I am developing a PCIDriverKit dext, and testing on Sequoia Beta (Version 15.0 Beta, 24A5298h). Both the dext and the "owning" application build on Xcode 16.0 beta 4. I can run the owning application and register the dext.
When the OS attempts to load the dext, though, code signing validation errors occur:
2024-07-30 15:54:02.386 Df kernel[0:ae6a] Driver com.company.Dext-Loader.dext has crashed 0 time(s)
2024-07-30 15:54:02.386 Df kernel[0:ae6a] DK: Dext_Loader_Driver-0x100001464 waiting for server com.company.Dext-Loader.dext-100001464
2024-07-30 15:54:02.388 Df kernelmanagerd[112:abb5] Found 1 dexts with bundle identifier com.company.Dext-Loader.dext
2024-07-30 15:54:02.388 Df kernelmanagerd[112:abb5] Using unique id a0cf49ca3ea45f5d54a3e8644e2dde6b0e8666c649c1e9513ca4166919038b53 to pick dext matching bundle identifier com.company.Dext-Loader.dext
2024-07-30 15:54:02.388 Df kernelmanagerd[112:abb5] Picked matching dext for bundle identifier com.company.Dext-Loader.dext: Dext com.company.Dext-Loader.dext v34 in executable dext bundle com.company.Dext-Loader.dext at /Library/SystemExtensions/B1BF8CDC-CB24-4F25-A8CA-D7A60D814861/com.company.Dext-Loader.dext.dext
2024-07-30 15:54:02.389 I kernel[0:ae71] igmp_domifreattach: reattached igmp_ifinfo for ifp XHC
2024-07-30 15:54:02.389 I kernel[0:ae71] mld_domifreattach: reattached mld_ifinfo for ifp XHC2
2024-07-30 15:54:02.389 Df kernelmanagerd[112:abb5] DextRecordTable read from plist: {
com.company.Dext-Loader.dext:
MRS-> Optional(( path: /Library/SystemExtensions/B1BF8CDC-CB24-4F25-A8CA-D7A60D814861/com.company.Dext-Loader.dext.dext; state: loaded ))
history-> [
( path: /Library/SystemExtensions/B1BF8CDC-CB24-4F25-A8CA-D7A60D814861/com.company.Dext-Loader.dext.dext; state: loaded )
]
}
2024-07-30 15:54:02.389 Df kernelmanagerd[112:abb5] Launching dext com.company.Dext-Loader.dext com.company.Dext-Loader.dext 0x100001464 a0cf49ca3ea45f5d54a3e8644e2dde6b0e8666c649c1e9513ca4166919038b53
2024-07-30 15:54:02.390 I kernelmanagerd[112:abb5] [com.apple.km:DextLaunch] Skipping addBreadcrumbForDextWithIdentifier for <private> 0
2024-07-30 15:54:02.389 Df kernel[0:ae71] ifnet_attach: Waiting for all kernel threads created for interface XHC2 to get scheduled at least once.
2024-07-30 15:54:02.389 Df kernel[0:ae71] ifnet_attach: All kernel threads created for interface XHC2 have been scheduled at least once. Proceeding.
2024-07-30 15:54:02.390 Df kernelmanagerd[112:abb5] Launching driver extension: Dext com.company.Dext-Loader.dext v34 in executable dext bundle com.company.Dext-Loader.dext at /Library/SystemExtensions/B1BF8CDC-CB24-4F25-A8CA-D7A60D814861/com.company.Dext-Loader.dext.dext
2024-07-30 15:54:02.479 E kernel[0:a9fb] (Sandbox) 1 duplicate report for Sandbox: imagent(633) deny(1) mach-lookup com.apple.contactsd.persistence
2024-07-30 15:54:02.479 E kernel[0:a9fb] (Sandbox) Sandbox: taskgated-helper(2985) deny(1) user-preference-read kCFPreferencesAnyApplication
2024-07-30 15:54:02.483 Df kernel[0:ae73] (AppleMobileFileIntegrity) AMFI: code signature validation failed.
2024-07-30 15:54:02.483 Df kernel[0:ae73] (AppleMobileFileIntegrity) AMFI: bailing out because of restricted entitlements.
