Post not yet marked as solved
I need step by step instructions to debug why spctl command rejects -- I am on 10.15.7. Appreciate if anyone can shed some light on this with pointer/documentation?
Forcing me to do something on Xcode is not what I am looking for, please.
I am sure with Catalina -- new rules have formed around Gatekeeper spctl command to assess the security posture of the apps installed or developed.
No one wants malware, including hardworking developers :)
Now coming to our app, it gets rejected by spctl -- unknown developer, but codesign passes the app.
sh-3.2spctl -a -t exec --ignore-cache -vv /Applications/MyApp.app
====
/Applications/MyApp.app: rejected
origin=3rd Party Mac Developer Application: MyOrg (MYORGDEVID)
=====
sh-3.2codesign -dvv --strict /Applications/MyApp.app
=====
Executable=/Applications/MyApp.app/Contents/MacOS/MyApp
Identifier=com.MyApp.SubID
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=1285 flags=0x10000(runtime) hashes=31+5 location=embedded
Signature size=9134
Authority=3rd Party Mac Developer Application: MyOrg (MYORGDEVID)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Timestamp=Nov 2, 2020 at .... PM
Info.plist entries=15
TeamIdentifier=MYORGDEVID
Runtime Version=10.14.0
Sealed Resources version=2 rules=13 files=309
Internal requirements count=1 size=212
====
sh-3.2codesign -vv --strict /Applications/MyApp.app
===
/Applications/MyApp.app: valid on disk
/Applications/MyApp.app: satisfies its Designated Requirement
===
Post not yet marked as solved
Been scouring on this --
Having sandboxed with --options runtime --timestamp --entitlements and the following in the entitlements.xml, while code signing
<key>com.apple.security.app-sandbox</key> <true/>
the app needs access to user home dir to add logs and permanently stored keys for the MacBook/user.
Having added this also
<key>com.apple.security.temporary-exception.files.home-relative-path.read-write</key>
<array> <string>/.myorg/</string> </array>
Still unable to add log files or create the .myorg directory in the users' home dir, but rest of the app works.. The very first install and activation triggers some permanent keys created and stored in that dir.
Unsigned app works, but the signed one with entitlements does not. No directory is created.
Any other entitlements I am missing? Appreciate some pointers here. Thanks in advance.
Post not yet marked as solved
I need step by step instructions to debug why spctl command rejects -- I am on 10.15.7. Appreciate if anyone can shed some light on this with pointer/documentation?
Forcing me to do something on Xcode is not what I am looking for, please.
I am sure with Catalina -- new rules have formed around Gatekeeper spctl command to assess the security posture of the apps installed or developed.
Now coming to our app, it gets rejected by spctl -- unknown, but codesign passes the app. Need a systematic troubleshooting guide or instruction set. Thanks in advance,
sh-3.2
spctl -a -t exec --ignore-cache -vv /Applications/MyApp.app
====
/Applications/MyApp.app: rejected
origin=3rd Party Mac Developer Application: MyOrg (MYORGDEVID)
=====
sh-3.2
codesign -dvv --strict /Applications/MyApp.app
=====
Executable=/Applications/MyApp.app/Contents/MacOS/MyApp
Identifier=com.MyApp.SubID
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=1285 flags=0x10000(runtime) hashes=31+5 location=embedded
Signature size=9134
Authority=3rd Party Mac Developer Application: MyOrg (MYORGDEVID)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Timestamp=Nov 2, 2020 at .... PM
Info.plist entries=15
TeamIdentifier=MYORGDEVID
Runtime Version=10.14.0
Sealed Resources version=2 rules=13 files=309
Internal requirements count=1 size=212
====
sh-3.2
codesign -vv --strict /Applications/MyApp.app
===
/Applications/MyApp.app: valid on disk
/Applications/MyApp.app: satisfies its Designated Requirement
===
spctl --raw -a -t exec -vv /Applications/MyApp.app
=====
/Applications/MyApp.app: rejected
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" ".../>
<plist version="1.0">
<dict>
<key>assessment:authority</key>
<dict>
<key>assessment:authority:flags</key>
<integer>0</integer>
</dict>
<key>assessment:originator</key>
<string>3rd Party Mac Developer Application: MyOrg (MYORGDEVID)</string>
<key>assessment:remote</key>
<true/>
<key>assessment:verdict</key>
<false/>
</dict>
</plist>
origin=3rd Party Mac Developer Application: MyOrg (MYORGDEVID)
===========
Post not yet marked as solved
What should be the key used in the preinstall-requirements for a package built by prodcutbuild?
