Codesigning with renewed certificate

My developer certificate just got renewed and my codesigning no longer works. It’s always been easy but can’t track it down this time.

In Xcode it shows under Preferences->Accounts->Manage Certificates that my certificate was created on 11/15/17.

In Keychain in My Certificates it shows my certificate as a Developer ID Application with my name and number. It shows as expiring on 11/16/2022.

My membership renewed 10 days ago. Not sure what I’m missing here?

Thanks.

Duane Mitchell

From the command line on this page, https://documentation.xojo.com/topics/application_deployment/apple_requirements/signing_your_mac_application.html, I’m getting an error.

This command, codesign -f -s "Developer ID Application: YourName (345XXYY)" "YourXojoApp.app/Contents/Frameworks/*.dylib", errors with “No such file or directory.”

But the third command, codesign -f -s "Developer ID Application: YourName (345XXYY)" "YourXojoApp.app", works.

I’ve tried sudo as well. I don’t see what’s wrong with the path to the Frameworks?

Meanwhile I’ve downloaded my new certificate from Apple and imported it into Keychain. I deleted the older one. I think that’s good now.

I never did figure out how to code sign/notarise from the command line. But it works nicely using AppWrapper.

Later versions of code sign don’t seem to like this very much, most of the time they tolerate it, but are happier if you explicitly pass in each file’s path, rather than a blanket statement.

I tried that and it seems to have worked. I’ll know when I deliver tomorrow. Thanks.

I’m curious about this statement, because the file path expansion should be happening in Bash, before the command is sent to the codesign tool at all.

E.g. from the codesign tool’s point of view, there’s no difference between

  tool *.dylib

and

  tool a.dylib b.dylib c.dylib

Excellent, I am glad to hear it; let me know if you run into any problems.

Experience has suggested that this doesn’t always work.

I wonder if it’s something subtle, such as the order in which the wildcard expands to individual files? I think signing is supposed to be done inside-out.
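The quoting point behind this part of the thread, as an added example (not part of any post and not Xojo2DMG's code): in the command as posted, the wildcard sits inside double quotes, so the shell passes it through unexpanded. The function names and the SIGN_TOOL dry-run variable are assumptions made for this sketch; sign_app signs each nested dylib by explicit path before the bundle itself.

```shell
#!/bin/sh
# Added illustration. The identity string and app path are placeholders.

# Print how many arguments the shell hands to a command.
count_args() { echo "$#"; }

# As typed in the thread: the wildcard is inside the quotes, so nothing is
# expanded and the tool receives ONE argument ending in a literal "*.dylib".
quoted_count() { count_args "$1/Contents/Frameworks/*.dylib"; }

# Quote only the directory part: the shell expands the wildcard into one
# argument per matching file before the tool ever starts.
unquoted_count() { count_args "$1"/Contents/Frameworks/*.dylib; }

# List the dylibs one per line; skip the unexpanded pattern if nothing matches.
list_dylibs() {
  for lib in "$1"/Contents/Frameworks/*.dylib; do
    [ -e "$lib" ] && printf '%s\n' "$lib"
  done
  return 0
}

# Sign inside-out: every nested dylib by explicit path, then the bundle.
# SIGN_TOOL defaults to codesign; set SIGN_TOOL="echo codesign" for a dry run.
sign_app() {
  app=$1
  identity=$2
  for lib in "$app"/Contents/Frameworks/*.dylib; do
    [ -e "$lib" ] || continue
    ${SIGN_TOOL:-codesign} -f -s "$identity" "$lib" || return 1
  done
  ${SIGN_TOOL:-codesign} -f -s "$identity" "$app"
}

# Example call (placeholders):
#   sign_app "YourXojoApp.app" "Developer ID Application: YourName (345XXYY)"
```
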

This became a curious situation. I am not running Catalina on my development iMac. I asked my client not to update. One did, their “lead” user. The problem started with a warning on Catalina that the app “cannot be opened because Apple cannot check it for malicious software.” I’d never seen that before and since I had just updated the certificate days earlier I assumed that was the problem. It wasn’t. Downloading to my Mojave machine works normally.

I use Xojo2DMG to certify my app and build a dmg for distribution. In order to make a good test of the certification I had to send it to myself and download it. The app tested correctly for certification using this command.

codesign -d -vvvv "/path_to/MyApp.app"

The Xojo2DMG scripts do use a line like this.

codesign -f -s "Developer ID Application: YourName (345XXYY)" "YourXojoApp.app/Contents/Frameworks/*.dylib"

It works there within Xojo2DMG but it doesn’t in Terminal. I put some time into trying to figure out why but couldn’t figure it out.

So the conclusion, for me at least, is that there never really was a problem with certifying my app.

You need to Notarize your application with Apple.

You now have two choices (that I’m aware of); use a tool like App Wrapper to handle the entire process for you, or I’m pretty certain that there are some here who’ll be able to help you do Notarization without it.

That was provided before macOS 10.15 and Notarization existed. It just does CodeSigning (and creation of DMG), not notarization.
You’d need to add ‘codesigning with hardened runtime’ and ‘notarization’ to it. It’s still possible to do it all yourself in a Script. But it isn’t as straight-forward as it used to be ;)

A third choice worked in this circumstance and that is to specifically “Open Anyway” in System Preferences–>Security & Privacy. There’s not a lot of users so I might just stick to this. At least for now.

[quote]@Jürg Otter That was provided before macOS 10.15 and Notarization existed. It just does CodeSigning (and creation of DMG), not notarization.
You’d need to add ‘codesigning with hardened runtime’ and ‘notarization’ to it. It’s still possible to do it all yourself in a Script. But it isn’t as straight-forward as it used to be ;)[/quote]
hmmm…that’s all I can say is hmmm…

Your scripts were a great tool while it lasted. Thanks!

Looks like my solution choices are AppWrapper or just have them specifically allow the app to run in System Prefs.

Just for fun… I’ve updated Xojo2DMG. It’s now codesigning with TimeStamp and hardened runtime, and allows you to perform a fully automated/scripted Notarization.

You can try it “as is”. Read the comments, modify according to your needs.
Look at it just as an example of how to do it all yourself, fully scripted and automated.
It’s possible. But it’s also likely you’re running into issues. That’s when you don’t get any support from Xojo2DMG, which you would get (and much more) by AppWrapper.

@Jürg Otter Well that’s pretty cool! Thanks! I will download it and try it out. I’ll report back. Maybe create a new thread?

Just revive the old one ;)

It got even better ;) Just head over to the thread for Xojo2DMG.
And maybe still try to see if AppWrapper is the better solution for you ;)