How to code-sign a macOS App on Continuous Integration - xcode

Steps I took:
Created a new blank Xcode project for my macOS application
Created a .travis.yml file for the CI setup
Pushed the unedited Xcode project to my GitHub repo
Travis started to build my project but it threw an error:
No signing Certificate "Mac Development" found: No "Mac Development" signing Certificate matching ID "XXXXX" with a private key was found
My .travis.yml:
os: osx
language: swift
osx_image: xcode11.3
script: xcodebuild clean build test -project MyApp.xcodeproj -scheme "MyApp" -sdk "macOS 10.15" -destination "platform=macOS" ONLY_ACTIVE_ARCH=NO
I tried the trick of disabling code signing entirely (https://stackoverflow.com/a/54296008), but that's more of a hack; I want a clean solution.
Xcode signs my code but Travis doesn't. How can I get my macOS app signed on Travis CI too?
Btw: I only have a free Apple Developer account, so I can't download certificates from https://developer.apple.com

Builds signed with free Apple Developer accounts won't run on machines that aren't connected to your developer account. You will need a paid developer account to sign software using either Developer ID (outside of the App Store) or for the App Store.
That said, for macOS (but not iOS/tvOS/etc), your binary built with CI can be run by somebody who downloads it to a machine with Gatekeeper disabled (prior to 10.15 only and not recommended), or by using the File > Open command or the context menu's Open command to launch the application (with a warning).
It's fairly common in CI environments to build without signatures and then add the signature later (this prevents accidental shipment of a binary that hasn't been through final testing, for example, or allows the company to limit who can build official binaries and under what circumstances).
To be clear, without the signing certificate and key, you cannot sign the Application.

Related

Xcode 10 notarization issue with Sparkle about Hardened Runtime for Autoupdate.app and fileop

As Apple introduced a new notarization process for apps distributed outside of the Mac App Store, I am getting this error when I try to submit my application, which has the Sparkle framework installed via CocoaPods, for notarization.
The error was first encountered for all bundles included in my app (helper app and other frameworks); however, they all went away except for these two Sparkle bundles after I enabled Hardened Runtime with the exceptions shown below through the Project editor.
I am not well informed about the guidelines of this new notarization process, as it just came out; I have already watched the WWDC 2018 presentation about it and could not find any other documentation.
Any ideas how to enable the hardened runtime for Sparkle's Autoupdate.app and fileop? Or is it just impossible for Sparkle, like enabling the sandbox, as the auto-update procedure requires access to other apps?
The current release of Sparkle, 1.22.0rc1, has the "Hardened Runtime" build option enabled, but Apple's service still rejects it if you just include it with your app. There is also no hardened runtime option for fileop available when compiling.
But you can use it anyway, no need to rebuild it. Just add a Run Script to your Build Phases like this:
Here is the script (from the GitHub discussion):
LOCATION="${BUILT_PRODUCTS_DIR}/${FRAMEWORKS_FOLDER_PATH}"
# By default, use the configured code signing identity for the project/target
IDENTITY="${CODE_SIGN_IDENTITY}"
if [ -z "$IDENTITY" ]
then
# If a code signing identity is not specified, use ad hoc signing
IDENTITY="-"
fi
# Sign the nested Autoupdate.app first (--deep also covers its fileop helper) with the hardened runtime enabled
codesign --verbose --force --deep -o runtime --sign "$IDENTITY" "$LOCATION/Sparkle.framework/Versions/A/Resources/Autoupdate.app"
# Then re-sign the framework itself so its seal covers the re-signed nested code
codesign --verbose --force -o runtime --sign "$IDENTITY" "$LOCATION/Sparkle.framework/Versions/A"
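To confirm that the Run Script phase actually produced what notarization needs, here is an added check (not part of the original answer) that reads codesign's own description of each bundle and fails if the hardened-runtime flag is missing on the framework, the nested Autoupdate.app, or fileop. It reuses the BUILT_PRODUCTS_DIR/FRAMEWORKS_FOLDER_PATH layout of the script above; the location of fileop inside Autoupdate.app and the function names are my assumptions.

```shell
#!/bin/sh
# Added verification step, not from the original post.  Run it after the
# Sparkle re-signing script in the same Build Phase (or as the next one).
set -eu

# "codesign -d --verbose=2" prints a line such as
#   CodeDirectory v=20500 size=... flags=0x10000(runtime) hashes=... location=embedded
# when the hardened runtime option is set.  This reads that text on stdin.
runtime_flag_in() {
  grep -Eq '^CodeDirectory .*flags=0x[0-9a-f]+\(.*runtime.*\)'
}

# Return 0 when every path given carries the runtime flag, 1 otherwise,
# listing the offenders so the build log says exactly what to fix.
check_runtime_flags() {
  rc=0
  for item in "$@"; do
    if codesign -d --verbose=2 "$item" 2>&1 | runtime_flag_in; then
      echo "ok       $item"
    else
      echo "MISSING  $item (hardened runtime not set)" >&2
      rc=1
    fi
  done
  return $rc
}

# Paths assumed to match the Run Script above; fileop lives inside Autoupdate.app.
SPARKLE="${BUILT_PRODUCTS_DIR:-.}/${FRAMEWORKS_FOLDER_PATH:-}/Sparkle.framework/Versions/A"
if [ -d "$SPARKLE" ]; then
  check_runtime_flags "$SPARKLE" \
    "$SPARKLE/Resources/Autoupdate.app" \
    "$SPARKLE/Resources/Autoupdate.app/Contents/MacOS/fileop"
fi
```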

Ad-Hoc codesigning for device succeeds in Studio, Fails in Jenkins

I have a Xamarin Forms application that supports Android and iOS. I've generated Jenkins builds to compile them. All of the Android builds work. The iOS Debug build compiles fine. The Ad-Hoc build, however, fails to build completely for an iPhone target. It appears to be failing during codesigning. It works if I target the iPhoneSimulator, but if I target iPhone device it fails.
Tool /usr/bin/codesign execution started with arguments: -v --force --sign 81088F8E194139DC4C6CE640716944E41FB0709F --entitlements "/Users/Shared/Jenkins/.jenkins/workspace/{project path}/obj/iPhone/Ad-Hoc/Entitlements.xcent" --deep "/Users/Shared/Jenkins/.jenkins/workspace/{project path}/bin/iPhone/Ad-Hoc/AppName.app"
bin/iPhone/Ad-Hoc/AppName.app : error : /Users/Shared/Jenkins/.jenkins/workspace/{project path}/bin/iPhone/Ad-Hoc/AppName.app: unknown error -1=ffffffffffffffff [/Users/Shared/Jenkins/.jenkins/workspace/{project path}/iDriverMobile.iOS.csproj]
If I open up the Solution in Visual Studio, right in the Jenkins workspace folder so it's using the exact same files, then compilation works fine, which is really frustrating.
Looking at differences between the two outputs, it seems that the working build (from Studio) has AOT output for all of the assemblies that looks like this:
Mono Ahead of Time compiler - compiling assembly /Users/Shared/Jenkins/.jenkins/workspace/{project path}/obj/iPhone/Ad-Hoc/mtouch-cache/32/Build/OpenNETCF.Google.Analytics.dll
The failing build has none of those. Instead, it has a couple lines that look like this:
MTOUCH : warning MT0095: Aot files could not be copied to the destination directory /Users/Shared/Jenkins/.jenkins/workspace/{project path}/obj/iPhone/Ad-Hoc/mtouch-cache/64/Build/Msym/Msym/tmp: Could not start process. [/Users/Shared/Jenkins/.jenkins/workspace/{project path}/AppName.csproj]
The worst part of all of this is that these builds did work, but then I restarted the Mac Mini that Jenkins is running on and things went downhill. I can't figure out what the difference is between what Studio is doing and the command line call to msbuild. They both point to the same binaries.
Additional Information
This still fails with the latest updates as of today (5/24/17). This is the environment:
Mac OS X 10.12.5
XCode 8.3.2
Xamarin.iOS 10.10.0.36
Visual Studio 2017 Community for Mac 7.0.1 (build 24)
Mono 5.0.1.1
What doesn't fix it:
Creating a new Jenkins build
Changing the Jenkins workspace path
Opening up permissions (777) to the entire Jenkins folder
Enabling LLVM
Disabling all linking
Completely uninstalling and re-installing Jenkins
Using xbuild instead of msbuild
Swearing a lot
My middle finger
Try to delete the derived data folder for your app in DerivedData. It looks like YourAPP_dasfdsfsdafdsasfdsaf, according to this post on the Apple Developer Forums.
The DerivedData folder is located at ~/Library/Developer/Xcode/DerivedData/
If this does not work, all the symptoms point to a signing certificate (also called a signing identity) issue.
It seems that when it was compiled from the command line, /usr/bin/codesign could not access the signing identity 81088F8E194139DC4C6CE640716944E41FB0709F. Unfortunately, there could be many different reasons:
the keychain was locked
codesign is not allowed to access the signing identity
multiple identities exist in the keychain and the wrong signing identity was selected
the wrong provisioning profile was matched for the Ad Hoc build
Try adding the following commands before running msbuild, assuming your signing identity is in the keychain ~/Library/Keychains/login.keychain:
security unlock-keychain -p <password> ~/Library/Keychains/login.keychain
security set-keychain-settings -l -u -t 3600 ~/Library/Keychains/login.keychain
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k -p <password> ~/Library/Keychains/login.keychain
It is not a good idea to have the keychain password stored in the build script; you can follow this guide to hide it.
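The keychain preparation above, carried through for an unattended CI host such as the Travis setup in the first question: an added example, not code from any of the answers here. It assumes the signing identity was exported from Keychain Access as a .p12 and arrives, together with its password, as secret environment variables (MAC_CERT_P12_B64 and MAC_CERT_P12_PASSWORD, names are mine), and it takes the .app path and the identity's SHA-1 fingerprint as arguments so that the build script never contains a keychain password.

```shell
#!/bin/sh
# Added example: throwaway keychain + identity import + sign + verify on CI.
# Assumed inputs (not from the original posts): MAC_CERT_P12_B64 (base64 .p12),
# MAC_CERT_P12_PASSWORD, $1 = path to the .app, $2 = SHA-1 of the identity.
set -eu

KEYCHAIN="${HOME:-/tmp}/Library/Keychains/ci-signing.keychain-db"
LOGIN_KEYCHAIN="${HOME:-/tmp}/Library/Keychains/login.keychain-db"
P12_TMP="${TMPDIR:-/tmp}/ci-signing.$$.p12"

# codesign --sign accepts a 40-hex-digit SHA-1 fingerprint; insisting on one
# avoids the "several identities match the name, wrong one picked" failure.
is_sha1_identity() {
  case "$1" in *[!0-9A-Fa-f]*) return 1 ;; esac
  [ "${#1}" -eq 40 ]
}

make_keychain() {
  KEYCHAIN_PASS=$(head -c 24 /dev/urandom | base64)   # random, never stored
  security create-keychain -p "$KEYCHAIN_PASS" "$KEYCHAIN"
  security set-keychain-settings -l -u -t 3600 "$KEYCHAIN"   # re-lock after 1h
  security unlock-keychain -p "$KEYCHAIN_PASS" "$KEYCHAIN"
  # Put it on the search list, otherwise codesign will not find the identity.
  security list-keychains -d user -s "$KEYCHAIN" "$LOGIN_KEYCHAIN"
}

import_identity() {
  printf '%s' "$MAC_CERT_P12_B64" | base64 --decode > "$P12_TMP"
  # -T grants codesign access without the GUI prompt a CI job can never answer.
  security import "$P12_TMP" -k "$KEYCHAIN" -P "$MAC_CERT_P12_PASSWORD" \
    -T /usr/bin/codesign -T /usr/bin/security
  rm -f "$P12_TMP"
  # Needed since macOS 10.12; without it codesign hangs waiting on the keychain.
  security set-key-partition-list -S apple-tool:,apple:,codesign: -s \
    -k "$KEYCHAIN_PASS" "$KEYCHAIN" >/dev/null
}

sign_and_verify() {   # $1 = .app bundle, $2 = identity fingerprint
  codesign --force --options runtime --timestamp --sign "$2" "$1"
  codesign --verify --deep --strict --verbose=2 "$1"
  # Gatekeeper only accepts Developer ID / App Store signatures, so a
  # "Mac Development" identity is expected to be rejected at this step.
  spctl --assess --type execute --verbose=4 "$1" || echo "not Developer ID signed"
}

main() {
  is_sha1_identity "$2" || { echo "identity must be a SHA-1 fingerprint" >&2; return 1; }
  trap 'rm -f "$P12_TMP"' EXIT            # never leave the .p12 on the runner
  make_keychain
  import_identity
  sign_and_verify "$1" "$2"
  security delete-keychain "$KEYCHAIN"    # and no keychain either
}

if [ $# -eq 2 ]; then main "$@"; fi
```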

Xcodebuild- Travis CI can't archive a project that uses cocoapods due to code signing error?

Trying to use Travis CI to build, archive and distribute my Ad Hoc app builds through Crashlytics (Fabric).
Having an issue with the code signing process, though, as it attempts to code sign the CocoaPods I am using.
Here is the output:
=== ARCHIVE ===
xcodebuild archive My Cool App - AdHoc
Pods / Bolts (AdHoc)
✗ Check dependencies (16 ms)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Check dependencies
Code Sign error: Provisioning profile does not match bundle identifier: The provisioning profile specified in your build settings (“My Cool App (AdHoc)”) has an AppID of “com.nitwitstudios.mycoolapp” which does not match your bundle identifier “org.cocoapods.Bolts”.
I was having this issue with a project that has use_frameworks! enabled.
The temporary workaround I found for this was changing the code signing identity for any iOS SDK for all of my Cocoapod frameworks to default so that it was iOS Distribution:
This doesn't really seem like a permanent solution, though; it gets overwritten any time I run pod update.

Developer ID signed OS X app crashes on start with Code Signature Invalid

I'm trying to build my app such that I can share it with testers. My app specifies entitlements (iCloud) so I have to sign it. To distribute a signed build I think I need to sign it using 'Developer ID', which I've done. The app package appears to be signed correctly - running:
spctl --verbose=4 --assess --type execute <my app>
reports:
<my app>: accepted
source=Developer ID
But when I run the app it crashes - a 'Code Signature Invalid' exception.
So why does it crash? I think I need to include the provisioning profile I've created, which includes the UUIDs of my testers' machines, but when I try to export the 'Developer ID-signed Application' from Xcode it always lists the provisioning profile as 'None', and there's no way to change it. What am I doing wrong?
I figured out that I was misunderstanding a bunch of things.
Firstly - I'm pretty sure it crashes because although the code signature is valid, I'm trying to use features (iCloud) which are only available to apps downloaded from the app store; the app needs to be signed by Apple to run.
Secondly - Developer ID-signed apps don't use provisioning profiles; these are production-ready apps for actual distribution outside of the app store (so long as they don't use app-store only features).
So how do I share a build so that testers can run it and use its iCloud features? The answer is that I build a development build as I normally do, signed as a developer, but create a matching provisioning profile including the UUIDs of my testers' machines. I then export the archived app using 'Export as Mac Application'. Both the app AND the profile need to be passed on to testers; they can install the profile by simply double-clicking on it to bring up the profile manager.
This took me a few hours to figure out - I don't think it's clear from the doc quite how all these things relate, so I hope this is useful to someone! ;)
I recommend creating a DMG file and putting the app in the Applications folder:
This cleans and builds the project:
xcodebuild -configuration Release -scheme {SCHEME_NAME} clean build
and this creates the DMG file from the Release product:
hdiutil create -volname {PROJECT_NAME} -srcfolder {...}/Xcode/DerivedData/Build/Products/Release/{APP_NAME}.app -ov -format UDZO {SRC_PATH_FORDMG_FILE}/{PRODUCT_NAME}.dmg

Trouble packaging and signing iOS apps built with Cordova CLI

Until now, all of my experience compiling PhoneGap apps has been via the excellent PhoneGap:Build service. However, I now find myself in a situation where I need to compile locally, because I need to use a plugin that includes a binary file, which precludes it from being included for use with PG:B.
So for these reasons, I need to compile locally. "Great!" I thought, I'll just use the new CLI...
I have developed my app, and I can test it on-device via deploy over USB from Xcode, but trying to get a release build, and sign it, with the provisioning profile embedded, has been a nightmare.
For completeness, this is the basic outline of everything I've done, aside from the app development itself.
$ pwd
/users/adam/dev/myapp/mobile/
$ cordova create build_local com.foo.bar MyApp
Creating a new cordova project with name "MyApp" and id "com.foo.bar" at location "/Users/adam/DEV/myapp/build_local"
$ cd build_local
$ cordova platform add ios
Creating ios project...
$ cordova platform add android
Creating android project...
Creating Cordova project for the Android platform:
Path: platforms/android
Package: com.foo.bar
Name: MyApp
Android target: android-19
Copying template files...
<snip>
Project successfully created.
$ cordova plugin add https://github.com/hazemhagrass/BackgroundJS
Fetching plugin "https://github.com/hazemhagrass/BackgroundJS" via git clone
Installing com.badrit.BackgroundJS (android)
Fetching plugin "https://github.com/apache/cordova-plugin-device.git" via git clone
Installing org.apache.cordova.device (android)
Installing com.badrit.BackgroundJS (ios)
Installing org.apache.cordova.device (ios)
$ cordova plugin add de.appplant.cordova.plugin.local-notification
Fetching plugin "de.appplant.cordova.plugin.local-notification" via plugin registry
Installing de.appplant.cordova.plugin.local-notification (android)
Installing de.appplant.cordova.plugin.local-notification (ios)
$ cordova plugin add https://github.com/kdzwinel/phonegap-estimotebeacons
Fetching plugin "https://github.com/kdzwinel/phonegap-estimotebeacons" via git clone
Installing pl.makingwaves.estimotebeacons (android)
Installing pl.makingwaves.estimotebeacons (ios)
For what it's worth, this last plugin is the reason that I have to compile locally.
Now, here's one other potential monkey wrench: This app is actually two apps. It's the same core codebase, merged into two different deployment branches of the repo, one for each client. So each app will have its own id, name, and config stuff. Because of this, I actually have more than one cordova project folder (1 for each final app) and after creating each project through the steps above, I remove the generated www folder and replace it with a symlink to the shared www folder that exists outside of these phonegap project directories.
This is supported behavior; the CLI allows you to generate your app with a symlink via the --link-to flag (see cordova help create for details). However, doing so seems to have issues; so I've resorted to doing all of the app config up front and then replacing the generated www folder with a symlink after everything is ready to compile.
At this point, I can deploy to either the iOS simulator or Android emulator, and I can deploy to devices over USB, and everything works just fine; all of my plugins are available and function as expected. So I'm ready to compile a release build. Android is easy. iOS, not so much.
$ cordova build ios
<snip>
** BUILD SUCCEEDED **
However, this is a DEV build. The generated file is in the build/emulator/ folder, and when I attempt to sign it, I'm told that it's not signed because of the i386 architecture (which indicates that it's a development build).
$ xcrun -sdk iphoneos PackageApplication -v "platforms/ios/build/emulator/MyApp.app" -o "/users/adam/dev/myapp/MyApp.ipa" --sign "iPhone Distribution: {our cert name} ({our cert id})"
<snip>
Codesign check fails : platforms/ios/build/emulator/MyApp.app: code object is not signed at all
In architecture: i386
<snip>
I've attempted to generate a release build from the cordova CLI. I haven't been able to find the --release flag documented anywhere, but the CLI doesn't complain, and it usually does if it doesn't recognize a flag.
$ cordova build ios --release
<same result as previously>
Attempting to sign this build results in the same problem.
At this point, I started attempting to work directly in Xcode. I've set the .mobileprovision file and the signing credentials up appropriately, to the best of my knowledge:
With these values set, Xcode no longer allows me to build:
So I'm stuck: I have no choice but to build locally, and I can't figure out how to get it to build for release and sign! Please help!
Additionally, if I attempt to embed a provisioning profile, that fails because of an issue with entitlements. I'm not exactly sure what this means, but I'm hopeful that it's a result of working with a dev build, and resolving that will resolve this as well.
$ test -e ~/.ios/DEV.mobileprovision && echo exists
exists
$ xcrun -sdk iphoneos PackageApplication -v "platforms/ios/build/emulator/MyApp.app" -o "/users/adam/dev/myapp/MyApp.ipa" --embed "~/.ios/DEV.mobileprovision"
<snip>
error: Failed to read entitlements from '/var/folders/zs/j2hmt69n12sbjm6gyn0m_q4c0000gn/T/tyYvYPQKf3/Payload/MyApp.app'
Update 1:
This SO question helped in one regard. I don't know how the active scheme (I'm not really sure what that means, but that's the tooltip when I hover over the control) got changed as part of specifying keys/etc, but clearly it did. Changing this back to an iOS Device, like iPhone, allows me to build my project, and even Archive (which, to the best of my understanding, means it's creating the .ipa file I need to submit to the app store), but I can't find the archived file. Where should it be? Can I define this in a setting somewhere in Xcode?
Update 2:
By fiddling with certificates and provisioning profiles I've finally been able to create an archive from Xcode, which I've been told is a release build (is it?). Ideally I would like to be able to build from the command line so that I can automate it as much as possible, so that's where I'll be picking up in the morning. Any advice on that front would be quite welcome!
If you managed to create an archive in Xcode, then your signing certificate and provisioning profiles are known to Xcode, so cordova build ios --release --device should make it.
The steps are:
1) Import your iOS developer certificate for production into the keychain by downloading it and double-clicking on it in Finder (or get it via Xcode)
2) Download your provisioning profile (with the App ID set to the id attribute of the widget element in config.xml) and double-click it in Finder so it goes into the Xcode provisioning profile store
3) cordova build ios --release --device
It looks like you're trying to sign the app with a wildcard provisioning profile (the Xcode screenshot). Can you try creating and downloading a distribution certificate and provprofile to your Mac? Then import the .cer file in the Keychain Access app (double-clicking should suffice) and double-click the provprofile as well.
Now you should be able to select the appropriate values from the release dropdowns in the Xcode build settings.
Hope this helps somewhat...
Eddy
One other issue I am seeing from your screenshot: I don't think you can build an Archive (Release) version using the Developer signing identity; you would need to create a Distribution certificate and use that one for the Release (Archive) version.
