Codesigning with renewed certificate

  1. 4 weeks ago

    Duane M

    Nov 20 Pre-Release Testers, Xojo Pro Boston, MA

    My developer certificate just got renewed and my codesigning no longer works. It's always been easy but can't track it down this time.

    In Xcode it shows under Preferences->Accounts->Manage Certificates that my certificate was created on 11/15/17.

    In Keychain in My Certificates it shows my certificate as a Developer ID Application with my name and number. It shows as expiring on 11/16/2022.

    My membership renewed 10 days ago. Not sure what I'm missing here?

    Thanks.

    Duane Mitchell

  2. Duane M

    Nov 20 Pre-Release Testers, Xojo Pro Boston, MA

    From the command line on this page, https://docs.xojo.com/UserGuide:Mac_Code_Signing , I'm getting an error.

    This command, codesign -f -s "Developer ID Application: YourName (345XXYY)" "YourXojoApp.app/Contents/Frameworks/*.dylib", errors with "No such file or directory."

    But the third command, codesign -f -s "Developer ID Application: YourName (345XXYY)" "YourXojoApp.app", works.

    I've tried sudo as well. I don't see what's wrong with the path to the Frameworks?

  3. Duane M

    Nov 20 Pre-Release Testers, Xojo Pro Boston, MA

    Meanwhile I've downloaded my new certificate from Apple and imported it into Keychain. I deleted the older one. I think that's good now.

  4. Tim S

    Nov 20 Pre-Release Testers Canterbury, UK

    I never did figure out how to code sign/notarise from the command line. But it works nicely using AppWrapper.

  5. Sam R

    Nov 20 Pre-Release Testers, Xojo Pro, Third Party Store Hengchun, Pingtung, Taiwan

    @Duane M This command, codesign -f -s "Developer ID Application: YourName (345XXYY)" "YourXojoApp.app/Contents/Frameworks/*.dylib", errors with "No such file or directory."

    Later versions of code sign don't seem to like this very much, most of the time they tolerate it, but are happier if you explicitly pass in each file's path, rather than a blanket statement.

  6. 3 weeks ago

    Duane M

    Nov 20 Pre-Release Testers, Xojo Pro Boston, MA
    Edited 3 weeks ago

    @Sam R Later versions of code sign don't seem to like this very much, most of the time they tolerate it, but are happier if you explicitly pass in each file's path, rather than a blanket statement.

    I tried that and it seems to have worked. I'll know when I deliver tomorrow. Thanks.

  7. Michael D

    Nov 22 Pre-Release Testers, Xojo Pro
    Edited 3 weeks ago

    @Sam R Later versions of code sign don't seem to like this very much, most of the time they tolerate it, but are happier if you explicitly pass in each file's path, rather than a blanket statement.

    I'm curious of this statement, because the file path expansion should be happening in Bash, before the command is sent to the codesign tool at all.

    E.g. from the codesign tool's point of view, there's no difference between

      tool *.dylib

    and

      tool a.dylib b.dylib c.dylib

  8. Sam R

    Nov 22 Pre-Release Testers, Xojo Pro, Third Party Store Hengchun, Pingtung, Taiwan

    @Duane M I tried that and it seems to have worked. I'll know when I deliver tomorrow. Thanks.

    Excellent I am glad to hear it; let me know if you run into any problems.

    @Michael D I'm curious of this statement, because the file path expansion should be happening in Bash, before the command is sent to the codesign tool at all.

    <shrugs/> Experience has suggested that this doesn't always work.

  9. Michael D

    Nov 23 Pre-Release Testers, Xojo Pro

    @Sam R Experience has suggested that this doesn't always work.

    I wonder if it's something subtle, such as the order in which the wildcard expands to individual files? I think signing is supposed to be done inside-out.
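
The wildcard failure discussed in the posts above, as an added example that is not part of any post or of Xojo2DMG: in the commands quoted in this thread the `*` sits inside the double quotes, so the shell hands it to codesign unexpanded. This sketch keeps the directory quoted and the `*` outside the quotes, and signs each dylib before the bundle; `sign_bundle` and the `CODESIGN` override are names assumed here.

```shell
#!/bin/sh
# Added example, not from the thread. CODESIGN is a hypothetical override so the
# function can be dry-run on a machine without Apple's codesign tool.
CODESIGN="${CODESIGN:-codesign}"

# sign_bundle IDENTITY APP: sign nested dylibs first, then the bundle (inside-out).
# The body runs in a subshell so its variables do not leak into the caller.
sign_bundle() (
    identity="$1"
    app="$2"
    frameworks="$app/Contents/Frameworks"

    # Quote the directory (it may contain spaces) but leave * outside the
    # quotes so the shell expands it. "$frameworks/*.dylib", quoted as a
    # whole, reaches codesign as one literal file name that does not exist.
    for lib in "$frameworks"/*.dylib; do
        # With no matches the pattern is passed through unexpanded; skip it.
        [ -e "$lib" ] || continue
        "$CODESIGN" -f -s "$identity" "$lib" || return 1
    done

    # The outer bundle goes last, after everything inside it is signed.
    "$CODESIGN" -f -s "$identity" "$app" || return 1
)

# Run for real only when called with an identity and an app path.
if [ "$#" -eq 2 ]; then
    sign_bundle "$1" "$2"
fi
```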

  10. Duane M

    Nov 24 Pre-Release Testers, Xojo Pro Boston, MA

    This became a curious situation. I am not running Catalina on my development iMac. I asked my client not to update. One did, their "lead" user. The problem started with a warning on Catalina that the app "cannot be opened because Apple cannot check it for malicious software." I'd never seen that before and since I had just updated the certificate days earlier I assumed that was the problem. It wasn't. Downloading to my Mojave machine works normally.

    I use Xojo2DMG to certify my app and build a dmg for distribution. In order to make a good test of the certification I had to send it to myself and download it. The app tested correctly for certification using this command.

    codesign -d -vvvv "/path_to/MyApp.app"

    The Xojo2DMG scripts do use a line like this.

    codesign -f -s "Developer ID Application: YourName (345XXYY)" "YourXojoApp.app/Contents/Frameworks/*.dylib"

    It works there within Xojo2DMG but it doesn't in Terminal. I put some time into trying to figure out why but couldn't figure it out.

    So the conclusion, for me at least, is that there never really was a problem with certifying my app.

  11. Sam R

    Nov 24 Pre-Release Testers, Xojo Pro, Third Party Store Hengchun, Pingtung, Taiwan

    @Duane M I'd never seen that before and since I had just updated the certificate days earlier I assumed that was the problem. It wasn't. Downloading to my Mojave machine works normally.

    You need to Notarize your application with Apple.

    You now have two choices (that I'm aware of); use a tool like App Wrapper to handle the entire process for you, or I'm pretty certain that there are some here who'll be able to help you do Notarization without it.

  12. Jürg O

    Nov 24 Pre-Release Testers, Xojo Pro

    @Duane M The Xojo2DMG scripts do use a line like this.

    That was provided before macOS 10.15 and Notarization existed. It just does CodeSigning (and creation of DMG), not notarization.
    You'd need to add 'codesigning with hardened runtime' and 'notarization' to it. It's still possible to do it all yourself in a Script. But it isn't as straight-forward as it used to be ;)

  13. Duane M

    Nov 25 Pre-Release Testers, Xojo Pro Boston, MA

    @Sam R You now have two choices (that I'm aware of);

    A third choice worked in this circumstance and that is to specifically "Open Anyway" in System Preferences-->Security & Privacy. There's not a lot of users so I might just stick to this. At least for now.

    @Jürg O That was provided before macOS 10.15 and Notarization existed. It just does CodeSigning (and creation of DMG), not notarization.
    You'd need to add 'codesigning with hardened runtime' and 'notarization' to it. It's still possible to do it all yourself in a Script. But it isn't as straight-forward as it used to be ;)

    hmmm...that's all I can say is hmmm...

    Your scripts were great tools while they lasted. Thanks!

    Looks like my solution choices are AppWrapper or just have them specifically allow the app to run in System Prefs.

  14. Jürg O

    Nov 25 Pre-Release Testers, Xojo Pro

    @Duane M Your scripts were great tools while they lasted.

    Just for fun... I've updated Xojo2DMG . It's now codesigning with TimeStamp and hardened runtime, and allows to perform a fully automated/scripted Notarization.

    But it isn't as straight-forward as it used to be

    You can try it "as is". Read the comments, modify according to your needs.
    Look at it just as an example of how to do it all yourself, fully scripted and automated.
    It's possible. But it's also likely you're running into issues. That's when you don't get any support from Xojo2DMG, which you would get (and much more) by AppWrapper.

  15. Duane M

    Nov 25 Pre-Release Testers, Xojo Pro Boston, MA

    @Jürg O Well that's pretty cool! Thanks! I will download it and try it out. I'll report back. Maybe create a new thread?

  16. Jürg O

    Nov 25 Pre-Release Testers, Xojo Pro

    @Duane M I will download it and try it out. I'll report back. Maybe create a new thread?

    Just revive the old one ;)

  17. 2 weeks ago

    Jürg O

    Nov 27 Pre-Release Testers, Xojo Pro

    @Duane M Well that's pretty cool! Thanks! I will download it and try it out.

    It got even better ;) Just head over to the thread for Xojo2DMG .
    And maybe still try to see if AppWrapper is the better solution for you ;)
