I'm pulling my hair out over this and still can't find what's wrong. Basically, I have an app that I'm ready to launch but whenever I archive and build I keep getting an "Application Failed Codesign" warning.
This is the code signing:
This is the warning I get:
And this is my keychain, all certificates are active:
Make sure that the release configuration is signed with a distribution certificate not a development certificate.
Related
I have replaced my keychain password and it deleted all the items in it. I started getting the
Item not found in a keychain error, so I regenerated development certificates, and now on every project, I get Command PhaseScriptExecution failed with a nonzero exit code
I have tried
locking and unlocking login in Keychain Acess
cleaning build folder
restarting my mac
pod deintegrate pod install
re-deleting keychain
restore previous keychain
This issue shows itself only while building on a real device
At this point I have no idea what can I do to make this error go away.
Ok, this situation is an absolute joke, but that what helped me to solve this.
Restoring all my previous keychains
Deleting all certificates to my name in each of them.
I continually get a codesign failure when compiling an openFrameworks (C++) program.
I found quite a few people with similar problems but the solutions did not work for me. Here is what I have done, informed by other forum entries:
Create a new Self Signed Root certificate for Code Signing in my keychain
Log out of and back into my keychain
Create a new keychain, switch the default keychain, change the password of the original keychain, change the default keychain back to the original, log back into the main keychain
Export my certificate and private key together in a .p12 file and then import into keychain (also repeated this process with deleting the original certificate and key before importing)
Export the certificate from Xcode (for a planned re-import) but I get "The operation could not be completed // No other information about is available about the problem" (the most unhelpful error message I've ever seen)
"Export Apple ID and Code Signing Assets" and then import of the same (all in Xcode)
Every combination (I think) of the Signing settings in the project
I had a developer account years ago and I wonder if somehow this is interfering with the process. I tried to access my certificates on the Apple Developer site but I don't have access to this portion of the service because my membership is expired.
This error occurs with any openFrameworks example I try as well as a new, blank sketch.
The full error message:
CodeSign bin/mySketchDebug.app
cd /Users/myusername/Documents/of_v0.10.1_osx_release/apps/myApps/mySketch
export CODESIGN_ALLOCATE=/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate
Signing Identity: "-"
/usr/bin/codesign --force --sign - --entitlements /Users/myusername/Library/Developer/Xcode/DerivedData/mySketch-etqpupvbyiamwodjeeyxogbqszyj/Build/Intermediates.noindex/mySketch.build/Debug/mySketch.build/mySketchDebug.app.xcent --timestamp=none /Users/myusername/Documents/of_v0.10.1_osx_release/apps/myApps/mySketch/bin/mySketchDebug.app
/Users/myusername/Documents/of_v0.10.1_osx_release/apps/myApps/mySketch/bin/mySketchDebug.app: code object is not signed at all
In subcomponent: /Users/myusername/Documents/of_v0.10.1_osx_release/apps/myApps/mySketch/bin/mySketchDebug.app/Contents/Frameworks/libfmodex.dylib
Command /usr/bin/codesign failed with exit code 1
This is a known problem with openFrameworks <= 0.10.1 and Xcode 11+. It is due to an unsigned libmodex library. This is fixed in the nightly release and in future releases of oF. Please see the following posts for references:
https://forum.openframeworks.cc/t/cant-build-getting-build-failed-with-any-example-code-sign-error/33668/2
https://forum.openframeworks.cc/t/cant-run-examples-in-xcode-signing-issue-with-libfmodex-dylib/33463/4
I am getting errSecInternalComponent when running the codesign command.
If I go to the keychain and change the certificate to always trust and run codesign command again, I get Warning: unable to build chain to self-signed root for signer "Developer ID Application: xxxxxx (xxxxxx)"./workspace/Myapp.app: errSecInternalComponent
This first time this happened was when I exported the developer certificate from another MacOS and imported it. Then I tried deleting the keychains, recreating it, installing apple root certificates, but still getting the same error.
Finally, I generated a new developer certificate and added it to the keychain, but still not working.
I am not sure what's different about this MAC. It's running Majave now. When the problem first happened it was running High sierra.
There could be many possible reasons for this error. Two frequent issues are:
codesign tool does not have access to the keychain item. Either explicitly give access to codesign or allow all applications to access it.
Unlock the keychain: security unlock-keychain <Full path to keychain>
Can get the full path using, security list-keychains
There were two problems:
I had duplicate identities in my keychain, which is the same with this
Duplicate identity after importing single certificate in OSX 10.10.3
The access permissions for the private key needs to allow codesign or allow all.
