Develop Reference

OS X App Codesign issue

I have an OS X app which uses a custom built flow outside of XCode. Therefore, I have to use the codesign tool in command line mode to sign everything within the app. The command line I used is:
codesign -f -s "Developer ID Application: MyCompany Inc" -i com.mycompany.myapp -v $Path_To_App
I first signed every binary, framework and plugins within the app by passing the path of each one of them as $Path_To_App. Then I signed the whole app by passing the path of the app folder MyApp.app.
After that, I used the following command to build a dmg file:
hdiutil create -format UDBZ -srcfolder path_to_app_folder myapp.dmg
If I install this dmg file locally, everything is fine. I believe OS X doesn't even check the certificates in this case. But after I upload the dmg file to the web server, download it with a browser and extract the app into the Applications folder, the OS rejects the app as damaged. The message is:
"MyApp" is damaged and can't be opened. You should move it to the trash.
If I check the signature like this, it is fine:
codesign --verify --verbose /Applications/MyApp.app
/Applications/MyApp.app: valid on disk
/Applications/MyApp.app: satisfies its Designated Requirement
However, if I check it with spctl, it does complain:
spctl -a -v /Applications/MyApp.app
/Applications/MyApp.app: a sealed resource is missing or invalid
I am not sure where I do wrong here. Here is the url of the signed dmg file on the web: http://www.slimjet.com/test/slimjet1.dmg .
Thanks a lot for helping!
Here is an update. The damage warning only shows up when I extract the app into the /Applications folder and run it from there. If I drop it into any other folder and run, or directly run it from mounted dmg archive, it is able to run just fine.

It turned out the gatekeeper keeps cached information about previous failures. Even if you fix the problem by applying all the correct signatures later on, spctl command still reports the same error without actually checking it again. The codesign command doesn't use cache but spctl does. I had to reset the system policy database by the following command:
sudo cp /var/db/.SystemPolicy-default /var/db/SystemPolicy
After that, I restart the OS. Then my app runs just fine. Although spctl has a "--ignore-cache" switch, it doesn't have any effect in this case.

You forgot to also codesign:
FlashPeak Slimjet.app/Contents/Versions/13.0.6.0/FlashPeak Slimjet Helper.app
FlashPeak Slimjet.app/Contents/Versions/13.0.6.0/FlashPeak Slimjet Framework.framework/Resources/app_mode_loader.app
Since they not codesigned this is probably the issue; there could be others, but check these first.

Agent admitted failure to sign using the key. OSX

I use GIT Tower to push to a remote repository and also use Terminal to connect to a few amazon AWS instances using key files from my Mac (OSX Mavericks)
For some reason, I've started receiving this error:
Agent admitted failure to sign using the key
I've tried running
ssh-add
I;ve tried resetting the permissions of the file, removed my known_hosts file, everything. Can't get my head round it, I haven't a clue why this has just started, but its very frustrating.
ANY feedback or help would be received with gratitude.
Thanks
Ste

Such kinds of errors may occur due to the incompatibility of OpenSSH. After generating the keys on your home directory, you can fix this error by simply loading your generated keys into your SSH agent with the following command:
>$ ssh-add
Hope this helps.

the culprit is Tower v1.5.3. Had the same behaviour today on my Macs. Downgrading to Tower v1.5.2 helps. If the identity were added with v1.5.3 clear the identities in the SSH Agent (ssh-add -D) before connecting with Tower v1.5.2 again.
Note: You can use Tower v1.5.3, but then your SSH Key must have a passphrase to get this version of Tower to work.
Regards,
Andreas

This is a general problem with the Mac OS update 10.9.2 (see here for a general discussion, outside of Tower: Git push keep getting permission denied after mac 10.9.2 update)
As said before, running "ssh-add -D" on your command line, possibly combined with a restart of your Mac OS should solve the issue.

Tower 1.5.4 is out, with the correct bugfix:
changelog:
Simplify SSH Public Key management after Apple's security update in Mac OS 10.9.2

The way I got around this was to remove all identities. I ran the command
ssh-add -D
The prompt then returns: All identities removed.
I then logged in to my server via SSH and the message disappeared.

