I have a Mac app that was accepted to the Mac App Store when I built it using Xcode 13 (exactly the way I do it now, code signing set to automatic, uploading to the App store using the Organizer in Xcode), but now with Xcode 14.2, minutes after submitting it to the Mac App Store, I will receive a refusal mail with lots of "ITMS-90288: Invalid Code Signing Entitlements" and "TMS-90286: Invalid Code Signing Entitlements" errors, two for each embedded dynamic library.
TMS-90288: Invalid Code Signing Entitlements - The entitlements in your app
bundle signature do not match the ones that are contained in the provisioning
profile. According to the provisioning profile, the bundle contains a key value
that is not allowed: '(My team id).' for the key 'com.apple.application-identifier'
in 'Spatterlight.app/Contents/Frameworks/libc64diskimage.dylib'
ITMS-90286: Invalid Code Signing Entitlements - Your application bundle's
signature contains code signing entitlements that are not supported on macOS.
Specifically, value '(My team id).' for key 'com.apple.application-identifier'
in 'Spatterlight.app/Contents/Frameworks/libc64diskimage.dylib' is not supported.
This value should be a string starting with your TEAMID, followed by a dot '.',
followed by the bundle identifier .
The reply at https://developer.apple.com/forums/thread/710598 seems to indicate that dylibs shouldn't have entitlements at all, but apparently Xcode is adding them anyway, making the app unacceptable to the App Store.
I have tried cleaning the build folder, disabling and enabling automatic signing, signing manually when uploading the app (providing profiles from lists in Xcode rather than doing it automatically). The result is the same.
Note that there are plenty of questions here that may look like duplicates of this (usually with titles like "ERROR ITMS-XXXXX: 'Invalid Code Signing Entitlements'", but none of them seem to be about this problem, which makes me think I am doing something uniquely wrong.
To prevent Xcode from adding malformed entitlements to your dylibs, you can do the following steps:
Create a custom entitlements file: In Xcode, go to File > New > File and select "Entitlements" from the list of file templates. This will create a new .entitlements file in your project.
Specify the custom entitlements file: In your target's Build Settings, find the "Code Signing Entitlements" setting and set it to the name of your custom entitlements file.
Review and edit the entitlements file: Open the custom entitlements file and review the contents. Ensure that only the necessary entitlements are included, and that they are correctly formatted.
Build and sign your dylib: Build your dylib and sign it with your custom entitlements file. You can verify that the entitlements were correctly added by running the codesign command in the Terminal and examining the output.
First I apologise for my english.
could you help me with small problem :slight_smile:
I want to create *.ipa file from ionic project, but in indentify area xcode told me that I must "Fix Issue".
And if I click on the fix issue, so xcode show me modal window with text An App ID identifier "com.xxxxx.xxxxxx" is not available please enter the different sting, but I need use defined string, concretely defined string in "Bundle indentifier".
What can i do? Could somebody help me width this problem?
I try to change "Bundle indentifier" e.g. com.xxxxx.xxxxxx1. I add only 1 to end and it works but I need use Bundle identfier without 1 number in the end of bundle identifier string.
And one thing under Team item I have text "No provisionig profiles found", but if i add 1 to the end of identifier bundle and click to Fix Issue this text "No provisionig profiles found" disappear.
Thank you for any advice,
best regards Peter
You need to have an apple developer account with enough access to do the following:
Create a development/production certificate
Create provisioning profiles based on the above certificate
In order to be able to build an *.ipa file you need to do the following:
Create the development/production certificate
Add the UDID of all devices on which you want to run the *.ipa install
Based on your choice you need to create a provisioning profile for either Development or Ad Hoc distribution.
Archive your project
Time to create your distribution:
if you chose Development, it's rather straight forward, just follow the steps (disable "Rebuild from bitcode" for faster build) - after this you can e-mail the build, but the build will need to be installed through iTunes on a device whose UDID you've added above
if you chose Ad Hoc, you need to upload your build to a remote HTTPS location, along with the corresponding manifest (*.plist) file (if you need further instructions on this, I can help, don't want to go into too many details if this is not what you want)
The "Fix issue" shows every time when your device UDID has not been added to the provisioning profile of the app bundle ID that's been set within the app.
I 've created distribution certificate and 2 provisioning profiles for distribution one with explicit App-Id and one with wildcard. I can see it in project build settings (and in Preferences>Account) and choose it in build settings for release: provisioning profile with explicit App-id.
I built archive with xcode 5 and try to validate it in organizer. But in dialog "Choose a profile to sign with" I can't see provisioning profile with explicit App-id, only this with wildcard. If I use the wildcard-profile the validation failed with message: "The bundle identifier cannot be changed from the current value, ('App-id'. ..." (The message only shows the App-ID suffix without Team-id prefix)
Solved:
The validation error message from Apple was confusing. I tried many things. The reason was a hyphen ("-") within the App-ID. After I had removed the hyphen and had created the provisioning profile with explicit App-Id the validation passed through.
