Another codesign nightmare - updated to Sierra full time

Hi Folks,

For those of you familiar with Apple’s “codesign”, I’ve updated my machine to Sierra because of Adobe requirements for CC17 and my codesign scripts are failing with “error: The specified item could not be found in the keychain.” However, it is in the keychain and I’ve verified that the identity is the same in my codesign call as in the keychain (and it worked fine with the same identity under 10.11.5).

Since Apple’s support is about as useless as teats on a bull (that’s Southern-speak for useless), can anyone here offer guidance on what may have happened since the cert and the ID have not changed?

Try the following in Terminal. What do you get?

security find-identity -p codesigning

Thanks, Gavin. You’re right in that security returns no identities. The question now is why not when they are clearly visible in my login keychain as they have always been.

Which leads me to the real nightmare question - What ELSE has Sierra done to muck up an otherwise functioning environment? :S

:smiley:

From what I understand, Sam Rowlands had to do quite a bit of work for App Wrapper to work as flawlessly as ever. I used it last week to sign a couple apps for the App Store under Sierra 10.12.3 beta, and it went just fine.

I know I had fits with a recent app until I finally realized that the Sparkle framework I was using was way too old. Updated it and it worked fine after that. I think Sam was going to add a check for the Sparkle version.

Tim, I am dealing with the same nightmare now, and have been since Dec. As you mentioned, Apple Support knows nothing about certificates and finally told me they couldn’t help. I’ll let you know if I find a solution.

Until Xcode recognizes them, App Wrapper or anything else isn’t going to see them either.

Have you opened up Xcode and logged in? If so, try logging out and back in again. What does Xcode show for your list of signing identities?

I upgraded to 10.12 and did not have that problem with code-signing, but I did have to change my build scripts to get rid of resource forks and other junk before the signing would work.

[quote=313409:@Tim Jones]Hi Folks,

For those of you familiar with Apple’s “codesign”, I’ve updated my machine to Sierra because of Adobe requirements for CC17 and my codesign scripts are failing with “error: The specified item could not be found in the keychain.” However, it is in the keychain and I’ve verified that the identity is the same in my codesign call as in the keychain (and it worked fine with the same identity under 10.11.5).

Since Apple’s support is about as useless as teats on a bull (that’s Southern-speak for useless), can anyone here offer guidance on what may have happened since the cert and the ID have not changed?[/quote]

Try revoking the certificates and reinstalling them. That fixed the issue on my part.

Make sure that it’s ONLY the certificates that are not recognized. I’ve tried to assist customers that have effectively become locked out of code signing, by revoking all identities and then Xcode wouldn’t create a new Developer ID certificate. Which I filed as a bug and they told me that’s by design, so when I inquired on how I’m meant to get Developer ID certificates installed… All went quiet… Thankfully for me, I was only setting up a test machine in Sierra and was able to copy my certs from my El Cap machine across, which then worked.

So @Roger Clary & @Tim Jones, a question for both of you. In Keychain Access do you see the certificates? Do they have disclosure triangles on them? If so, when you click them, do you see a “Key” entry with your name on it? If you don’t then you have the certificate, but not the code signing key.

I think it’s about time I became reacquainted with the old way of generating and installing code signing identities.

Also can you both check (using Keychain Access) the status of a certificate called “Apple Worldwide Developer Relations Certificate Authority”? Do you have it? Has it expired?

Then try installing the latest one.
http://ohanaware.com/support/index.php?article=apple-worldwide-deleveoper-relations-certificate-authority.html

Here’s a wrinkle: App Wrapper says a codesigning error occurred while testing, saying the Developer ID Application is ambiguous because it’s in both /Users/JMcK/Library/Keychains/login.keychain-db and in /Library/Keychains/System.keychain.

So I deleted the one in /System.keychain. App Wrapper then says a codesigning error occurred, without being specific.
I went back and added it back into /System.keychain, and deleted it from /login.keychain.

App Wrapper still says there’s a nonspecific codesigning error.

Right now, I have both Developer ID Application and Developer ID Installer certificates and private keys in System. And the Apple worldwide developer relations certificate authority has not expired.

Suggestions?

Further adventures:

To match what I have in my 13" MBP, I deleted the certificates and keys from System and reinstalled them in Login. (.cer first, then .p12).

security find-identity -p codesigning reports these:

Matching identities

  1. 0308869A5E87EF9F0856DA43C331D6E1EDF344EF “John McKernon”
  2. A9155BE3CB59797E5A96848385DDDE1F1273FEC2 “Developer ID Application: John McKernon”
  3. A9155BE3CB59797E5A96848385DDDE1F1273FEC2 “Developer ID Application: John McKernon”
  4. 0308869A5E87EF9F0856DA43C331D6E1EDF344EF “John McKernon”
  5. A9155BE3CB59797E5A96848385DDDE1F1273FEC2 “Developer ID Application: John McKernon”
  6. A9155BE3CB59797E5A96848385DDDE1F1273FEC2 “Developer ID Application: John McKernon”
  7. 0308869A5E87EF9F0856DA43C331D6E1EDF344EF “John McKernon”
  8. A9155BE3CB59797E5A96848385DDDE1F1273FEC2 “Developer ID Application: John McKernon”
  9. A9155BE3CB59797E5A96848385DDDE1F1273FEC2 “Developer ID Application: John McKernon”
    9 identities found

Valid identities only

  1. A9155BE3CB59797E5A96848385DDDE1F1273FEC2 “Developer ID Application: John McKernon”
  2. A9155BE3CB59797E5A96848385DDDE1F1273FEC2 “Developer ID Application: John McKernon”
  3. A9155BE3CB59797E5A96848385DDDE1F1273FEC2 “Developer ID Application: John McKernon”
  4. A9155BE3CB59797E5A96848385DDDE1F1273FEC2 “Developer ID Application: John McKernon”
  5. A9155BE3CB59797E5A96848385DDDE1F1273FEC2 “Developer ID Application: John McKernon”
  6. A9155BE3CB59797E5A96848385DDDE1F1273FEC2 “Developer ID Application: John McKernon”
    6 valid identities found

The 3 plain “John McKernon” identities are probably my DigiCert ID. I don’t know enough about all this to explain why there are three of everything.

And App Wrapper now runs into a malloc error: codesign(38434,0x7fffdb5693c0) malloc: *** error for object 0x7fdce3801210: double free *** set a breakpoint in malloc_error_break to debug

I feel like I’m running in circles within circles, as indeed I may be…:slight_smile:
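A way to check a listing like the one in the post above mechanically, as an added example that is not part of the original thread or of App Wrapper: it counts how often each fingerprint appears under "Matching identities" and "Valid identities only", flagging repeats and identities that match but are not valid. The function names, the status labels and the shortened sample listing (constructed, reusing the two fingerprints from the post) are assumptions.

```shell
#!/bin/sh
# Usage on a Mac: security find-identity -p codesigning | summarise_identities
# Prints one line per fingerprint: <sha1> matching=<n> valid=<n> <status>
#   NOT-VALID  listed as matching but absent from "Valid identities only"
#   DUPLICATE  listed more than once as valid (same identity found repeatedly)
summarise_identities() {
    awk '
        /Matching identities/   { section = "m"; next }
        /Valid identities only/ { section = "v"; next }
        {
            # The fingerprint is the only 40-character hex token on a line;
            # this accepts both "1)" and "1." style numbering.
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[0-9A-Fa-f]+$/ && length($i) == 40) {
                    h = toupper($i)
                    if (!(h in seen)) { seen[h] = 1; order[++n] = h }
                    if (section == "m") m[h]++
                    if (section == "v") v[h]++
                }
        }
        END {
            for (k = 1; k <= n; k++) {
                h = order[k]
                status = "OK"
                if (v[h] + 0 == 0) status = "NOT-VALID"
                else if (v[h] > 1) status = "DUPLICATE"
                printf "%s matching=%d valid=%d %s\n", h, m[h], v[h], status
            }
        }
    '
}

# Constructed sample: a shortened listing in the tool's output shape.
sample_listing() {
    cat <<'EOF'
  Matching identities
  1) 0308869A5E87EF9F0856DA43C331D6E1EDF344EF "John McKernon"
  2) A9155BE3CB59797E5A96848385DDDE1F1273FEC2 "Developer ID Application: John McKernon"
  3) A9155BE3CB59797E5A96848385DDDE1F1273FEC2 "Developer ID Application: John McKernon"
     3 identities found

  Valid identities only
  1) A9155BE3CB59797E5A96848385DDDE1F1273FEC2 "Developer ID Application: John McKernon"
  2) A9155BE3CB59797E5A96848385DDDE1F1273FEC2 "Developer ID Application: John McKernon"
     2 valid identities found
EOF
}

sample_listing | summarise_identities
```
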

So today; I’ve re-written the code signing diagnostics for App Wrapper. This in theory should give us a clearer picture of what’s going on.

http://www.ohanaware.com/appwrapper/codeSigningDiagnosticsV2.zip

Run it and hit the “Send via Email” button and then send the e-mail to me.

@John McKernon sometimes it helps to restart your Mac once you’ve messed with the code signing identities. Apple like to cache everything in memory nowadays (and still tell us 16GB is more than enough). Restarting can clear this cache.

For future reference I’ve found the document on Apple’s site which talks about resetting your identities.
https://developer.apple.com/library/content/documentation/IDEs/Conceptual/AppDistributionGuide/MaintainingCertificates/MaintainingCertificates.html#//apple_ref/doc/uid/TP40012582-CH31

Good catch, Sam. I opened Keychain again and selected to evaluate my developer certs. The root of the problem is “No root cert found.” for each of them.

I’ll refresh my Apple root certs.

Okay - so “resetting” my certs seems to have sorted the Not found issue. Now I’m faced with the same issue as @Michael Diehr - but, I’m not finding anything that’s not always been there … jeesh!

[quote=313516:@Sam Rowlands]So today; I’ve re-written the code signing diagnostics for App Wrapper. This in theory should give us a clearer picture of what’s going on.

http://www.ohanaware.com/appwrapper/codeSigningDiagnosticsV2.zip[/quote]
That opens up a new world of pain :S … Sent you the mess. I’ll start digging in, but none of that comes up on my 10.11.5 system.

Nothing related, but I just found out my latest DigiCert codesigning which works flawlessly under Windows 10, is not recognized under Windows 7. Probably because sha256 was not yet invented :frowning:

After digging through the settings, it appears that the update from 10.10.5 to 10.12 messes with more than just the certificates. So, a good bit of unscheduled - and what should be unnecessary - work this morning.

Another user on the Apple Developer forums related that their update from 10.11 to 10.12 was painless, but the updates from 10.9.5 and 10.10.5 resulted in these problems and then some. He seems to think that it is Xcode related more than OS X, though.

Sorry Tim, I don’t appear to have received it. I got Roger’s and John’s messages… John has more duplicates than the crazy cat lady has cats. Perhaps you can Copy the result and send me a PM?

I’ve also just posted a minor update, which collects a bit more information and gives a cleaner output.
http://www.ohanaware.com/appwrapper/codeSigningDiagnosticsV2.zip

I would say about 80% of those who upgraded to Sierra, had zero problems whatsoever. Out of those 20%, half have had serious issues. Poor Roger hasn’t been able to ship since November.

I’ve reported some of these issues to Apple and gotten nowhere, it’s like they simply don’t care about the Developer ID certs anymore.
