Code Signing

RSS for tag

Certify that an app was created by you using Code signing, a macOS security technology.

Code Signing Documentation

Pinned Posts

Posts under Code Signing tag

200 Posts
Sort by:
Post not yet marked as solved
0 Replies
4 Views
Hello, I'm create an app using QT on MacOs with Generate to Xcode, when submitting it to the App Store the upload process was successful but I got email feedback with the message containing the following: ITMS-90238: Invalid Signature - The main app bundle Tren at path Tren.app has following signing error(s): a sealed resource is missing or invalid . Refer to the Code Signing and Application Sandboxing Guide at http://developer.apple.com/library/mac/#documentation/Security/Conceptual/CodeSigningGuide/AboutCS/AboutCS.html and Technical Note 2206 at https://developer.apple .com/library/mac/technotes/tn2206/_index.html for more information. ITMS-90296: App sandbox not enabled - The following executables must include the 'com.apple.security.app-sandbox' entitlement with a Boolean value of true in the entitlements property list: [[Tren.app/Contents/MacOS/Tren ]] Refer to App Sandbox page at https://developer.apple.com/documentation/security/app_sandbox for more information on sandboxing your app. I've done the methods available in the community, but it still doesn't work. I hope someone will provide a solution, thank you
Posted
by usmanar.
Last updated
.
Post not yet marked as solved
1 Replies
47 Views
We're distributing an XCFramework to a customer to create their own apps. With the new XCFramework signing requirements, we have a question with regards the way how to implement it. We're using a few of the frameworks on the list https://developer.apple.com/support/third-party-SDK-requirements/ including [AFNetworking], as a dependencies for our framework. We are building those frameworks from source code and not using any binaries provided by any third-party. We also modify the open source code, so that it is different from the original open source code in a way so that it won't lead to runtime conflicts in case the customers is including similar frameworks in their application. We're using those derivatives of the open source frameworks as a statically linked libraries to our SDK. Questions: Do we need to sign the third party frameworks of which we have cloned source code and using it within our SDK Framework? Is it required that the XCFramework built this way is signed when it is delivered to a third party and they use it in their app?
Posted Last updated
.
Post not yet marked as solved
5 Replies
372 Views
I'm submitting an update to an app which was originally submitted in 2008. So, it has one of the "old" app id prefixes, not the Team ID prefix used by newer apps. When I try to validate this app built in Xcode 15 in organizer, I get a warning that the app id prefix in the current store app is changing from the "old" prefix to the new Team ID prefix. I didn't change anything. The App Identifier, Certificates, and Profile are the same that I used last June under Xcode 14. So, there seems to be an issue with Xcode 15. Same issue under 15.0 and 15.2. Anyone know a fix for this? This still works fine in Xcode 14. If I can't come up with a fix, I'll just submit with 14 as that's still valid until April 2024 I think. Regards, Patrick
Posted
by PatrickM.
Last updated
.
Post not yet marked as solved
1 Replies
254 Views
Older internet entries say there were free accounts we could use. I'm trying to create my .ipa apple installation file without using a payable developer account. In my case, I wisht to create the file for my own personal use. Is there a way to get a free developer account? I have tried by going to https://developer.apple.com/ and for individuals, payment is required. It's been many days since I sent questions to apple and no reply has been received. What can I do?
Posted
by julianhsc.
Last updated
.
Post not yet marked as solved
2 Replies
118 Views
The entire error is: "Failed retrieving request UUID for upload. You may have outstanding agreements to sign on App Store Connect." Logging into App Store Connect and the Agreements are all marked "Active". There are no account notifications on either App Store or developer.apple.com to indicate something is out of date. This is in XCode performing: Archive. Then in Archive window "Distribute App", "Developer ID", "Upload" From net searching I tried: restarting XCode, rebooting the machine, and in 'Preferences" removing and then adding in my account. Nothing worked. Any ideas? Montery 12.0.1 XCode 13.1
Posted
by Foxbat.
Last updated
.
