We have a kext-enabled Developer ID which we are using for code signing and I have verified that the certificate contains the 1.2.840.113635.100.6.1.18 extension required. However, kextutil -tn still shows:
Untrusted kexts are not allowed
Kext with invalid signature (-67050) denied: /Library/StagedExtensions/Library/Extensions/A0587A5A-52FC-46DC-832E-81919195902C.kext
After signing, I re-extracted the signature using 'codesign -d --extract-certificates' to verify that the correct kext-enabled Developer ID certificate was indeed used during the signing process.
I have "Apple Worldwide Developer Relations Certification Authority" and "Developer ID Certification Authority" certs in both the login and System keychains.
Any suggestions on where to go from here? Thanks!
I've figured it out. Turns out macOS 10.13+ denies kexts by default -- even those signed with a valid kex-enabled Dev. ID certificate (which we have). The solution is described in this tech note (and alluded to in the comments above):
https://developer.apple.com/library/archive/technotes/tn2459/_index.html
The first time an attempt is made to load the kext, macOS should present the user with a popup informing them that it was blocked. The user then needs to go to System Preferences > Security & Privacy in order to approve the kext. Note that the approval needs to happen within 30 minutes of the load attempt or it will disappear. Subsequent load attempts will be rejected silently but will reactivate the prompt within "Security & Privacy" -- giving the user another chance to approve the kext.
$ csrutil status
System Integrity Protection status: enabled.
$ sudo kextutil -v /Users/xxx.yyy/Library/Developer/Xcode/DerivedData/zzzz-dvqiwdodghcxydamtmpmffakjyrt/Build/Products/Release/zzzz.kext
Defaulting to kernel file '/System/Library/Kernels/kernel'
/Users/xxx.yyy/Library/Developer/Xcode/DerivedData/zzzz-dvqiwdodghcxydamtmpmffakjyrt/Build/Products/Release/zzzz.kext appears to be loadable (not including linkage for on-disk libraries).
Loading /Users/xxx.yyy/Library/Developer/Xcode/DerivedData/zzzz-dvqiwdodghcxydamtmpmffakjyrt/Build/Products/Release/zzzz.kext.
/Users/xxx.yyy/Library/Developer/Xcode/DerivedData/zzzz-dvqiwdodghcxydamtmpmffakjyrt/Build/Products/Release/zzzz.kext successfully loaded (or already loaded).
$ kextstat | grep xxxxxx
161 0 0xffffff7f83af6000 0x3c9000 0x3c9000 com.xxxxxx.driver.zzzz (1) 230E04D6-5C15-373F-8F73-E23566AE3C22 <22 15 5 4 3 1>
Related
i had to reinstall my MacBook Pro. I have installed the newest macOS & Xcode version so
macOS Monterey 12.0.1 (21A559)
and
Version 13.1 (13A1030d)
I'm programming Audio plugins so to test my plugins I'm normally running a DAW (Digital Audio Workstation) in my case I'm working the most of the time with Ableton or Bitwig.
So if I start the debuging process, I get the follow error:
Could not attach to pid XXXXXX
attach failed (Not allowed to attach to process. Look in the console messages (Console.app), near the debugserver entries, when the attach failed. The subsystem that denied the attach permission will likely have logged an informative message about why it was denied.)
If I have an eye to the console.app the the following lines:
[LaunchAttach] (3277) about to task_for_pid(2930)
error: [LaunchAttach] MachTask::TaskPortForProcessID
task_for_pid(2930) failed: ::task_for_pid ( target_tport = 0x0203, pid
= 2930, &task ) => err = 0x00000005 ((os/kern) failure)
macOSTaskPolicy: (com.apple.debugserver) may not get the task control
port of (BitwigStudio) (pid: 2930): (BitwigStudio) is hardened,
(BitwigStudio) doesn't have get-task-allow, (com.apple.debugserver) is
a declared debugger(com.apple.debugserver) is not a declared read-only
debugger
1 +0.000000 sec [0ccd/0103]: error: ::task_for_pid ( target_tport =
0x0203, pid = 2930, &task ) => err = 0x00000005 ((os/kern) failure)
err = ::task_for_pid ( target_tport = 0x0203, pid = 2930, &task ) =>
err = 0x00000005 ((os/kern) failure) (0x00000005)
I have done some research and found this:
Stackoverflow link about What does get-task-allow do
get-task-allow, when signed into an application, allows other
processes (like the debugger) to attach to your app. Distribution
profiles require that this value be turned off, while development
profiles require this value to be turned on (otherwise Xcode would
never be able to launch and attach to your app).
