Patterson (G9M8AH9CTD)" Provisioning Profile: "iOS Team Provisioning Profile: *" (650d11d4-ecd2-4458-a146-3cb55438e9dc) /usr/bin/codesign --force --sign 1FC4588FA2EAD7DCF9AAC9CDC823B567D76BCBE8 --entitlements /Users/paddy/Library/Developer/Xcode/DerivedData/WordPuzzleAids-dnwilitxxdvpzablseyseujsllag/Build/Intermediates.noindex/WordPuzzleAids.build/Debug-iphoneos/WordPuzzleAids.build/WordPuzzleAids.app.xcent --timestamp\=none --generate-entitlement-der /Users/paddy/Library/Developer/Xcode/DerivedData/WordPuzzleAids-dnwilitxxdvpzablseyseujsllag/Build/Products/Debug-iphoneos/WordPuzzleAids.app /Users/paddy/Library/Developer/Xcode/DerivedData/WordPuzzleAids-dnwilitxxdvpzablseyseujsllag/Build/Products/Debug-iphoneos/WordPuzzleAids.app: errSecInternalComp I have attached the build documentation file Build WordPuzzleAids_2024-08-29T21-17-09.txt
6
0
554
Aug ’24
SignatureCollection failed when archive in Jenkins
I am having an issue when archiving in Jenkins. The log says: SignatureCollection /Users/***/Library/Developer/Xcode/DerivedData/***/Build/Intermediates.noindex/ArchiveIntermediates/***/BuildProductsPath/Release-iphoneos/Some.xcframework-ios.signature error: signature-collection failed: The operation couldn't be completed. (XCBUtil.CodeSignatureInfo.Error error 0.) I am able to build and archive without any issue locally.
1
0
455
Aug ’24
multiprocessing.Queue() python method sandbox problem
multiprocessing.Queue() method of python getting "PermissionError: [Errno 1] Operation not permitted" error if it is sandboxed: CODE: import multiprocessing tensorflow_coordinates_queue = multiprocessing.Queue() ERROR: ./test_temp9 Traceback (most recent call last): File "/Applications/test_temp9.app/Contents/MacOS/test_temp9.py", line 4, in <module> File "/Applications/test_temp9.app/Contents/MacOS/multiprocessing/context.py", line 103, in Queue File "/Applications/test_temp9.app/Contents/MacOS/multiprocessing/queues.py", line 43, in __init__ File "/Applications/test_temp9.app/Contents/MacOS/multiprocessing/context.py", line 68, in Lock File "/Applications/test_temp9.app/Contents/MacOS/multiprocessing/synchronize.py", line 162, in __init__ File "/Applications/test_temp9.app/Contents/MacOS/multiprocessing/synchronize.py", line 57, in __init__ PermissionError: [Errno 1] Operation not permitted BUNDELED WITH NUITKA: echo *** | sudo -S python3.9 -m nuitka --run --standalone --macos-disable-console --macos-create-app-bundle --macos-app-mode=ui-element --enable-plugin=pyside6 --macos-app-icon=icons/app_icon.png --include-data-dir=icons=icons test_temp9.py SIGNED WITH FOLLOWING SH: sign.txt sign2.txt ENTITLEMENTS: app.entitlements.txt
2
0
437
Aug ’24
Xcode Cloud code signing failure 🤯
I have been having this problem since xcode cloud came out, it is a shame that this tool cannot be used, I have this problem that xcode cloud always fails to form the code, I have already tried deleting the xcode cloud certificates. Invalid Signature. Code failed to satisfy specified code requirement(s). The file at path “MyApp.app/MyApp” is not properly signed. Make sure you have signed your application with a distribution certificate, not an ad hoc certificate or a development certificate. Verify that the code signing settings in Xcode are correct at the target level (which override any values ​​at the project level). Additionally, make sure the bundle you are uploading was built using a Release target in Xcode, not a Simulator target. If you are certain your code signing settings are correct, choose “Clean All” in Xcode, delete the “build” directory in the Finder, and rebuild your release target. For more information, please consult https://developer.apple.com/support/code-signing.
