Codesign in Mavericks (10.9.4) Still Generating Version 1 Envelope - osx-mavericks

I'm trying to codesign an app package that will obey the GateKeeper changes in 10.9.5 and 10.10. The documentation I've seen states that you must codesign on a 10.9 system in order to create a Version 2 envelope.
However, my 10.9.4 system is generating a codesign with a Version 1 envelope. Has anybody else seen this? I've tried reinstalling the xcode developer tools to no avail.
On 10.9.4 my app passes the GateKeeper check:
spctl -a -t exec -vv AppName.app/
AppName.app/: accepted
source=Developer ID
origin=Developer ID Application: Our Company, Inc.
On 10.10 things aren't happy:
spctl -a -t exec -vv AppName.app/
AppName.app/: rejected
AppName.app/: rejected
source=obsolete resource envelope

I'm finding that my call to codesign that worked on 10.9.4 does not work when run on 10.9.5; more details at How do I change how I sign Java application after updating to OSX 10.9.5
It doesn't like something within the bundled jdk, no idea what though.

Related

How to generate Apple Development identity without Xcode?

I need to distribute one unsigned app for Mac OS with arm64 arch. And I want users to automatically sign the application with ad-hoc certificate like this codesign -s ###### app. But these users are not developers, and have no Xcode installed.
Is it possible to create Apple Development identity (########## "Apple Development:mail#mail.com (########)) using Apple ID and password without Xcode tools?
I know the app Sideloadly is able to do this, but it is closed-source and I'm too stupid to interpret function with disassembler.
You can use the next command:
codesign -fs- --deep name.app
But before that, don't forget to install the Xcode command-line tools:
sudo xcode-select --install

Mac OSX, Apple rejected Unity app. Codesign issue?

We've made a game with Unity 5, which runs without any problems on Mac OSX. But for the Mac OSX App Store from Apple, the game must be codesigned.
I've done that a lot of times in the past and there I didn't have problems. But I have made a clean install of OSX on the Mac a few weeks ago. I installed all the certificates and they seem to work. But I can't check in the terminal, which codesign commands I used in the past, and there maybe the problem...
In Unity I build the app with the Mac Appstore Validation.
Then I edit the info.plist, add the icons, create the entitlements-file (do all which was listed in several documents) and go to the terminal.
There I type in the directory of the app:
chmod -R a+xr "APPNAME.app"
codesign -f -v -s "3rd Party Mac Developer Application: COMPANY-NAME" "APPNAME.app/Contents/Frameworks/MonoEmbedRuntime/osx/libmono.0.dylib"
codesign -f --deep -s '3rd Party Mac Developer Application: COMPANY-NAME' --entitlements "APPNAME.entitlements" "APPNAME.app"
productbuild --component "APPNAME.app" /Applications --sign "3rd Party Mac Developer Installer: COMPANY-NAME" "APPNAME.pkg"
Everything works fine, even with the libmono.0.dylib. There I get the result that the existing codesigning will be replaced. I am not sure, but I had in mind that we have codesigned 3 lines in the past, but we haven't used any more Frameworks or Plugins now.
Then I test the pkg. I install it and am asked about the login details, and I log in with an iTunesConnect testuser account. The app is installed and when I try to run it, it closes after a few seconds. Then something curious happens. I must log in again with the testuser and after that the game starts without a problem (without trying to start it again!)
I upload the pkg with the ApplicationLoader 3.1 (3.6 didn't work, because it tells me that I can't submit an IPA file, even though it is a pkg; a lot of people have that problem and use an old version of the loader) and that worked too. But I got the result from Apple with the rejection: "...launched app and immediately stopped from launching." So they can't start it.
When I check the codesigned app with spctl -a -t exec -vv <APPNAME> I got the result:
<APPNAME>: rejected
...
But I don't know where I've made the mistake?!
Does anyone have an idea of what I am doing wrong?
You mean, to be on the safe side, to recreate the certificates? I am sure that I did that when I set up the Mac anew, but if nothing can go wrong, I can do it again to be sure...
Edit: I've created new certificates for that Mac and tried to codesign again. When I make the check with spctl -a -t exec -vv <APPNAME> I got the rejection again.
For the Mac OSX App Store I only need the certificates
3rd Party Mac Developer Application
3rd Party Mac Developer Installer
Mac OS Developer
And in the certificates (dev area at developer.apple.com) I have additional:
Mac App Distribution
Mac Installer Distribution

Reliable verification of codesigned app in OSX

After many problems codesigning a Mac OSX app, I finally got a working combination (what to sign, where it should be located).
My question is if there's some system command to do the exact same verification the system does on a downloaded app. I've used codesign --display and RB App Checker that passed the verification in some cases but when downloading the app didn't succeed.
You don't say what version of Mac OS X you develop under, or what version of Mac OS X you're downloading and testing on. That's important because there were changes in code signatures and GateKeeper in Mavericks and later.
See Apple's tech note for details, but what I use is:
spctl -a -v path/to/my.app

iOS codesign verification failed while upgrading to OS X 10.9.5

According to my Jenkins building log, I was sure that the following raised while my OS X upgraded to 10.9.5.
+ /usr/bin/codesign --verify -vvvv /Users/dobbymini/jenkins/workspace/DobbyBuild/build/Archive.xcarchive/Products/Applications/Dobby.app
Program /usr/bin/codesign returned 1 : [/Users/dobbymini/jenkins/workspace/DobbyBuild/build/Archive.xcarchive/Products/Applications/Dobby.app: resource envelope is obsolete
]
Codesign check fails : /Users/dobbymini/jenkins/workspace/DobbyBuild/build/Archive.xcarchive/Products/Applications/Dobby.app: resource envelope is obsolete
I've found the official document OS X Code Signing In Depth mentioned that it was related to the issue of 'version 2 signa'
Note: It is necessary to sign code while running OS X Mavericks to get a version 2 signature. The actual code signing machinery is part of the operating system, not the codesign tool. It will not work to copy the codesign tool from Mavericks to an older OS X version.
Apparently my OS version is high enough to have the version 2 signature. So there should be something wrong as mentioned by this document:
Structure your bundle according to the expectations for OS X version 10.9 or later:
Only include signed code in directories that should contain signed code.
Only include resources in directories that should contain resources.
Do not use the --resource-rules flag or ResourceRules.plist. They have been obsoleted and will be rejected.
The question is, I have not much idea about the limitation above.
Would anybody kindly help to provide some example?
This code change I found should be for the 3rd item above. https://github.com/maciekish/iReSign/commit/37b11a43c50afb8e94ca8b2fda192f23d39e7bf3
This is an issue with Mac OSX 10.9.5 and later. Apple will fix this in future release.
Please see my comments for xcodebuild - codesign -vvvv says "resource envelope is obsolete"
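
As an added example (not from any poster on this page or from Apple), the script below statically checks a bundle for the three conditions quoted in this thread and for the version 1 envelope from the first question on this page. It assumes a version 2 seal can be recognised by a files2 section in _CodeSignature/CodeResources; the function names and the sample bundle are made up for illustration.

```shell
# Added example: static audit of a bundle against the version 2 signing rules.
# Reads files only (no codesign/spctl), so it also runs on a non-Mac CI host.

# First four bytes of a file as hex, e.g. "cffaedfe".
magic() { od -An -tx1 -N4 "$1" | tr -d ' \n'; }

# True for Mach-O/fat magic numbers. cafebabe is shared with Java .class files.
is_macho() {
  case "$(magic "$1")" in
    feedface|feedfacf|cefaedfe|cffaedfe|cafebabe) return 0 ;;
  esac
  return 1
}

# Print one finding per line for the bundle in $1.
audit_findings() {
  # macOS bundles keep the seal under Contents/, iOS bundles at the root.
  seal="$1/Contents/_CodeSignature/CodeResources"
  [ -f "$seal" ] || seal="$1/_CodeSignature/CodeResources"
  if [ ! -f "$seal" ]; then
    echo "no-seal: _CodeSignature/CodeResources missing"
  elif ! grep -q '<key>files2</key>' "$seal"; then
    echo "v1-envelope: CodeResources has no files2 section"
  fi
  # A leftover ResourceRules.plist points at the obsolete --resource-rules flow.
  find "$1" -name ResourceRules.plist | sed 's/^/resource-rules: /'
  # Executable code sitting in the resources directory (macOS layout).
  if [ -d "$1/Contents/Resources" ]; then
    find "$1/Contents/Resources" -type f | while IFS= read -r f; do
      if is_macho "$f"; then echo "code-in-resources: $f"; fi
    done
  fi
}

# Return 0 only when the bundle produces no findings; otherwise print them.
audit_bundle() {
  out=$(audit_findings "$1")
  [ -z "$out" ] && return 0
  printf '%s\n' "$out"; return 1
}

# Constructed sample: a bundle with a v1-style seal and a dylib under Resources.
make_sample() {
  mkdir -p "$1/Contents/_CodeSignature" "$1/Contents/Resources"
  printf '<plist><dict><key>files</key><dict/></dict></plist>\n' \
    > "$1/Contents/_CodeSignature/CodeResources"
  printf '\317\372\355\376rest' > "$1/Contents/Resources/libhelper.dylib"
  printf 'text' > "$1/Contents/Resources/readme.txt"
}
```

Call audit_bundle with the path to a built .app before signing or uploading; the result of codesign --verify or spctl on the target OS version remains the authoritative check.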

Mac App - pkg export from XCode not opening in 10.7.5

I have a Mac App, I export it as a pkg for distribution, using the latest XCode.
Deployment target is 10.7.3.
I have got many user reports that the app can't be installed on 10.7.5 "appname can't be installed on this computer"
There is no further information in the logs.
My understanding is that this message can happen when a 64 bit only app is installed on a 32 bit mode OS, however the systems are running 64 bit kernel.
Any idea on how to fix this? The problem seems to be happening exclusively on 10.7.5 so far, might be a 10.7.5 bug, but I would still need a workaround.
I was able to somewhat work around the problem by manually building an installer package from the instructions found in Making OS X Installer Packages like a Pro - Xcode Developer ID ready pkg
I was however forced to bypass that process a little bit, mainly I think because of the privileged helper tool I provide with the app.
These were my steps, forged by desperate trial and error, your mileage may vary:
# In the release directory built by xcode, app already signed by xcode:
$ pkgbuild --component MyApp.app --install-location /Applications MyApp.pkg
$ productbuild --synthesize --package MyApp.pkg Distribution.xml
$ productbuild --distribution Distribution.xml --package-path . ./Installer.pkg
$ nano Distribution.xml
# added attribute customLocation="/Applications"
# to the choice-element for my app id.
$ productsign --sign "Developer ID Installer: Jon Larsson (...)" \
Installer.pkg InstallerSigned.pkg
The s produced an acceptable installer, though a little incomplete, which I think is because of an incomplete Distribution.xml.
