Code-signing code that is already signed

Is it true that signing should always over-write any existing code-signing?


I ask because I've had a recent case where this was done in SD Notary. The signing (of a framework) succeeded and notarization succeeded, although the app then failed when it tried to load the framework. I checked the logFileURL and there was an issue saying the framework was not signed.


I repeated the exercise, this time starting with an un-signed version of the framework, and all went well. (I have no idea how the previous version was signed -- it was from a user).

Up vote post of sstanley Down vote post of sstanley
2.7k views
Posted by
sstanley
Reply
Add a Comment

Replies

Is it true that signing should always over-write any existing code-signing?

Yes, assuming you used 

-f
.

The one thing to watch out for is nested code. Specifically:

  • Don’t use 

    --deep
    [1].

  • When you re-sign, make sure to sign from the inside out.

If you don’t follow the second rule then you can run into a situation where the client’s code signature has an obsolete reference to its dependency’s code signature, and that doesn’t end well.

Beyond that, I’d have to take a look at the specific case to offer any further insight.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"

[1] Except in very specific circumstances, with the obvious one in this context being Automator actions.

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment

Yes, I'm using `--force` and signing inside-out.


Here's the SD Notary logging for signing of the relevant framework (with paths abbreviated):


<pre>

13:48:56.770: Signing ‘.../.../Contents/Frameworks/SMSTableDialogBuilder.framework/Versions/A'...

13:48:57.641: Result for /usr/bin/codesign --force -o runtime --timestamp --entitlements /Users/shane/.../Entitlements.plist --verbose=4 -s Developer ID Application: Shane Stanley (LT9SRJ2NCV) /Users/shane/Desktop/.../Contents/Frameworks/SMSTableDialogBuilder.framework/Versions/A

Termination status: 0

StandardOut: (null)

StandardError: Developer ID Application: Shane Stanley (LT9SRJ2NCV): found in both /Users/shane/Library/Keychains/login.keychain-db and /Users/shane/Library/Application Support/.../PrivateEncryptedDatak (this is all right)

/Users/shane/.../Contents/Frameworks/SMSTableDialogBuilder.framework/Versions/A: replacing existing signature

/Users/shane/.../Contents/Frameworks/SMSTableDialogBuilder.framework/Versions/A: signed bundle with Mach-O thin (x86_64) [au.com.myriad-com.SMSTableDialogBuilder] </pre>


It was successfully notarized, but the LogFileURL contained this:


<pre>

"issues": [

{

"severity": "warning",

"code": null,

"path": ".../Contents/Frameworks/SMSTableDialogBuilder.framework/SMSTableDialogBuilder",

"message": "The signature of the binary is invalid.",

"docUrl": null,

"architecture": "x86_64"

}

]

</pre>

Posted by
sstanley
Up vote reply of sstanley Down vote reply of sstanley
Add a Comment

Weird. If you’d like to dig into this further, I recommend that you open a DTS tech support incident about it. That’ll allow me to allocate a decent amount of time to investigate.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment

Quinn,


Thanks for the confirmation that it shouldn't happen. Seems to me that makes it a bug, so I'm not thrilled at the idea of forking out for a DTS incident over it. I'll log a bug.

Posted by
sstanley
Up vote reply of sstanley Down vote reply of sstanley
Add a Comment