Hi our team is looking into feasibilities of appending customized data to personalized installer, so that we can make new users onboarding experience better. I did some investigations. Append token data to xattr to a dmg, I went though this smoothly. I can successfully retrieve the data back, and the app can still be launched successfully. Want to make sure this doesn't require the dmg to be re-signed and re-notarized, and I didn't miss any steps in between I created a fake simulation app try to sign and notarize. Signing the dmg seems to be successful, but when I notarize, it gave me back Invalid status. Is there anything wrong? This is the signature: Executable=/Users/myname/myname/poc/MySimulation.dmg Identifier=MySimulation Format=disk image CodeDirectory v=20200 size=304 flags=0x0(none) hashes=1+6 location=embedded Hash type=sha256 size=32 CandidateCDHash sha256=e2a149614f6e0e3939db3a 4c762adda0e8c24 CandidateCDHashFull sha256=e2a149614f6e0e3939db3a3054adda0e8c24f597ddf4c4503cd27fb83821 Hash choices=sha256 CMSDigest=e2a149614f6e0e3939dba3054c62adda0e8c24f597ddf4c4503cd27fb83821 CMSDigestType=2 CDHash=e2a149614f6e0e39393a3054c762adda0e8c24 Signature size=4789 Authority=Apple Development: myId (someId) Authority=Apple Worldwide Developer Relations Certification Authority Authority=Apple Root CA Signed Time=Oct 14, 2024 at 3:46:08 PM Info.plist=not bound TeamIdentifier=W3TC3HXUZC Sealed Resources=none Internal requirements count=1 size=188 Do you have any other recommendations for us to append some data that doesn't break signing / notarization?

We are facing following message "A timestamp was expected but was not found" during codesign for following .dylib and .pkg and it cause notarization process failed. We are facing this issue for last 3 days. we have access for timestamp.apple.com and 17.0.0.0/8 and we didn't change firewall settings. We are facing this issue randomly and not for all time(scenario is 3:1). We tried the below command to sign the package, codesign --verbose --deep --force --timestamp --options=runtime --sign "" Kindly let us know how to fix this probelm. traceroute timestamp.apple.com traceroute to timestamp.v.aaplimg.com (17.157.80.35), 64 hops max, 52 byte packets .... 10 17.0.9.19 (17.0.9.19) 185.693 ms 17.0.9.17 (17.0.9.17) 180.932 ms 189.060 ms 11 * * * 12 17.0.17.141 (17.0.17.141) 191.513 ms * 17.0.17.137 (17.0.17.137) 183.086 ms 13 * * * 14 * * *

There does not seem to be a way to code sign a PAM module so that an XPC service can verify the signature with setCodeSigningRequirement. There should be a way to build a PAM module (dynamic Library ) so it can be code signed. Put in a bundle and code signing the bundle does not work .

Hi, the documentation says that an application bundle for Mac OS X can have a Frameworks folder within Contents. Using a framework for console applications (no bundle) and GUI applications (bundle), I cannot load the console applications anymore on Ventura. Prior to Ventora I have tested and ran both on Mojave or earlier - I am not sure. To fix the issue, I have moved the frameworks within the application bundle to match the rpath for /Users/lothar/Library/Frameworks when I place the console into /Users/lothar/bin, the same rpath for application bundles works for those within the bin folder. Can I publish an application bundle with that modified layout or do I have to expect getting problems and do rather a Symlink pointing from /Users/lothar/Frameworks to /Users/lothar/Library/Frameworks? Thanks, Lothar

