codesign throws err 'errSecInternalComponent' - xcode

I am getting errSecInternalComponent when running the codesign command.
If I go to the keychain and change the certificate to always trust and run the codesign command again, I get:
Warning: unable to build chain to self-signed root for signer "Developer ID Application: xxxxxx (xxxxxx)"
./workspace/Myapp.app: errSecInternalComponent
The first time this happened was when I exported the developer certificate from another macOS machine and imported it. Then I tried deleting the keychains, recreating them, and installing the Apple root certificates, but I am still getting the same error.
Finally, I generated a new developer certificate and added it to the keychain, but it is still not working.
I am not sure what's different about this Mac. It's running Mojave now. When the problem first happened it was running High Sierra.

There could be many possible reasons for this error. Two frequent issues are:
The codesign tool does not have access to the keychain item. Either explicitly give access to codesign or allow all applications to access it.
Unlock the keychain: security unlock-keychain <Full path to keychain>
You can get the full path using: security list-keychains

There were two problems:
I had duplicate identities in my keychain, which is the same as this:
Duplicate identity after importing single certificate in OSX 10.10.3
The access permissions for the private key need to allow codesign or allow all.

Not exactly the same issue, but we encountered an errSecInternalComponent during a build on Jenkins. Increasing the timeout after which the keychain is closed again fixed it.
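The keychain checks from the answers above (unlock, a longer auto-lock timeout, key access for codesign) combined into one script for an unattended build. This is an added example, not code from the original posts; the function name, the KEYCHAIN_PATH and KEYCHAIN_PASSWORD variables and the 7200-second default are assumptions.

```shell
#!/bin/sh
# Added example: prepare a dedicated signing keychain for a CI job.
# Assumed names: prepare_signing_keychain, KEYCHAIN_PATH, KEYCHAIN_PASSWORD.
# Note: -p/-k put the password on the command line, where other local users
# can see it in the process list; use a throwaway CI keychain and password.

prepare_signing_keychain() {
    keychain=$1
    password=$2
    timeout=${3:-7200}   # assumed default: two hours

    # 1. Unlock, so codesign is not blocked by a prompt nobody can answer.
    security unlock-keychain -p "$password" "$keychain" || return 1

    # 2. Auto-lock only after $timeout seconds (-u enables the timer), so a
    #    long build does not lose the keychain halfway through.
    security set-keychain-settings -u -t "$timeout" "$keychain" || return 1

    # 3. Let Apple-signed tools, codesign included, use the signing keys
    #    without a per-key "Allow" dialog (macOS 10.12 and later).
    security set-key-partition-list -S apple-tool:,apple: -s \
        -k "$password" "$keychain" >/dev/null || return 1

    # 4. Fail early if no valid code-signing identity is visible.
    security find-identity -v -p codesigning "$keychain" |
        grep -q '^ *[0-9][0-9]*) ' || {
            echo "no valid code-signing identity in $keychain" >&2
            return 2
        }
}

# Runs only when the CI job names a keychain.
if [ -n "${KEYCHAIN_PATH:-}" ]; then
    prepare_signing_keychain "$KEYCHAIN_PATH" "$KEYCHAIN_PASSWORD"
fi
```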

Related

FileMaker Pro 18 Runtime Apple Developer Certificate

I need to create a certified runtime from my FileMaker application, which requires an Apple Developer Certificate. I purchased the certificate and followed some instructions on how I can sign my application with the certificate.
I created it in the keychain (following the official Apple documentation) and it appears to be okay, here's a screenshot:
It's shown as active. Then I followed this instruction and modified the script, but if I try to access my certificate I always get the error:
error the specified item could not be found in the keychain
This error occurs in the following line of the script:
codesign -f -vvvv -s "Developer ID Installer: Dieter K****** (D********)"
I can't find any errors in the syntax of my script, all other steps work fine.
You may need to use the "Developer ID Application" certificate.
Refer to this video: https://www.youtube.com/watch?v=pBsFCrI_wXA

Codesign Failed Compiling for openFrameworks

I continually get a codesign failure when compiling an openFrameworks (C++) program.
I found quite a few people with similar problems but the solutions did not work for me. Here is what I have done, informed by other forum entries:
Create a new Self Signed Root certificate for Code Signing in my keychain
Log out of and back into my keychain
Create a new keychain, switch the default keychain, change the password of the original keychain, change the default keychain back to the original, log back into the main keychain
Export my certificate and private key together in a .p12 file and then import into keychain (also repeated this process with deleting the original certificate and key before importing)
Export the certificate from Xcode (for a planned re-import) but I get "The operation could not be completed // No other information about is available about the problem" (the most unhelpful error message I've ever seen)
"Export Apple ID and Code Signing Assets" and then import of the same (all in Xcode)
Every combination (I think) of the Signing settings in the project
I had a developer account years ago and I wonder if somehow this is interfering with the process. I tried to access my certificates on the Apple Developer site but I don't have access to this portion of the service because my membership is expired.
This error occurs with any openFrameworks example I try as well as a new, blank sketch.
The full error message:
CodeSign bin/mySketchDebug.app
cd /Users/myusername/Documents/of_v0.10.1_osx_release/apps/myApps/mySketch
export CODESIGN_ALLOCATE=/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate
Signing Identity: "-"
/usr/bin/codesign --force --sign - --entitlements /Users/myusername/Library/Developer/Xcode/DerivedData/mySketch-etqpupvbyiamwodjeeyxogbqszyj/Build/Intermediates.noindex/mySketch.build/Debug/mySketch.build/mySketchDebug.app.xcent --timestamp=none /Users/myusername/Documents/of_v0.10.1_osx_release/apps/myApps/mySketch/bin/mySketchDebug.app
/Users/myusername/Documents/of_v0.10.1_osx_release/apps/myApps/mySketch/bin/mySketchDebug.app: code object is not signed at all
In subcomponent: /Users/myusername/Documents/of_v0.10.1_osx_release/apps/myApps/mySketch/bin/mySketchDebug.app/Contents/Frameworks/libfmodex.dylib
Command /usr/bin/codesign failed with exit code 1
This is a known problem with openFrameworks <= 0.10.1 and Xcode 11+. It is due to an unsigned libfmodex library. This is fixed in the nightly release and in future releases of oF. Please see the following posts for references:
https://forum.openframeworks.cc/t/cant-build-getting-build-failed-with-any-example-code-sign-error/33668/2
https://forum.openframeworks.cc/t/cant-run-examples-in-xcode-signing-issue-with-libfmodex-dylib/33463/4

Build Failed While creating package .pkg file

I am creating a .pkg file using “Packages” application.
Previously I was able to create the .pkg file with a certificate as well, but now this gives me a Build Failed error, while if I remove the certificate then I can build the .pkg.
I am not even able to get any error log for the error message. If anyone has a better tool or method to create a package file and dmg file, please tell me.
It is my understanding that signing with Packages presently does not work well. I think there is something in the manual about that, in fact. I build my package with Packages first, then sign it with productsign --sign <sign-id> <src-path> <dst-path>. The <sign-id> should be your "Developer ID Installer" identity, I think. This has been working well for me. You can then verify that the signing worked using spctl -a -v --type install <path>, where <path> is the path to the signed package made by productsign.
cd /location to app
productbuild --component "appname.app" /Applications --sign "3rd Party Mac Developer Installer: Company Name Private Limited" --product "appname.app/Contents/Info.plist" "appname.pkg"
Try the PackageMaker application; it is good.
Use the above command in the terminal and your pkg will be good to go.
I got the cause of this error.
The problem was in my keychain; I had been facing this issue since I updated my OS to 10.12.3. To resolve this I checked my keychain, where I found my Installer certificate in the "Login" part (see image 1).
image 1:
So I copied this certificate into the System part as well (see image 2). All the problems went away. If I face this issue again at any time, I will check the keychain again. Problem solved.
image 2:

Signing mac installer (pkgmaker)

My installer is created using PackageMaker. After that I codesigned the installer using the following command.
productsign --sign 'Blah, Inc.' Install.mpkg/ CS/Install.mpkg
This seems to work pretty well and I could see that it is signed using the following command.
pkgutil --check-signature Install.mpkg
Since the certificate is installed on my system in the keychain, the installer seems to show a little lock in the top right corner. Clicking this opens up the certificate.
If the installer is placed in a system without the certificate installed the lock is no longer seen. However I could still run the command to check for certificate.
1) Is there a graphical way to check for code signing before installing? (I do not want to run command line)
2) I removed a folder from the mpkg file using finder to see if the installer will complain of tampering. But that does not happen. Is there a way the installer can stop install if it is tampered?
3) I also code signed all the binaries in my package (mostly daemons) using xcode's option to use certificate. Again I am able to see the binary as signed, however I do get a message
kernel[0]: CODE SIGNING: cs_invalid_page(0x1000): p=224[MyDaemon] clearing CS_VALID.
Googling, I found http://feedback.photoshop.com/photoshop_family/topics/photoshop_13_0_4_x64_how_can_i_get_rid_of_the_could_not_complete_your_request_because_of_a . However I am still not very clear what they are getting at. Could someone help me?
You can sign .mpkg packages but you must sign it with the Developer ID Application cert and not the Developer ID Installer cert.
When you sign the .mpkg you get a number of warnings that the inner packages must be signed, but the signing seems to be valid with or without the inner .pkg signed.
I have tested that modifying an internal .pkg causes the .mpkg to fail the Gatekeeper check.
So for each of the internal .pkg files you should:
sudo productsign --sign "<Developer ID Installer: Cert>" "<source.mpkg>/Contents/Packages/<source.pkg>" "<destination.mpkg>/Contents/Packages/<source.pkg>"
and then for the .mpkg do:
sudo productsign --sign "<Developer ID Application: Cert>" "<Source .mpkg>" "<Destination .mpkg>"
You can sign only flat packages. Your package has extension .mpkg which I believe is the older bundle format. Make sure you are using flat packages if you want to sign them.

Cannot sign app in Xcode CSSMERR_TP_NOT_TRUSTED

I have downloaded and installed the WWDR certificate. I have tried setting it to Always Trust and system defaults.
When I try to archive my app I get the CSSMERR_TP_NOT_TRUSTED error.
If I try signing manually I get the same:
/usr/bin/codesign --force --sign "3rd Party Mac Developer Application: XX XXX-XXX" /Users/XXX/Library/Developer/Xcode/DerivedData/XXX-fivqootinaolitdbpxccqykoaoqs/ArchiveIntermediates/XXX/InstallationBuildProductsLocation/Users/XXX/Applications/XXX.app
/Users/xxx/Library/Developer/Xcode/DerivedData/xxx-fivqootinaolitdbpxccqykoaoqs/ArchiveIntermediates/xxx/InstallationBuildProductsLocation/Users/xxx/Applications/xxx.app: replacing invalid existing signature
/Users/xxx/Library/Developer/Xcode/DerivedData/xxx-fivqootinaolitdbpxccqykoaoqs/ArchiveIntermediates/xxx/InstallationBuildProductsLocation/Users/xxx/Applications/xxx.app: CSSMERR_TP_NOT_TRUSTED
BUT
If I use
sudo /usr/bin/codesign --force --sign
Then it works....
The key is installed in keychain access in the 'login' chain.
Obishawn used one of the suggestions provided by Apple in the following steps published to troubleshoot this error - How do I resolve the CodeSign error: CSSMERR_TP_NOT_TRUSTED?
For others experiencing this build error -
CSSMERR_TP_NOT_TRUSTED
the above guide covers a more broad range of potential causes. The error can also occur at Xcode Archive > Share, Validate, or Submit time, and the above steps to resolve it are the same.
Ok, I finally figured mine out. I had the WWDR certificate in my login keychain and my System keychain. I deleted both and reimported a fresh one from Apple and everything works now. I can codesign without using sudo and MonoDevelop can fully compile for distribution and upload to my devices.
My two cents on that problem:
I had to fight with it for some hours. Here is what I had to fix to have codesign do its job:
Ensure that certificates are not duplicated between the login and the system keychain
Ensure no old / expired / revoked versions of the certificates exist in any keychain
Ensure all certificates have "system default" trust policy. If one is set to "always trust", then codesign will fail.
This last point was found on a machine that was migrated to Xcode 8.2 recently. It might be a new behavior of Xcode 8.
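One way to check for the duplicated identities mentioned in this answer and in the errSecInternalComponent thread above. This is an added example, not code from the original posts; the function name and the sample output (hashes, names, team IDs) are constructed.

```shell
#!/bin/sh
# Added example: flag code-signing identities that are listed more than
# once by:  security find-identity -v -p codesigning
# Reads that output on stdin and prints one line per problem:
#   DUPLICATE <name>  same SHA-1 listed twice (identity in two keychains)
#   AMBIGUOUS <name>  same name, different SHA-1 (e.g. old + renewed cert)
# Returns 1 when anything is flagged, 0 otherwise.
check_identities() {
    report=$(awk '
        # Identity lines look like:  1) <SHA-1 in hex> "<certificate name>"
        /^ *[0-9]+\) [0-9A-Fa-f]+ "/ {
            sha = toupper($2)
            name = $0
            sub(/^[^"]*"/, "", name)   # drop everything up to the first quote
            sub(/"[^"]*$/, "", name)   # drop the closing quote and any suffix
            if (seen[name SUBSEP sha]++) dup[name] = 1
            else distinct[name]++
        }
        END {
            for (n in distinct) {
                if (n in dup)        print "DUPLICATE " n
                if (distinct[n] > 1) print "AMBIGUOUS " n
            }
        }' | sort)
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
}

# Constructed sample output; hashes and names are made up.
SAMPLE='  1) AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA "Developer ID Application: Example Corp (ABCDE12345)"
  2) AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA "Developer ID Application: Example Corp (ABCDE12345)"
  3) BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB "Developer ID Installer: Example Corp (ABCDE12345)"
  4) CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC "Developer ID Installer: Example Corp (ABCDE12345)"
  5) DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD "Apple Development: Jane Doe (XYZ9876543)"
     5 valid identities found'

# On a Mac: security find-identity -v -p codesigning | check_identities
printf '%s\n' "$SAMPLE" | check_identities || echo "resolve these before signing"
```

When a name is ambiguous, codesign --sign also accepts the identity's SHA-1 hash in place of the name, which selects one certificate unambiguously.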