Post marked as solved
8 Replies
905 Views
I got an email from Apple, "Your Developer ID Installer Certificate will no longer be valid in 30 days". So I went to my certificates page on developer.apple.com, and I see the attached photo. Basically, yes, I have a Developer ID Installer Certificate that expires 2023/07/01; but I also have one that expires 2025/12/08, and one that expires 2026/01/09, and one that expires 2026/12/15, and another that expires 2026/12/16! Why do I have all these certificates? I have no idea. There is a "+" button to add a new one; but given that I already seem to have ones that won't expire for several more years, do I need to? There does not seem to be a "-" button, or any way to clear out this cruft. I then recalled that perhaps I have managed my certificates in Xcode in the past, not on this page (or maybe I have done both, at different times?). So I went to Xcode, and things seem to be rather a mess there too, but in a different way (second image attached). Here, I seem to have lots of stale certificates that are in gray and say "Not in Keychain" – how do I clear those out? Again there does not seem to be a "-" button. And the newer ones that I saw on developer.apple.com do not seem to be listed here, maybe – it's hard to compare, though, because on developer.apple.com it shows the expiration date but not creation date, whereas in Xcode it shows creation date but not expiration date. What should I do? Note that I am not a member of multiple different teams, or anything like that; I'm a solo developer. This stuff is really confusing and does not seem to be well-documented anywhere that I have found. Am I just being dense?
Posted
by bhaller.
Last updated
.
Post not yet marked as solved
5 Replies
298 Views
I am having trouble submitting the next build of my macOS app to the App Store Connect. I keep getting a variation of this error: ITMS-90238: Invalid Signature - The main app bundle MyApp at path MyApp.app has following signing error(s): code has no resources but signature indicates they must be present In subcomponent: MyApp.app/Contents/Frameworks/GoogleAppMeasurement.framework . Refer to the Code Signing and Application Sandboxing Guide at http://developer.apple.com/library/mac/#documentation/Security/Conceptual/CodeSigningGuide/AboutCS/AboutCS.html and Technical Note 2206 at https://developer.apple.com/library/mac/technotes/tn2206/_index.html for more information. ITMS-90238: Invalid Signature - The main app bundle MyApp at path MyApp.app has following signing error(s): code has no resources but signature indicates they must be present In subcomponent: MyApp.app/Contents/Frameworks/GoogleAppMeasurementIdentitySupport.framework . Refer to the Code Signing and Application Sandboxing Guide at http://developer.apple.com/library/mac/#documentation/Security/Conceptual/CodeSigningGuide/AboutCS/AboutCS.html and Technical Note 2206 at https://developer.apple.com/library/mac/technotes/tn2206/_index.html for more information. ITMS-90238: Invalid Signature - The main app bundle MyApp at path MyAppt.app has following signing error(s): code has no resources but signature indicates they must be present In subcomponent: MyApp.app/Contents/Frameworks/FirebaseAnalytics.framework . Refer to the Code Signing and Application Sandboxing Guide at http://developer.apple.com/library/mac/#documentation/Security/Conceptual/CodeSigningGuide/AboutCS/AboutCS.html and Technical Note 2206 at https://developer.apple.com/library/mac/technotes/tn2206/_index.html for more information. I am using Firebase framework as a Swift package. I tried updating Swift package to the latest version and that didn't help. I also tried to revert to the last version that was successfully used on the App Store/TestFlight and that didn't help. I have no control over this framework other than not use it or choose a specific version. I also tried to export the app and use the Transporter app and that didn't help. Any suggestions?
Posted
by anosidium.
Last updated
.
Post not yet marked as solved
1 Replies
138 Views
I am receiving an error message trying to upload an update for my macOS app to App Store Connect that I do not understand: "Cannot be used with TestFlight because the signature for the bundle at “YourApp.app” is missing an application identifier but has an application identifier in the provisioning profile for the bundle. Bundles with application identifiers in the provisioning profile are expected to have the same identifier signed into the bundle in order to be eligible for TestFlight". I have double-checked, and the nbunde identifier in the profile matches that in the Info.plist, and I have, in addition, now passed it via "--identifier" to code sign for the app bundle as well, but the error remains. Where else would the identifier be needed, and has this changed recently? (I last uploaded this app a year ago, w/o issues, and made no relevant changes). I am using a custom toolchain and not Xcode to build the app bundle and installer. codesign -dvvv also reports the correct the bundle identifier back as expected. any suggestions?
Posted
by dwarfland.
Last updated
.