CodeSign /Users/abc007/Library/Developer/Xcode/DerivedData/App-fjztkcxqsstohgfvqdfnedgpwltj/Build/Intermediates.noindex/ArchiveIntermediates/App/InstallationBuildProductsLocation/Applications/App.app (in target 'App' from project 'App') cd /Users/abc007/Documents/WorkSpace/RegulusIT/Release_Oct_2024/UI\ Backup/ios/App Signing Identity: "Apple Development: Yatin Ghat (JS84GYN3O4)" Provisioning Profile: "iOS Team Provisioning Profile: www.rightschool.net" (bdc0759d-b9d0-4470-8e3f-b5b67d3c2586) /usr/bin/codesign --force --sign 82C0E5904219E333688CE627A21522F732446038 --entitlements /Users/abc007/Library/Developer/Xcode/DerivedData/App-fjztkcxqsstohgfvqdfnedgpwltj/Build/Intermediates.noindex/ArchiveIntermediates/App/IntermediateBuildFilesPath/App.build/Release-iphoneos/App.build/App.app.xcent --generate-entitlement-der /Users/abc007/Library/Developer/Xcode/DerivedData/App-fjztkcxqsstohgfvqdfnedgpwltj/Build/Intermediates.noindex/ArchiveIntermediates/App/InstallationBuildProductsLocation/Applications/App.app /Users/abc007/Library/Developer/Xcode/DerivedData/App-fjztkcxqsstohgfvqdfnedgpwltj/Build/Intermediates.noindex/ArchiveIntermediates/App/InstallationBuildProductsLocation/Applications/App.app: errSecInternalComponent Command CodeSign failed with a nonzero exit code

When I try to launch my own Java app, I get the following error message. xpcproxy exited due to OS_REASON_CODESIGNING | Launch Constraint Violation, error info: c[5]p[1]m[1]e[0], (Constraint not matched) launch type 3, failure proc [vc: 1]: /bin/bash As far as I know, the failing process path is /bin/bash. This issue is only happening on macOS Sequoia. The Java app works without any issue on MacOS Sonoma or any previous macOS versions. I did not make any changes, including launch constraints or any other settings. After updating to macOS Sequoia, I started getting this error and can no longer launch my app. Thank you so much.

Hello, We use automatic signing and Fastlane on our CI. Fastlane uses xcodebuild to create an archive. xcodebuild -workspace ourApp.xcworkspace -scheme app-dev -destination generic/platform=iOS -archivePath app-dev.xcarchive -skipPackagePluginValidation -allowProvisioningUpdates -authenticationKeyID OurAppStoreConnectAuthKey -authenticationKeyIssuerID OurAppStoreConnectAuthKeyIssuerId -authenticationKeyPath /path/to/OurAppStoreConnectKey.p8 clean archive All works fine, but .... Why does Xcode 16 log out logged Apple ID and create a new every build? As a result, we have more and more Unknown Apple IDs in Xcode, and for each of them an error appears in log. Error: xcodebuild[3174:1804334] DVTDeveloperAccountManager: Failed to load credentials for 0A1DF15C-ETC-ETC: Error Domain=DVTDeveloperAccountCredentialsError Code=0 "Invalid credentials in keychain for 0A1DF15C-ETC-ETC, missing Xcode-Username" UserInfo={NSLocalizedDescription=Invalid credentials in keychain for 0A1DF15C-ETC-ETC, missing Xcode-Username} Of course, the originally logged-in Apple ID has an error corresponding to his non-logged-in state. xcodebuild[3174:1804334] DVTDeveloperAccountManager: Failed to load credentials for originally_logged-in_user: Error Domain=DVTDeveloperAccountCredentialsError Code=0 "Invalid credentials in keychain for originally_logged-in_user, missing Xcode-Token" UserInfo={NSLocalizedDescription=Invalid credentials in keychain for originally_logged-in_user, missing Xcode-Token} Why does this happen and how can it be fixed? Why does Xcode 16 log out its logged Apple ID?

