I need to create a certified runtime from my FileMaker application, which requires an Apple Developer Certificate. I purchased the certificate and followed some instructions on how I can sign my application with the certificate.
I created it in the keychain (following the official Apple documentation) and it appears to be okay, here's a screenshot:
It's shown as active. Then I followed this instruction and modified the script, but if I try to access my certificate I always get the error:
error the specified item could not be found in the keychain
This error occurs in the following line of the script:
codesign -f -vvvv -s "Developer ID Installer: Dieter K****** (D********)"
I can't find any errors in the syntax of my script, all other steps work fine.
You may need to use "Developer ID Application" certificate.
Refer to this video: https://www.youtube.com/watch?v=pBsFCrI_wXA
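The identity/tool mismatch this answer points at can be checked before signing. The script below is an added example, not part of the original posts: it reads the text printed by `security find-identity -v` and reports which tool each identity belongs with, following the pairings used on this page (`codesign` with Application identities, `productsign` with Installer identities). The sample listing and the function names `classify_identities` and `tool_for` are constructed for illustration.

```shell
#!/bin/sh
# Added example: map keychain identities to the signing tool they belong with.
# On a Mac, feed it real data:  security find-identity -v | classify_identities

# Constructed sample of `security find-identity -v` output (hashes and names are fake).
SAMPLE='  1) 1111111111111111111111111111111111111111 "Developer ID Application: Example Dev (ABCDE12345)"
  2) 2222222222222222222222222222222222222222 "Developer ID Installer: Example Dev (ABCDE12345)"
  3) 3333333333333333333333333333333333333333 "3rd Party Mac Developer Application: Example Dev (ABCDE12345)"
     3 valid identities found'

# Print "<tool><TAB><purpose><TAB><identity name>" for every identity line on stdin.
classify_identities() {
    awk -F'"' '
        /^ *[0-9]+\) [0-9A-F]+ "/ {
            name = $2
            if      (name ~ /^Developer ID Application:/)            { tool = "codesign";    use = "app outside the Mac App Store" }
            else if (name ~ /^Developer ID Installer:/)              { tool = "productsign"; use = "pkg outside the Mac App Store" }
            else if (name ~ /^3rd Party Mac Developer Application:/) { tool = "codesign";    use = "app for Mac App Store submission" }
            else if (name ~ /^3rd Party Mac Developer Installer:/)   { tool = "productsign"; use = "pkg for Mac App Store submission" }
            else                                                     { tool = "unknown";     use = "not classified here" }
            printf "%s\t%s\t%s\n", tool, use, name
        }'
}

# Print the tool for one exact identity name; exit non-zero if the listing lacks it.
# $1 = identity name, stdin = find-identity output
tool_for() {
    classify_identities |
        awk -F'\t' -v want="$1" '$3 == want { print $1; found = 1 } END { exit !found }'
}

printf '%s\n' "$SAMPLE" | classify_identities
```

A `tool_for` result of `productsign` for the name passed to `codesign -s` indicates the identity type is wrong for `codesign`, regardless of whether the certificate itself is valid.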
Initially I tried to codesign our Adobe AIR Mac app with a Mac Developer distribution certificate, which generally starts as "3rd Party Mac Developer Application:xxx". Later, I read through https://developer.apple.com/library/mac/technotes/tn2206/_index.html#//apple_ref/doc/uid/DTS40007919-CH1-TNTAG211 where it's discussed that verification through the codesign and spctl commands needs the certificate to be a Developer ID certificate only (I'm using 'Developer ID Application:xxx'):
Like Gatekeeper, spctl will only accept Developer ID-signed apps and
apps downloaded from the Mac App Store by default. It will reject apps
signed with Mac App Store development or distribution certificates.
My verification commands were:
./check-signature DEPLOY/Moonshine.app DEPLOY/Application.pkg
(c) 2014 Apple Inc. All rights reserved.
DEPLOY/Application.app: YES
DEPLOY/Application.pkg: YES
and
spctl -a -t exec -vv DEPLOY/Application.app
DEPLOY/Application.app: accepted
source=Developer ID
override=security
disabled
origin=Developer ID Application: xxx (LS9K97G9DD)
Both commands returned positive results, as discussed on the Apple Developers page.
When we submitted the app to the App Store, it was returned with errors like "test-requirement: code failed to satisfy specified code requirement(s)". We were also supplied with suggested (Code Requirements) links by Apple: https://developer.apple.com/library/mac/technotes/tn2206/_index.html#//apple_ref/doc/uid/DTS40007919-CH1-TNTAG4, and we started verifying the .app file locally with the following command:
codesign -vvvv -R="anchor apple" DEPLOY/Applications.app
We started receiving the same kind of error that Apple sent us:
--prepared:/Users/santanu/Documents/Adobe Flash Builder 4.7/ProjectFolder/build/DEPLOY/Application.app/Contents/Frameworks/Adobe AIR.framework/Versions/Current/.
--validated:/Users/santanu/Documents/Adobe Flash Builder 4.7/ProjectFolder/build/DEPLOY/Application.app/Contents/Frameworks/Adobe AIR.framework/Versions/Current/.
DEPLOY/Application.app/: valid on disk
DEPLOY/Application.app/: satisfies its Designated Requirement
test-requirement: code failed to satisfy specified code requirement(s)
Later, I also tried to codesign with Mac Developer distribution certificate (3rd Party Mac Developer Application:xxx) instead of Developer ID certificate, but that didn't improve the situation either.
I'm unable to understand now which other certificate we should use to get that anchor apple in our codesign process to fix this 'code failed to satisfy specified code requirement' error. Or is there any other way we can fix this?
I paid the $99 to get a developer license w/ Apple. Installed Xcode 4.3. Went to the Organizer and "Provisioning Profiles" and refreshed to download my code signing certificate. Checked my Keychain Access and confirmed that I have "3rd Party Mac Developer ", "Developer ID" and "Mac Developer *" certificates.
At this point the documentation from Apple mentioned pulling up your project files. I'm using Wineskin to package my Windows application, so I don't have an Xcode project. I have a .app file produced by Wineskin. I'd like to codesign the .app file that Wineskin produced for me.
I tried:
codesign -s "certificate name" /path/to/my.app
I tried all the possible certificate names that had my name and the word "Application" in them from my Keychain Access.
Every time I get the error "/path/to/my.app: object file format unrecognized, invalid, or unsuitable"
Any idea on how to get past this error? Am I even attempting the proper command? Or is there a different way I should go?
To summarize the comments to my questions, here are the commands I run to sign my .app file for Gatekeeper:
export CODESIGN_ALLOCATE="/Applications/Xcode.app/Contents/Developer/usr/bin/codesign_allocate"
codesign --force --sign "Developer ID Application: <my name>" /path/to/my.app
Thanks, Gordon Davisson and JWWalker!
(edit) If this fails, I realize that installing the "Command Line Tools" from within Xcode was needed.
EDIT:
To verify
$ codesign -dv --verbose=4 my.app
In your Apple ID account, make sure you have a few types of certificate.
Make sure you have a valid developer certificate and a private key in your keychain.
If you have some problems with it, the certificate should be revoked via developer.apple.com and generated from scratch (Xcode > Accounts > Manage Certificates).
Then you can use codesign:
codesign --force --deep --sign "Apple Development: FirstName LastName (XXXXXXXXXX)" /Applications/ApplicationName.app
Before using the codesign command:
Install the Command Line Tools for Xcode from the https://developer.apple.com/downloads/index.action section.
(You should have a developer account to download Additional Tools.)
Please check for any hidden file in the Payload folder (like .DS_Store), and if there is one please remove it:
Navigate to the Payload folder via the terminal using the cd command
Type the ls -a command in the terminal
If there is any hidden file, delete it with rm -f .DS_Store
This solution worked for me, so please give it a try.
Trying to codesign an application for compatibility with Gatekeeper, introduced in OSX 10.8
Following the instructions in https://developer.apple.com/resources/developer-id/Developer-ID-Tutorial.pdf
Created a Developer Account and waited for confirmation
Created and exported developer certificates from Xcode 4.4
Created a new OSX/Cocoa Application and set Product Name and Company Identifier field to give correct Bundle Identifier
Then on page 9 of the pdf the section Code Signing with a Developer ID Certificate tells me to go to build settings, and search for “code signing” to show only code signing settings.
But I see no code signing options,
What am I missing?
Select your target in Xcode and search for "Code Signing Identity" (CODE_SIGN_IDENTITY), and put "Developer ID Application".
You can also manually sign an application in the Terminal:
codesign -f -s "Developer ID Application" MyApp.app
You can verify if your application is correctly signed:
codesign -vvv MyApp.app
I am facing a problem signing an installer for a Mac application which I am planning to distribute outside the Mac App Store. I am using the developer installer certificate to sign the app, but it is giving an error. Below is the command I am using to sign the app.
productsign --sign "Developer ID Installer: XYZ" "/path/to/input" "/path/to/output"
productsign: signing product with identity "Developer ID Installer: XYZ" from keychain "login keychain Path"
productsign: adding intermediate certificate "Developer ID Certification Authority"
productsign: adding intermediate certificate "Apple Root CA"
productsign: error: Can't add contents of input archive to output.
Does anyone have a solution or any idea about this problem?
If I try to create the installer through Xcode then it works fine. But since my application installer contains multiple .pkg files inside it, we are creating the installer file through PackageMaker. My next queries are:
Is it possible to successfully sign an installer created with PackageMaker?
Is it possible to sign a .mpkg file?
Thanks in advance.
If your .pkg is a bundle (a folder with stuff in it) -- flatten it first before signing:
pkgutil --flatten orig.pkg flat.pkg
productsign --sign 'Developer ID Application: Foo Guy' flat.pkg flat_signed.pkg
This goes away when you set the minimum target in the "install properties" to 10.5 (leopard)!
(When you open the installer with PackageMaker, select "Project" > "Install Properties" to find that setting.)
So it seems to be some sort of compatibility issue.
I have downloaded and installed the WWDR certificate. I have tried setting it to Always Trust and system defaults.
When I try to archive my app I get the CSSMERR_TP_NOT_TRUSTED error.
If I try signing manually I get the same:
/usr/bin/codesign --force --sign "3rd Party Mac Developer Application: XX XXX-XXX" /Users/XXX/Library/Developer/Xcode/DerivedData/XXX-fivqootinaolitdbpxccqykoaoqs/ArchiveIntermediates/XXX/InstallationBuildProductsLocation/Users/XXX/Applications/XXX.app
/Users/xxx/Library/Developer/Xcode/DerivedData/xxx-fivqootinaolitdbpxccqykoaoqs/ArchiveIntermediates/xxx/InstallationBuildProductsLocation/Users/xxx/Applications/xxx.app: replacing invalid existing signature
/Users/xxx/Library/Developer/Xcode/DerivedData/xxx-fivqootinaolitdbpxccqykoaoqs/ArchiveIntermediates/xxx/InstallationBuildProductsLocation/Users/xxx/Applications/xxx.app: CSSMERR_TP_NOT_TRUSTED
BUT
If I use
sudo /usr/bin/codesign --force --sign
Then it works....
The key is installed in keychain access in the 'login' chain.
Obishawn used one of the suggestions provided by Apple in the following steps published to troubleshoot this error - How do I resolve the CodeSign error: CSSMERR_TP_NOT_TRUSTED?
For others experiencing this build error -
CSSMERR_TP_NOT_TRUSTED
the above guide covers a more broad range of potential causes. The error can also occur at Xcode Archive > Share, Validate, or Submit time, and the above steps to resolve it are the same.
Ok, I finally figured mine out. I had the WWDR certificate in my login keychain and my System keychain. I deleted both and reimported a fresh one from Apple and everything works now. I can codesign without using sudo and MonoDevelop can fully compile for distribution and upload to my devices.
My two cents on that problem:
I had to fight with it for some hours. Here is what I had to fix to have codesign do its job:
Ensure that certificates are not duplicated between the login and the system keychain
Ensure no old / expired / revoked versions of the certificates exist in any keychain
Ensure all certificates have "system default" trust policy. If one is set to "always trust", then codesign will fail.
This last point was found on a machine that was migrated to Xcode 8.2 recently. It might be a new behavior of Xcode 8.
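The duplicate and stale certificate conditions described in the last two answers (the same WWDR certificate in both the login and System keychains, or several versions of one certificate) can be detected from a keychain listing. This is an added example, not code from the original posts: it parses the text of `security find-certificate -a -Z`, and the sample listing, its hashes and paths, and the function name `find_duplicates` are constructed; the line layout it expects is an assumption about that command's output.

```shell
#!/bin/sh
# Added example: flag a certificate stored in more than one keychain, and a
# certificate name that exists in more than one version (different hashes).
# On a Mac:
#   security find-certificate -a -c "Apple Worldwide Developer Relations" -Z | find_duplicates

# Constructed sample (fake hashes and paths). Assumed layout per certificate:
# a "SHA-1 hash:" line, a "keychain:" line, then a "labl" attribute line.
CERT_SAMPLE='SHA-1 hash: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
keychain: "/Users/dev/Library/Keychains/login.keychain-db"
    "labl"<blob>="Apple Worldwide Developer Relations Certification Authority"
SHA-1 hash: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
keychain: "/Library/Keychains/System.keychain"
    "labl"<blob>="Apple Worldwide Developer Relations Certification Authority"
SHA-1 hash: CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
keychain: "/Users/dev/Library/Keychains/login.keychain-db"
    "labl"<blob>="Apple Worldwide Developer Relations Certification Authority"
SHA-1 hash: BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
keychain: "/Users/dev/Library/Keychains/login.keychain-db"
    "labl"<blob>="Developer ID Certification Authority"'

# Emits "DUPLICATE<TAB>name<TAB>keychains" and "MULTIPLE_VERSIONS<TAB>name<TAB>count".
find_duplicates() {
    awk '
        /^SHA-1 hash: / { hash = $3 }
        /^keychain: /   { kc = $0; sub(/^keychain: "/, "", kc); sub(/"$/, "", kc) }
        /"labl"<blob>="/ {
            label = $0; sub(/^.*"labl"<blob>="/, "", label); sub(/"$/, "", label)
            name[hash] = label
            if (!((hash, kc) in seen)) {          # same cert, new keychain
                seen[hash, kc] = 1; copies[hash]++
                where[hash] = ((hash in where) ? where[hash] ", " : "") kc
            }
            if (!((label, hash) in ver)) {        # same name, new hash
                ver[label, hash] = 1; versions[label]++
            }
        }
        END {
            for (h in copies)   if (copies[h] > 1)   printf "DUPLICATE\t%s\t%s\n", name[h], where[h]
            for (l in versions) if (versions[l] > 1) printf "MULTIPLE_VERSIONS\t%s\t%d\n", l, versions[l]
        }'
}

printf '%s\n' "$CERT_SAMPLE" | find_duplicates
```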