Not exactly the same issue, but we encountered a errSecInternalComponent during a build on jenkins. Increasing the timeout after which the keychain is closed again fixed it.
My installer is created using PackageMaker. After that I codesigned the installer using the following command.
productsign --sign 'Blah, Inc.' Install.mpkg/ CS/Install.mpkg
This seem to work pretty well and I could see that it is signed using the following command.
pkgutil --check-signature Install.mpkg
Since the certificate is installed on my system in keychain, the installer seem to show a little lock on top right corner. Clicking this opens up the certificate.
If the installer is placed in a system without the certificate installed the lock is no longer seen. However I could still run the command to check for certificate.
1) Is there a graphical way to check for code signing before installing? (I do not want to run command line)
2) I removed a folder from the mpkg file using finder to see if the installer will complain of tampering. But that does not happen. Is there a way the installer can stop install if it is tampered?
3) I also code signed all the binaries in my package (mostly daemons) using xcode's option to use certificate. Again I am able to see the binary as signed, however I do get a message
kernel[0]: CODE SIGNING: cs_invalid_page(0x1000): p=224[MyDaemon] clearing CS_VALID.
Googling, I found http://feedback.photoshop.com/photoshop_family/topics/photoshop_13_0_4_x64_how_can_i_get_rid_of_the_could_not_complete_your_request_because_of_a . However I am still not very clear what they are getting at. Could someone help me?
You can sign .mpkg packages but you must sign it with the Developer ID Application cert and not the Developer ID Installer cert.
When you sign the .mpkg you get a number a warnings that the inner packages must be signed but the signing seems to be valid with or without the inner .pkg signed.
I have tested that modifying an internal .pkg causes the .mpkg to fail the Gatekeeper check
So for the each internal .pkg files you should:
sudo productsign --sign "<Developer ID Installer: Cert>" "<source.mpkg>/Contents/Packages/<source.pkg>" "<destination.mpkg>/Contents/Packages/<source.pkg>"
for then for the .mpkg do:
sudo productsign --sign "<Developer ID Application: Cert>" "<Source .mpkg>" "<Destination .mpkg>"
You can sign only flat packages. Your package has extension .mpkg which I believe is the older bundle format. Make sure you are using flat packages if you want to sign them.
I have downloaded and installed the WWDR certificate. I have tried setting it to Always Trust and system defaults.
When I try to archive my app I get the CSSMERR_TP_NOT_TRUSTED error.
If I try signing manually I get the same:
/usr/bin/codesign --force --sign "3rd Party Mac Developer Application:
XX XXX-XXX"
/Users/XXX/Library/Developer/Xcode/DerivedData/XXX-fivqootinaolitdbpxccqykoaoqs/ArchiveIntermediates/XXX/InstallationBuildProductsLocation/Users/XXX/Applications/XXX.app
/Users/xxx/Library/Developer/Xcode/DerivedData/xxx-fivqootinaolitdbpxccqykoaoqs/ArchiveIntermediates/xxx/InstallationBuildProductsLocation/Users/xxx/Applications/xxx.app:
replacing invalid existing signature
/Users/xxx/Library/Developer/Xcode/DerivedData/xxx-fivqootinaolitdbpxccqykoaoqs/ArchiveIntermediates/xxx/InstallationBuildProductsLocation/Users/xxx/Applications/xxx.app:
CSSMERR_TP_NOT_TRUSTED
BUT
If I use
sudo /usr/bin/codesign --force --sign
Then it works....
The key is installed in keychain access in the 'login' chain.
Obishawn used one of the suggestions provided by Apple in the following steps published to troubleshoot this error - How do I resolve the CodeSign error: CSSMERR_TP_NOT_TRUSTED?
.
For others experiencing this build error -
CSSMERR_TP_NOT_TRUSTED
the above guide covers a more broad range of potential causes. The error can also occur at Xcode Archive > Share, Validate, or Submit time, and the above steps to resolve it are the same.
Ok, I finally figured mine out. I had the WWDR certificate in my login keychain and my System keychain. I deleted both and reimported a fresh one from Apple and everything works now. I can codesign without using sudo and MonoDevelop can fully compile for distribution and upload to my devices.
My two cents on that problem :
I had to fight with it for some hours. Here are what I had to fix to have codesign do its job :
Ensure that certificates are not duplicated between the login and the system keychain
Ensure no old / expired / revoked versions of the certificates exist in any keychain
Ensure all certificates have "system default" trust policy. If one is set to "always trust", then codesign will fail.
This last point was found on a machine that was migrated to Xcode 8.2 recently. It might be a new behavior of Xcode 8.