I would like to share my new project on an open source repository like GitHub. it need capabilities like iCloud. The problem is that I would prefer not have my appleid email being send to the open source repository. I saw that I can exclude files but I would be easier if the open source version had no Apple account associated with it. how should I manage the open source version vs the App Store one. Thank you

Hi Apple community, many thanks in advance for your help. My macOS app embeds a Python interpreter, compiled from source, including the Python executable and its associated libraries. We have tried compiling the project with Xcode 16.0 and 16.1 beta 2 over MacOS Sequoia 15.0 and 15.1. The project is 100% developed in Swift6. This is how the project looks like: SampleApp.app SampleApp.app/Contents SampleApp.app/Contents/MacOS SampleApp.app/Contents/MacOS/SampleApp SampleApp.app/Contents/MacOS/bin SampleApp.app/Contents/MacOS/bin/python3.11 SampleApp.app/Contents/Resources SampleApp.app/Contents/Resources/lib SampleApp.app/Contents/Resources/lib/python3.11 SampleApp.app/Contents/Resources/Info.plist Since we want to 'initially' distribute the app directly, Python binary is signed as follows: codesign --deep --force --options runtime --timestamp --sign "$DEVELOPER_ID_APPLICATION" "$BINARY_PATH" App entitlements contain the next entries: <key>com.apple.security.app-sandbox</key> <true/> <key>com.apple.security.files.downloads.read-write</key> <true/> <key>com.apple.security.files.user-selected.read-only</key> <true/> <key>com.apple.security.files.user-selected.read-write</key> <true/> <key>com.apple.security.network.client</key> <true/> <key>com.apple.security.network.server</key> <true/> The resulting app is signed with entitlements, notarised and stapled. Once the app is running, we can see the next errors on Console: Prompting policy for hardened runtime; service: kTCCServiceAppleEvents requires entitlement com.apple.security.automation.apple-events but it is missing for accessing={TCCDProcess: identifier=[IDENTIFIER]], pid=58826, auid=502, euid=502, binary_path=[PATH]}, requesting={TCCDProcess: identifier=com.apple.appleeventsd, pid=824, auid=55, euid=55, binary_path=/System/Library/CoreServices/appleeventsd}, Python process runs for some seconds and then the process disappears. We can not see any AMFI message on Console. Then we add to Signing and Capabilities 'Apple Events' from Hardened Runtime section. The resulting app gets signed, notarised and stapled, but when running we get only the next errors: error 09:42:32.787744+0200 SampleApp Can't find or decode reasons error 09:42:32.787832+0200 SampleApp Failed to get or decode unavailable reasons Just in case it is relevant, this is how the app interacts with Python: process.executableURL = URL(fileURLWithPath: [PATH_TO_PYTHON_BINARIE]) process.environment = environment process.arguments = arguments process.standardOutput = pipe try process.run() process.waitUntilExit() We truly appreciate any guidance, help or advice. Thanks!!

Hi Apple community, many thanks in advance for your help. My macOS app embeds a Python interpreter, compiled from source, including the Python executable and its associated libraries. We have tried compiling the project with Xcode 16.0 and 16.1 beta 2 over MacOS Sequoia 15.0 and 15.1 This is how the project looks like: SampleApp.app SampleApp.app/Contents SampleApp.app/Contents/MacOS SampleApp.app/Contents/MacOS/SampleApp SampleApp.app/Contents/MacOS/bin SampleApp.app/Contents/MacOS/bin/python3.11 SampleApp.app/Contents/Resources SampleApp.app/Contents/Resources/lib SampleApp.app/Contents/Resources/lib/python3.11 SampleApp.app/Contents/Resources/Info.plist Since we want to 'initially' distribute the app directly, Python binary is signed as follows: codesign --deep --force --options runtime --timestamp --sign "$DEVELOPER_ID_APPLICATION" "$BINARY_PATH" App entitlements contain the next entries: <key>com.apple.security.app-sandbox</key> <true/> <key>com.apple.security.files.downloads.read-write</key> <true/> <key>com.apple.security.files.user-selected.read-only</key> <true/> <key>com.apple.security.files.user-selected.read-write</key> <true/> <key>com.apple.security.network.client</key> <true/> <key>com.apple.security.network.server</key> <true/> The resulting app is signed with entitlements, notarised and stapled. Once the app is running, we can see the next error on Console: Prompting policy for hardened runtime; service: kTCCServiceAppleEvents requires entitlement com.apple.security.automation.apple-events but it is missing for accessing={TCCDProcess: identifier=[IDENTIFIER]], pid=58826, auid=502, euid=502, binary_path=[PATH]}, requesting={TCCDProcess: identifier=com.apple.appleeventsd, pid=824, auid=55, euid=55, binary_path=/System/Library/CoreServices/appleeventsd}, Python process is not running, we can't see any AMFI message. Next we added to Signing and Capabilities 'Apple Events' from Hardened Runtime section. The resulting app gets signed, notarised and stapled, but when running we get only the next errors: error 09:42:32.787744+0200 SampleApp Can't find or decode reasons error 09:42:32.787832+0200 SampleApp Failed to get or decode unavailable reasons Just in case it is relevant, this is how the app interacts with Python: process.executableURL = URL(fileURLWithPath: [PATH_TO_PYTHON_BIN]) process.environment = environment process.arguments = arguments process.standardOutput = pipe try process.run() process.waitUntilExit() We truly appreciate any guidance, help or advice. Thanks!!

