I am creating a .pkg file using “Packages” application.
Previously I would able to create .pkg file with certificate also but now this give me Build Failed error. while If I remove certificate than I can Build .pkg.
Even I am not able to get any error log for error message. If anyone has any better tool or method to create package file and dmg file please tell me.
It is my understanding that signing with Packages presently does not work well. I think there is something in the manual about that, in fact. I build my package with Packages first, then sign it with productsign --sign <sign-id> <src-path> <dst-path>. The <sign-id> should be your "Developer ID Installer" identity, I think. This has been working well for me. You can then verify that the signing worked using spctl -a -v --type install <path>, where <path> is the path to the signed package made by productsign.
cd /location to app
productbuild --component "appname.app" /Applications --sign "3rd Party Mac Developer Installer: Company Name Private Limited" --product "appname.app/Contents/Info.plist" "appname.pkg"
Try PackageMaker application; it is good.
Use above command on terminal and your pkg will be good to go.
I got the cause of this error.
Problem was in my keychain, since I updated my OS to 10.12.3 I was facing this issue. so to resolve this I checked out my keychain where I found my Installer certificate in “Login” part (see image1)
image 1:
so I copy this certificate in System part also (see image 2). All problem goes away, If any time I face this issue again I check keychain again. Problem solved.
image 2:
Related
Currently I am working on submitting an app to the mac app store. I have gone through several steps but am stuck on the last one. This is as I am trying to build my .app file (made in unity) into a .pkg so I am able to Deliver it to iTunes connect via application loader.
I am entering this command into terminal:
productbuild --component GAMENAME.app /Applications --sign "3rd Party Mac Developer Installer: DEVELOPER NAME" GAMENAME.pkg
For some reason though, after entering even though I don not get an error:
Usage: productbuild [--product <requirements-plist>] {--component <component-path> <install-path>} <product-output-path>
Build product with a self-contained bundle, e.g. for the Mac App Store
Usage: productbuild {--content <content-path>} <product-output-path>
Build product with in-app content
Usage: productbuild [--product <requirements-plist>] {--root <root-path> <install-path>} <product-output-path>
Build product with an xcodebuild destination root
Usage: productbuild [options] --distribution <dist-path> [--package-path <search-path>] <product-output-path>
Build product with a distribution and the packages it references
Usage: productbuild --synthesize [--product <requirements-plist>] {--package <pkg-path>} <distribution-output-path>
Synthesize and write a distribution from component packages
See productbuild(1) for details.
I cannot find the .pkg file that has just been built...
I am not sure if this is because it is hidden somewhere or if I have made a mistake I'm unaware of, but any help would be appreciated
So, in short This question basically is how to make a .app to a .pkg which can be using application loader uploaded to iTunes connect...
EDIT:
Ok as someone suggested I might have gotten the initial terminal command wrong after all so any suggestions on where I went wrong would be appreciated.
Your developer name must be followed by the team ID.
Like - "DEVELOPER NAME (ABC123456)"
I'am trying to code sign an app bundle on osx mavericks 10.9.5 with format v2. On previous testing the signing on 10.9.5 (13F12) all went well, all frameworks could be signed without error.
Now, on 13F34, the frameworks could not be signed any more. When i try to sign the first framework with:
codesign -f -v -s "Developer ID Application: MY AG" "My.app/Contents/Frameworks/4DJavaScript.framework"
then the error occurs:
My.app/Contents/Frameworks/4DJavaScript.framework: bundle format is ambiguous (could be app or framework)
When I try to code sign the only version (A) of the framework, the signing succeeds, but on signing the main app the error on the framework reappears.
On looking into the info.plist file of the framework there is (in my sense) the correct entry for the type set:
Bundle OS Type code FMWK
Any suggestions on how to code sign a framework correctly on 10.9.5-13F34?
Thanks, Peter
Your answer didn't work for me so I post mine.
If you previously copied frameworks with cp -r command you will have this problem. With cp -a this problem doesn't appear. That's happening because of different way of resolving symlinks in these two options.
Immediately after posting the bounty on this question, I figured it out. Signing the current version of the framework directly does the trick:
codesign -f -v -s "Developer ID Application: My Dev ID" MyFramework.framework/Versions/Current
I was using electron-packager and needed to use the --no-deref-symlinks flag and bam working for me
I ran into the same problem. In my case the problem was that the .app file I was trying to codesign was stroed in a dropbox folder.
Apparently, dropbox resolves symbolic links by default, i.e. symlinks are completely replaced by the data they point to. Read about it here.
The codesign command cannot recognize the format of the bundle after dropbox resolves the symlinks.
The solution is to not store the bundle you are trying to codesign in a dropbox folder.
My installer is created using PackageMaker. After that I codesigned the installer using the following command.
productsign --sign 'Blah, Inc.' Install.mpkg/ CS/Install.mpkg
This seem to work pretty well and I could see that it is signed using the following command.
pkgutil --check-signature Install.mpkg
Since the certificate is installed on my system in keychain, the installer seem to show a little lock on top right corner. Clicking this opens up the certificate.
If the installer is placed in a system without the certificate installed the lock is no longer seen. However I could still run the command to check for certificate.
1) Is there a graphical way to check for code signing before installing? (I do not want to run command line)
2) I removed a folder from the mpkg file using finder to see if the installer will complain of tampering. But that does not happen. Is there a way the installer can stop install if it is tampered?
3) I also code signed all the binaries in my package (mostly daemons) using xcode's option to use certificate. Again I am able to see the binary as signed, however I do get a message
kernel[0]: CODE SIGNING: cs_invalid_page(0x1000): p=224[MyDaemon] clearing CS_VALID.