2024-07-30 15:54:02.483 Df kernel[0:ae73] (AppleMobileFileIntegrity) AMFI: When validating /Library/SystemExtensions/B1BF8CDC-CB24-4F25-A8CA-D7A60D814861/com.company.Dext-Loader.dext.dext/com.company.Dext-Loader.dext:
Code has restricted entitlements, but the validation of its code signature failed.
Unsatisfied Entitlements:
2024-07-30 15:54:02.483 Df kernel[0:ae73] mac_vnode_check_signature: /Library/SystemExtensions/B1BF8CDC-CB24-4F25-A8CA-D7A60D814861/com.company.Dext-Loader.dext.dext/com.company.Dext-Loader.dext: code signature validation failed fatally: When validating /Library/SystemExtensions/B1BF8CDC-CB24-4F25-A8CA-D7A60D814861/com.company.Dext-Loader.dext.dext/com.company.Dext-Loader.dext:
Code has restricted entitlements, but the validation of its code signature failed.
Unsatisfied Entitlements:
2024-07-30 15:54:02.483 Df kernel[0:ae73] validation of code signature failed through MACF policy: 1
2024-07-30 15:54:02.483 Df kernel[0:ae73] check_signature[pid: 2984]: error = 1
2024-07-30 15:54:02.483 Df kernel[0:ae73] proc 2984: load code signature error 4 for file "com.company.Dext-Loader.dext"
2024-07-30 15:54:02.485 Df kernelmanagerd[112:abb5] [com.apple.libxpc.OSLaunchdJob:all] <OSLaunchdJob | handle=46B92B57-A90A-4EBD-8EF4-54313C6EE332>: submitAndStart completed, info=spawn failed, error=162: Codesigning issue
2024-07-30 15:54:02.483 Df kernel[0:ae73] (Sandbox) /Library/SystemExtensions/B1BF8CDC-CB24-4F25-A8CA-D7A60D814861/com.company.Dext-Loader.dext.dext/com.company.Dext-Loader.dext[2984] ==> com.apple.dext
2024-07-30 15:54:02.485 E kernelmanagerd[112:abb5] [com.apple.libxpc.OSLaunchdJob:all] <OSLaunchdJob | handle=46B92B57-A90A-4EBD-8EF4-54313C6EE332>: job failed to spawn, plist={
ProcessType => Driver
_ManagedBy => com.apple.kernelmanagerd
CFBundleIdentifier => com.company.Dext-Loader.dext
_JetsamPropertiesIdentifier => com.company.Dext-Loader.dext
LimitLoadToSessionType => System
_DextCheckInPort => <mach send right: 0xbd486ccc0> { name = 15679, right = send, urefs = 2 }
UserName => _driverkit
_NullBootstrapPort => true
ReslideSharedCache => false
LaunchOnlyOnce => true
Label => com.company.Dext-Loader.dext-0x100001464
RunAtLoad => true
ProgramArguments => [<capacity = 8>
0: /Library/SystemExtensions/B1BF8CDC-CB24-4F25-A8CA-D7A60D814861/com.company.Dext-Loader.dext.dext/com.company.Dext-Loader.dext
1: com.company.Dext-Loader.dext
2: 0x100001464
3: com.company.Dext-Loader.dext
]
SandboxProfile => com.apple.dext
}
The Xcode project uses these signing options:
Automatically manage signing
Team: Company
Provisioning Profile: Xcode Managed Profile
Signing Certificate: Apple Development: ()
The same project, with the same signing options, builds and loads its dext without issues from Xcode 15.3 on Sonoma 14.5. That same dext binary from Xcode 15.3 loads and passes the signature checks on Sequoia, but using Xcode on Sequoia is when the signature validation fails.
Can anyone suggest a way to resolve these signature validation errors? (Other than just developing on Sonoma and testing on Sequoia?)
General
RSS for tagDemystify code signing and its importance in app development. Get help troubleshooting code signing issues and ensure your app is properly signed for distribution.
Post
Replies
Boosts
Views
Activity
Hi,
I am a developer and app manager using a personal account. I am encountering an issue where the automatic signing feature in Xcode is not working, and I receive the error message: "Signing for 'Runner' requires a development team." Additionally, I cannot access the "Certificates, Identifiers & Profiles" section, even though I have already added my account to Xcode.