The actual error: pkgbuild: error: Could not find appropriate signing identity for “Developer ID installer: My Name (DeveloperID)”. I'm trying to sign a program written with gfortran. The steps worked the last time (Mar 23) I built this code. The steps to error: a) xcrun notarytool store-credentials --apple-id "***" --team-id "yyy" Giving Profile Name zzz and App-specific password b) codesign --force --timestamp --options=runtime -s "Developer ID Application: My Name (yyy)" AppName c) pkgbuild --root ROOT --identifier org.aaa.bbb --version "1.1.1" --sign "Developer ID installer: My Name (yyy)" AppName.pkg ROOT contains the package contents At this point I get the error pkgbuild: error: Could not find appropriate signing identity for “Developer ID installer: My Name (yyy)” Are there steps that have changed. Any suggestions? Thanks, David

Using .p12 file (included ios developer and ios distribution), to keychain login tried to register iPhone Developer and iPhone Distribution. But iPhone Distribution is not displayed. MacOS: 15.0.1

My mac os is 15.0.1. Using .p12 file (included ios developer and ios distribution), to keychain login tried to register iPhone Developer and iPhone Distribution. But iPhone Distribution is not displayed.

Hi, I have an Electron app that I build, sign, notarize, and staple using electron-builder. It includes Sound Exchange (SoX), which I was invoking from the homebrew installed version. It builds a dmg and works fine. However, my users are non-technical, thus cannot be expected to install dev tools, homebrew, and sox from the command line and set paths. Therefore, I need to include a SoX binary in my app. I have a static SoX binary that works. However, when I try to run it from my electron app, I get Error: spawn / <path>/sox EACCES. Electron-builder is signing the SoX binary codesign --sign <sign number> --force --timestamp --options runtime --entitlements dist/entitlements/entitlements.mac.plist /<app path>Contents/Resources/bin/sox/sox The app sign/notarize works fine, the dmg mounts, and the app runs until I try to invoke SoX. Also, I verified the sox binary and entire app are signed and the app staple is valid. I am running the app from /Applications. Please help me!

Hi, I've recently observed a sudden increase in support requests for one of my apps on the Mac App Store, reporting the error " is damaged and can't be opened. Please re-download it from the Mac App Store", all on different systems: macOS 12, macOS 13, and macOS 15 Sequoia. Re-downloading does not resolve the issue most of the time. One user reported that being connected to the internet resolved it - perhaps this is an OCSP issue again? I myself cannot reproduce this issue. Has there been a change in code-signing recently? Have some certificates changed? Anything else I should be aware of? What is the best course of action to have users take who experience this, when re-downloading the app from the Mac App Store does not work? Thank you, – Matthias