Keep getting this message no matter what I try (not using xcode) from AppStore via Transporter.
"ERROR ITMS-90264: "The lowest minimum system version [none] in the Product Definition Property List must equal the 'LSMinimumSystemVersion' value [10.9.0] in the 'Info.plist'.""
Had tried the following, but appstore keeps complaining with same message. Also transporter verifies, but when I click deliver, the delivery fails with above message
=============
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" --appleurl redacted >
<plist version="1.0">
<dict>
<key>os</key>
<array>
<string>10.9.0</string>
</array>
</dict>
</plist>
===============
used also LSMinimumSystemVersion in place of os.
By the way, how do I verify that the product requirements list is captured in the package?
The command I use is:
productbuild \-distribution ./distribution.xml \
-resources ~/Desktop/resources \
-identifier com.myorg.uniqueid \
-version ${VERSION} \
-sign "${IDENTITY}" \
-product ~/Desktop/product_definition.plist outputFinal.pkg
man page for productbuild (10.15.7 catalina)
says the following
===-product requirements-plist
When synthesizing a distribution, use the requirements from
requirements-plist. See PRE-INSTALL REQUIREMENTS PROPERTY
LIST (this was formerly called the "product definition
property list").
PRE-INSTALL REQUIREMENTS PROPERTY LIST
When you use productbuild to synthesize a distribution (e.g. with the-component option), you can specify pre-install requirements in a separate property list file, specified with the --product option.
At the top level, this property list is a dictionary, with the following
keys:
Key											 Description
os												Minimum allowable OS versions (array of
																																														strings)
arch											Supported architectures (array of strings)
ram											 Minimum required RAM in gigabytes (real)
bundle										Specific bundles that must exist on the system
																																														(array
																																														of
																																														dictionaries)
all-bundles Are all of the bundles specified required?
(Boolean)
gl-renderer Required OpenGL capabilities (string)
cl-device Required OpenCL capabilities (string)
single-graphics-device Must OpenGL and OpenCL requirements be met by a
single
device?
(Boolean)
home Should installation be allowed in user home
directory?
(Boolean)
o The os key defines one or more minimum system versions. You might
have multiple versions if a certain OS update is required for a given
major OS version. For example, if you specify 10.5.4 and 10.6.2,
Leopard would be allowed from 10.5.4 up, and Snow Leopard from 10.6.2
up, but 10.6 and 10.6.1 would be rejected. There is no upper-bound
associated with the highest value given.		 NOTE: Some of the other requirements imply their own minimum system
versions, which may override the values set here. This is noted below
where applicable.
o The arch key specifies the supported architectures, e.g. i386 and/or
x8664. Note that i386 allows both 32- and 64-bit systems, but if you
specify only x8664, a 64-bit system is required.
=====
Any pointers -- gratefully appreciated. Thanks!!
Post not yet marked as solved
Ios and swift SMEs, appreciate if I can get some answers on the followingHave very short msg encrypted by a pvt rsa key (pkcs1, in java)Need to decrypt in ios using public key How can I achieve that? [Pls, 'am fairly familiar with cons and pros of using pub key to decrypt, for my use case pub key doesnt fly over internet; If I chose sig based, I need to do a time stamp etc check, which adds overhead; my msgs to encrypt are _very_ short << chars]Thanks in anticipation
soft_tech.