How can I fix this issue? Is it possible to run or upload the app without this signing process?
When checking that a .dmg file is correctly stapled with the command
xcrun stapler validate -v file.dmg
I intermittently get errors like
Properties are {
NSURLIsDirectoryKey = 0;
NSURLIsPackageKey = 0;
NSURLIsSymbolicLinkKey = 0;
NSURLLocalizedTypeDescriptionKey = "Disk Image";
NSURLTypeIdentifierKey = "com.apple.disk-image-udif";
"_NSURLIsApplicationKey" = 0;
}
Codesign offset 0x1eb82c90 length: 15891
Stored Codesign length: 15891 number of blobs: 5
Total Length: 15891 Found blobs: 5
Props are {
cdhash = {length = 20, bytes = 0x07d207070853a23966374ae1b36e921148b3a5f3};
digestAlgorithm = 2;
flags = 73728;
secureTimestamp = "2024-07-26 06:08:31 +0000";
signingId = "SIGNED-file.dmg...
[ Message content over the limit has been removed. ]
}
Headers: {
"Content-Type" = "application/json";
}
Response is (null)
error is Error Domain=NSURLErrorDomain Code=-1001 "The request timed out." UserInfo={_kCFStreamErrorCodeKey=-2102, NSUnderlyingError=0x6000012b4a80 {Error Domain=kCFErrorDomainCFNetwork Code=-1001 "(null)" UserInfo={_kCFStreamErrorCodeKey=-2102, _kCFStreamErrorDomainKey=4}}, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <82266119-065E-480C-B012-F30B48DB0F44>.<1>, _NSURLErrorRelatedURLSessionTaskErrorKey=(
"LocalDataTask <82266119-065E-480C-B012-F30B48DB0F44>.<1>"
), NSLocalizedDescription=The request timed out., NSErrorFailingURLStringKey=https://api.apple-cloudkit.com/database/1/com.apple.gk.ticket-delivery/production/public/records/lookup, NSErrorFailingURLKey=https://api.apple-cloudkit.com/database/1/com.apple.gk.ticket-delivery/production/public/records/lookup, _kCFStreamErrorDomainKey=4}
I am not able to pin down the cause of this, could it be rate limiting on the API?
Any other thoughts as to the cause?
Thanks.
I have embedded Python in my iOS project in XCODE according to Beewares Usage guide https://github.com/beeware/Python-Apple-support/blob/main/USAGE.md
when running, I get the error that pythonKit can't find cv2, imported by ultralytics. When I add OpenCV-python to my app_packages folder (just like ultralytics) I get the following error:
Code signing identifier (libtheoraenc.1) does not match bundle identifier (com.iubh-lea.Meye.cv2.) for /var/installd/Library/Caches/com.apple.mobile.installd.staging/temp.s2Bujt/extracted/Meye.app/Frameworks/cv2..framework
any way to add cv2 Framework accessible by python kit without signing mismatch?
Can someone help me at my testflight CODE?
We have created a new Key for APN services but when we click the download button we get to following error:
è stato fornito un valore non valido 'undefined' per il parametro 'keyId'
(An invalid value 'undefined' was provided for the 'keyId' parameter)
Already tried we a new one but got the same error.
Thanks
I use launch constraints in a project. If I archive the project and save a copy of the app locally, everything works as expected but if I choose "Direct Distribution" and submit the app to Apple for notarization, the notarized app does not contain any launch constraints. What are I am doing wrong? Thanks.
Hi
I have an error message from running an iOS emulator, and it seems there's a problem because Xcode wants to sign something.
I have noticed that when running my code for testing, that it is being run in ios-release mode. I have thought that maybe Xcode would not want to sign if the code was being run in ios-debug mode - because Xcode didn't have this interest in signing problem before.
Confirmed: "Building com.example.appName for device (ios-release)..."
Error confirmation: "No valid code signing certificates were found. You can connect to your Apple Developer account by signing in with your Apple ID in Xcode and create an iOS Development Certificate ..."
My preference is to test/develop at this point without Apple Developer. This was possible for a long time before.
Advice: "Or run on an iOS simulator without code signing"
It seems that if Xcode were not interested in code signing that I wouldn't have this error preventing me.
How can I configure Xcode so that code signing is skipped and the code testing occurs without a reference to my Apple Developer account please?
