My developer certificate just got renewed and my codesigning no longer works. It's always been easy but can't track it down this time.
In Xcode it shows under Preferences->Accounts->Manage Certificates that my certificate was create on 11/15/17.
In Keychain in My Certificates it shows my certificate as a Developer ID Application with my name and number. It shows as expiring on 11/16/2022.
My membership renewed 10 days ago. Not sure what I'm missing here?
Thanks.
Duane Mitchell
From the command line on this page, https://docs.xojo.com/UserGuide:Mac_Code_Signing , I'm getting an error.
This command, codesign -f -s "Developer ID Application: YourName (345XXYY)" "YourXojoApp.app/Contents/Frameworks/*.dylib", errors with "No such file or directroy."
But the third command, codesign -f -s "Developer ID Application: YourName (345XXYY)" "YourXojoApp.app", works.
I've tried sudo as well. I don't see what's wrong the path to the Frameworks?
@Duane M This command, codesign -f -s "Developer ID Application: YourName (345XXYY)" "YourXojoApp.app/Contents/Frameworks/*.dylib", errors with "No such file or directroy."
Later versions of code sign don't seem to like this very much, most of the time they tolerate it, but are happier if you explicitly pass in each file's path, rather than a blanket statement.
@Sam R Later versions of code sign don't seem to like this very much, most of the time they tolerate it, but are happier if you explicitly pass in each file's path, rather than a blanket statement.
I tried that and it seems to have worked. I'll know when I deliver tomorrow. Thanks.
@Sam R Later versions of code sign don't seem to like this very much, most of the time they tolerate it, but are happier if you explicitly pass in each file's path, rather than a blanket statement.
I'm curious of this statement, because the file path expansion should be happening in Bash, before the command is sent to the codesign tool at all.
E.g. from the codesign tool's point of view, there's no difference between
tool *.dylib
and
tool a.dylib b.dylib c.dylib
@Duane M I tried that and it seems to have worked. I'll know when I deliver tomorrow. Thanks.
Excellent I am glad to hear it; let me know if you run into any problems.
@Michael D I'm curious of this statement, because the file path expansion should be happening in Bash, before the command is sent to the codesign tool at all.
<shrugs/> Experience has suggested that this doesn't always work.
This became a curious situation. I am not running Catalina on my development iMac. I asked my client not to update. One did, their "lead" user. The problem started with a warning on Catalina that the app "cannot be opened because Apple cannot check it for malicious software." I'd never seen that before and since I had just updated the certificate days earlier I assumed that was the problem. It wasn't. Downloading to my Mojave machine works normally.
I use Xojo2DMG to certify my app and build a dmg for distribution. In order to make a good test of the certification I had to send it to myself and download it. The app tested correctly for certification using this command.
codesign -d -vvvv "/path_to/MyApp.app"
The Xojo2DMG scripts do use a line like this.
codesign -f -s "Developer ID Application: YourName (345XXYY)" "YourXojoApp.app/Contents/Frameworks/*.dylib"
It works there within Xojo2DMG but it doesn't in Terminal. I put some time into trying to figure out why be couldn't figure it out.
So the conclusion, for me at least, is that there never really was a problem with certifying my app.
@Duane M I'd never seen that before and since I had just updated the certificate days earlier I assumed that was the problem. It wasn't. Downloading to my Mojave machine works normally.
You need to Notarize your application with Apple.
You now have two choices (that I'm aware of); use a tool like App Wrapper to handle the entire process for you, or I'm pretty certain that there are some here who'll be able to help you do Notarization without it.
@Duane M The Xojo2DMG scripts do use a line like this.
That has been provided before macOS 10.15 and Notarization have existed. It just does CodeSigning (and creation of DMG), not notarization.
You'd need to add 'codesigning with hardened runtime' and 'notarization' to it. It's still possible to do it all yourself in a Script. But it isn't as straight-forward as it used to be ;)
@Sam R You now have two choices (that I'm aware of);
A third choice worked in this circumstance and that is to specifically "Open Anyway" in System Preferences-->Security & Privacy. There's not a lot of users so I might just stick to this. At least for now.
@Jürg O That has been provided before macOS 10.15 and Notarization have existed. It just does CodeSigning (and creation of DMG), not notarization.
You'd need to add 'codesigning with hardened runtime' and 'notarization' to it. It's still possible to do it all yourself in a Script. But it isn't as straight-forward as it used to be ;)
hmmm...that's all I can say is hmmm...
Your scripts were a great tools while it lasted. Thanks!
Looks like my solution choices are AppWrapper or just have them specifically allow the app to run in System Prefs.
@Duane M Your scripts were a great tools while it lasted.
Just for fun... I've updated Xojo2DMG . It's now codesigning with TimeStamp and hardened runtime, and allows to perform a fully automated/scripted Notarization.
But it isn't as straight-forward as it used to be
You can try it "as is". Read the comments, modify according to your needs.
Look at it just as an example of how to do it all yourself, fully scripted and automated.
It's possible. But it's also likely you're running into issues. That's when you don't get any support from Xojo2DMG, which you would get (and much more) by AppWrapper.
@Duane M I will download it and try it out. I'll report back. Maybe create a new thread?
Just revive the old one ;)