Post not yet marked as solved
1 Replies
162 Views
Hi, I created a developer id certification from my apple developer account a couple of year ago and downloaded it as .cer file into my Laptop. Now I want to use this certificate to sign my application, but unfortunately Xcode shows an error message like 'Missing Private Key" and I can also see that there is no private key under my developer id certificate(there is no grey arrow to expand to see private cer) in keychain access. Moreover my developer account is expired and I do not want to extend it yet so unfortunately no solutions with apple developer account will work like creating a new certification etc. Do you have any other solutions like using Keychain Access or Xcode to link my private key again into my developer id certificate? Note: 1-.cer file was created on my laptop by me, which I am using now. So I would expected that the related private key should already exist in my Keychain Access(if I did not delete it mistakenly.) but I do not know which private key is the relevant one, I have several of them. 2-I have also a CertificateSigningRequest.certSigningRequest file which was copied near my .cer file. Maybe it could be useful for a solution? 3-No! unfortunately I do not have any .p12 file. 4-I had already installed current AppleWWDRCAG3 file before I import my .cer file into my Keychain Access Tool. 5-Get Info shows that my cer file is still valid till sep 2025. 6- I have already restarted my Xcode and laptop. 7-I tried all solutions here: https://stackoverflow.com/questions/12867878/missing-private-key-in-the-distribution-certificate-on-keychain 8-https://developer.apple.com/account/resources/ shows me no certificate with the reason that my membership expired 9-I removed and re-added my apple account into Xcode. the same error occurred. XCODE:Version 15.3 (15E204a) OSX:macOS Sonoma 14.2.1 Thanks a lot in advance.
Posted
by EmreGun.
Last updated
.
Post not yet marked as solved
0 Replies
111 Views
According to the new requirements for binary XCFrameworks they should be code signed. I watched the WWDC23 video 10061-Verify app dependencies with digital signatures and while it helpfully provides the command to sign the framework after building, it doesn’t mention how to sign it when your distribution certificates are of the Cloud managed kind, and therefore not actually in the macOS Keychain. My question is how can I sign a binary XCFramework when the only distribution certificate we have is in the cloud? I am a part of a team in App Store Connect, if that’s relevant. Thanks 🙌
Posted
by mladenny.
Last updated
.
Post not yet marked as solved
0 Replies
116 Views
I have a macOS app which contains a dext. I'd like to distribute it to external testers using TestFlight, so it has to pass Mac App Store review. It failed, because the App Sandbox entitlement was missing. I checked the app, it has the entitlement, but the dext does not. However, the .entitlements file used by the dext does contain App Sandbox set to true. I tried adding a "fake-entitlement" value to the .entitlements file, and that made it into the dext's code signature, but the App Sandbox entitlement appears to be stripped out by the build process? For a dext target, it isn't possible to add the App Sandbox capability in Xcode's Signing and Capability section. I have to add the entitlement manually in the .entitlement file (or it was put there by the Xcode driver template, I don't remember). I've tried clean building several times, I've tried Xcode 15.0.1, 15.2 and 15.3, but the result is always the same. I'm inspecting the entitlements using codesign -dvvv --entitlements - Does anyone know what I can do to put the App Sandbox entitlement into my dext's signature? Is this happening to anyone else?
Posted
by ssmith_c.
Last updated
.
Post not yet marked as solved
0 Replies
135 Views
Hi All, We use a small group of Mac mini units running VMs for our Apple CI system. Since you can't login to an Apple ID on an Apple Silicon VM we wanted to use an App Store Connect API token to handle all the authentication for us. In the past this has not worked but I wanted to see if it could now. The answer is no, you can not use an API token with Developer ID Cloud certificates. The reason is that, even on an Admin role token, the DevID certificates are not enabled by default. When you are using an Apple ID this is no big deal as you can check the box to allow access, but with tokens they are minted with only the default settings for the role. This means that the option for Access to Cloud Managed Developer ID Certificates is always disabled and you can't enable it. If we could continue logging in with an Apple ID we could stumble along with that still, but even this ability is gone on AS VMs. Right now this pretty much means that we either give up on using stateless VMs to build or we go back to manually managing all of our code signing materials. The longer term solution would be to move to Xcode Cloud, but that will take us quite some time. I filed FB13687073 to see if there is any way to create a token that can use this checkbox.
Posted
by jamfshome.
Last updated
.