If you can assist to resolve with these queries, that would be cool and greatly appreciated.
With thanks.
Hi,
python "import foundation" crushes without error message (but with a macos crush report) if the app is codesigned with Developer ID Application Certificate.(Without codesign, it works fine.)
1-test_simple_foundation.py(already attached):
import socket
import Foundation
print("hallo")
2-Install Nuitka:
pip install Nuitka
3-Generate App File via Nuitka:
echo *** | sudo -S python3.9 -m nuitka --run --standalone --macos-create-app-bundle --macos-app-mode=ui-element --macos-app-icon=icons/app_icon.png --include-data-dir=icons=icons test_simple_foundation.py
4-Copy app file under /applications
5-Execute test_simple_foundation.app file from terminal ./Applications/test_simple_foundation.app/Contents/MacOS/test_simple_foundation and observer that "hallo" is printed out
6-Codesign with following sh file(already attached):
7-Execute test_simple_foundation.app file from terminal ./Applications/test_simple_foundation.app/Contents/MacOS/test_simple_foundation and observer that code freezes with a macos crush report(already attached), after import Foundation nothing printed out.
MacOS_crush_report.txt
build-app_no_sand-sh.txt
test_simple_foundation-py.txt
pip list freeze.txt
app.entitlements.txt
Requirement:
python3.9 -m nuitka --version
1.9rc5
Commercial: None
Python: 3.9.12 (v3.9.12:b28265d7e6, Mar 23 2022, 18:22:40)
Flavor: CPython Official
Executable: /Library/Frameworks/Python.framework/Versions/3.9/bin/python3.9
OS: Darwin
Arch: x86_64
Version C compiler: /usr/bin/clang (clang).
MacOS: Sonoma 14.2.1
1,6 GHz Dual-Core Intel Core i5
8 GB 2133 MHz LPDDR3
I'm new to iOS development so forgive me if this question sounds naive. I have an iPhone 15 Pro currently registered to a coworker but I would like to test my apps on that iPhone when he is not working on it. In order for me to test on that phone, do I need to wipe that iPhone and re-register under my name? Is there anyway to switch between accounts on the iPhone?
Hi,
If anyone can please advise -- If signing a framework inside a XCFramework is recommended/mandatory?
I'm trying to use XPC communicate between a command line tool (launched from Terminal) and a macOS application. My code currently works when the app is launched from Xcode, but not if I launch the built app from the command line (open path-to-foo.app) or if I try and distribute the packaged application (via "Development" distribution). Notably, the XPC works if the command line tool is launched from the terminal as long as the app itself is launched from Xcode.
I publish the XPC service using NSXPCListener(machServiceName: <team-identifier>.com.example.my-app.service) and connect to it using NSXPCConnection(machServiceName: machServiceName). Both my command line tool and my main app identical "app group" entitlements for $(TeamIdentifierPrefix)com.example.my-app and I verified the team identifier substitution was correct in both the app and command line tool after doing distributing for "App Store", exporting, unpacking the pkg and running codesign as described here: https://developer.apple.com/documentation/xcode/embedding-a-helper-tool-in-a-sandboxed-app
I have an XPC service that embeds Python. It executes a python script on behalf of the main app.
The app and xpc service are sandboxed. All seems to work just fine in the development environment but the script fails in the released version.
I disabled writing pycache by setting the PYTHONDONTWRITEBYTECODE environment variable because pycache tries to write inside my app bundle which fails (I believe I can redirect the pycache directory with PYTHONPYCACHEPREFIX and may experiment with that later).
Specifically this line fails in the release version only (not from Xcode):
PyObject *pModule = PyImport_Import(moduleNameHere);
if (pModuleOwnedRef == NULL)
{
// this is null in release mode only.
}
Any ideas what can be going wrong? Thanks in advance.
