Simple command line code-sign

my understanding is the terminal command to codesign an OSX (macOS) app is

codesign -f --deep -s 'signing_id' appname.app

so I went to keychain and found
Valid certificates
login/Mac Developer: R.David S (64Zxxxxxxx)
login/3rd Party Mac Developer Installer: R.David S (25Dxxxxxxx)
login/Developer ID Application: R.David S (25Dxxxxxxx)
login/Developer ID Installer: R.David S (25Dxxxxxxx)
login/3rd Party Mac Developer Application: R.David S (25Dxxxxxxx)

and when I tried to test it using 25Dxxxxxxx I get

25dxxxxxxx: ambiguous (matches “iPhone Distribution: R.David S (25Dxxxxxxx)” and “iPhone Distribution: R.David S (25Dxxxxxxx)” in /Users/daveS/Library/Keychains/login.keychain)

and if I use the 64Zxxxxxxx I get

64Zxxxxxxx: no identity found

am I choosing the wrong value for the signing id?

Apple assigned those values via Xcode

I don’t use the numbers. Just my name. So it should be ‘Developer ID Application: R.David S’

This is my post build script to do the codesigning. Maybe it helps:

[code]// Codesign if it's a Beta or Final build (App.StageCode 2 = Beta, 3 = Final)
If PropertyValue("App.StageCode") = "2" Or PropertyValue("App.StageCode") = "3" Then

  // Quoted path to the built .app bundle
  Dim sApp As String = CurrentBuildLocation + "/""" + CurrentBuildAppName + ".app"""

  // CodeSign command; the identity is the certificate's common name, no Team ID needed
  Dim sCodeSign As String = "codesign --force --sign ""Developer ID Application: Marco Hof"""

  // Collected shell output
  Dim sResult As String

  // Sign everything in /Contents/Helpers first (inside-out order)
  sResult = sResult + DoShellCommand(sCodeSign + " " + sApp + "/Contents/Helpers/*")

  // Sign foreign libraries in Frameworks
  sResult = sResult + DoShellCommand(sCodeSign + " " + sApp + "/Contents/Frameworks/lib123*")
  sResult = sResult + DoShellCommand(sCodeSign + " " + sApp + "/Contents/Frameworks/whatever*")

  // Sign the main binary
  sResult = sResult + DoShellCommand(sCodeSign + " " + sApp + "/Contents/MacOS/" + CurrentBuildAppName)

  // Sign the bundle itself last
  sResult = sResult + DoShellCommand(sCodeSign + " " + sApp)

  // Debug: Gatekeeper assessment. This replaces sResult, so only the spctl verdict is printed
  //sResult = sResult + DoShellCommand("spctl -a -v" + " " + sApp)
  sResult = DoShellCommand("spctl -a -v" + " " + sApp)

  Print(sResult)

End If[/code]
I’ve set ‘Applies To’ (in the inspector) to ‘Release’ so it only does it on Builds.
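The same inside-out sequence as a shell post-build script, added here as an example (it is not Marco's script and not Xojo's or Apple's code). The identity string is a placeholder, the Helpers/Frameworks/MacOS layout is the Xojo one shown above, and `--timestamp --options runtime` are included because notarization expects a secure timestamp and the hardened runtime. Without `codesign` on the machine, or with `DRY_RUN=1`, it only prints the commands it would run.

```shell
#!/usr/bin/env bash
# Added example, not Marco's Xojo script. Signs an app bundle inside-out:
# helpers and libraries first, the main executable next, the bundle last,
# so every nested item already carries its final signature when the
# container that seals it is signed.

# Print the paths to sign, innermost first.
# Assumption: the Xojo layout seen in the thread (Contents/Helpers,
# Contents/Frameworks, Contents/MacOS/<AppName>).
plan_sign_order() {
    local app="$1" name
    name=$(basename "$app" .app)
    if [ -d "$app/Contents/Helpers" ]; then
        find "$app/Contents/Helpers" -mindepth 1 -maxdepth 1 | sort
    fi
    if [ -d "$app/Contents/Frameworks" ]; then
        find "$app/Contents/Frameworks" -mindepth 1 -maxdepth 1 | sort
    fi
    printf '%s\n' "$app/Contents/MacOS/$name"
    printf '%s\n' "$app"
}

# Sign every planned path with one identity. With DRY_RUN=1, or when
# codesign is not installed, the commands are printed instead of run.
# --timestamp and --options runtime are what notarization later expects.
sign_bundle() {
    local identity="$1" app="$2" dry="${DRY_RUN:-0}" item
    command -v codesign >/dev/null 2>&1 || dry=1
    plan_sign_order "$app" | while IFS= read -r item; do
        if [ "$dry" = 1 ]; then
            printf 'codesign --force --timestamp --options runtime --sign "%s" "%s"\n' "$identity" "$item"
        else
            codesign --force --timestamp --options runtime --sign "$identity" "$item" || return 1
        fi
    done
}

# Usage (the identity is a placeholder, not a real certificate name):
# DRY_RUN=1 sign_bundle 'Developer ID Application: Example Corp (TEAMID1234)' /path/to/MyApp.app
```

Each `codesign` call on an outer item re-seals what is below it, which is why the bundle comes last; a library re-signed after the bundle would invalidate the bundle's seal.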

thanks! that was the missing piece it seems

what do the results of “spctl” mean?

x.app: accepted
source=Developer ID
override=security disabled

the first two lines make sense (I assume it is verifying the signing…) but what is security disabled?

That’s just a notification that your Gatekeeper is off.
In Preferences => Security & Privacy, you have set ‘Allow Apps Downloaded From’ to ‘Anywhere’.
I have that set to ‘Mac App Store and identified developers’. You can always open an unsigned App by right clicking and then ‘Open’.

In the MAS is a Free App called ‘RB App checker Lite’. Works great to see if your App is properly signed.

Thanks…
so for checking purposes, the only “important” line is “Source=” which seems to be "

if it is signed properly

and

if it is an unsigned app

and you can check the signing using

codesign -d myapp.app

which returns

or

if it is signed.

in your script above… do you need to go to all those levels? or could you not just add “--deep” into the first codesign command?

For deploying and making the DMG, I use a script that checks for: ‘myapp.app: accepted’. I don’t look at ‘source=’
I use spctl for the quick check but for more detailed information, you can also do: codesign -vvvv -d myapp.app

As for not using --deep, I prefer it this way because sometimes the order in which things are codesigned matters.
I’ve had libraries that make the codesigning fail because with --deep, it signed the app binary first, while it should have signed the library first (or the other way around, I cannot remember exactly).

I ran SPCTL on an unsigned app and got

y.app: accepted
source=no usable signature

as opposed to this on a signed app

x.app: accepted
source=Developer ID

BOTH said “accepted”, but only one was actually signed.

If your Gatekeeper is on (Allow Apps downloaded from: Mac App Store and identified developer), you should get ‘rejected’.

understood, but my point is, isn’t “source” a more reliable indicator?
since accepted/rejected is what gatekeeper would “do”, but is not indicative of the signing status

spctl: This subsystem maintains and evaluates rules that determine whether the system allows the installation, execution, and other operations on files on the system.
So if your gatekeeper is off, it will pass the test. Mine is always set to the default so I use spctl.

Maybe ‘codesign -vvvv -d myapp.app’ is more what you’re looking for?
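A check a release script can act on, added here as an example (not Marco's code, not Xojo's). It encodes the point made above: `accepted` only says what Gatekeeper would do, so the script reads `source=` and treats an `override=security disabled` line as "no verdict". The sample outputs are copied from this thread; `assess_app` assumes `spctl` is present on the machine.

```shell
#!/usr/bin/env bash
# Added example. Interprets `spctl -a -v` output instead of trusting the
# accepted/rejected word alone.

# Sample outputs as quoted in the thread (constructed inline so this runs offline).
SPCTL_SIGNED='x.app: accepted
source=Developer ID
override=security disabled'

SPCTL_UNSIGNED='y.app: accepted
source=no usable signature
override=security disabled'

SPCTL_REJECTED='y.app: rejected
source=no usable signature'

# What the signature actually is, taken from the source= line.
spctl_signing_status() {
    local out="$1" source
    source=$(printf '%s\n' "$out" | sed -n 's/^source=//p')
    case "$source" in
        "Developer ID"|"Notarized Developer ID"|"Mac App Store") echo "signed:$source" ;;
        "no usable signature") echo "unsigned" ;;
        *) echo "unknown:$source" ;;
    esac
}

# True when the assessment ran with Gatekeeper set to "Anywhere".
spctl_gatekeeper_off() {
    printf '%s\n' "$1" | grep -q '^override=security disabled$'
}

# Verdict for a build script: ok only if Gatekeeper was enforcing, the
# bundle was accepted, and the source is a real signature.
spctl_release_verdict() {
    local out="$1" verdict
    verdict=$(printf '%s\n' "$out" | sed -n '1s/^.*: //p')
    if spctl_gatekeeper_off "$out"; then
        echo "inconclusive: Gatekeeper disabled, spctl accepts everything"
        return 2
    fi
    case "$(spctl_signing_status "$out")" in
        signed:*) [ "$verdict" = accepted ] && { echo "ok: $verdict"; return 0; } ;;
    esac
    echo "fail: verdict=$verdict, $(spctl_signing_status "$out")"
    return 1
}

# Run the real assessment on a bundle (spctl writes its report to stderr).
assess_app() {
    command -v spctl >/dev/null 2>&1 || { echo "spctl not available"; return 2; }
    spctl_release_verdict "$(spctl -a -v "$1" 2>&1)"
}
```

For the two outputs quoted earlier in the thread both come back as inconclusive, which is the honest answer on a machine with Gatekeeper off; `codesign -vvvv -d` remains the tool that answers "is it signed" independently of the Gatekeeper setting.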

seems more prudent I think :slight_smile: thanks, you have been quite helpful

ok… one more bit of confusion

This says OUTSIDE of MAS

and this says TO MAS

does this mean if you sign it using “3rd Party” certificate, you cannot deploy it yourself? that is, it MUST go through MAS first?

If not, then why would you choose one cert over the other?

[quote=278761:@Dave S]does this mean if you sign it using “3rd Party” certificate, you cannot deploy it yourself? that is, it MUST go through MAS first?

If not, then why would you choose one cert over the other?[/quote]
3rd Party certificate is for MAS submission only, if you ship an app with this cert via your own website, your users will not be able to open it. Developer ID is for distribution through your own site or alternative sources to the Mac App Store.

Actually the app works, but it says it is from an unidentified developer.

anyone know cause/solution to this error?

.app signature too large to embed (size limitation of on-disk representation) in subcomponent /cryptolib.dylib

I get that if I try to sign for MAS, but not if I attempt to sign for outside deployment
this is just a test app, so I haven’t ruined anything (yet)

When using Marco’s script (Thank you very much by the way), I get the error

Apple cannot check for malicious software

when I execute the app.

Any idea why this happens and how to correct the problem?

More information on my error.

The application was signed by “Apple Root CA”, “Developer ID Application: ENGINEERED SOFTWARE, INCORPORATED (4F3MGJ7966)”.
The (unverified) signing-time is: Dec 22, 2019, 10:26:44 PM.
The verified timestamp is: Dec 22, 2019, 10:26:50 PM.
The object code format is “app bundle with Mach-O thin (x86_64)”.
The signature contains the Team ID “4F3MGJ7966”.
Both bundle and signing identifiers are “org.iqf.SixSigmaExam.Version.3.7.1”.
The signature specifies implicit requirements.
The requirements specify the Team ID “4F3MGJ7966”.
This matches the Team ID contained in the signature.
The signature specifies resource rules (v1).
The signature specifies resource rules (v2).
Gatekeeper assessment: PASS (Developer ID).
Requirements and resources validate correctly.

The code signature has the UUID “FD977DAF-2A68-D46A-FF84-B84E95E8B413”.
Executable code for x86_64 has the UUID “68740679-A0A1-348E-BA6A-2A0747656C52”.

A signing-time snapshot of the application’s Info.plist was found.
Version (4.0.0.3.0)

The signature contains 3 certificates.
Certificate “Apple Root CA”:
Your keychain contains this trusted root certificate.
Will expire on Feb 9, 2035.
Certificate “Developer ID Certification Authority”:
Will expire on Feb 1, 2027.
Certificate “Developer ID Application: ENGINEERED SOFTWARE, INCORPORATED (4F3MGJ7966)”:
Will expire on Dec 22, 2024.
SHA1 fingerprint: “8306F8BE9A1FC58DA734E94F165001376E1F7D77”.
Team ID or Organizational Unit: “4F3MGJ7966”.
This matches the Team ID contained in the signature.

The application is probably from an authorized Apple Developer.

There is one embedded framework.

7 auxiliary executables have been found.
2 data files have executable permissions, but should not.
One executable is signed by “Apple Root CA”, “Developer ID Application: Christian Schmitz Software GmbH (RZ52899P4B)”.
6 executables are signed by “Apple Root CA”, “Developer ID Application: Xojo, Incorporated (6MG2NQJ3FZ)”.
6 executable files have no executable permissions, but should.

More detail on the “6 executable files have no executable permissions, but should.”

/Users/miriandodson/Desktop/Exam/IQFSixSigmaExam.app/Contents/Frameworks/AppearancePakCocoa.dylib
/Users/miriandodson/Desktop/Exam/IQFSixSigmaExam.app/Contents/Frameworks/InternetEncodings.dylib
/Users/miriandodson/Desktop/Exam/IQFSixSigmaExam.app/Contents/Frameworks/MBS_TextInputCanvas_TextInputCanvas_Plugin_19770.dylib
/Users/miriandodson/Desktop/Exam/IQFSixSigmaExam.app/Contents/Frameworks/RegEx.dylib
/Users/miriandodson/Desktop/Exam/IQFSixSigmaExam.app/Contents/Frameworks/SQLiteDatabase.dylib
/Users/miriandodson/Desktop/Exam/IQFSixSigmaExam.app/Contents/Frameworks/XML.dylib
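The two permission findings above (dylibs without the execute bit, data files with one) can be found and fixed before signing. The script below is an added example, not part of RB App Checker or of anything posted in this thread; it uses a file-extension heuristic as an assumption (`.dylib` under `Contents/Frameworks` should be executable, `.plist`/`.png`/`.txt`/`.icns` under `Contents/Resources` should not), which is enough for the Xojo bundle layout listed above.

```shell
#!/usr/bin/env bash
# Added example. Reports and repairs executable-bit mistakes inside an
# app bundle so a checker run after codesign comes back clean.

# Print "missing-x <path>" for every .dylib in Contents/Frameworks that
# lacks an execute bit. Assumption: all .dylib files there are code.
find_dylibs_missing_x() {
    local app="$1" f
    [ -d "$app/Contents/Frameworks" ] || return 0
    find "$app/Contents/Frameworks" -type f -name '*.dylib' | sort | while IFS= read -r f; do
        if [ ! -x "$f" ]; then
            printf 'missing-x %s\n' "$f"
        fi
    done
}

# Print "stray-x <path>" for data files in Contents/Resources that are
# executable. Assumption: these extensions never hold code.
find_data_with_x() {
    local app="$1" f
    [ -d "$app/Contents/Resources" ] || return 0
    find "$app/Contents/Resources" -type f \
        \( -name '*.plist' -o -name '*.png' -o -name '*.txt' -o -name '*.icns' \) \
        | sort | while IFS= read -r f; do
        if [ -x "$f" ]; then
            printf 'stray-x %s\n' "$f"
        fi
    done
}

# Apply the fix for both classes and print how many files were changed.
# Run this before codesign, so the signature seals the corrected bundle.
fix_exec_bits() {
    local app="$1" changed=0 kind path
    while IFS=' ' read -r kind path; do
        case "$kind" in
            missing-x) chmod +x "$path"; changed=$((changed + 1)) ;;
            stray-x)   chmod -x "$path"; changed=$((changed + 1)) ;;
        esac
    done <<EOF
$(find_dylibs_missing_x "$app"; find_data_with_x "$app")
EOF
    printf '%s\n' "$changed"
}

# Usage: fix_exec_bits /path/to/MyApp.app
```

`read -r kind path` puts everything after the first space into `path`, so bundle paths containing spaces survive the round trip through the report lines.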

[quote]When using Marco’s script (Thank you very much by the way), I get the error
Apple cannot check for malicious software
when I execute the app.
Any idea why this happens and how to correct the problem?[/quote]

Search the forum for ‘notarisation’ or ‘notarise’.
You now need to upload your codesigned app / package to Apple so that they can apply their seal of approval.

I use this script to notarise a dmg and pkg installer files

https://github.com/Mortennn/Notarize

It works very well and implements the ‘pause’ and ‘check for response’ nicely.

Usage: --package <path> --username <username> --password <password> --primary-bundle-id <primary-bundle-id> --asc-provider <provider_shortname>
Lee