Unable to sign MacOS application from cronjob - macos

I have a script that builds and codesigns an application bundle for macOS. When I run it from my user's profile, the application is correctly signed, and I can install it on other machines.
The command used is codesign -s <identity> -v <path>, where the identity is found with security find-identity -v -p codesigning.
But when I run the same script from a cronjob, I get an error:
error: The specified item could not be found in the keychain.
How is it possible to sign the application from a cronjob?

Changed from cronjob to launchd, and codesign -s <identity> --keychain <keychain path> -v <path> is OK.

One solution could be to create a separate keychain with the codesigning certificate and pass the keychain path as an argument to codesign, as:
codesign -s <identity> --keychain <keychain path> -v <path>

Move signing certificates from the login keychain to the system keychain.

Related

Set/Get keychain item without requiring a password for a specific app/binary

I want to set and get a password in macOS Keychain Access that is only accessible by a specific golang binary, without a confirmation prompt.
Any other app trying to access it should require the password before being able to get it.
It works for a specific binary. But if I build a new binary, it starts requiring the password.
I already tried signing the binary with a self-signed certificate, but that does not seem to work:
codesign --force --verify --verbose=4 --deep --timestamp --options=runtime \
--sign "My Self Signed Key" \
ssh-agent
Any ideas? What can I be doing wrong?

Codesigning and notarizing executable file for OSX

I'm trying to codesign + notarize, from the command line, a small executable file generated out of a JavaScript file, without success. This file is a very simple CLI tool, aimed to be used through the Mac's Terminal.
Downloading the file and attempting to run it results in the error:
"testBinaryFile can't be opened because the identity of the developer
cannot be confirmed."
(and running it from the terminal, as it should be, results in a "killed" status on the process).
These are the steps that I did:
0. Bundling the code into an executable (named testBinaryFile).
1. Codesigning the executable with:
codesign -s CERTIFICATE_UUID --timestamp -o runtime -v testBinaryFile --force
2. Zipping the executable (so it can be uploaded for notarization):
ditto -c -k testBinaryFile testBinaryFile.zip
3. Sending the zip for notarization:
xcrun altool --notarize-app \
--primary-bundle-id io.test.bundled \
--username <OUR_APPLE_ID> \
--password <OUR_APPLE_APP_SPECIFIC_PASS> \
--file testBinaryFile.zip
4. Polling the service until we get back a successful notarization message, with:
xcrun altool --notarization-info REQUEST_ID -u <OUR_APPLE_ID> -p <OUR_APPLE_APP_SPECIFIC_PASS>
5. Uploading the zip file to our hosting on GitHub (also tried on Google's hosting services).
6. Downloading the zip file, extracting it, and trying to run it -> results in the error attached above.
Other notes:
* I have an "Apple Developer ID certificate" that allows distributing the bundled executable outside of the App Store.
* I use the same bundled executable inside a notarized .dmg installer containing a ".app" application (with the bundle inside its /Resources), and there I manage to use it without any issues at all.
Any clues on how to make it work also just for the bundle?
It is not possible to use certificates from third-party providers (e.g. Comodo, DigiCert) because such certificates will not pass Gatekeeper, which requires an Apple-developer-issued certificate.
Your Gatekeeper security settings are disallowing this because it is not even an app. It may have been quarantined as a result, meaning you would have to run xattr -d com.apple.quarantine /path/to/file to get it to run.
The less preferred method is to lower your security settings.
Also note that because the notarization ticket cannot be stapled to the binary executable, the user would require internet to access the ticket in order to enable code execution.

How to upload dmg file for notarization in xcode

I am trying to upload our existing app to Apple for notarization.
According to the document https://help.apple.com/xcode/mac/current/#/dev88332a81e
I have to open the app in the Xcode archive organizer.
We have a dmg file generated from our Jenkins build server.
How do I open the dmg file in Xcode to upload it?
Also, is there some command-line tool that I can use for the notarization?
You can do it from the command line.
First you will need to extract the .app from your .dmg and re-sign it, removing the com.apple.security.get-task-allow entitlement in the process (this is added automatically by the build to support debugging and normally gets removed by archiving; the notarization service won't accept a package with that entitlement, however, so you must remove it).
The .entitlements file you use can just be an empty one.
Xcode 10.2 and higher lets you set a build setting "Code Signing Inject Base Entitlements" that will prevent the com.apple.security.get-task-allow entitlement from being added in the first place. You can use this option on e.g. release builds where debugging is not required, and skip this whole dance of resigning and repackaging with an empty entitlements file.
Note also the use of the --options runtime, which specifies your app was built with the hardened runtime, and is also required.
codesign -f -s "Developer ID Application: Name (ID)" --entitlements my-entitlements.entitlements --options runtime MyApp.app
Now you need to repackage your .app back inside a .dmg, and resign that:
(I use the --options runtime flag here too, though not sure if it's necessary)
codesign -s "Developer ID Application: Name (ID)" MyApp.dmg --options runtime
Then use altool to submit your .dmg:
(Username and password must be someone on the macOS team in the developer portal)
xcrun altool --notarize-app -f MyApp.dmg --primary-bundle-id my-app.myapp -u username -p password
If it uploads successfully, you will get back a token:
RequestUUID = 28fad4c5-68b3-4dbf-a0d4-fbde8e6a078f
Then you can check the status with altool, using that token:
xcrun altool --notarization-info 28fad4c5-68b3-4dbf-a0d4-fbde8e6a078f -u username -p password
Eventually, it will either succeed or fail. Just keep checking. Check the "Status" field of the response, which should be "success". The response will also include a log file that you can use to troubleshoot errors.
Assuming it succeeds, you need to staple the notarization to the app:
xcrun stapler staple MyApp.dmg
And then validate:
xcrun stapler validate MyApp.dmg
The validate action worked!
You can also apply the quarantine flag to your .app and try to launch it; you will see the new Gatekeeper dialog:
xattr -w com.apple.quarantine "0081;00000000;Safari;" MyApp.app   # value is flags;timestamp;agent;uuid
With Xcode 13 and later, notarization via command-line has come down to these 2 basically:
xcrun notarytool store-credentials "<key>" --apple-id "<your apple id>" --team-id <your teamid> --password "<app specific password>"
and
xcrun notarytool submit <your file>.dmg --keychain-profile "<key>" --wait
At the time of writing this answer, the Apple documentation is confusing, as they have mentioned using the secret 2FA password instead of the app-specific password. You can go through these steps to create an app-specific password.
Slightly longer version here: https://blog.rampatra.com/how-to-notarize-a-dmg-or-zip-file-with-the-help-of-xcode-s-notary-tool
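The two answers above together give the full flow: strip get-task-allow, sign with the hardened runtime, sign the disk image, submit, staple, validate. Below is an added example (not code from either answer) that does all of that in one script with notarytool, and adds the pre-flight check both answers imply: refuse to sign with an entitlements file that still grants com.apple.security.get-task-allow, since the notary service will reject it. The identity name, the keychain profile name "notary-profile" and the file paths are hypothetical; the sample entitlements files are constructed for the offline self-check and are not from the original posts.

```shell
#!/bin/sh
# Added example: Developer ID signing + notarization of a .dmg with notarytool
# (Xcode 13+). Not code from the original answers. Hypothetical: identity name,
# keychain profile "notary-profile", app/entitlements/dmg paths.
set -eu

IDENTITY="${IDENTITY:-Developer ID Application: Example Corp (ABCDE12345)}"
PROFILE="${PROFILE:-notary-profile}"   # from: xcrun notarytool store-credentials notary-profile ...

# Pre-flight: the notary service rejects code carrying the debug entitlement
# com.apple.security.get-task-allow. Plain-text check so it also runs off macOS.
has_get_task_allow() {   # has_get_task_allow file.entitlements
    tr -d '\n' < "$1" \
        | grep -q '<key>com.apple.security.get-task-allow</key>[[:space:]]*<true/>'
}

# Hardened runtime + explicit entitlements + secure timestamp, then strict verify.
sign_app() {   # sign_app MyApp.app release.entitlements
    if has_get_task_allow "$2"; then
        echo "refusing to sign: $2 grants get-task-allow; notarization would fail" >&2
        return 1
    fi
    codesign --force --timestamp --options runtime --entitlements "$2" --sign "$IDENTITY" "$1"
    codesign --verify --deep --strict --verbose=2 "$1"
}

# Package, sign the image, notarize, staple, then get Gatekeeper's own verdict.
notarize_dmg() {   # notarize_dmg MyApp.app MyApp.dmg
    hdiutil create -volname "$(basename "$1" .app)" -srcfolder "$1" -ov -format UDZO "$2"
    codesign --force --timestamp --sign "$IDENTITY" "$2"
    # --wait blocks until the service reaches Accepted or Invalid.
    result=$(xcrun notarytool submit "$2" --keychain-profile "$PROFILE" --wait || true)
    printf '%s\n' "$result"
    if ! printf '%s\n' "$result" | grep -q 'status: Accepted'; then
        # The log names each offending file and why it was rejected.
        id=$(printf '%s\n' "$result" | sed -n 's/^ *id: //p' | head -n 1)
        [ -z "$id" ] || xcrun notarytool log "$id" --keychain-profile "$PROFILE"
        return 1
    fi
    xcrun stapler staple "$2"
    xcrun stapler validate "$2"
    # Same assessment Gatekeeper makes when the image is opened; source should
    # read "Notarized Developer ID".
    spctl --assess --type open --context context:primary-signature -vv "$2"
}

# Constructed sample entitlements (not from the posts), used only by self_check.
DEBUG_ENTS='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
    <key>com.apple.security.get-task-allow</key>
    <true/>
</dict></plist>'
RELEASE_ENTS='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
</dict></plist>'

# Offline check: the pre-flight must flag the debug file and pass the release one.
self_check() {
    d=$(mktemp); r=$(mktemp)
    printf '%s\n' "$DEBUG_ENTS" > "$d"
    printf '%s\n' "$RELEASE_ENTS" > "$r"
    if has_get_task_allow "$d" && ! has_get_task_allow "$r"; then rc=0; else rc=1; fi
    rm -f "$d" "$r"
    return $rc
}

# Usage: sh notarize.sh MyApp.app release.entitlements MyApp.dmg
if [ "$#" -eq 3 ]; then
    sign_app "$1" "$2"
    notarize_dmg "$1" "$3"
fi
```

The script signs the image itself as well as the app, because Gatekeeper assesses the outer container first; the spctl call at the end is the check that distinguishes "signed" from "notarized", which codesign -v alone cannot tell you.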

DMG cannot be opened because the identity of the developer is not identified even after signing the DMG app

I am trying to codesign the DMG even after the app is signed with an Apple Developer certificate. I am getting the error "DMG cannot be opened because the identity of the developer is not identified" while opening the app from Applications.
I tried signing the complete dmg generated from appdmg both ways, with appdmg's code-sign option and with codesign:
"code-sign": {
"signing-identity": "Developer ID Application: ******* (4B9GHJ9X43)"
}
Verifying the dmg signature with spctl:
spctl -a -t open --context context:primary-signature -v **M.dmg
***.dmg: accepted
codesign -v ****.dmg && echo SIGNED!
SIGNED!
source=Developer ID
Another approach I tried is signing the dmg again after signing the .app:
codesign -f -vvvv --strict --deep -s "Developer ID Application: ******* (4B9GHJ9X43)" ****.app
appdmg ./*****.json ./****.dmg
codesign -f -vvvv --strict --deep -s "Developer ID Application: ******* (4B9GHJ9X43)" ****.dmg
But I am still getting the same error.
Any pointers on this are highly appreciated.
We need to sign all the Frameworks folders that we are using inside the app and any dylibs that we are generating in ***.app/Contents/MacOS:
codesign -f -vvvv --strict --deep -s "Developer ID Application: Corporation (****)" ***.app/Contents/MacOS/libncursesw.5.dylib
codesign -f -vvvv --strict --deep -s "Developer ID Application: Corporation (****)" ***.app
This will give you the prompt that your application was downloaded from the Internet, do you want to open it, with an Open button, if you are not downloading the DMG from the App Store.
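The answer above fixes the problem by signing the nested dylibs before re-signing the bundle with --deep. Apple's own guidance is to sign "inside out" (every nested framework, plug-in, XPC service and dylib first, the outer bundle last, without --deep, which is meant for verification and applies the outer item's flags and entitlements to everything it touches). The following is an added example, not the answer's code, that enumerates nested code in a bundle, orders it deepest-first, signs each item, then verifies with codesign --deep --strict and spctl. The identity is hypothetical; the sample path list is constructed for the offline check of the ordering step and is not from the original post.

```shell
#!/bin/sh
# Added example (not the answer's code): sign a bundle inside out so every
# nested Mach-O carries its own Developer ID signature, then verify the way
# Gatekeeper does. Identity name is hypothetical.
set -eu

IDENTITY="${IDENTITY:-Developer ID Application: Example Corp (ABCDE12345)}"

# Order paths deepest first so each nested item is sealed before the bundle
# that contains it (the outer seal covers the inner signatures). Ties are
# broken alphabetically so the order is reproducible.
order_inside_out() {
    awk -F/ '{ print NF "\t" $0 }' | sort -t "$(printf '\t')" -k1,1nr -k2,2 | cut -f2-
}

# Enumerate nested code one bundle level deep: frameworks, plug-ins, XPC
# services and helper apps as units, loose dylibs, and any extra executables
# next to the main binary.
nested_code() {   # nested_code MyApp.app
    app="$1"
    main_exe="$app/Contents/MacOS/$(basename "$app" .app)"
    find "$app/Contents" -type d \( -name '*.framework' -o -name '*.bundle' \
        -o -name '*.xpc' -o -name '*.app' -o -name '*.appex' \) -prune -print
    find "$app/Contents" -type f -name '*.dylib' \
        ! -path '*.framework/*' ! -path '*.bundle/*' ! -path '*.xpc/*' ! -path '*.app/Contents/*/*.app/*'
    find "$app/Contents/MacOS" -type f -perm -u+x ! -path "$main_exe" ! -name '*.dylib'
}

# Sign nested items, then the bundle itself without --deep. Entitlements, if
# given, apply to the main executable only, which is what the hardened runtime
# expects; nested code should not inherit them.
sign_inside_out() {   # sign_inside_out MyApp.app [release.entitlements]
    app="$1"; ents="${2:-}"
    nested_code "$app" | order_inside_out | while IFS= read -r item; do
        codesign --force --timestamp --options runtime --sign "$IDENTITY" "$item"
    done
    if [ -n "$ents" ]; then
        codesign --force --timestamp --options runtime --entitlements "$ents" --sign "$IDENTITY" "$app"
    else
        codesign --force --timestamp --options runtime --sign "$IDENTITY" "$app"
    fi
}

# --deep --strict walks every nested item and rejects anything unsealed;
# spctl gives the Gatekeeper verdict the user will get.
verify_bundle() {   # verify_bundle MyApp.app
    codesign --verify --deep --strict --verbose=2 "$1"
    spctl --assess --type exec -vv "$1"
}

# Constructed sample (not from the post) for the offline check of order_inside_out.
SAMPLE_PATHS='MyApp.app
MyApp.app/Contents/MacOS/libncursesw.5.dylib
MyApp.app/Contents/Frameworks/Sparkle.framework/Versions/A/Autoupdate.app
MyApp.app/Contents/Frameworks/Sparkle.framework'

# Usage: sh sign-inside-out.sh MyApp.app [release.entitlements]
if [ "$#" -ge 1 ]; then
    sign_inside_out "$@"
    verify_bundle "$1"
fi
```

Run offline with no arguments, the script only defines its functions; printf '%s\n' "$SAMPLE_PATHS" | order_inside_out shows the signing order (the helper app inside Sparkle.framework first, MyApp.app last).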

codesign requires keychain password even after 'security unlock-keychain'

I'm running xcodebuild in a script to archive and export my project. I'm code signing using a keychain file.
In order to avoid the prompt to enter the keychain password, I'm using
security unlock-keychain -p <Password> <Keychain file>
This command finishes successfully without any output.
Still, when I run xcodebuild, I'm prompted with
codesign wants to use the "myKeychain" keychain.
What am I missing? I'm running Xcode 9.4.1.
The problem was that I issued the unlock-keychain before the build, and the signing was happening around 45 minutes later. The unlock had expired.
This can be solved with
security set-keychain-settings -lut 7200 <keychain>
I solved it by issuing the unlock command right before the signing
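The first question on this page (codesign from cron cannot find the identity) and this last one (the unlock lapses before codesign runs) have the same root cause: codesign is running in a session that does not have the user's login keychain unlocked and on its search list. The following is an added example, not code from any of the posts, that sets up a dedicated signing keychain for unattended use, grants codesign access to the key without a UI prompt via the partition list, sets the idle timeout as the answer above does, unlocks right before signing and passes --keychain explicitly, and installs a launchd agent in place of the cron job. The keychain path, password file, identity and the sample find-identity output used by the offline check are hypothetical or constructed.

```shell
#!/bin/sh
# Added example, not the posts' own code: a dedicated signing keychain for
# unattended runs (launchd or CI), covering both problems on this page: the job
# cannot see the login keychain ("The specified item could not be found in the
# keychain") and the unlock lapses before codesign runs ("codesign wants to use
# the keychain"). Keychain path, password file and identity are hypothetical.
set -eu

KEYCHAIN="${KEYCHAIN:-${HOME:-.}/Library/Keychains/signing.keychain-db}"
# Keep the password in a 0600 file rather than in the launchd plist or the
# environment: `launchctl print` exposes a job's environment to that user.
PASS_FILE="${PASS_FILE:-${HOME:-.}/.config/signing/keychain-pass}"
keychain_pass() { cat "$PASS_FILE"; }

# One-time: import the Developer ID .p12 and let codesign use the private key
# without a UI prompt. The partition list is what stops the dialog on 10.12+.
setup_keychain() {   # setup_keychain DeveloperID.p12 p12-password
    pass=$(keychain_pass)
    [ -f "$KEYCHAIN" ] || security create-keychain -p "$pass" "$KEYCHAIN"
    # Lock on sleep and after 7200 s idle; sign_with_keychain re-unlocks per run anyway.
    security set-keychain-settings -lut 7200 "$KEYCHAIN"
    security import "$1" -k "$KEYCHAIN" -P "$2" -T /usr/bin/codesign -T /usr/bin/security
    security set-key-partition-list -S apple-tool:,apple: -s -k "$pass" "$KEYCHAIN"
    # Put it on the user search list so tools not given --keychain also find it.
    security list-keychains -d user -s "$KEYCHAIN" "${HOME:-.}/Library/Keychains/login.keychain-db"
}

# Extract the SHA-1 of the first valid "Developer ID Application" identity from
# `security find-identity -v -p codesigning` output on stdin. Signing by hash
# avoids an ambiguous-identity error when two certificates share a name.
identity_hash() {
    sed -n 's/^ *[0-9]*) \([0-9A-F]\{40\}\) "Developer ID Application:.*$/\1/p' | head -n 1
}

# Unlock immediately before signing (the unlock is what expires, not the key)
# and name the keychain explicitly instead of relying on the session's search list.
sign_with_keychain() {   # sign_with_keychain MyApp.app
    security unlock-keychain -p "$(keychain_pass)" "$KEYCHAIN"
    hash=$(security find-identity -v -p codesigning "$KEYCHAIN" | identity_hash)
    [ -n "$hash" ] || { echo "no valid Developer ID Application identity in $KEYCHAIN" >&2; return 1; }
    codesign --force --timestamp --options runtime --keychain "$KEYCHAIN" --sign "$hash" "$1"
    codesign --verify --strict --verbose=2 "$1"
}

# launchd agent in place of the cron job: runs inside the user's GUI session,
# the context the keychain and its access control list were created in.
install_agent() {   # install_agent MyApp.app
    self="$(cd "$(dirname "$0")" && pwd)/$(basename "$0")"
    plist="${HOME:-.}/Library/LaunchAgents/com.example.sign.plist"
    cat > "$plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.sign</string>
  <key>ProgramArguments</key>
  <array><string>/bin/sh</string><string>$self</string><string>sign</string><string>$1</string></array>
  <key>StartInterval</key><integer>3600</integer>
  <key>StandardErrorPath</key><string>/tmp/com.example.sign.err</string>
</dict></plist>
EOF
    launchctl bootstrap "gui/$(id -u)" "$plist"
}

# Constructed find-identity output (not from the posts) for the offline check.
SAMPLE_IDENTITIES='  1) 0123456789ABCDEF0123456789ABCDEF01234567 "Apple Development: Jane Doe (ABCDE12345)"
  2) 89ABCDEF0123456789ABCDEF0123456789ABCDEF "Developer ID Application: Example Corp (ABCDE12345)"
     2 valid identities found'

# Usage: sign.sh setup DeveloperID.p12 <p12 password> | sign MyApp.app | agent MyApp.app
case "${1:-}" in
    setup) setup_keychain "$2" "$3" ;;
    sign)  sign_with_keychain "$2" ;;
    agent) install_agent "$2" ;;
    *)     printf '%s\n' "$SAMPLE_IDENTITIES" | identity_hash ;;   # offline demo of the parser
esac
```

Signing by the identity's SHA-1 rather than its common name is deliberate: a machine that has both an expired and a renewed "Developer ID Application" certificate would otherwise get an ambiguous-identity error from codesign, and the parser only accepts identities that find-identity -v reports as valid.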