1
0
583
Aug ’24
setCodeSigningRequirement and Security Agent Plugins
I have a security agent plugin that uses NSXPCConnection to communicate with a launch daemon. This works well, but I want to make sure the launch daemon has not been compromised. I added code to call setCodeSigningRequirement in my module that handles the client side of the NSXPCConnection. However, when used in the security agent plugin, remoteObjectProxyWithErrorHandler reports an error NSCocoaErrorDomain Code=4102 "The code signature requirement failed." If I call my xpc module from a test application, I do not receive an error and everything works as expected. I have tried different code signing requirements. Even with just "anchor apple generic" I still get the error. The console log shows two entries of interest com.apple.SecurityAgentHelper.arm64 default 09:13:29.677567-0500 SecurityAgentHelper-arm64 EOGSecurityServiceClient biometricAuthorization remote proxy error: Error Domain=NSCocoaErrorDomain Code=4102 "The code signature requirement failed." UserInfo={NSDebugDescription=The code signature requirement failed.}
4
0
514
Aug ’24
App crashes in AppStore-Mode
Hi again, experts I have a problem :D My app craseh on startup, when creating it in AppStore Mode and I have absolutely no idea, why. The only difference betweed my Developer-ID-Mode and AppStore-Mode is, tha differnet certificates are used and a tool runs, that does something with the info.plist. (and the stapler tool, that runs in devID-Mode, is of course not used in appstore-mode) Here is, what I do, when creating the binary: /usr/bin/plutil -convert binary1 "/Users/me/somewhere/myapp.app/Contents/Info.plist" (the above line is not used in Dev-ID-Mode) /usr/bin/codesign --entitlements "/Users/me/somewhere/myapp.entitlements" --deep -s "DeveloperAppCert" -f "/Users/me/somewhere/hansimaticoffice.app" /usr/bin/productbuild --component "/Users/me/somewhere/hansimaticoffice.app" "/Applications" --sign "MacDeveloperInstallerCert" "/Users/me/somewhere/hansimaticoffice.pkg" Any hint?
4
0
520
Aug ’24
Error validating app to distribute on TestFlight
Helo, I'm trying to upload my React Native App to test with TestFlight but in the archives when I validate the app I received the following error: Missing signing identifier at "/var/folders/72/pp85df852gxbzn51b2b34blw0000gn/T/XcodeDistPipeline.~~~PCbJ98/Root/Payload/ Failed to cloud sign "/var/folders/72/pp85df852gxbzn51b2b34blw0000gn/T/XcodeDistPipeline.~~~PCbJ98/Root/Payload/Click+". Please file a bug report at https://feedbackassistant.apple.com.
1
0
605
Aug ’24
Transporter Error on submitting electron app pkg
Hi, I'm trying to upload my electron app to the App Store. The app uploads fine to App Store Connect but runs into the following problem while processing: Unable to Sign. This package doesn't meet the current code signing requirements. For more information, see the Code Signing and Application Sandboxing Guide at http://developer.apple.com/library/mac/#documentation/Security/Conceptual/CodeSigningGuide/AboutCS/AboutCS.html and Technical Note 2206 at https://developer.apple.com/library/mac/technotes/tn2206/_index.html Specifically, codesign generated the following errors: [ com.electron.easy-csl-electron.pkg/Payload/easy-csl-electron.app: resource fork, Finder information, or similar detritus not allowed] (90303) Getting to this point was already a real challenge. I'm trying to use electron forge and submit my package to the App Store for which to my knowledge doesn't exist any guide at all. So I'm kinda stuck here: I don't know what "resource fork, Finder information, or similar detritus" is and where it came from and when I search the Internet for this problem I can't find any way to solve it. I tried reading the documentation links provided but I have no idea where to even start :/ Would anybody be able to help me? Thanks, Ludwig
2
0
315
Aug ’24
Trouble direct-distributing macOS app
I don't know why we’re up to Xcode 16 and this stuff is still so damn difficult. First of all, I don't know why I can't just send a .app I built for my M1 MacBook Pro to my friend who also has an M1 MacBook Pro. But even after going through the quarantine steps, he gets an alert saying the app can't be opened. So I'm trying to do direct distribution of an archive. But that gives me two errors: There is a problem with the request entity You already have a current Developer ID Application Managed (With Kext) certificate or a pending certificate request. No profiles for 'com.latencyzero.VideoBox' were found Xcode couldn't find any Developer ID provisioning profiles matching 'com.latencyzero.VideoBox'. The signing is managed by Xcode. CloudKit access works.