How to fix curl: (60) SSL certificate: Invalid certificate chain

I get the following error running curl https://npmjs.org/install.sh | sh on Mac OSX 10.9 (Mavericks):
install npm#latest
curl: (60) SSL certificate problem: Invalid certificate chain
More details here: http://curl.haxx.se/docs/sslcerts.html
How do I fix this?

First off, you should be wary of urls that throw SSL errors. That being said, you can suppress certificate errors in curl with
curl -k https://insecure.url/content-i-really-really-trust

Using the Safari browser (not Chrome, Firefox or Opera) on Mac OS X 10.9 (Mavericks) visit https://registry.npmjs.org
Click the Show certificate button and then check the checkbox labelled Always trust. Then click Continue and enter your password if required.
Curl should now work with that URL correctly.

NOTE: This answer obviously defeats the purpose of SSL and should be used sparingly as a last resort.
For those having issues with scripts that download scripts that download scripts and want a quick fix, create a file called ~/.curlrc
With the contents
--insecure
This will cause curl to ignore SSL certificate problems by default.
Make sure you delete the file when done.
UPDATE
12 days later I got notified of an upvote on this answer, which made me go "Hmmm, did I follow my own advice remember to delete that .curlrc?", and discovered I hadn't. So that really underscores how easy it is to leave your curl insecure by following this method.

The problem is an expired intermediate certificate that is no longer used and must be deleted. Here is a blog post from Digicert explaining the issue and how to resolve it.
https://blog.digicert.com/expired-intermediate-certificate/
I was seeing the issue with Github not loading via SSL in both Safari and the command line with git pull. Once I deleted the old expired cert everything was fine.

After updating to OS X 10.9.2, I started having invalid SSL certificate issues with Homebrew, Textmate, RVM, and Github.
When I initiate a brew update, I was getting the following error:
fatal: unable to access 'https://github.com/Homebrew/homebrew/': SSL certificate problem: Invalid certificate chain
Error: Failure while executing: git pull -q origin refs/heads/master:refs/remotes/origin/master
I was able to alleviate some of the issue by just disabling the SSL verification in Git. From the console (a.k.a. shell or terminal):
git config --global http.sslVerify false
I am leary to recommend this because it defeats the purpose of SSL, but it is the only advice I've found that works in a pinch.
I tried rvm osx-ssl-certs update all which stated Already are up to date.
In Safari, I visited https://github.com and attempted to set the certificate manually, but Safari did not present the options to trust the certificate.
Ultimately, I had to Reset Safari (Safari->Reset Safari... menu). Then afterward visit github.com and select the certificate, and "Always trust" This feels wrong and deletes the history and stored passwords, but it resolved my SSL verification issues. A bittersweet victory.

On MacOS High Sierra/10.13:
~$brew install curl ca-certificates
works like a charm for me.

Another cause of this can be duplicate keys in your KeyChain. I've seen this problem on two macs where there were duplicate "DigiCert High Assurance EV Root CA". One was in the login keychain, the other in the system one. Removing the certificate from the login keychain solved the problem.
This affected Safari browser as well as git on the command line.

Let's say you try to download something using curl or install hub
using brew, then, you get an error like:
==> Downloading https://ghcr.io/v2/linuxbrew/core/ncurses/manifests/6.2
curl: (60) SSL certificate problem: unable to get local issuer certificate
Then, let ghcr.io being the server, execute following commands:
cd ~
# Download the cert:
openssl s_client -showcerts -servername ghcr.io -connect ghcr.io:443 > cacert.pem
# type "quit", followed by the "ENTER" key / or Ctrl+C
# see the data in the certificate:
openssl x509 -inform PEM -in cacert.pem -text -out certdata-ghcr.io.txt
# move the file to certificate store directory:
sudo mv cacert.pem /usr/local/share/ca-certificates/cacert-ghcr.io.crt
# update certificates
sudo update-ca-certificates
# done !
References
SSL Certificate Verification
Snippet