So there is nothing I can do to debug my programs with that software. Is that correct? :(
You can debug but you have to set the "Code Signing Inject Base Entitlements" to "Yes" for debugging
And then you have to add a provisioning profile. Go to developer.apple.com then select "Certificates, IDs & Profiles" to create a provisioning profile for the bundle ID you are testing.
This solved it for me on terminal
sudo DevToolsSecurity -enable
When you don't have access to the original source code or don't want to rebuild it, such as when developing plug-ins for another app (a DAW in your case), you can easily change the entitlements of the application as follows to enable debugging:
Read the current entitlements as follows (replace daw.app with the actual app name):
codesign --display --xml --entitlements daw.entitlements daw.app
Note: Run this in the Terminal app. It will create a file named daw.entitlements in the current folder. Run the command only once or delete any previously created daw.entitlements; otherwise the command keeps appending to the same file.
Open daw.entitlements in any text editor and insert the following text just before </dict></plist> at the end of the file:
<key>com.apple.security.get-task-allow</key><true/>
Note: If there’s already an entry with the same name, change its value from false to true instead of adding a new one.
Apply the new entitlements as follows (replace daw.app with the actual app name):
codesign -s - --deep --force --options=runtime --entitlements daw.entitlements daw.app
This should do it. In the unlikely chance that you already have a file named daw.entitlements in the same folder, use a different file name in all steps.
I tried all of these and had no luck until I figured out that I also had to disable SIP (system integrity protection) to attach to the audio server plugin I am working on.
Hopefully this helps someone to not lose a whole day on it as I did.
I don't know why electron-builder cannot find a valid identity.
Using the environment variable to debug, I always end up with the same problem where it says there is no valid identity despite listing there to be 1 valid identity underneath.
I have tried specifying the cert name as the "identity" property of the top level key "mac" in package json and leaving it out.
I have tried specifying the keychain (CSC_KEYCHAIN) to login.
I have tried adding the "Developer ID Application: ****" cert to login, System, and custom keychains (I don't know why electron builder keeps making extra keychains called "1").
I have tried adding an "Apple Root CA" to all those keychains from the previous line.
I have tried specifying and omitting CSC_NAME, CSC_LINK + CSC_KEY_PASSWORD.
I have tried CSC_IDENTITY_AUTO_DISCOVERY as false.
Running the command line from this page appears to work (as running spctl -a -t exec -vv 'Appname.dmg' gives back "source=Unnotarized Developer ID" ), but I would like to follow the automatic notarization process suggested here which is based off of electron-builder #3870
When I specify the identity in package json, the closest I get to is saying
Identity name is specified, but no valid identity with this name in the keychain identity=***** allIdentities=
1) BBBBBBBBB "Developer ID Application: ***** (XXXXX)"
1 identities found
Valid identities only
1) BBBBBBBBBB "Developer ID Application: ***** (XXXXX)" <---lists the exact one above
1 valid identities found
at/........
When I run security find-identity -v, or security find-identity -v -p codesigning, the exact same cert appears again.
Have I missed anything?