I am writing a cross-platform app in Qt (using Qt Creator). One of the target platforms is OS X.
The application is being packaged for installation on OS X by using the BitRock Installer system to create an .app file.
The application is intended for download and use by students and researchers in political science at various different colleges and universities. (A download either from the App Store, or from a product website, is fine.)
I do not need iCloud or any other features associated with the App Store. I just need to be able to distribute this application so that the warning (below) does not appear.
Currently the application is in an alpha-testing state - it is being tested by the product managers only. I would nonetheless prefer to offer the product managers an installation package for OS X that does not present them with the following warning:
The [installer application] can't be opened because it is from an
unidentified developer
(And, more importantly, when the application is released, I also don't want this warning to appear for end users.)
I understand that I need to prepare my application for distribution by using an Apple Developer account and properly signing the application.
I have created a developer account, and I am attempting to follow the steps in the link to sign my application and prepare it for distribution.
However, because the application is built in Qt, not Xcode, I do not know how to follow the steps through to completion, because some of the key steps assume that Xcode is being used.
I have searched for any questions that might describe how to prepare Qt applications on OS X for distribution, but come up empty.
(Further, I would also prefer to have a set of steps provided that is as simple as possible - preferably simpler than the steps provided in the above link - in any case.)
What is the simplest possible set of steps that will allow me to code sign my application, developed with Qt, on OS X, so that it can be distributed?
Prepare .app file
This is a step by step guide to create a signed package which can be uploaded to the Mac App Store, or distributed independently as a standalone application + installer:
Check app icon - it should have all sizes (16x16, 32x32, 64x64, 128x128, 256x256, 512x512, 1024x1024). (See https://stackoverflow.com/a/21028483/368896)
Add compile options for proper generation of debugging symbols:
QMAKE_CFLAGS += -gdwarf-2 QMAKE_CXXFLAGS += -gdwarf-2
(noting that QMAKE_CFLAGS may not be highlighted by Qt Creator as valid, but still may need to be included - see here)
Settings should be saved in a directory with same name as bundle identifier.
Check the application's Info.plist file. It should contain the correct bundle identifier and minimum MacOS X version of 10.6.6.
(Note: though Qt Creator automatically generates a default info.plist file that is placed inside the .app bundle, it is also possible to create your own file and have this automatically used instead. See this link for a sample info.plist file that works with Qt and the App Store, and note that QMAKE_INFO_PLIST does work to use a custom file (see comments in that link).)
(Also, see notes below about how to obtain a bundle identifier.)
(The minimum OS X version - which should be set to 10.6.6 or later - can be set with the following line in the .pro file: QMAKE_MACOSX_DEPLOYMENT_TARGET = 10.6 - but if you use a custom info.plist file, this setting won't take effect, so you must include the proper setting in your custom info.plist anyways; see previous link for the entry that should be used in the file.)
You also need certificates to sign your application and installer: open “Keychain Access” (use Mac OS X search) -> double click on each certificate (look in the kind column for these) and enter password -> check added certificates in Keychain Access.
Register application in iTunesConnect
Log in to your developer account at http://itunesconnect.apple.com (which will reroute you to https://, but you may need to first enter http://)
(Note: If you do not already have one, you must first create a Mac Developer Account, $99/year, in order to proceed.)
Click on “Manage your apps” -> “Add new app”
If application has no Bundle ID - create it.
Creating a new Bundle ID is not intuitive.
To create a new Bundle ID:
-> Log in to the Developer Center website: This is a different site
(perhaps open it in a new tab): http://developer.apple.com.
-> Click Member Center near the very top right (next to the search bar)
-> Click on Manage your certificates, App IDs, devices, and provisioning profiles
(underneath Certificates, Identifiers & Profiles)
-> Click on App IDs in the left navigation bar (in the Identifiers section)
(This might already be selected.)
-> Click on + button
-> The screen you now see (Register Mac App ID / Registering an App ID)
is the screen you use to create a new bundle identifier
-> Enter the necessary information. Write anything for the
App ID Description (it can contain only a short line of text)
The Explicit App ID field is actually the new Bundle ID.
Type a reverse URL here, such as com.mydomain.myapp.
A website or server does not actually need to exist at this URL.
You just make one up here, but of course you can use one that
already exists if you wish.
-> Click Continue, then Submit if you're satisfied, then Done
Now be sure to go back to the previous section, and add the Bundle ID you have just created to the custom info.plist file.