I'm using PyBind11 to allow use of Python code within my C++ application. The application links successfully, but on the py::module::import below: LOGICAL WebServer:: CheckForPort() { EPython::Prepare(); auto socket = py::module::import("socket"); auto s = socket.attr("socket")(socket.attr("AF_INET"),socket.attr("SOCK_STREAM")); if (s == Py_None) return L_TRUE; auto rc = s.attr("connect_ex")("localhost",8810); // // Returns zero if port in in use // return (rc.cast<int>() == 0); } I get a run-time error libc++abi: terminating due to uncaught exception of type pybind11::error_already_set: ImportError: dlopen(/Library/Frameworks/Python.framework/Versions/3.11/lib/python3.11/lib-dynload/math.cpython-311-darwin.so, 0x0002): tried: '/Users/Shared/Develop/IntelApps/WinTD 5/DerivedData/WinTDOSX/Build/Products/Debug/math.cpython-311-darwin.so' (no such file), '/usr/lib/system/introspection/math.cpython-311-darwin.so' (no such file, not in dyld cache), '/Library/Frameworks/Python.framework/Versions/3.11/lib/python3.11/lib-dynload/math.cpython-311-darwin.so' (code signature in <855730B8-106D-389C-BF65-36A98463EDB5> '/Library/Frameworks/Python.framework/Versions/3.11/lib/python3.11/lib-dynload/math.cpython-311-darwin.so' not valid for use in process: mapping process and mapped file (non-platform) have different Team IDs), I have no idea how to fix the code signature error---this is intended for distribution, so that presumably would be a file on the user's computer. I tried to link in the .so file, but that's a rabbit hole as there are a near endless set of further dependencies.

I have tried to manually install binaries using Finder by clicking and dragging from the Desktop into "/usr/local/bin/". The binaries come with a collection of frameworks etc. All the binaries are adhoc signed. macOS asks for Admin credentials which is fine. But then, when I execute the binaries in Terminal, Gatekeeper shows the now expected "'[binary"] Not Opened Apple could not verify ........" etc. It shows that dialog for every component and requires user input 2-3 times to allow each component of which there are perhaps dozens. BUT, none of that happens if I install those binaries using AppleScript. So, it might have a call like this: do shell script "curl -L " &amp; download_URL &amp; " -o " &amp; download_binary_zip with administrator privileges do shell script "unzip -o " &amp; download_binary_zip &amp; " -d " &amp; usr_bin_folder with administrator privileges The resulting installs work perfectly. Is this intended ? Using both install methods requires Admin credentials. Why does using a script work but using Finder does not ?

Hello, We are using automatic signing for a couple of projects, and we're struggling to get it to work in a CI with Xcode 16. It was working with Xcode 15 but with Xcode 16 we get the following errors : error: The operation couldn’t be completed. Unable to log in with account ''. The login details for account '' were rejected. error: Provisioning profile "iOS Team Provisioning Profile: com.bundleid.my" doesn't include signing certificate "Apple Development: Foobar (TEAMID)". Any ideas ?

I am developing a mobile application with Delphi 11. I compiled the application using iOS SDK 17.5. I uploaded it to the Apple Store for testing and first tested it on an iPhone 7 (software version 15.7.1). The application worked smoothly. Later, I tested it on an iPhone 14 (software version 17.6.1) and an iPhone 11 (software version 18). On both of these devices, the application crashed before opening. Since the same application is available on the Apple Store, I downloaded it from there and saw that it worked fine on the last two devices. I thought that the SDK needed to be upgraded for newly compiled and submitted applications. However, in that case, it should have thrown an error when submitting the application to the Apple Store. I updated macOS and Xcode and upgraded to SDK 18. I also set SDK 18 in Delphi. When I compiled with these settings, I again saw that it worked normally on my first device, while the application crashed on the next two devices. Considering it could be an issue with a module in the application, I compiled a blank form by removing all permission requests for testing, but the result did not change. What can I do about this? Do you have any suggestions?

When I make ipa by commond tools,Some errors have occurred.Has anyone encountered it before？ Ps:debug mode is ok，release mode is not ok. error: exportArchive: Code signing "FBAEMKit.framework" failed. Error Domain=IDEDistributionPipelineErrorDomain Code=0 "Code signing "FBAEMKit.framework" failed." UserInfo={NSLocalizedDescription=Code signing "FBAEMKit.framework" failed., NSLocalizedRecoverySuggestion=View distribution logs for more information.}