Gatekeeper not accepting code-signed macOS application - xcode

I have created an Apple developer account.
Created a certificate request from the Keychain tool, uploaded it and generated a certificate for macOS distribution.
Downloaded the certificate, double-clicked it and installed it.
Built the .app package and used the codesign tool: codesign --force --sign "Apple Development:Cool Developer(27HS88RR)" "mysupercoolapp.app"
Used the following command for verification: codesign --verify --deep --strict --verbose=2 "mysupercoolapp.app"; the output is "Valid on Disk, Satisfies some requirement".
Using the spctl tool for Gatekeeper verification: spctl -a -t exec --vv "mysupercoolapp.app" --> Rejected
Is there some magic trick for Gatekeeper to accept the app? I'm fed up with this; Apple does not have proper documentation on codesigning a macOS app from Xcode directly.
Please advise.

Verification error after signing code in Qt bundle (CSSMERR_TP_NOT_TRUSTED, OSX)

I am trying to code-sign a desktop application binary for OSX Sierra with a bought COMODO certificate.
I get a code-signing verification error CSSMERR_TP_NOT_TRUSTED at the end of the macdeployqt command run:
$ security unlock-keychain -p "$PASSWORD" /Users/user/Library/Keychains/login.keychain
$ ~/Qt5.8/5.8/clang_64/bin/macdeployqt app_name.app/ -codesign=(cat ~/keyid3) -verbose=4 -no-plugins # (1)
# (...)
Log: Finished codesigning "app_name.app" with identity "118E862D88E30998B6C4BACB8ABCB1FBDEADBEEF"
ERROR: codesign verification error:
ERROR: "app_name.app: CSSMERR_TP_NOT_TRUSTED\nIn architecture: x86_64\n"
The same happens when I try to use the codesign utility directly on the final bundle (I am giving the same certificate ID as Xcode does):
+ security unlock-keychain -p "$PASSWORD" /Users/user/Library/Keychains/login.keychain
+ export CODESIGN_ALLOCATE=/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate
+ CODESIGN_ALLOCATE=/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate
+ /usr/bin/codesign --force --sign 118E862D88E30998B6C4BACB8ABCB1FBDEADBEEF --deep --timestamp=none '<build-path>/app_name'
+ /usr/bin/codesign --verify '<build-path>/app_name' -dv
Executable=<build-path>/app_name/Contents/MacOS/app_name
Identifier=$(PRODUCT_BUNDLE_IDENTIFIER)
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20100 size=19725 flags=0x0(none) hashes=611+3 location=embedded
Signature size=2359
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=2
Internal requirements count=1 size=104
+ /usr/bin/codesign --verify '<build-path>/app_name'
<build-path>/app_name: CSSMERR_TP_NOT_TRUSTED
In architecture: x86_64
+ spctl -a -v <build-path>/app_name
<build-path>/app_name/: CSSMERR_TP_NOT_TRUSTED
A binary compiled and signed by Xcode is accepted by Gatekeeper, though (I generate the Xcode project with CMake and then modify the project properties to sign the binary; this, however, does not make a full bundle for me). I have used the same codesign command (copied from Xcode's log) for signing.
I have already:
removed and re-imported the certificate,
allowed it to be used by all applications,
checked that the permissions are the system default,
checked for duplicate certificates in the system.
I use qmake (Qt5.8) to create makefiles.
My bundle contents (after make, before macdeploy):
./Contents
./Contents/_CodeSignature
./Contents/_CodeSignature/CodeResources
./Contents/Info.plist
./Contents/MacOS
./Contents/MacOS/app_name
./Contents/PkgInfo
./Contents/Resources
./Contents/Resources/CS_icon.icns
./Contents/Resources/empty.lproj
What should I do to make a correctly signed binary under OSX Sierra?
It turned out the SSL reseller I was buying the certificate from had simply not updated his website, where he was claiming the certificate works with OSX. Perhaps it did until the 10.9 release, AFAIR.
The only way to code-sign and use binaries on the latest macOSes is to buy a proper, targeted certificate directly from Apple (e.g. the one targeted for iPhone/iOS will not work on macOS and vice versa).
I wish the reseller's helpdesk had known about it before I lost the time.
Make sure your certificate in the keychain is not set to "Always Trust". If it is set to "Always Trust", set it to "System Defaults".

Third-party certificate and Gatekeeper

How can I get Gatekeeper to pass an app signed with a third-party certificate?
I have signed mine with the one I bought for the Windows version, and if I have checked the "Mac App Store and identified developers" option in System Preferences it can't be executed.
This is the command I executed for signing:
codesign --force --verify --verbose --sign "My cert" My.app
This is the command for verifying the signing:
codesign --verify --verbose=4 My.app
And this is the output:
My.app/: valid on disk
My.app/: satisfies its Designated Requirement
What am I doing wrong?
Thanks.
Gatekeeper does not accept third-party certificates, only Mac App Store and Apple Developer ID certs. The reason for this is that if Apple finds signed malware being distributed, they want to be able to revoke the certificate that was used to sign it; that's only possible if Apple owns the certificate authority that issued the signing cert. As a result, third-party certs are not considered trustworthy for Gatekeeper purposes.
BTW, the check you're doing with codesign --verify only checks whether the signature matches the contents of the app, not whether it's considered a Gatekeeper-valid signature. For that, you want spctl -va My.app (although note that this checks it against your current Gatekeeper policy, so if you have Gatekeeper set to Mac App Store only, it'll report Developer ID-signed apps as "rejected").
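Added here as an example, not code from this answer or any other post on the page: a POSIX sh helper that runs the two checks just described and maps their output to the causes discussed in these threads. The function names and diagnosis codes are this example's own; the strings it matches are the ones quoted on this page plus codesign's "code object is not signed at all" message.

```shell
#!/bin/sh
# Added example, not code from any post on this page: a triage helper that keeps
# the two checks apart. codesign --verify proves the seal matches the bundle;
# spctl --assess applies the local Gatekeeper policy. Function names and the
# diagnosis codes are this example's own.
# First "source=..." value in spctl output, or "none".
spctl_source() {
    src=$(printf '%s\n' "$1" | sed -n 's/.*source=//p' | head -n 1)
    printf '%s' "${src:-none}"
}

# diagnose CODESIGN_OUTPUT SPCTL_OUTPUT -> one diagnosis code on stdout.
# Pure text matching, so it can be exercised with captured output on any host.
diagnose() {
    cs="$1"; sp="$2"
    src=$(spctl_source "$sp")
    case "$cs" in
        *CSSMERR_TP_NOT_TRUSTED*)
            # Seal intact, but the signing cert does not chain to a root the
            # system trusts (third-party CA, or a trust override in Keychain).
            echo "UNTRUSTED_ISSUER"; return ;;
        *"not signed at all"*)
            echo "UNSIGNED"; return ;;
    esac
    case "$sp" in
        *accepted*) echo "ACCEPTED source=$src" ;;
        *rejected*)
            case "$src" in
                "No Matching Rule")
                    # Seal intact, but no Gatekeeper rule matches the cert:
                    # not a Developer ID or Mac App Store certificate.
                    echo "REJECTED_NO_RULE" ;;
                "Developer ID")
                    # Developer ID recognised; local policy is App Store only.
                    echo "REJECTED_BY_POLICY" ;;
                *)  echo "REJECTED source=$src" ;;
            esac ;;
        *) echo "INCONCLUSIVE" ;;
    esac
}

# Run both tools on a bundle (macOS only) and print the diagnosis.
check_app() {
    cs=$(codesign --verify --deep --strict --verbose=2 "$1" 2>&1)
    sp=$(spctl --assess --type exec -vv "$1" 2>&1)
    diagnose "$cs" "$sp"
}
if [ -n "${1:-}" ]; then check_app "$1"; fi
```

Run it as `sh gk-triage.sh My.app` on a Mac; the diagnose function alone can be fed captured output from another machine.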

Codesign .app file in Command Line

I am trying to submit a Mac app outside the App Store. I take the build from Xcode 4.5 and use the following commands for code-signing. But neither of them is working.
codesign --force -s "3rd Party Mac Developer Application: My Company" -v <path to my .app file>
//signed bundle with Mach-O thin (x86_64) [com.CompanyNama.AppName]
It gives "rejected" when verifying.
codesign --force --sign "Developer ID Application: My Company" <path to my .app file>
It gives rejected, source=No Matching Rule/source=Developer ID when verifying.
I use the following command for verifying:
sudo spctl -a -v
What am I doing wrong? Which one should we use when code-signing a .app file?
You need to replace "Developer ID Application: My Company" with an actual certificate name. Find the production certificate you want to use in Apple's developer portal. Make sure that it's also in your OS X keychain, including the private key. Copy the name and replace "Developer ID Application: My Company".
I am not sure about the source=No Matching Rule part, but I was getting rejected, because my Gatekeeper was switched to accept "Mac App store" apps only. After changing it to "Mac App store and identified developers" the check passed.

How to codesign an existing Mac OS X .app file for gatekeeper?

I paid the $99 to get a developer license with Apple. Installed Xcode 4.3. Went to the Organizer and "Provisioning Profiles" and refreshed to download my code signing certificate. Checked my Keychain Access and confirmed that I have "3rd Party Mac Developer ", "Developer ID" and "Mac Developer *" certificates.
At this point the documentation from Apple mentioned pulling up your project files. I'm using Wineskin to package my Windows application, so I don't have an Xcode project. I have a .app file produced by Wineskin. I'd like to codesign the .app file that Wineskin produced for me.
I tried:
codesign -s "certificate name" /path/to/my.app
I tried all the possible certificate names that had my name and the word "Application" in them from my Keychain Access.
Every time I get the error "/path/to/my.app: object file format unrecognized, invalid, or unsuitable"
Any idea on how to get past this error? Am I even attempting the proper command? Or is there a different way I should go?
To summarize the comments to my questions, here are the commands I run to sign my .app file for Gatekeeper:
export CODESIGN_ALLOCATE="/Applications/Xcode.app/Contents/Developer/usr/bin/codesign_allocate"
codesign --force --sign "Developer ID Application: <my name>" /path/to/my.app
Thanks, Gordon Davisson and JWWalker!
(edit) If this fails, I realized that installing the "Command Line Tools" from within Xcode was needed.
EDIT:
To verify:
$ codesign -dv --verbose=4 my.app
In your Apple ID account, make sure you have a few types of certificate.
Make sure you have a valid developer certificate and a private key in your keychain.
If you have some problems with it, the certificate should be revoked via developer.apple.com and generated from scratch (Xcode > Accounts > Manage Certificates).
Then you can use codesign:
codesign --force --deep --sign "Apple Development: FirstName LastName (XXXXXXXXXX)" /Applications/ApplicationName.app
Before using the codesign command:
Install the Command Line Tools for Xcode from the https://developer.apple.com/downloads/index.action section.
(You should have a developer account to download Additional Tools.)
Please check for any hidden file in the Payload folder (like .DS_Store) and if there is one, please remove it:
Navigate to the Payload folder via the terminal using the cd command.
Type the ls -a command in the terminal.
If there is any hidden file, delete it with rm -f .DS_Store.
This solution worked for me, so please give it a try.

MonoMac Signing with "codesign" for Mac Store. (Invalid Binary)

Hi, I'm trying to code sign a MonoMac binary for the Mac Store via "Application Loader". I can submit the app, but the status in "iTunes Connect" will always say "Invalid Binary"!? The reason I have to do this manually is because there's a bug in MonoMac signing. But I'm starting to pull my hair out now, as it's been over a day and a half.
I also get back an email saying:
Invalid Signature - the main app bundle Paper Tanks at path Paper Tanks.app is signed but the signature is invalid.
If I try to sign the binary with this the "Application Loader" will give an error:
codesign -v --force --sign "A72F25F56B7D6C43332AE795288EA092009BE737" "--resource-rules=/Users/Andrew/Reign/Games/papertanks/PaperTanks_OSX/PaperTanks_OSX/bin/AppStore/Paper Tanks.app/Contents/Resources/ResourceRules.plist" --entitlements "/Users/Andrew/Reign/Games/papertanks/PaperTanks_OSX/PaperTanks_OSX/bin/AppStore/Paper Tanks.xcent" "/Users/Andrew/Reign/Games/papertanks/PaperTanks_OSX/PaperTanks_OSX/bin/AppStore/Paper Tanks.app"
Application Loader error = "Invalid Code Signing Entitlements. The entitlements in your app bundle signature do not match the ones that are contained in the provisioning profile. The bundle contains a key that is not included in the provisioning profile: 'com.apple.application-indetifier' in Paper Tanks.app/Contents/macOS/Paper Tanks'."
So because the step above fails, I then code sign the app like this:
codesign -v --force --sign "3rd Party Mac Developer Application: Andrew Witte" "--resource-rules=.../AppStore/Paper Tanks.app/Contents/Resources/ResourceRules.plist" "..../AppStore/Paper Tanks.app"
Then I code sign the internal mono posix lib, as the last step doesn't seem to.
codesign -v --force --sign "3rd Party Mac Developer Application: Andrew Witte" .../AppStore/Paper\ Tanks.app/Contents/Resources/libMonoPosixHelper.dylib
Then I build and sign the pkg:
productbuild --component ".../AppStore/Paper Tanks.app" /Applications --sign "3rd Party Mac Developer Installer: Andrew Witte" ".../AppStore/PaperTanks_OSX-0.1.pkg"
The issue was fixed by upgrading to Xcode 4.4.