Post marked as Apple Recommended
1.6k Views
I've been trying to notarize an installer (.pkg file) on a new laptop. Previous versions have been notarized successfully on a previous Mac. However, in spite of having the required certificates (same as the old Mac, generated for the new Mac) the submission gets stuck at "In Progress". Doing it multiple times (even hours apart) doesn't help. Is there a FAQ / suggested list of steps to help resolve this issue? Here's what I see: xcrun notarytool history --keychain-profile "(my profile name)" results in (problem started with v4, the first version I've tried on this new Mac): createdDate: 2023-10-17T01:34:36.911Z id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx name: xxxxxxxxxx-v4.pkg status: In Progress -------------------------------------------------- createdDate: 2023-10-17T01:33:59.191Z id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx name: xxxxxxxxxx-v4.pkg status: In Progress -------------------------------------------------- createdDate: 2023-10-16T21:01:25.832Z id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx name: xxxxxxxxxx-v4.pkg status: In Progress -------------------------------------------------- createdDate: 2023-10-16T19:57:44.776Z id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx name: xxxxxxxxxx-v4.pkg status: In Progress -------------------------------------------------- createdDate: 2023-10-02T14:17:34.108Z id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx name: xxxxxxxxxx-v3.pkg status: Accepted -------------------------------------------------- createdDate: 2023-09-28T14:04:46.211Z id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx name: xxxxxxxxxx-v2.pkg status: Accepted -------------------------------------------------- createdDate: 2023-09-20T17:28:46.168Z id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx name: xxxxxxxxxx-v1.pkg status: Accepted -------------------------------------------------- xcrun notarytool log xxxxxxxxxxxxxxxxxxxx --keychain-profile "(my profile name)" results in: Submission log is not yet available or submissionId does not exist id: xxxxxxxxxxxxxxxxxxxxxxxx
Posted
by suhail_.
Last updated
.
Post not yet marked as solved
1 Replies
154 Views
We use CocoaPods to manage third-party SDKs, so how should we sign and use these third-party SDKs
Posted
by mqyu.
Last updated
.
Post not yet marked as solved
1 Replies
148 Views
Hello, I am setting up a build (Gitlab CICD) runner. I create a keychain and imported certificate and my signing key. $ security find-identity -v XXXXXX "Developer ID Application: XXXXXX, INC. (XXXXXX)" (CSSMERR_TP_NOT_TRUSTED) 1 valid identities found $ security find-identity -p codesigning -v XXXXXX "Developer ID Application: XXXXXX, INC. (XXXXXX)" 1 valid identities found Codesign fails with unable to build chain to self-signed root for signer "Developer ID Application: XXXXXX, INC. (XXXXXX)" errSecInternalComponent On the local machine everything is fine. I think the point is that the identity is both valid and CSSMERR_TP_NOT_TRUSTED. What can I do about it?
Posted
by Punchel.
Last updated
.
Post marked as solved
1 Replies
179 Views
I have a shell script that turns a framework into a plain dylib and updates some dependent library paths using install_name_tool. It works, but if the framework was signed, I get warnings like: install_name_tool: warning: changes being made to the file will invalidate the code signature in: [redacted].dylib (for architecture x86_64) I thought I could get rid of the warning by adding codesign --remove-signature dylib-path to the script before using install_name_tool, but then I get errors like install_name_tool: fatal error: file not in an order that can be processed (link edit information does not fill the __LINKEDIT segment): [redacted].dylib (for architecture x86_64) Is there a way to fix this?
Posted
by JWWalker.
Last updated
.
Post not yet marked as solved
1 Replies
188 Views
The current structure of my SDK xcframework is XXXX-Release.xcframework. Inside that, I have an XXXX.xcframework and a LICENSE.md file. Currently, this structure works fine in Swift Package Manager, dropping the XXXX-Release.xcframework file into Xcode and CocoaPods. When I sign my xcframework as per Apple's requirements, I need to sign XXXX.xcframework, which is on the second level. Signing this works fine. Will this meet Apple's requirements for signing an xcframework? I just want to make sure the current structure of my SDK does not need to change. Thanks
Posted
by ajeisses.
Last updated
.
Post not yet marked as solved
6 Replies
760 Views
Xcode Cloud succeeds in building the Release configuration of the app, but whenever deployment preparation is set to "TestFlight and App Store" the last step fails with: ITMS-90035: Invalid Signature. Code failed to satisfy specified code requirement(s). The file at path “{AppName}.app/{AppName}” is not properly signed. Make sure you have signed your application with a distribution certificate, not an ad hoc certificate or a development certificate. Verify that the code signing settings in Xcode are correct at the target level (which override any values at the project level). Additionally, make sure the bundle you are uploading was built using a Release target in Xcode, not a Simulator target. If you are certain your code signing settings are correct, choose “Clean All” in Xcode, delete the “build” directory in the Finder, and rebuild your release target. For more information, please consult https://developer.apple.com/support/code-signing. When I build for release (with manual signing) everything works as expected and uploading to TestFlight for external testing works. I have tried to removed every imported framework, library, file etc. only keeping the bare minimum and still Xcode Cloud fails with the same error. I even created a new empty project but I still get the same error. My only guess is that something is off with the automatically generated certificates (or provisioning profiles) that Apple creates. Is there any way to figure out what specifically makes the signing fail? Is there a way to reset Xcode Cloud to clear all data and caches, revoke all certificates and remove all accosiated provisioning profiles?
Posted
by bonanton.
Last updated
.