Hi, I'm shipping a GUI app based on Golang outside App Store distribution, for the distribution, I have already sign and notarize the .App and the .Pkg installer, now there is a feature called self-update on my app which basically
app check if there is any update
the same program request a sudo access to rewrite current binary file content
the program will restart after the update completed
Now, I have already sign the updated binary via signing and notarization process, and I take the compiled Golang binary inside Content/MacOS to be used for self-update proses
but it doesn't work as expected, the updated binary are fail to run with error "Can't open the app" or if we try to call it on CLI, it will show "Killed 9"
what did I'm missing? thankyou
I've developed a mobile app in Visual Studio 2022 on Windows 11 on the MAUI platform. I'm Pair to a remote Mac machine to test/debug on an iOS Simulator. I was previously able to test on the remote mac machine simulator with not problems. I added some features including Geolocation and now I get the following error:
error MSB6006: "codesign" exited with code 3.
These are the last few lines in the Output window:
1> [xma][info]: Starting remote task execution for 'TriStar.Mobile.DriverPortal': Xamarin.MacDev.Tasks.CodesignVerify
1> [xma][info]: Sending Request Xamarin.Messaging.Build.Contracts.ExecuteTaskMessage to topic xvs/build/17.2.8053/execute-task/TriStar.Mobile.DriverPortal/8f2f6e4002fCodesignVerify
1> [xma][info]: Received Response of Xamarin.Messaging.Build.Contracts.ExecuteTaskMessage to topic build2424827232benbl/+/xvs/build/17.2.8053/execute-task/TriStar.Mobile.DriverPortal/8f2f6e4002fCodesignVerify
1> CodesignVerify: 2024-05-31T17:36:08.1417751-05:00 - Logging messages
1> Environment Variables passed to tool:
1> CODESIGN_ALLOCATE=/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate
1> /usr/bin/codesign --verify -vvvv "-R=anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.1] exists and (certificate leaf[field.1.2.840.113635.100.6.1.2] exists or certificate leaf[field.1.2.840.113635.100.6.1.4] exists)" bin/Debug/net8.0-ios/iossimulator-arm64//TriStar.Mobile.DriverPortal.app
1> bin/Debug/net8.0-ios/iossimulator-arm64//TriStar.Mobile.DriverPortal.app: valid on disk
1> bin/Debug/net8.0-ios/iossimulator-arm64//TriStar.Mobile.DriverPortal.app: satisfies its Designated Requirement
1> test-requirement: code failed to satisfy specified code requirement(s)
1> C:\Program Files\dotnet\packs\Microsoft.iOS.Sdk\17.2.8053\tools\msbuild\iOS\Xamarin.Shared.targets(2059,3): error MSB6006: "codesign" exited with code 3.
Is there a problem or conflict with my entitlements?
<dict>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.network.client</key>
<true/>
</dict>
The remote Mac is a Mac-In-Cloud running xCode 15.3 and Visual Studio 2022.
My dev machine is running Windows 11 and VS 2022
In my Windows VS MAUI project I have
<PropertyGroup Condition="'$(TargetFramework)'=='net8.0-ios'">
<EnableCodeSigning>true</EnableCodeSigning>
<CodesignKey>Apple Development: BENJAMIN BLA... (7AGK....)</CodesignKey>
<ProvisioningType>automatic</ProvisioningType>
<CodesignProvision>VS: com.tristarfreightsys.driverportal Development</CodesignProvision>
</PropertyGroup>
VS: com.tristarfreightsys.driverportal Development is the Provisioning Profile automatically generated by VS.
My Development Certiifcate and Distrubution Cert are in the Mac Keychain and in my VS
Summary
We have a .net 8 application that consists of 2 components, a GUI app and a launch daemon. The .pkg file for the GUI app is created by Visual Studio, and this .pkg is then bundled with the launch daemon into one installer using the packagesbuild utility.
The problem we're facing is that our customer's MDM system is refusing to install the app because of a missing lock icon in the installer, which makes it look as if the app was not signed even though it is (shown on the right in the image below).
Installer package contents
The .pkg file created by packagesbuild contains the GUI app .pkg file shown on the left in the image above, signing of this file is handled by the .net build process.
It also contains two third party .dylib files (one for intel, the other for arm), which are re-signed with the following command:
codesign --sign "Developer ID Application: [...]" \
--force --options runtime --no-strict \
"<file-path>"
The launch daemon is build with .net and then signed using this command:
codesign --sign "Developer ID Application: [...]" \
--force --options runtime --no-strict \
--entitlements "<entitlements-path>" \
"<file-path>"
I don't know if it's relevant, but there are also several .plist and .json files.