Also save the Team ID in case you need it later - this is the string that precedes the Bundle > > ID (called the prefix) that you see when you look at the details of the Bundle ID you've just > > > created in the Developer Center.
Now, go back to the iTunesConnect website. (Perhaps in another tab - this is not the Developer Center website.)
In the App Information section, select language. Then, enter app name. Make up a random string of characters for the SKU field (I use something of the format 2436-7623-7782-8327). Finally, select the Bundle ID. Click Continue.
Select availability date (simply as far as possible, for now - currently, it's only possible to make it available for at most 2 years). Select price tier (can be any - customer can change later). Click Continue.
Enter detailed application information on the following screen, and click Save.
Click “View Details” in app page -> Click “Ready to upload binary” -> On summary page click on link “latest version of Application Loader” and download it -> Click “Continue”.
Creating and Uploading installer
Check application Info.plist - enter right bundle id, app name, category.
Build application in release mode.
Extract debug symbols. At the command line:
dsymutil MyApp.app/Contents/MacOS/MyApp -o MyApp.app.dSYM
Execute the helper program macdeployqt (included with Qt). At the command line:
/path/to/macdeployqt /path/to/myapp.app
(macdeployqt can be found in QTDIR/bin. See this link for a handful of official details.)
Running macdeployqt modifies your existing application by incorporating the necessary Qt frameworks internal to the .app bundle and changing various other internal settings in the application.
Codesign application:
Codesigning is a tricky step.
(1) Obtaining a DISTRIBUTION CERTIFICATE
You must first create a Distribution certificate, if you don't already have one. (Not a
Developer certificate.)
(The following steps are taken from this link, with a correction regarding the certificate
type)
-> Open Xcode (version 5 as of this writing)
-> Navigate to Xcode > Preferences
-> Click the Accounts tab
-> If you have not already done so, add the Apple ID that is registered in the Mac Developer
Program
-> Select the Apple ID that you want to use, and click View Details
-> In the window that opens, click Add (+) and then select Mac App Distribution.
(2) Code signing the application with the Distribution Certificate
To properly codesign, every .framework and .dylib inside the .app bundle must FIRST
be signed; and then the .app itself must be signed. See critical steps in bottom paragraph of
this grey block before you codesign the internal Qt frameworks - and be sure to do this first.
The command to sign the internal libraries/frameworks, and the command to sign the main .app,
is the same:
codesign -s "3rd Party Mac Developer Application: Daniel Nissenbaum (S6V5TT9QRL)" –-entitlements
MyEntitlements.plist MyApp.app
The --entitlements MyEntitlements.plist option is only necessary if you actually have
entitlements beyond the basic
defaults. I (Dan Nissenbaum) did not select additional privileges for my app when I created the
Bundle ID in Developer Center (such as ability to access iCloud, push notifications, etc.). So, I
left off the --entitlements option, and I have not looked into how to obtain a
MyEntitlements.plist file.
Note regarding the -s argument: See paragraph below for information about finding the correct
name to use (this is the Distribution Certificate "Common Name").
This codesign command is for the main .app. To codesign the internal (Qt)
libraries/frameworks,
which must be done first, use the proper path; i.e., in the command above, use
MyApp.app/Contents/Frameworks/QtCore.framework rather than MyApp.app - and note that
the path to the libraries/frameworks must be just to the root of the internal library/framework
bundle, not to inside the internal library/framework bundle.
Various other internal .dylibs or .frameworks may also need to be signed, in addition to the
Qt .frameworks - if you try to sign your main application but have not
signed all of the internal .dylibs/.frameworks, you will receive an error indicating another
internal
.dylib/.framework that needs signing. Just proceed through them all. In my case, there were
about
10 additional .dylibs that needed to be signed after I completed signing the Qt .frameworks.
Once you have the developer certificate, you need to find the name of the certificate for use with
the codesign process. Open "Keychain Access" (to find this, simply type "Keychain Access" into
the Search bar in the Finder, and locate the application from among the results returned). In the
main list that you see when Keychain Access runs, you will see your Developer certificate among
various other things. There will also be some other certificates - ignore those. It should be
obvious which certificate is the correct one. In my case (which is standard, I assume), the
certificate name is "3rd Party Mac Developer Application: Daniel Nissenbaum (S6V5TT9QRL)".
This is the official name of the certificate, to be
used as the -s argument to codesign, but to really confirm this, double-click on the
certificate and in the info window that appears, have a look at the "Common Name". The value of
Common Name is the official text to use as the -s argument of codesign.
Note regarding a complication with codesign'ing the internal Qt frameworks. As of today,
when macdeployqt is run, the Qt frameworks are not fully copied correctly into the .app bundle.