I have no idea why I am getting this error. I believe that I have all the correct provisioning profiles and such. I did just move to a new computer but I did also bring over the private keychain developer key. I have my developer files synced with Dropbox so I didn't need to move over the Xcode project. Here is the error:
CodeSign "/Users/michaellindahl/Library/Developer/Xcode/DerivedData/Fraction_Calculator-cgirhuuvywfnsyenisucsuauquoz/Build/Products/Debug-iphoneos/Fraction Calculator Pro.app"
cd "/Users/michaellindahl/Dropbox/Xcode/lindahl studios/FractionCalculator"
setenv CODESIGN_ALLOCATE /Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/codesign_allocate
setenv PATH "/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin:/Developer/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin"
/usr/bin/codesign --force --sign "iPhone Developer: Michael Lindahl (MXXX0X0XXB)" "--resource-rules=/Users/michaellindahl/Library/Developer/Xcode/DerivedData/Fraction_Calculator-cgirhuuvywfnsyenisucsuauquoz/Build/Products/Debug-iphoneos/Fraction Calculator Pro.app/ResourceRules.plist" --entitlements "/Users/michaellindahl/Library/Developer/Xcode/DerivedData/Fraction_Calculator-cgirhuuvywfnsyenisucsuauquoz/Build/Intermediates/Fraction Calculator.build/Debug-iphoneos/Fraction Calculator Pro.build/Fraction Calculator Pro.xcent" "/Users/michaellindahl/Library/Developer/Xcode/DerivedData/Fraction_Calculator-cgirhuuvywfnsyenisucsuauquoz/Build/Products/Debug-iphoneos/Fraction Calculator Pro.app"
CSSM_SignData returned: 8001094A
/Users/username/Library/Developer/Xcode/DerivedData/Fraction_Calculator-cgirhuuvywfnsyenisucsuauquoz/Build/Products/Debug-iphoneos/Fraction Calculator Pro.app: unknown error -2070=fffffffffffff7ea
Command /usr/bin/codesign failed with exit code 1
Thanks for your insight.
You've almost certainly got corrupted certs :
Revoke old certs, generate new ones, new provisioning profile, the works, magic happens again
This seems senseless, but I simply locked and then unlocked the login keychain and the problem went away. On reflection, the problem occurred after I had added a new certificate to the keychain. Maybe the addition of this additional certificate (unrelated to the current project) caused the problem.
Try going through all of the steps in the Managing Devices and Digital Identities document. This should help you verify that your machine is correctly set up.
I am copying this because I originally posted this at 7 o'clock Singapore time which is 4 in the morning in the US. I recieved no answers so I'm desperate
: error: CFBundleIdentifier '5SXUF33BX9.com.rohan.fart ' contains illegal character ' '
: invalid bundle identifier '5SXUF33BX9.com.rohan.fart '
warning: Unable to extract codesigning entitlements from your application. Please make sure Farticus is a valid Mach executable that's properly codesigned. (-19050) /Users/rohankapur/Documents/Fart /build/Release-iphoneos/Farticus.app/Farticus: code object is not signed - (null)
1) The illegal characters: I checked the info.plist and there are no ''. I did delete all my certificates and re-dowloaded them, and ERRORS start happening.
The warning nable to extract codesigning entitlements from your application. Please make sure Farticus is a valid Mach executable that's properly codesigned. (-19050) /Users/rohankapur/Documents/Fart /build/Release-iphoneos/Farticus.app/Farticus: code object is not signed - (null)
this warning is new but the other warning is old. In keychain access I have my new certificates though. HELP PLEASE!
Make sure you genererated your private keys correctly. Also, its worth pointing out that Apple has stated they will no longer be accepting fart apps into the appstore.
http://blogs.wsj.com/digits/2010/09/09/apples-review-guidelines-we-dont-need-any-more-fart-apps/
I've got a problem that I couldn't solve with a deep search in different resources as most of the "similar" points out to be an error with Icon.png size, etc...
I've tried to upload my application after verifying that:
Correctly builds and run on my device
That my certificates are installed properly
That my certs / profiles are not expired.
That the Icon.png has the proper size and format of 57x57 PNG.
And several other things.
Ran codesign --verify -vvvv MyApp.app which worked fine.
My ZIP File was properly done
When I've tried to upload through the iTunes connect interface I got the simple error above, and that's why I tried with ApplicationLoader, to try and find out what's causing the error looking at the console.