1
0
445
Aug ’24
system extension failed to validate
I facing issue where the system extension i try to install have message: no related kext found for sysex 'com.apple.usbsoundriver' com.apple.usbsoundriver:extension failed to validate! uninstalling... uninstalling invalid extension com.apple.usbsoundriver Is internet access is required for system extension validation? I install the driver without internet access. This work in some others machine, only fresh reformated Mac machine without internet connection have this issue. Why is this so?
10
0
602
Aug ’24
Build issue when creating an Apple Watch standalone app archive
Build issue when creating an Apple Watch standalone app archive This is an Apple Watch standalone app. (Without an iPhone app) Even if you create an Apple Watch standalone app as a new project in Xcode, two targets are created: "iPhone target + Apple Watch target". The iPhone target cannot be built or modified. Usually, builds or archives are created with the Apple Watch target. It's been a while since I updated the app, so I tried to fix it, add new features, and update it. When I created an archive, the version kept being created as 1.0 - 1. I entered 1.1 - 8 for the Apple Watch target. In the previous Xcode version, when I clearly modified the version and build version of the Apple Watch target, it was reflected in the archive file. However, in the current Xcode, it is not reflected. Does anyone know how we can fix this issue?
1
0
322
Aug ’24
Postinstall fails to run binary in ./scripts
Hi, When postinstall tries to run another binary inside the ./scripts folder I package with pkgbuild, it gets killed by taskgated when the postinstall script tries to run it. └── Contents ├── Helpers ├── Info.plist ├── MacOS │   ├── UI │   └──Worker ├── PkgInfo ├── Resources │   ├── com.ui.plist │   ├── com.worker.plist │   └── icon.icns ├── _CodeSignature │   └── CodeResources └── embedded.provisionprofile scripts: ├── token_installer ├── postinstall ├── token_installer ├── postinstall How I am signing: codesign --entitlements entitlements.plist --timestamp --options=runtime --sign "$DEVELOPER_ID" --force out/myapp.app/Contents/MacOS/UI codesign --entitlements entitlements.plist --timestamp --options=runtime --sign "$DEVELOPER_ID" --force out/myapp.app/Contents/MacOS/Worker codesign --entitlements entitlements.plist --timestamp --options=runtime --sign "$DEVELOPER_ID" --force ./scripts/token_installer codesign --entitlements entitlements.plist --timestamp --options=runtime --sign "$DEVELOPER_ID" --force ./scripts/postinstall codesign --entitlements entitlements.plist --timestamp --options=runtime --sign "$DEVELOPER_ID" --force out/myapp.app echo "pkgbuilding..." pkgbuild --root ./out/myapp.app --sign "$DEVELOPER_ID" --identifier com.myapp.app --version 1.0 --install-location /Applications/myapp.app --scripts ./scripts ./out/myapp.pkg echo "productbuilding..." # productbuild --distribution ./Distribution.xml --package-path ./out/myapp.pkg --resources . ./out/MyAppInstaller.pkg productbuild --product requirements.plist --distribution ./Distribution.xml --package-path ./out/myapp.pkg --resources . ./out/MyAppInstaller.pkg productsign --sign "Developer ID Installer: My Company Inc (***)" --force ./out/MyAppInstaller.pkg ./out/MyAppInstallerSigned.pkg Sidenote: all binaries that are not the main executable, UI, get killed by taskgated, but I figured I will wrap the Worker in its own app Inside Helpers. I just do not see the point in doing that for the token_installer, since it should only be called once ever, during postinstall. Is there a way to make it run without having to include it in the app bundle itself?
7
0
411
Aug ’24