Final package signing
The .pkg file created by packagesbuild is signed using:
productsign --sign "Developer ID Installer: [...]" \
--cert "Developer ID Installer: [...]" \
"com.optimidoc.cloudclient.pkg" \
"com.optimidoc.cloudclientsigned.pkg"
After signing, the package is notarised with xcrun notarytool.
Both the signing and notarisation finish without error, which I've validated by running pkgutil --check-signature "<file-path>"
Package "com.optimidoc.cloudclientsigned.pkg":
Status: signed by a developer certificate issued by Apple for distribution
Notarization: trusted by the Apple notary service
Signed with a trusted timestamp on: 2024-06-13 11:41:57 +0000
Certificate Chain:
1. Developer ID Installer: OptimiDoc s.r.o. (2YMBVCM8TM)
Expires: 2028-03-01 07:37:30 +0000
SHA256 Fingerprint:
02 E2 C1 A0 06 E1 C1 A2 FF 70 BD CD A5 47 43 B2 DB CF 62 BB 6D D4
90 69 3E 7C C8 A7 29 73 7D 69
------------------------------------------------------------------------
2. Developer ID Certification Authority
Expires: 2031-09-17 00:00:00 +0000
SHA256 Fingerprint:
F1 6C D3 C5 4C 7F 83 CE A4 BF 1A 3E 6A 08 19 C8 AA A8 E4 A1 52 8F
D1 44 71 5F 35 06 43 D2 DF 3A
------------------------------------------------------------------------
3. Apple Root CA
Expires: 2035-02-09 21:40:36 +0000
SHA256 Fingerprint:
B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C
68 C5 BE 91 B5 A1 10 01 F0 24
What I've tried
I played around with the signing process for a few days but I was unable to figure out where the installer UI gets the certificate information from.
I've tried limiting the files included in the final .pkg file. First I tried only including the GUI app .pkg with a known good signature. I also tried only including the launch daemon executables. All to no avail.
In regard to the packagesbuild utility, I noticed the --identity option, but at the moment I'm stuck with an "unknown error" message:
The command is:
packagesbuild "com.optimidoc.cloudclient.pkgproj" -v \
--identity "Developer ID Installer: [...]" \
--keychain "/Library/Keychains/System.keychain"
And the output I get is:
Building Project (11:56:49) at path: [...]
------------------------------------------------------------------------------
Build Folder (done)
Package "com.optimidoc.cloudclient"
Payload
Assemble file hierarchy (done)
Split forks (done)
Create bill of material (done)
Create pax archive (done)
Scripts
Assemble file hierarchy (done)
Split forks (done)
Create pax archive (done)
PackageInfo (done)
Create xar archive
==============================================================================
ERROR:
Description:
Unknow Error
==============================================================================
Build Failed
I think the --identity option is the way forward, but I don't know how to debug the "unknown error" message. I've sunk a few days into this problem already, so any help would be greatly appreciated. I'll update the post if I have any news.
Hi,
I want to resign my app with a different certificate. Is it possible to keep the entitlements (including com.apple.application-identifier)? I want to resign the whole app including the plugins and frameworks, but I saw --deep was considered harmful.
Sorry, I'm a bit confused. Any help would be appreciated.
I encountered a signature issue, codesign -f -s "Developer ID Application: ***" /Users/leagsoft/Desktop/uninstall
/Users/leagsoft/Desktop/uninstall: replacing existing signature
Warning: unable to build chain to self-signed root for signer "Developer ID Application:***"
/Users/uninstall: errSecInternalComponent
but using Sodu can sign normally
1) The situation in general:
1A) I begun USB-DExt project for Mac & iPADsOS>=17.
1B) I started-from scratch with
DriverKitSampleApp
1C) For these two different targets (Mac,iPAD; using IDE XCode15.0), I couldn't find another way to build the sample project from Apple, beside this: now I have two handmade sets of ini-profiles and two respective "command-files".
