Relative framework paths, the Hardened Runtime and Notarization - macos

After successfully notarizing my app around a dozen times and it working just fine, it now goes through notarization without a hitch and then crashes on launch with:
Dyld Error Message:
Library not loaded: @loader_path/../Frameworks/ShortcutRecorder.framework/Versions/A/ShortcutRecorder
Referenced from: /Applications/Vitamin-R 3.app/Contents/MacOS/Vitamin-R 3
Reason: no suitable image found. Did find:
/Applications/Vitamin-R 3.app/Contents/MacOS/../Frameworks/ShortcutRecorder.framework/Versions/A/ShortcutRecorder: code signing blocked mmap() of '/Applications/Vitamin-R 3.app/Contents/MacOS/../Frameworks/ShortcutRecorder.framework/Versions/A/ShortcutRecorder'
/Applications/Vitamin-R 3.app/Contents/MacOS/../Frameworks/ShortcutRecorder.framework/Versions/A/ShortcutRecorder: code signing blocked mmap() of '/Applications/Vitamin-R 3.app/Contents/MacOS/../Frameworks/ShortcutRecorder.framework/Versions/A/ShortcutRecorder'
/Applications/Vitamin-R 3.app/Contents/MacOS/../Frameworks/ShortcutRecorder.framework/Versions/A/ShortcutRecorder: stat() failed with errno=1
file system relative paths not allowed in hardened programs
Thing is, I'm not sure where exactly the runtime path for a framework is determined. I keep the framework in ~/Library/Frameworks/ on my development machine, but then it's copied into the app bundle and I'm not quite sure what determines the path at runtime.
Any help would be appreciated.

This could be a codesign certificate issue... Fix it by:
Open Keychain Access: My Certificates > "Right Click" Certificate > Get Info > Trust > When using this certificate > Use System Defaults

I had exactly the same issue. The solution was to add the framework to the 'Copy Files' build step as well. There you can define the destination to 'Frameworks'.
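The path dyld tries at runtime is the install name recorded in the executable's LC_LOAD_DYLIB load commands, which is why a framework that was never copied into the bundle fails to load. The sketch below is an added example, not code from the posts above; it lists those names and reports the ones that resolve to no file on disk. It assumes a thin 64-bit little-endian Mach-O and that the file checked is the main executable (so @loader_path and @executable_path are the same directory); all function names are illustrative, and `build_sample_macho` only constructs test input.

```python
import os
import struct

MH_MAGIC_64, LC_LOAD_DYLIB, LC_RPATH = 0xFEEDFACF, 0xC, 0x8000001C

def load_paths(macho):
    """Return (install names, rpaths) from a thin 64-bit little-endian Mach-O."""
    magic, _, _, _, ncmds, _, _, _ = struct.unpack_from("<8I", macho, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a thin 64-bit little-endian Mach-O")
    dylibs, rpaths, off = [], [], 32
    for _ in range(ncmds):
        cmd, size = struct.unpack_from("<2I", macho, off)
        if size < 8:
            raise ValueError("malformed load command")
        if cmd in (LC_LOAD_DYLIB, LC_RPATH):
            # Both commands store their string at an offset from the command start.
            (str_off,) = struct.unpack_from("<I", macho, off + 8)
            text = macho[off + str_off:off + size].split(b"\0", 1)[0].decode()
            (dylibs if cmd == LC_LOAD_DYLIB else rpaths).append(text)
        off += size
    return dylibs, rpaths

def expand(path, exe_dir):
    """Substitute dyld's tokens; for the main executable both mean its directory."""
    for token in ("@loader_path", "@executable_path"):
        if path == token or path.startswith(token + "/"):
            return os.path.normpath(exe_dir + path[len(token):])
    return path

def missing_dependencies(exe_path):
    """Install names that resolve to no file on disk (OS libraries are skipped)."""
    with open(exe_path, "rb") as f:
        dylibs, rpaths = load_paths(f.read())
    exe_dir, missing = os.path.dirname(os.path.abspath(exe_path)), []
    for name in dylibs:
        if name.startswith(("/usr/lib/", "/System/")):
            continue
        if name.startswith("@rpath/"):
            tries = [os.path.join(expand(r, exe_dir), name[7:]) for r in rpaths]
        else:
            tries = [expand(name, exe_dir)]
        if not any(os.path.isfile(t) for t in tries):
            missing.append(name)
    return missing

def build_sample_macho(names, rpaths=()):
    """Constructed sample input: a Mach-O header followed only by load commands."""
    cmds = b""
    for cmd, paths, hdr in ((LC_LOAD_DYLIB, names, 24), (LC_RPATH, rpaths, 12)):
        for p in paths:
            size = (hdr + len(p) + 1 + 7) & ~7   # NUL-terminated, 8-byte aligned
            fixed = struct.pack("<3I", cmd, size, hdr).ljust(hdr, b"\0")
            cmds += (fixed + p.encode()).ljust(size, b"\0")
    count = len(names) + len(rpaths)
    return struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, count, len(cmds), 0, 0) + cmds
```

Run `missing_dependencies()` on the built app's `Contents/MacOS/<name>` before signing; an empty list means every bundled dependency is where the load commands say it is.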

Related

Error "SteamAPI_Init() failed; ipcserver init failed" when game tries to init Steam on Mac

Full error log is:
[S_API FAIL] SteamAPI_Init() failed; ipcserver init failed .
[S_API] SteamAPI_Init(): SteamAPI_IsSteamRunning() did not locate a running instance of Steam.
[S_API] SteamAPI_Init(): Could not determine Steam client install directory.
Not sure why this is happening. I'm definitely running Steam, have the steam_appid.txt file in the executable's directory, etc.
Ideas...?
Finally figured it out. I needed to remove "App Sandbox" from my project target's "Signing and Capabilities". Looks like sandboxing isn't compatible with Steam builds.
In addition, enabling "Hardened Runtime" is required for Notarizing, which is recommended I guess. But then I needed to check "Disable Library Validation", otherwise I'd get code-signing errors (lack of signing actually) for libsteam_api.dylib.
Hope those two bits help others save some head-banging.

What's different between open App.app file and App.app/contents/MacOS/Electron on MacOS?

I have an Electron application. It is an updater that downloads another application and toolchain. I can't open it with open Updater.app. However, I can use Updater.app/contents/MacOS/Electron to open it.
Here is the log:
Non-fatal error enumerating at <private>, continuing: Error Domain=NSCocoaErrorDomain Code=260 "未能打开文件“PlugIns”,因为它不存在。"
UserInfo={
NSURL=PlugIns/ -- file:///private/var/folders/xn/08sc_nts0n11yyw_3ddlngdh0000gn/T/AppTranslocation/A0F3B185-B4AB-4CC8-A3C5-86DAA22043D5/d/Updater.app/Contents/,
NSFilePath=/private/var/folders/xn/08sc_nts0n11yyw_3ddlngdh0000gn/T/AppTranslocation/A0F3B185-B4AB-4CC8-A3C5-86DAA22043D5/d/Updater.app/Contents/PlugIns,
NSUnderlyingError=0x7fd1d2d13fe0 {Error Domain=NSPOSIXErrorDomain Code=2 "No such file or directory"}
}
I would like to know the difference between Updater.app and Updater.app/contents/MacOS/Electron.
Updater.app is a macOS App Bundle. App Bundles are Apple's way of packaging a program - each one is basically just a folder containing an executable program and all the configuration files, helper executables, images, shipped libraries, and other resources the program needs to run.
In your case, Updater.app/Contents/MacOS/Electron is probably the main executable of the app - <App>/Contents/MacOS/ is usually the location of an App Bundle's main executable.
For further reading, look over this answer which further explains the general concept of a macOS App Bundle.

How to troubleshoot when Safari App Extension not appear in Safari Preferences?

I'm developing a Safari App Extension. Previously it worked fine. When I run the project in Xcode, and enable Allow Unsigned Extensions in Safari, I can see my extension in Safari Preferences -> Extensions page.
After I merged code with one of my team members, suddenly the extension could not be installed.
I have tried:
Cleaning the build folder in Xcode and running again. But no luck.
Restarting Xcode doesn't help either.
Using the command pluginkit -mAvvv -p com.apple.Safari.extension to check the list of installed Safari extensions. My extension is not in the list.
There are some errors in Xcode output, but I can't link them with the issue I'm facing:
objc[49476]: Class AMSupportURLConnectionDelegate is implemented in both /System/Library/PrivateFrameworks/EmbeddedOSInstall.framework/Versions/A/EmbeddedOSInstall (0x7fff9a2aa748) and /System/Library/PrivateFrameworks/MobileDevice.framework/Versions/A/MobileDevice (0x108db2600). One of the two will be used. Which one is undefined.
objc[49476]: Class AMSupportURLSession is implemented in both /System/Library/PrivateFrameworks/OSPersonalization.framework/Versions/A/OSPersonalization (0x7fff9b5d49f0) and /System/Library/PrivateFrameworks/MobileDevice.framework/Versions/A/MobileDevice (0x108db2650). One of the two will be used. Which one is undefined.
2018-12-13 16:25:46.003099+0800 Safari[49476:1264277] Could not connect action, target class SecurityPreferences does not respond to -toggleJavaScriptCanOpenWindows:
2018-12-13 16:25:46.163130+0800 Safari[49476:1264277] AssertMacros: 0 (value = 0x0), file: /BuildRoot/Library/Caches/com.apple.xbs/Sources/BiometricKit/BiometricKit-75.71.1/BiometricKit/BiometricKitXPCClient.m, line: 75
2018-12-13 16:25:46.163219+0800 Safari[49476:1264277] AssertMacros: 0 (value = 0x0), file: /BuildRoot/Library/Caches/com.apple.xbs/Sources/BiometricKit/BiometricKit-75.71.1/BiometricKit/BiometricKitXPCClient.m, line: 396
2018-12-13 16:25:46.163465+0800 Safari[49476:1264277] [Framework-Internal-Legacy] AssertMacros: _xpcClient (value = 0x0), file: /BuildRoot/Library/Caches/com.apple.xbs/Sources/BiometricKit/BiometricKit-75.71.1/BiometricKit/BiometricKit.m, line: 137
2018-12-13 16:25:47.060959+0800 Safari[49476:1264368] [RemotePlistController] The downloaded plist could not be loaded: Error Domain=NSCocoaErrorDomain Code=260 "The file couldn’t be opened because it doesn’t exist."
2018-12-13 16:25:47.128105+0800 Safari[49476:1264277] Scheduling the NSURLConnection loader is no longer supported.
2018-12-13 16:25:47.491811+0800 Safari[49476:1264370] NSURLConnection finished with error - code -1100
2018-12-13 16:25:47.799590+0800 Safari[49476:1264514] [CloudBookmarks] Error fetching remote migration state: Error Domain=com.apple.SafariBookmarksSync.CloudBookmarksErrorDomain Code=0 "(null)"
2018-12-13 16:25:47.953259+0800 Safari[49476:1264277] [WebKit2Callbacks] Page (pid: 0) did become unresponsive
2018-12-13 16:25:47.970927+0800 Safari[49476:1264512] NSURLConnection finished with error - code -1100
2018-12-13 16:25:48.032647+0800 Safari[49476:1264425] [RemotePlistController] The downloaded plist could not be loaded: Error Domain=NSCocoaErrorDomain Code=260 "The file couldn’t be opened because it doesn’t exist."
2018-12-13 16:25:48.125530+0800 Safari[49476:1264426] Calling IOPPFGetProperty simulator_utility_clamp!
2018-12-13 16:25:48.840769+0800 Safari[49476:1264277] [WebKit2Callbacks] Page (pid: 49481) did become responsive
Now I'm running out of options. There is a lack of official documentation on the Apple Developer site.
Are there regular steps to troubleshoot this kind of issue? Are there any system logs which can help me address the error? Any suggestion is appreciated.
Make sure that the extension .appex is listed as embedded content for your App Extension target. Otherwise it doesn't get bundled when you build from Xcode. Look in the project editor under Target_Name > General > Frameworks, Libraries and Embedded Content. The extension should be listed there.
Also check under the Build Phases tab > Dependencies that your extension is added there as well.
Check to see if the code signature of your app is valid. Safari will refuse to list your extension otherwise. Run codesign on your built app as follows:
codesign -d --verify --verbose=3 ~/Library/Developer/Xcode/DerivedData/OnePassword-epeydspviethpabprcrsqenrkiin/Build/Products/Debug_WebStore/1Password\ 7.app
It should show valid on disk and satisfies its Designated Requirement. If it doesn't, Safari will ignore your extension completely, even when Allow Unsigned Extensions is enabled.
I had a similar problem more recently after updating to Xcode 13.2.1 and, I think, a macOS update. The Safari web extensions I was developing stopped showing up in Safari (even with unsigned extensions enabled).
In a Terminal/CLI shell, I ended up running:
PATH=/System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support:"$PATH"
lsregister -f /Applications/Safari.app
And suddenly my extensions started showing up again in Safari. Something screwy happened with Safari and LaunchServices.

A sealed resource is missing or invalid

I'm trying to deploy my game made with Unity on the Mac App Store, but got this error during the validation process. I don't know how to correct it. Do you have any ideas, please?
Invalid Signature - The main app bundle Kissoro at path Kissoro.app
has following signing error(s):
--prepared:/Volumes/data01/app_data/dstr/mz_8224354388357841556dir/mz_8662652241696651587dir/com.masseka.game.studio.Kissoro.pkg/Payload/Kissoro.app/Contents/Frameworks/libcrypto.dylib
--validated:/Volumes/data01/app_data/dstr/mz_8224354388357841556dir/mz_8662652241696651587dir/com.masseka.game.studio.Kissoro.pkg/Payload/Kissoro.app/Contents/Frameworks/libcrypto.dylib
--prepared:/Volumes/data01/app_data/dstr/mz_8224354388357841556dir/mz_8662652241696651587dir/com.masseka.game.studio.Kissoro.pkg/Payload/Kissoro.app/Contents/Frameworks/libssl.dylib
--validated:/Volumes/data01/app_data/dstr/mz_8224354388357841556dir/mz_8662652241696651587dir/com.masseka.game.studio.Kissoro.pkg/Payload/Kissoro.app/Contents/Frameworks/libssl.dylib
--prepared:/Volumes/data01/app_data/dstr/mz_8224354388357841556dir/mz_8662652241696651587dir/com.masseka.game.studio.Kissoro.pkg/Payload/Kissoro.app/Contents/Frameworks/Mono/MonoEmbedRuntime/osx/libmono.0.dylib
--validated:/Volumes/data01/app_data/dstr/mz_8224354388357841556dir/mz_8662652241696651587dir/com.masseka.game.studio.Kissoro.pkg/Payload/Kissoro.app/Contents/Frameworks/Mono/MonoEmbedRuntime/osx/libmono.0.dylib
--prepared:/Volumes/data01/app_data/dstr/mz_8224354388357841556dir/mz_8662652241696651587dir/com.masseka.game.studio.Kissoro.pkg/Payload/Kissoro.app/Contents/Frameworks/Mono/MonoEmbedRuntime/osx/libMonoPosixHelper.dylib
--validated:/Volumes/data01/app_data/dstr/mz_8224354388357841556dir/mz_8662652241696651587dir/com.masseka.game.studio.Kissoro.pkg/Payload/Kissoro.app/Contents/Frameworks/Mono/MonoEmbedRuntime/osx/libMonoPosixHelper.dylib
/Volumes/data01/app_data/dstr/mz_8224354388357841556dir/mz_8662652241696651587dir/com.masseka.game.studio.Kissoro.pkg/Payload/Kissoro.app:
a sealed resource is missing or invalid . Refer to the Code Signing
and Application Sandboxing Guide at
http://developer.apple.com/library/mac/#documentation/Security/Conceptual/CodeSigningGuide/AboutCS/AboutCS.html
and Technical Note 2206 at
https://developer.apple.com/library/mac/technotes/tn2206/_index.html
for more information.
All you have to do is manually codesign every file in the Contents/Frameworks and Contents/Plugins directories inside the .app file and delete all .meta files inside your plugin. After you do these steps, codesign the whole .app file once more and create a package, which you can upload to iTunes Connect without the warning mentioned above.
More info: https://forum.unity.com/threads/signing-mac-app-on-os-x-mavericks.206762/
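The order matters because the app's signature seals its nested content: deleting a .meta file or re-signing a library after the outer bundle is signed invalidates that seal. The following added example (not code from the answer or from Unity) plans the steps for a bundle laid out as in the error above. It assumes nested code means .dylib files and .framework/.bundle directories under Contents/Frameworks and Contents/Plugins; the function names and the identity string are placeholders.

```python
import os

def plan_signing(app_path):
    """Return (meta_files, sign_order); sign_order lists nested code deepest first."""
    contents = os.path.join(app_path, "Contents")
    meta, code = [], []
    for entry in sorted(os.listdir(contents)):
        # Match the directory names case-insensitively (Plugins vs PlugIns).
        if entry.lower() not in ("frameworks", "plugins"):
            continue
        for dirpath, dirnames, filenames in os.walk(os.path.join(contents, entry)):
            for name in filenames:
                full = os.path.join(dirpath, name)
                if name.endswith(".meta"):
                    meta.append(full)        # to be deleted before signing
                elif name.endswith(".dylib") and not os.path.islink(full):
                    code.append(full)
            for name in dirnames:
                if name.endswith((".framework", ".bundle")):
                    code.append(os.path.join(dirpath, name))
    # A deeper path must be signed before anything that contains it.
    code.sort(key=lambda p: (-p.count(os.sep), p))
    return sorted(meta), code + [app_path]

def codesign_commands(app_path, identity):
    """argv lists to run in order, once the .meta files have been deleted."""
    _, order = plan_signing(app_path)
    return [["codesign", "--force", "--sign", identity, p] for p in order]
```

After running the commands, `codesign --verify --deep --strict` on the .app confirms that the seal covers the final contents.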

How to solve "Application failed codesign verification" when uploading to iTunes Connect?

I've got a problem that I couldn't solve with a deep search in different resources, as most of the "similar" ones point to an error with Icon.png size, etc...
I've tried to upload my application after verifying that:
Correctly builds and run on my device
That my certificates are installed properly
That my certs / profiles are not expired.
That the Icon.png has the proper size and format of 57x57 PNG.
And several other things.
Ran codesign --verify -vvvv MyApp.app which worked fine.
My ZIP File was properly done
When I've tried to upload through the iTunes connect interface I got the simple error above, and that's why I tried with ApplicationLoader, to try and find out what's causing the error looking at the console.
The console showed the following:
16/02/10 13:25:52 ApplicationLoader[549] *** Codesign error (please ignore invalid option comments): got requirements(0x800000, 534)
Executable=/var/folders/WZ/WZu24JnOGNe9L79GWq0IlU+++TI/-Tmp-/MyApp.zip/MyApp.app/MyApp
Identifier=com.realtimed.MyApp
Format=bundle with Mach-O thin (armv6)
CodeDirectory v=20100 size=829 flags=0x0(none) hashes=33+5 location=embedded
Signature size=4333
Authority=iPhone Developer: My Name (XXXXXXXXX)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=16/02/2010 13:22:24
Info.plist entries=17
Sealed Resources rules=3 files=28
Internal requirements count=1 size=144
Executable=/var/folders/WZ/WZu24JnOGNe9L79GWq0IlU+++TI/-Tmp-/MyApp.zip/MyApp.app/MyApp
got entitlements(0x800400, 317)
codesign_wrapper-0.7.3: using Apple CA for profile evaluation
codesign_wrapper-0.7.3: Caling codesign with the following args:
codesign_wrapper-0.7.3: /usr/bin/codesign
codesign_wrapper-0.7.3: --verify
codesign_wrapper-0.7.3: -vvvv
codesign_wrapper-0.7.3: -R=anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.1] exists and certificate leaf[field.1.2.840.113635.100.6.1.4] exists
codesign_wrapper-0.7.3: --entitlements
codesign_wrapper-0.7.3: /var/tmp/signingbox/codesign_wrapper_entitlements.plist
codesign_wrapper-0.7.3: /var/folders/WZ/WZu24JnOGNe9L79GWq0IlU+++TI/-Tmp-/MyApp.zip/MyApp.app
**/var/folders/WZ/WZu24JnOGNe9L79GWq0IlU+++TI/-Tmp-/MyApp.zip/MyApp.app: valid on disk
/var/folders/WZ/WZu24JnOGNe9L79GWq0IlU+++TI/-Tmp-/MyApp.zip/MyApp.app: satisfies its Designated Requirement
test-requirement: failed to satisfy code requirement(s)
codesign_wrapper-0.7.3: failed to execute codesign(1)**
Any help / feedback or ideas on how to solve the situation would be highly appreciated.
I found the solution to this problem after deeply looking at the log file.
Although I created my own Distribution Profile and assigned to the CODE SIGNING IDENTITY the correct value for the developer certificate, it didn't work giving me an error: "Application failed codesign verification".
The problem is at the following line:
Authority=iPhone Developer: My Name (XXXXXXXXX)
Despite the correct selection in the project settings for the Distribution profile, XCode was compiling it with the developer certificate.
I finally solved it: Right click on the "Targets" -> Get info -> and there it was selected (don't ask me why) the wrong distribution certificate instead of the right one.
I corrected that and it finally was accepted.
Related links (you need a developer account): https://devforums.apple.com/message/147964
Excellent post. I too was having this trouble and after much headache realized that both the Project AND the Target should be checked for using the correct Code Signing Identity. Somehow Xcode was reverting back to the Developer Provisioning Profile instead of the Distribution Provisioning Profile. It even did so on a build right after I had deliberately selected the correct one!
I. To be safe, first do the following:
Clean all builds.
Delete contents of build folder in finder.
Delete existing code signing identities from the project and target settings.
Restart Xcode.
II. Then check the Project for the correct Provisioning Profile:
Go to Project Settings > Build Tab > Code Signing Identity
Select the appropriate Distribution Provisioning Profile
III. Now check the Target:
Target > Get Info > Build Tab > Code Signing Identity
Select the appropriate Distribution Provisioning Profile
IV. Cross fingers and hope you never see that blasted little yellow triangle again.
Cy took the right approach for solving this problem - When "Application failed codesign verification" is a build warning, expand that item in the build log and scan for the root cause of the failed signature verification.
In the case of Cy.'s original post you'll see that the root issue was "test-requirement: failed to satisfy code requirement(s)", and in my experience this is almost always caused by signing with the wrong certificate i.e. an iPhone Developer profile instead of iPhone Distribution.
The root cause is not always an obvious explanation, but should guide you at least with additional search terms or troubleshooting ideas.
For others experiencing the "Application failed codesign verification" during Xcode Archive Validation or Submission, look to the build log at Product > Archive time for a build warning by the same title and expand that for the root cause. Then take a look at Apple's complete list of potential causes of this error at the following URL "How do I resolve the error: Application failed codesign verification?"
Check that the TARGET (and not only the Project) is set up with the correct Code Signing Identity for Release.
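The log reading described in the answers above can be automated: the signature is intact ("valid on disk") yet the upload requirement fails, and the first Authority line shows which certificate actually signed the build. This is an added example, not part of any post; `triage_codesign_log` and its verdict strings are illustrative, and `SAMPLE_LOG` is an excerpt constructed from the log quoted in the question.

```python
import re

# Constructed excerpt of the ApplicationLoader log quoted in the question.
SAMPLE_LOG = """\
Identifier=com.realtimed.MyApp
Authority=iPhone Developer: My Name (XXXXXXXXX)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
MyApp.app: valid on disk
MyApp.app: satisfies its Designated Requirement
test-requirement: failed to satisfy code requirement(s)
"""

def triage_codesign_log(log, expected_leaf="iPhone Distribution"):
    """Classify a codesign log; returns (verdict, leaf_authority)."""
    # codesign prints the certificate chain leaf first, root last.
    chain = re.findall(r"^[ \t*]*Authority=(.+?)\s*$", log, re.M)
    leaf = chain[0] if chain else None
    if not chain or "valid on disk" not in log:
        return "signature missing or broken", leaf
    if not leaf.startswith(expected_leaf):
        # Intact signature made with a different certificate than the one
        # the upload check expects (the case in the question).
        return "valid signature, wrong signing identity", leaf
    if "failed to satisfy code requirement" in log:
        return "right identity, requirement failed for another reason", leaf
    return "ok", leaf
```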