The console showed the following:
16/02/10 13:25:52 ApplicationLoader[549] *** Codesign error (please ignore invalid option comments): got requirements(0x800000, 534)
Executable=/var/folders/WZ/WZu24JnOGNe9L79GWq0IlU+++TI/-Tmp-/MyApp.zip/MyApp.app/MyApp
Identifier=com.realtimed.MyApp
Format=bundle with Mach-O thin (armv6)
CodeDirectory v=20100 size=829 flags=0x0(none) hashes=33+5 location=embedded
Signature size=4333
Authority=iPhone Developer: My Name (XXXXXXXXX)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=16/02/2010 13:22:24
Info.plist entries=17
Sealed Resources rules=3 files=28
Internal requirements count=1 size=144
Executable=/var/folders/WZ/WZu24JnOGNe9L79GWq0IlU+++TI/-Tmp-/MyApp.zip/MyApp.app/MyApp
got entitlements(0x800400, 317)
codesign_wrapper-0.7.3: using Apple CA for profile evaluation
codesign_wrapper-0.7.3: Caling codesign with the following args:
codesign_wrapper-0.7.3: /usr/bin/codesign
codesign_wrapper-0.7.3: --verify
codesign_wrapper-0.7.3: -vvvv
codesign_wrapper-0.7.3: -R=anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.1] exists and certificate leaf[field.1.2.840.113635.100.6.1.4] exists
codesign_wrapper-0.7.3: --entitlements
codesign_wrapper-0.7.3: /var/tmp/signingbox/codesign_wrapper_entitlements.plist
codesign_wrapper-0.7.3: /var/folders/WZ/WZu24JnOGNe9L79GWq0IlU+++TI/-Tmp-/MyApp.zip/MyApp.app
**/var/folders/WZ/WZu24JnOGNe9L79GWq0IlU+++TI/-Tmp-/MyApp.zip/MyApp.app: valid on disk
/var/folders/WZ/WZu24JnOGNe9L79GWq0IlU+++TI/-Tmp-/MyApp.zip/MyApp.app: satisfies its Designated Requirement
test-requirement: failed to satisfy code requirement(s)
codesign_wrapper-0.7.3: failed to execute codesign(1)**
Any help / feedback or ideas on how to solve the situation would be highly appreciated.
I found the solution to this problem after deeply looking at the log file.
Although I created my own Distribution Profile and assigned to the CODE SIGNING IDENTITY the correct value for the developer certificate, it didn't work giving me an error: "Application failed codesign verification".
The problem is at the following line:
Authority=iPhone Developer: My Name
(XXXXXXXXX)
Despite the correct selection in the project settings for the Distribution profile, XCode was compiling it with the developer certificate.
I finally solved it: Right click on the "Targets" -> Get info -> and there it was selected (don't ask me why) the wrong distribution certificate instead of the right one.
I corrected that and it finally was accepted.
Related links (you need a developer account): https://devforums.apple.com/message/147964
Excellent post. I too was having this trouble and after much headache realized that both the Project AND the Target should be checked for using the correct Code Signing Identity. Somehow Xcode was reverting back to the Developer Provisioning Profile instead of the Distribution Provisioning Profile. It even did so on a build right after I had deliberately selected the correct one!
I. To be safe, first do the following:
Clean all builds.
Delete contents of build folder in finder.
Delete existing code signing identities from the project and target settings.
Restart Xcode.
II. Then check the Project for the correct Provisioning Profile:
Go to Project Settings > Build Tab > Code Signing Identity
Select the appropriate Distribution Provisioning Profile
III. Now check the Target:
Target > Get Info > Build Tab > Code Signing Identity
Select the appropriate Distribution Provisioning Profile
IV. Cross fingers and hope you never see that blasted little yellow triangle again.
Cy took the right approach for solving this problem - When "Application failed codesign verification" is a build warning, expand that item in the build log and scan for the root cause of the failed signature verification.
In the case of Cy.'s original post you'll see that the root issue was "test-requirement: failed to satisfy code requirement(s)", and in my experience this is almost always caused by signing with the wrong certificate i.e. an iPhone Developer profile instead of iPhone Distribution.
The root cause is not always an obvious explanation, but should guide you at least with additional search terms or troubleshooting ideas.
For others experiencing the "Application failed codesign verification" during Xcode Archive Validation or Submission, look to the build log at Product > Archive time for a build warning by the same title and expand that for the root cause. Then take a look at Apple's complete list of potential causes of this error at the following URL "How do I resolve the error: Application failed codesign verification?"
Check that the TARGET (and not only the Project) is setup with the correct Code Signing Identity for Release