2) My current palliative solution comprises of two specific ~"command-files" (each one runs in a directory with specific DriverKitSampleApp.entitlements,project.pbxproj)_ :
2A) my current file "cpy.command" for target "MAC"
## Destination "Mac"
## DriverKitSampleApp.entitlements: "com.apple.developer.driverkit.userclient-access"
## item0: "com.ry.dexsample1.driver"
## Build Settings "DriverKitSampleApp":Signing:Code Signing Identity:"Sign to Run Locally"
## "NullDriver":Signing:Code Signing Identity:"Sign to Run Locally"
## "NullDriver":"AD_HOC_CODE_SIGNING_ALLOWED=YES"
cp DriverKitSampleApp.entitlements ../DriverKitSampleApp
cp project.pbxproj ../RyDExtSmpl1.xcodeproj
2B) my current file ~"cpy.command" for target "iPAD"
## Destination "iPAD"
## Build Settings "DriverKitSampleApp":Signing:Code Signing Identity:"Apple Development"
## "NullDriver":Signing:Code Signing Identity:"Apple Development"
## "NullDriver":"AD_HOC_CODE_SIGNING_ALLOWED=NO"
cp DriverKitSampleApp.entitlements ../DriverKitSampleApp
cp project.pbxproj ../RyDExtSmpl1.xcodeproj
2C) This state is inconvenient (predicting that I will switch between MAC and iPAD dozens thousands of times when debugging this project)
3) The question
3A) I need to build the Apple's sample project "DriverKitSampleApp" just selecting one of two possible targets (Mac,iPad) in XCode-IDE.
3B) Option1: what developer(or team's entitlements) do I need for "3A"?
3C) Option2: what adjustments of project's configuration files do I need for "3A"? .
Hi,
I am trying to release a small application which bundles a conda environment and a python script. I am using Platypus to turn it into a .app, and I include all necessary resources (libraries, binaries etc) inside the Resources directory. My application works correctly before code signing, and is portable between machines (so I don't think it is the case that the conda environment is missing something). However, after signing, it crashes when it runs one of the programs within the conda environment.
I am first signing all .so, .dylib and all files in conda_env/bin as follows:
# Within the conda environment directory in Resources
find bin -type f | xargs -n1 codesign -f -o runtime --timestamp --sign "Developer ID Application: Whatever (123456789)"
find . -name "*.dylib" -o -name "*.so" -type f | xargs -n1 codesign -f -o runtime --timestamp --sign "Developer ID Application: Whatever (123456789)"
I am then signing the .app itself
codesign -f -o runtime --timestamp --sign "Developer ID Application: Whatever (123456789)" my_app.app
Finally, I convert it into a .dmg (with appdmg) and sign that.
codesign -f --sign "Developer ID Application: Whatever (123456789)" --timestamp my_app.dmg
I submit to the notary service, which succeeds, and then I staple the ticket to the .dmg:
xcrun notarytool submit my_app.dmg --keychain-profile my_notarytool_keychain_id --wait
xcrun stapler staple my_app.dmg
spcl is happy with the signed .app and .dmg and accepts them both.
spctl -a -vv my_app.app
# my_app.app: accepted
# source=Notarized Developer ID
# origin=Whatever (123456789)
spctl -a -vv -t install my_app.dmg
# my_app.dmg: accepted
# source=Notarized Developer ID
# origin=Whatever (123456789)
I have a valid Developer Application ID. All good, right?
Except, during execution, the signed .app crashes. When I look in the Console, the error log always looks similar - something like:
Exception Type: EXC_BAD_ACCESS (SIGKILL (Code Signature Invalid))
Termination Reason: Namespace CODESIGNING, Code 2 Invalid Page
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 libsystem_platform.dylib 0x186e15848 sys_icache_invalidate + 40
1 libllvmlite.dylib 0x2a022f8e8 llvm::sys::Memory::protectMappedMemory(llvm::sys::MemoryBlock const&, unsigned int) + 384
2 libllvmlite.dylib 0x29d765528 LLVMPY_TryAllocateExecutableMemory + 92
3 libffi.8.dylib 0x103abc04c ffi_call_SYSV + 76
etc
I think all the .dylib, .so, and binaries are signed in my codesign scripts, except for the libsystem_platform.dylib mentioned in the first line of the log. Could this be the problem?
How can I find if I am not signing something that is being used? Are there other types of files that I should be signing that I am missing?
I've been trying to fix this for several days and I feel I have tried everything (constructing the conda env in different ways, signing in different ways, e.g. with/without --deep, with/without signing each type of library/binary) to no avail... Any help would be greatly appreciated!
All the best,
George