Googling, I found http://feedback.photoshop.com/photoshop_family/topics/photoshop_13_0_4_x64_how_can_i_get_rid_of_the_could_not_complete_your_request_because_of_a . However I am still not very clear what they are getting at. Could someone help me?
You can sign .mpkg packages but you must sign it with the Developer ID Application cert and not the Developer ID Installer cert.
When you sign the .mpkg you get a number a warnings that the inner packages must be signed but the signing seems to be valid with or without the inner .pkg signed.
I have tested that modifying an internal .pkg causes the .mpkg to fail the Gatekeeper check
So for the each internal .pkg files you should:
sudo productsign --sign "<Developer ID Installer: Cert>" "<source.mpkg>/Contents/Packages/<source.pkg>" "<destination.mpkg>/Contents/Packages/<source.pkg>"
for then for the .mpkg do:
sudo productsign --sign "<Developer ID Application: Cert>" "<Source .mpkg>" "<Destination .mpkg>"
You can sign only flat packages. Your package has extension .mpkg which I believe is the older bundle format. Make sure you are using flat packages if you want to sign them.
I paid the $99 to get a developer license w/ Apple. Installed Xcode 4.3. Went to the Organizer and "Provisioning Profiles" and refreshed to download my code signing certificate. Checked my Keychain Access and confirmed that I have "3rd Party Mac Developer ", "Developer ID" and "Mac Developer *" certificates.
At this point the documentation from apple mentioned pulling up your project files. I'm using Wineskin to package my Windows application, so I don't have an Xcode project. I have a .app file produced my Wineskin. I'd like to codesign the .app file that Wineskin produced for me.
I tried:
codesign -s "certificate name" /path/to/my.app
I tried all the possible certificate names that had my name and the word "Application" in them from my Keychain Access.
Every time I get the error "/path/to/my.app: object file format unrecognized, invalid, or unsuitable"
Any idea on how to get past this error? Am I even attempting the proper command? Or is there a different way I should go?
To summarize the comments to my questions, here are the commands I run to sign my .app file for Gatekeeper:
export CODESIGN_ALLOCATE="/Applications/Xcode.app/Contents/Developer/usr/bin/codesign_allocate"
codesign --force --sign "Developer ID Application: <my name>" /path/to/my.app
Thanks, Gordon Davisson and JWWalker!
(edit) If this fails, I realize that installing the "Command Line Tools" from within XCode was needed.
EDIT:
To verify
$ codesign -dv --verbose=4 my.app
In Apple ID account make sure you have few types of certificate?
Make sure you have a valid developer certificate and a private key in your keychain.
If you have some problems with it, the certificate should be revoked via developer.apple.com and generated from the scratch (XCode > Accounts > Manage Certificates).
Then you can use codesign:
codesign --force --deep --sign "Apple Development: FirstName LastName (XXXXXXXXXX)" /Applications/ApplicationName.app
Before using codesign command
Install Command line tool for Xcode from https://developer.apple.com/downloads/index.action section.
(You should have a developer account to download Additional Tools.)
Please check for any hidden file in Payload folder like (.DStore) and if there is one please remove it
Navigate to Payload folder via terminal using cd command
Type ls- a command on terminal
if there is any hidden file apart, delete it by rm -f .DStore
This solution worked for me so please give a try....
I have downloaded and installed the WWDR certificate. I have tried setting it to Always Trust and system defaults.
When I try to archive my app I get the CSSMERR_TP_NOT_TRUSTED error.
If I try signing manually I get the same:
/usr/bin/codesign --force --sign "3rd Party Mac Developer Application:
XX XXX-XXX"
/Users/XXX/Library/Developer/Xcode/DerivedData/XXX-fivqootinaolitdbpxccqykoaoqs/ArchiveIntermediates/XXX/InstallationBuildProductsLocation/Users/XXX/Applications/XXX.app
/Users/xxx/Library/Developer/Xcode/DerivedData/xxx-fivqootinaolitdbpxccqykoaoqs/ArchiveIntermediates/xxx/InstallationBuildProductsLocation/Users/xxx/Applications/xxx.app:
replacing invalid existing signature
/Users/xxx/Library/Developer/Xcode/DerivedData/xxx-fivqootinaolitdbpxccqykoaoqs/ArchiveIntermediates/xxx/InstallationBuildProductsLocation/Users/xxx/Applications/xxx.app:
CSSMERR_TP_NOT_TRUSTED
BUT
If I use
sudo /usr/bin/codesign --force --sign
Then it works....
The key is installed in keychain access in the 'login' chain.
Obishawn used one of the suggestions provided by Apple in the following steps published to troubleshoot this error - How do I resolve the CodeSign error: CSSMERR_TP_NOT_TRUSTED?
.
For others experiencing this build error -
CSSMERR_TP_NOT_TRUSTED
the above guide covers a more broad range of potential causes. The error can also occur at Xcode Archive > Share, Validate, or Submit time, and the above steps to resolve it are the same.
Ok, I finally figured mine out. I had the WWDR certificate in my login keychain and my System keychain. I deleted both and reimported a fresh one from Apple and everything works now. I can codesign without using sudo and MonoDevelop can fully compile for distribution and upload to my devices.
My two cents on that problem :
I had to fight with it for some hours. Here are what I had to fix to have codesign do its job :
Ensure that certificates are not duplicated between the login and the system keychain
Ensure no old / expired / revoked versions of the certificates exist in any keychain
Ensure all certificates have "system default" trust policy. If one is set to "always trust", then codesign will fail.
This last point was found on a machine that was migrated to Xcode 8.2 recently. It might be a new behavior of Xcode 8.