After attempting all of the above solutions to eliminate the "curl: (60) SSL certificate problem: unable to get local issuer certificate" error, the solution that finally worked for me on OSX 10.9 was:
Locate the curl certificate PEM file location
'curl-config --ca' -- > /usr/local/etc/openssl/cert.pem
Use the folder location to identify the PEM file
'cd /usr/local/etc/openssl'
Create a backup of the cert.pem file
'cp cert.pem cert_pem.bkup'
Download the updated Certificate file from the curl website
'sudo wget http://curl.haxx.se/ca/cacert.pem'
Copy the downloaded PEM file to replace the old PEM file
'cp cacert.pem cert.pem'
This is a modified version of a solution posted to correct the same issue in Ubuntu found here:
https://serverfault.com/questions/151157/ubuntu-10-04-curl-how-do-i-fix-update-the-ca-bundle

I started seeing this error after installing the latest command-line tools update (6.1) on Yosemite (10.10.1). In this particular case, a reboot of the system fixed the error (I had not rebooted since the update).
Mentioning this in case anyone with the same problem comes across this page, like I did.

In some systems like your office system, there is sometimes a firewall/security client that is installed for security purpose. Try uninstalling that and then run the command again, it should start the download.
My system had Netskope Client installed and was blocking the ssl communication.
Search in finder -> uninstall netskope, run it, and try installing homebrew:
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"
PS: consider installing the security client.

If you are behind a corporate firewall like Palo Alto it will intercept all TLS/SSL traffic, inspect it and re-encrypt it using its own using self-signed certificates. Although these certificates will typically be available on your workstation, the various programs like npm, Git, curl, etc. will not inherit them from the workstation.
If you are working in an enterprise do not use the -k or --insecure option because this turns of the TLS/SSL encryption completely and opens up you and your organization to compromise
The solution is to add this self signed certificate to the specific certificate chain that is used by the program you are trying to use. I have included a link to Adrian Escutia Soto's answer which is the best way of addressing this. Unfortunately, I cannot comment or upvote on it because I don't have enough reputation points

Xcode can't verify the identity of the server "github.com", Xcode

Sorry for the dumb question, but I've been getting this on Xcode. I'm not sure if it's because I updated to Mountain Lion or not. Every time I click continue, I just get the same message and it never proceeds. I am able to pull or push from the command line however. Does anyone know how to solve this? Thanks!

Just click "Show Certificate", unfold the disclosure arrow and set the "Trust" dropdown option menu to "Always Trust". Accept and re-enter your password if asked. It should be fine now. (Sorry for not being more precise, but I don't have the Certificate window under my eyes right now.)

None of the certificates in the CA chain for GitHub appears to have just expired or be closed to expire.
This article (on rail app, but also relevant here) suggests:
install MacPorts
use OpenSsl
if have a directory /opt/local/etc/openssl:
$ cd /opt/local/etc/openssl
$ sudo curl -O http://curl.haxx.se/ca/cacert.pem
$ sudo mv cacert.pem cert.pem
$ setenv SSL_CERT_FILE /opt/local/etc/openssl/cacert.pem

Anyone facing this issue, quit your proxy and try again.

Ruby/Github: Appropriate general solution for OpenSSL::SSL::SSLError?

Every now and then I'm encountering problems with scripts hosted on Github which have been linked using https. I've usually managed to get around it one way or the other, but I'm wondering what's the proper way of solving this?
Here's an example: I'd like to make use of this Rails Application template.
Running
rails new APP_NAME -m https://raw.github.com/RailsApps/rails3-application-templates/master/rails3-devise-rspec-cucumber-template.rb -T
will throw:
certificate verify failed (OpenSSL::SSL::SSLError)
What is the proper way of going about this situation without editing the script itself?
UPDATE
I've tried so far as well
export GIT_SSL_NO_VERIFY=true
but I keep on getting the same error.
I also exported the certificate from Firefox as github.com.pem and simply dragged it into my unlocked Keychain Access. The certificate is now listed but the error remains the same.
UPDATE 2
As awful this solution is, this hack works: http://blog.dominicsayers.com/2011/08/16/howto-use-a-rails-template-from-github-on-windows/

It seems that simply "updating" the certificates is the best option:
$ cd /usr/share/curl/
$ sudo wget http://curl.haxx.se/ca/cacert.pem
$ sudo mv curl-ca-bundle.crt old.curl-ca-bundle.crt
$ sudo mv cacert.pem curl-ca-bundle.crt