They are missing their Info.plist file. But these necessary Info.plist files DO exist inside
the Qt installation. You can simply use the Finder to copy them. (For example on my system, the
required Info.plist file for the QtWidgets.framework framework has this path (where "Qt"
corresponds to the root path of your Qt installation):
Qt/5.1.1/clang_64/lib/QtWidgets.framework/Contents/Info.plist. This is to be copied into
MyApp.app/Contents/Frameworks/QtWidgets.framework/Resources. Ditto for all of the other Qt
frameworks that were copied into the MyApp.app bundle by macdeployqt. See
https://stackoverflow.com/a/19639825/368896 for more details.exists and is enabled for code
Create installer (a different certificate is required; see comment):
productbuild –-component ./MyApp.app /Applications –-sign "3rd Party Mac Developer Installer: Daniel Nissenbaum (S6V5TT9QRL)" MyApp.pkg
Note that a different certificate is required to be used as the argument to the --sign parameter. The certificate has type "Mac Installer Certificate", rather than "Mac App Distribution" (the type of the certificate used with codesign, above). To create this certificate, follow the same steps above, but select Mac Installer Certificate as the type. Use its Common Name as the argument to the --sign parameter here.
The ./ preceeding the application name might be important. Also, use the same argument to the --sign parameter that you did when you ran codesign - the Common Name of your Developer certificate. See above.
Check the installer:
sudo installer -store -pkg MyApp.pkg -target /
If there are no errors, you now have a legitimate Mac application, packaged into a legitimate Mac installer, both of which can be distributed to anyone. You can distribute them by simply sending them the .pkg file (via website, Dropbox, etc.), or you can upload to the Mac App Store.
I have not confirmed these steps, which are for actually uploading the application to the Mac App Store: Open Application Loader and sign in with Apple Developer Account -> Select “Deliver Your App” -> Choose right AppID -> Click on “Choose…” button on “Application Information” page and select created pkg file -> Click “Send”.
Additional information
Information about entitlements
Information about Info.plist
Additional information about deploying app to Mac AppStore
First, see Sign Qt applications on Mac with Developer ID and Sign a Framework for OSX 10.9
Basically,
compile your application
run macdeployqt
check using otool -L ... the dependencies of all your frameworks, libraries and plugins
use install_name_tool -change ... to change any dependencies not properly deployed to inside the bundle
sign your frameworks and bundle (see the 2 links given above)
You will need to pay Apple for a developer ID to be able to sign your application otherwise your users will have to deal with Gatekeeper.
First of all, please, check the following link
As you wrote, you may distribute your application outside of the App Store. Such bundles or pkg installers should be signed with the Developer ID signing identity. This is the only signature that will pass checks by MacOS GateKeeper.
You must be a "Team Agent" to obtain this. If you are working alone this should be no problem for you. If you are not "Team Agent" you will need to create the certificate request and send it to your "Team Agent" who will generate the public key for you and send it back.
Once you will have a valid Developer ID signing identity (as people wrote in comments) you can just sign your app with similar command line command: codesign "Developer ID ...." myApplicationPath.app
P.S. Latest xCode provides a nice UI to obtain different types of signing identities. Just check the link at the top of answer.
I have this code signing issue that came up only recently when I tried to submit my Mac application (not iOS) with Xcode 4.4.1
When I tried to validate my app's archive, validation fails with these two errors:
Invalid Code Signing Entitlements. The entitlements in your app bundle signature do not match the ones that are contained in the provisioning profile. According to the provisioning profile, the bundle contains a key value that is not allowed: 'com.(mycompany).(myapp)' for the key 'com.apple.application-identifier' in 'MyAppBundle.app/Contents/MacOS/MyAppExecutable'
Invalid code signing entitlements. Your application's bundle signature contains code signing entitlements that are not supported on Mac OS X. Specifically, value 'com.(mycompany).(myapp)' for key 'com.apple.application-identifier' in 'MyAppBundle.app/Contents/MacOS/MyAppExecutable' is not supported. This value should be a string starting with your TEAMID, followed by a dot '.' followed by the bundle identifier.
This bundle is invalid. Apple is not currently accepting applications built with this version of the OS.
I've tried the following but none of them worked:
re-downloading and re-generating code signing certificates.
Specifying my team ID in the code signing parameters:
-i "(TEAMID).com.(mycompany).(myapp)" --entitlements "(MyAppEntitlementFile).entitlements"
Anybody can help? Thanks in advance.
I've fixed this by editing my entitlements file using Xcode's property list editor (not the fancy-looking GUI in the target's Summary tab) and remove the key named com.apple.application-identifier along with its value.
I'm not sure how that key-value pair got there in the first place because I'm quite confident that I didn't put it in there myself. This project was originally coded for Snow Leopard without sandboxing and went through a number of Xcode versions. Perhaps an old version of Xcode put it there and it conflicted with the newer one.