iOS codesign verification failed while upgrading to OS X 10.9.5 - xcode

According to my Jenkins build log, I am sure that the following was raised when my OS X upgraded to 10.9.5.
+ /usr/bin/codesign --verify -vvvv /Users/dobbymini/jenkins/workspace/DobbyBuild/build/Archive.xcarchive/Products/Applications/Dobby.app
Program /usr/bin/codesign returned 1 : [/Users/dobbymini/jenkins/workspace/DobbyBuild/build/Archive.xcarchive/Products/Applications/Dobby.app: resource envelope is obsolete
]
Codesign check fails : /Users/dobbymini/jenkins/workspace/DobbyBuild/build/Archive.xcarchive/Products/Applications/Dobby.app: resource envelope is obsolete
I've found that the official document OS X Code Signing In Depth mentions that it is related to the issue of 'version 2 signa'
Note: It is necessary to sign code while running OS X Mavericks to get a version 2 signature. The actual code signing machinery is part of the operating system, not the codesign tool. It will not work to copy the codesign tool from Mavericks to an older OS X version.
Apparently my OS version is high enough to have the version 2 signature, so there should be something wrong as mentioned by this document:
Structure your bundle according to the expectations for OS X version 10.9 or later:
Only include signed code in directories that should contain signed code.
Only include resources in directories that should contain resources.
Do not use the --resource-rules flag or ResourceRules.plist. They have been obsoleted and will be rejected.
The question is, I don't have much idea about the limitations above.
Would anybody kindly help by providing some examples?
This code change I found should be for the 3rd item above: https://github.com/maciekish/iReSign/commit/37b11a43c50afb8e94ca8b2fda192f23d39e7bf3

This is an issue with Mac OSX 10.9.5 and later. Apple will fix this in a future release.
Please see my comments for xcodebuild - codesign -vvvv says "resource envelope is obsolete"

Related

How to see Page Size in Xcode latest code signature format

I got this message from Apple
An app signed with a codesign version provided on an older macOS, like
Catalina (10.15) will not run on iOS 15 because the latest version you
can install is Xcode 12.4. Xcode 12.5 seems to change the behavior of
codesigning. When installing you get the error message The code
signature version is no longer supported. Is there a workaround?
They also suggested following Using the Latest Code Signature Format documentation for making the app compatible with the new signature format.
One of the steps was to see Page Size by running this command.
% codesign -dv /path/to/MyApp.app
They said that the output will have Page size.
Page size=4096
-7=f4c7c0ae394247097dca9b19333001200747691e1d9e25ec0cf0f35a8ade21f3
-6=0000000000000000000000000000000000000000000000000000000000000000
-5=7379374fd375633558fd972e33809c06e61f9f8191f67c71875899b0dc290945
-4=0000000000000000000000000000000000000000000000000000000000000000
-3=53cc3cc9830555e6d7bc864522fdf160b61ccc0d2fda9331368d333dfaa4fe24
But when I run the command I don't see the Page Size. Here is the output.
To see the page size in Xcode you need to use this:
codesign -dvvvvv MyApp.app
If it's not working, try to re-sign your app and try this command again.
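A way to read that output in a build step, as an added example that is not part of the original question or answer: it pulls out the page size and the special slots whose hash is not all zeros, and fails when the Page size line is missing (the situation in the question, where a lower verbosity level was used). The function names are hypothetical, and the sample lines are the ones quoted in the question.

```shell
#!/bin/sh
# Added example; function names are hypothetical.
# codesign writes -d output to stderr, so real use looks like:
#   codesign -dvvvvv MyApp.app 2>&1 | codesign_page_size

# Print the page size, or return 1 when no "Page size=" line is present.
codesign_page_size() {
    size=$(sed -n 's/^[[:space:]]*Page size=\([0-9][0-9]*\).*$/\1/p' | head -n 1)
    [ -n "$size" ] || return 1
    printf '%s\n' "$size"
}

# Print the special-slot numbers (-7, -5, ...) whose hash is not all zeros.
codesign_filled_slots() {
    awk -F= '/^[ \t]*-[0-9]+=[0-9a-f]+$/ && $2 !~ /^0+$/ {
        slot = $1; gsub(/[ \t]/, "", slot)
        printf "%s%s", sep, slot; sep = " "
    } END { print "" }'
}

# Sample input: the output lines quoted in the question above.
sample_verbose_output() {
    cat <<'EOF'
Page size=4096
-7=f4c7c0ae394247097dca9b19333001200747691e1d9e25ec0cf0f35a8ade21f3
-6=0000000000000000000000000000000000000000000000000000000000000000
-5=7379374fd375633558fd972e33809c06e61f9f8191f67c71875899b0dc290945
-4=0000000000000000000000000000000000000000000000000000000000000000
-3=53cc3cc9830555e6d7bc864522fdf160b61ccc0d2fda9331368d333dfaa4fe24
EOF
}

echo "page size: $(sample_verbose_output | codesign_page_size)"
echo "filled slots: $(sample_verbose_output | codesign_filled_slots)"
```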

STS not running on Mac OS Catalina (version 10.15)

I have successfully downloaded STS-4 on Mac OS Catalina, but getting the following error when launching it: “SpringToolSuite4” can’t be opened because Apple cannot check it for malicious software. Anyone got a solution to this?
Looks like it was because of a permission issue for me.
This helped me.
codesign --force --deep --sign - /Applications/SpringToolSuite4.app
Link to refer
The Spring Tools 4 for Eclipse distribution prior to the just released 4.4.2 version was signed, but not yet notarized by Apple. macOS Catalina requires downloaded apps to be notarized in order to run them directly, therefore you get the mentioned error message.
Spring Tools 4 for Eclipse 4.4.2 got released today and is officially notarized, so you should be able to run that just as-is after downloading.
There also exists a workaround for older versions of the tooling, which can be found in the comments here: https://github.com/spring-projects/sts4/issues/375
Hope this helps!

Reliable verification of codesigned app in OSX

After many problems codesigning a Mac OSX app, I finally got a working combination (what to sign, where it should be located).
My question is whether there's some system command to do the exact same verification the system does on a downloaded app. I've used codesign --display and RB App Checker, which passed the verification in some cases, but when downloading the app it didn't succeed.
You don't say what version of Mac OS X you develop under, or what version of Mac OS X you're downloading and testing on. That's important because there were changes in code signatures and GateKeeper in Mavericks and later.
See Apple's tech note for details, but what I use is:
spctl -a -v path/to/my.app

check-signature tool fails with message: resource envelope is obsolete (custom omit rules)

Tried to check Gatekeeper Conformance using check-signature tool as described here running the following command:
./check-signature ~/Desktop/folder/test.pkg
and got the following output:
(c) 2014 Apple Inc. All rights reserved.
/Users/username/Desktop/folder/test.pkg: Warning: bundle installers are deprecated, please use regular installer packages.
/Users/username/Desktop/folder/test.pkg.pkg: resource envelope is obsolete (custom omit rules)
Can somebody help me to understand what the above output means?
Your "resource envelope is obsolete" error means you have a "version 1" signature and are checking it on a machine running OS X 10.9.5 or newer.
Starting with OS X 10.9.5 and continuing with 10.10 and later, Apple has changed the way code signing works. Apple Tech Note 2206, available here:
https://developer.apple.com/library/mac/technotes/tn2206/_index.html
explains the new code signing requirements. In general, you will need to sign your code and package on a machine running 10.9 or later in order to generate a "version 2" signature. Note: you cannot simply copy the 'codesign' or 'productsign' from a 10.9 machine to a machine running 10.8 or lower. These tools rely on other components of the OS to do their work, so you actually need to generate your signature on a machine running 10.9 or higher.

Codesign in Mavericks (10.9.4) Still Generating Version 1 Envelope

I'm trying to codesign an app package that will obey the GateKeeper changes in 10.9.5 and 10.10. The documentation I've seen states that you must codesign on a 10.9 system in order to create a Version 2 envelope.
However, my 10.9.4 system is generating a codesign with a Version 1 envelope. Has anybody else seen this? I've tried reinstalling the xcode developer tools to no avail.
On 10.9.4 my app passes the GateKeeper check:
spctl -a -t exec -vv AppName.app/
AppName.app/: accepted
source=Developer ID
origin=Developer ID Application: Our Company, Inc.
On 10.10 things aren't happy:
spctl -a -t exec -vv AppName.app/
AppName.app/: rejected
AppName.app/: rejected
source=obsolete resource envelope
I'm finding that my call to codesign that worked on 10.9.4 does not work when run on 10.9.5; more details at How do I change how I sign Java application after updating to OSX 10.9.5
It doesn't like something within the bundled jdk, no idea what though.
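A build gate for the failures quoted in the threads above, as an added example that is not from any of the original posts: it reads the output of `codesign --verify -vvvv` or `spctl -a -t exec -vv` and separates the obsolete (version 1) resource envelope from other rejections, so a CI job can report that the bundle needs re-signing on 10.9 or later. The function name and verdict words are assumptions; only the message forms shown on this page are recognised, and the sample input is constructed from those lines.

```shell
#!/bin/sh
# Added example; function name and verdict words are assumptions.
# Usage in a build step (both tools report on stderr as well as stdout):
#   spctl -a -t exec -vv AppName.app 2>&1 | classify_signature_check

# Print one of: accepted, rejected, obsolete-envelope, unknown.
# Return 0 only for "accepted" so the caller can fail the build otherwise.
classify_signature_check() {
    verdict=unknown
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            *"resource envelope is obsolete"*|*"source=obsolete resource envelope"*)
                # Version 1 signature checked on 10.9.5 or later.
                verdict=obsolete-envelope
                break ;;
            *": rejected")
                # Keep reading: a later source= line may explain the rejection.
                verdict=rejected ;;
            *": accepted")
                [ "$verdict" = unknown ] && verdict=accepted ;;
        esac
    done
    printf '%s\n' "$verdict"
    [ "$verdict" = accepted ]
}

# Constructed sample: the spctl output quoted for 10.10 in the question above.
classify_signature_check <<'EOF' || echo "signature check failed: do not ship this build"
AppName.app/: rejected
AppName.app/: rejected
source=obsolete resource envelope
EOF
```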
