Cannot sign app in Xcode CSSMERR_TP_NOT_TRUSTED - xcode

I have downloaded and installed the WWDR certificate. I have tried setting it to Always Trust and system defaults.
When I try to archive my app I get the CSSMERR_TP_NOT_TRUSTED error.
If I try signing manually I get the same:
/usr/bin/codesign --force --sign "3rd Party Mac Developer Application: XX XXX-XXX" /Users/XXX/Library/Developer/Xcode/DerivedData/XXX-fivqootinaolitdbpxccqykoaoqs/ArchiveIntermediates/XXX/InstallationBuildProductsLocation/Users/XXX/Applications/XXX.app
/Users/xxx/Library/Developer/Xcode/DerivedData/xxx-fivqootinaolitdbpxccqykoaoqs/ArchiveIntermediates/xxx/InstallationBuildProductsLocation/Users/xxx/Applications/xxx.app: replacing invalid existing signature
/Users/xxx/Library/Developer/Xcode/DerivedData/xxx-fivqootinaolitdbpxccqykoaoqs/ArchiveIntermediates/xxx/InstallationBuildProductsLocation/Users/xxx/Applications/xxx.app: CSSMERR_TP_NOT_TRUSTED
BUT if I use
sudo /usr/bin/codesign --force --sign
then it works.
The key is installed in Keychain Access in the 'login' keychain.

Obishawn used one of the suggestions provided by Apple in the following steps published to troubleshoot this error: How do I resolve the CodeSign error: CSSMERR_TP_NOT_TRUSTED?
For others experiencing this build error (CSSMERR_TP_NOT_TRUSTED), the above guide covers a broader range of potential causes. The error can also occur at Xcode Archive > Share, Validate, or Submit time, and the above steps to resolve it are the same.

Ok, I finally figured mine out. I had the WWDR certificate in my login keychain and my System keychain. I deleted both and reimported a fresh one from Apple and everything works now. I can codesign without using sudo and MonoDevelop can fully compile for distribution and upload to my devices.

My two cents on that problem:
I had to fight with it for some hours. Here is what I had to fix to have codesign do its job:
1) Ensure that certificates are not duplicated between the login and the System keychain.
2) Ensure no old / expired / revoked versions of the certificates exist in any keychain.
3) Ensure all certificates have the "system default" trust policy. If one is set to "always trust", then codesign will fail.
This last point was found on a machine that was migrated to Xcode 8.2 recently. It might be a new behavior of Xcode 8.

Related

Codesign Failed Compiling for openFrameworks

I continually get a codesign failure when compiling an openFrameworks (C++) program.
I found quite a few people with similar problems but the solutions did not work for me. Here is what I have done, informed by other forum entries:
1) Create a new Self Signed Root certificate for Code Signing in my keychain
2) Log out of and back into my keychain
3) Create a new keychain, switch the default keychain, change the password of the original keychain, change the default keychain back to the original, log back into the main keychain
4) Export my certificate and private key together in a .p12 file and then import into keychain (also repeated this process with deleting the original certificate and key before importing)
5) Export the certificate from Xcode (for a planned re-import) but I get "The operation could not be completed // No other information about is available about the problem" (the most unhelpful error message I've ever seen)
6) "Export Apple ID and Code Signing Assets" and then import of the same (all in Xcode)
7) Every combination (I think) of the Signing settings in the project
I had a developer account years ago and I wonder if somehow this is interfering with the process. I tried to access my certificates on the Apple Developer site but I don't have access to this portion of the service because my membership is expired.
This error occurs with any openFrameworks example I try as well as a new, blank sketch.
The full error message:
CodeSign bin/mySketchDebug.app
cd /Users/myusername/Documents/of_v0.10.1_osx_release/apps/myApps/mySketch
export CODESIGN_ALLOCATE=/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate
Signing Identity: "-"
/usr/bin/codesign --force --sign - --entitlements /Users/myusername/Library/Developer/Xcode/DerivedData/mySketch-etqpupvbyiamwodjeeyxogbqszyj/Build/Intermediates.noindex/mySketch.build/Debug/mySketch.build/mySketchDebug.app.xcent --timestamp=none /Users/myusername/Documents/of_v0.10.1_osx_release/apps/myApps/mySketch/bin/mySketchDebug.app
/Users/myusername/Documents/of_v0.10.1_osx_release/apps/myApps/mySketch/bin/mySketchDebug.app: code object is not signed at all
In subcomponent: /Users/myusername/Documents/of_v0.10.1_osx_release/apps/myApps/mySketch/bin/mySketchDebug.app/Contents/Frameworks/libfmodex.dylib
Command /usr/bin/codesign failed with exit code 1
This is a known problem with openFrameworks <= 0.10.1 and Xcode 11+. It is due to an unsigned libfmodex library. This is fixed in the nightly release and in future releases of oF. Please see the following posts for references:
https://forum.openframeworks.cc/t/cant-build-getting-build-failed-with-any-example-code-sign-error/33668/2
https://forum.openframeworks.cc/t/cant-run-examples-in-xcode-signing-issue-with-libfmodex-dylib/33463/4

codesign throws err 'errSecInternalComponent'

I am getting errSecInternalComponent when running the codesign command.
If I go to the keychain and change the certificate to always trust and run the codesign command again, I get:
Warning: unable to build chain to self-signed root for signer "Developer ID Application: xxxxxx (xxxxxx)"
./workspace/Myapp.app: errSecInternalComponent
The first time this happened was when I exported the developer certificate from another macOS machine and imported it. Then I tried deleting the keychains, recreating them, and installing the Apple root certificates, but I am still getting the same error.
Finally, I generated a new developer certificate and added it to the keychain, but it is still not working.
I am not sure what's different about this Mac. It's running Mojave now. When the problem first happened it was running High Sierra.
There could be many possible reasons for this error. Two frequent issues are:
1) The codesign tool does not have access to the keychain item. Either explicitly give access to codesign or allow all applications to access it.
2) The keychain is locked. Unlock it with: security unlock-keychain <Full path to keychain>
You can get the full path using: security list-keychains
There were two problems:
1) I had duplicate identities in my keychain, which is the same as this: Duplicate identity after importing single certificate in OSX 10.10.3
2) The access permissions for the private key need to allow codesign or allow all.
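A triage script for the duplicate-identity and untrusted/expired-certificate problems described in this answer and in the three-point checklist in the first thread above (an added example, not code from any of the posters). It parses the real output format of security find-identity -p codesigning; the identity names, hashes and team ID in the embedded sample are constructed.

```shell
# Triage helper: parses the output of `security find-identity -p codesigning`
# and reports identities codesign refuses (CSSMERR_ status) and names that
# occur more than once among valid identities (the duplicate-certificate
# case above). Pipe real output in, or use the constructed sample below.
SAMPLE_OUTPUT='Policy: Code Signing
  Matching identities
  1) 0000000000000000000000000000000000000001 "Developer ID Application: Example Corp (TEAMID0001)" (CSSMERR_TP_CERT_EXPIRED)
  2) 0000000000000000000000000000000000000002 "Developer ID Application: Example Corp (TEAMID0001)"
  3) 0000000000000000000000000000000000000003 "Developer ID Application: Example Corp (TEAMID0001)"
  4) 0000000000000000000000000000000000000004 "Developer ID Installer: Example Corp (TEAMID0001)" (CSSMERR_TP_NOT_TRUSTED)
     4 identities found

  Valid identities only
  1) 0000000000000000000000000000000000000002 "Developer ID Application: Example Corp (TEAMID0001)"
  2) 0000000000000000000000000000000000000003 "Developer ID Application: Example Corp (TEAMID0001)"
     2 valid identities found'

# "Matching identities" entries carrying a status code, i.e. ones codesign
# cannot use. Prints "<status> <identity name>" per line.
flagged_identities() {
  awk '/Valid identities only/ { exit }
       /^ *[0-9]+\) [0-9A-Fa-f]+ ".*" \(CSSMERR_/ {
         name = $0;   sub(/^[^"]*"/, "", name);  sub(/".*$/, "", name)
         status = $0; sub(/.*\(/, "", status);   sub(/\)$/, "", status)
         print status, name }'
}

# Names listed more than once among valid identities; --sign "<name>" is
# ambiguous for these. Prints "<count> <identity name>" per line.
duplicate_valid_identities() {
  awk '/Valid identities only/ { in_valid = 1; next }
       in_valid && /^ *[0-9]+\) [0-9A-Fa-f]+ "/ {
         name = $0; sub(/^[^"]*"/, "", name); sub(/".*$/, "", name)
         count[name]++ }
       END { for (n in count) if (count[n] > 1) print count[n], n }'
}

# SHA-1 hashes of the valid identities with exactly this name; codesign
# accepts a hash for --sign, which sidesteps the ambiguity while cleaning up.
identity_hashes_for() {
  awk -v want="$1" '/Valid identities only/ { in_valid = 1; next }
       in_valid && /^ *[0-9]+\) [0-9A-Fa-f]+ "/ {
         name = $0; sub(/^[^"]*"/, "", name); sub(/".*$/, "", name)
         if (name == want) print $2 }'
}

printf '%s\n' "$SAMPLE_OUTPUT" | flagged_identities
printf '%s\n' "$SAMPLE_OUTPUT" | duplicate_valid_identities
```

On a real machine replace the sample with `security find-identity -p codesigning | flagged_identities` and so on; a name reported by duplicate_valid_identities is the one to delete from one of the two keychains.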
Not exactly the same issue, but we encountered an errSecInternalComponent during a build on Jenkins. Increasing the timeout after which the keychain is locked again fixed it.

Build Failed While creating package .pkg file

I am creating a .pkg file using the “Packages” application.
Previously I was able to create a .pkg file with a certificate as well, but now it gives me a Build Failed error, while if I remove the certificate I can build the .pkg.
I am not even able to get any error log for the error message. If anyone has a better tool or method to create package files and dmg files, please tell me.
It is my understanding that signing with Packages presently does not work well. I think there is something in the manual about that, in fact. I build my package with Packages first, then sign it with productsign --sign <sign-id> <src-path> <dst-path>. The <sign-id> should be your "Developer ID Installer" identity, I think. This has been working well for me. You can then verify that the signing worked using spctl -a -v --type install <path>, where <path> is the path to the signed package made by productsign.
cd /path/to/app
productbuild --component "appname.app" /Applications --sign "3rd Party Mac Developer Installer: Company Name Private Limited" --product "appname.app/Contents/Info.plist" "appname.pkg"
Try the PackageMaker application; it is good.
Use the above commands in Terminal and your pkg will be good to go.
I found the cause of this error.
The problem was in my keychain: since I updated my OS to 10.12.3 I was facing this issue. To resolve it I checked my keychain, where I found my Installer certificate in the “login” keychain only, so I copied this certificate into the System keychain as well. All the problems went away. If I ever face this issue again I check the keychain again. Problem solved.

Signing mac installer (pkgmaker)

My installer is created using PackageMaker. After that I codesigned the installer using the following command.
productsign --sign 'Blah, Inc.' Install.mpkg/ CS/Install.mpkg
This seems to work pretty well and I could see that it is signed using the following command.
pkgutil --check-signature Install.mpkg
Since the certificate is installed on my system in the keychain, the installer shows a little lock in the top right corner. Clicking this opens up the certificate.
If the installer is placed on a system without the certificate installed, the lock is no longer seen. However, I could still run the command to check for the certificate.
1) Is there a graphical way to check for code signing before installing? (I do not want to run command line)
2) I removed a folder from the mpkg file using finder to see if the installer will complain of tampering. But that does not happen. Is there a way the installer can stop install if it is tampered?
3) I also code signed all the binaries in my package (mostly daemons) using xcode's option to use certificate. Again I am able to see the binary as signed, however I do get a message
kernel[0]: CODE SIGNING: cs_invalid_page(0x1000): p=224[MyDaemon] clearing CS_VALID.
Googling, I found http://feedback.photoshop.com/photoshop_family/topics/photoshop_13_0_4_x64_how_can_i_get_rid_of_the_could_not_complete_your_request_because_of_a . However I am still not very clear what they are getting at. Could someone help me?
You can sign .mpkg packages but you must sign them with the Developer ID Application cert and not the Developer ID Installer cert.
When you sign the .mpkg you get a number of warnings that the inner packages must be signed, but the signature seems to be valid with or without the inner .pkg signed.
I have tested that modifying an internal .pkg causes the .mpkg to fail the Gatekeeper check.
So for each internal .pkg file you should:
sudo productsign --sign "<Developer ID Installer: Cert>" "<source.mpkg>/Contents/Packages/<source.pkg>" "<destination.mpkg>/Contents/Packages/<source.pkg>"
and then for the .mpkg do:
sudo productsign --sign "<Developer ID Application: Cert>" "<Source .mpkg>" "<Destination .mpkg>"
You can sign only flat packages. Your package has extension .mpkg which I believe is the older bundle format. Make sure you are using flat packages if you want to sign them.

How to codesign an existing Mac OS X .app file for gatekeeper?

I paid the $99 to get a developer license w/ Apple. Installed Xcode 4.3. Went to the Organizer and "Provisioning Profiles" and refreshed to download my code signing certificate. Checked my Keychain Access and confirmed that I have "3rd Party Mac Developer ", "Developer ID" and "Mac Developer *" certificates.
At this point the documentation from Apple mentioned pulling up your project files. I'm using Wineskin to package my Windows application, so I don't have an Xcode project. I have a .app file produced by Wineskin. I'd like to codesign the .app file that Wineskin produced for me.
I tried:
codesign -s "certificate name" /path/to/my.app
I tried all the possible certificate names that had my name and the word "Application" in them from my Keychain Access.
Every time I get the error "/path/to/my.app: object file format unrecognized, invalid, or unsuitable"
Any idea on how to get past this error? Am I even attempting the proper command? Or is there a different way I should go?
To summarize the comments to my questions, here are the commands I run to sign my .app file for Gatekeeper:
export CODESIGN_ALLOCATE="/Applications/Xcode.app/Contents/Developer/usr/bin/codesign_allocate"
codesign --force --sign "Developer ID Application: <my name>" /path/to/my.app
Thanks, Gordon Davisson and JWWalker!
(edit) If this fails, I realize that installing the "Command Line Tools" from within Xcode was needed.
EDIT: To verify:
$ codesign -dv --verbose=4 my.app
In your Apple ID account, make sure you have the necessary types of certificate.
Make sure you have a valid developer certificate and a private key in your keychain.
If you have problems with it, the certificate should be revoked via developer.apple.com and generated from scratch (Xcode > Accounts > Manage Certificates).
Then you can use codesign:
codesign --force --deep --sign "Apple Development: FirstName LastName (XXXXXXXXXX)" /Applications/ApplicationName.app
Before using the codesign command, install the Command Line Tools for Xcode from the https://developer.apple.com/downloads/index.action section.
(You need a developer account to download Additional Tools.)
Please check for any hidden file in the Payload folder (like .DS_Store) and if there is one, remove it:
Navigate to the Payload folder in Terminal using the cd command
Type ls -a in Terminal
If there is such a hidden file, delete it with rm -f .DS_Store
This solution worked for me, so please give it a try.
