TIP: avoid "ambiguous matches" in your signing script

Hi everyone!

I use a signing script (updated source below) to sign my executables automatically from the Xojo IDE. However, I have encountered several times a puzzling codesign error “ambiguous matches… from keychain…” which I could resolve by removing some certificates from my keychain but without knowing exactly the consequences of doing so.

However today I have found from the internet a great way to work around that error: instead of using your AppleID (which can correspond to multiple certificates), you can use the SHA-1 hash of the one certificate you want to sign with! The only condition is to strip the spaces from what is displayed in the Keychain app, i.e. use 0123456789ABCDEF0123456789ABCDEF and NOT 01 23 45 67 89 AB CD EF… The SHA-256 hash is not recognized.

Here is the script I use to sign my executables, with or without entitlements. Feel free to use it as you want.

[code]//# Sign app

// SETUP the following values
const entitlementsPath as String = "" //Absolute path to your entitlements file, if any
const identity as String = "<your_AppleID_or_certificate_SHA1>"
// e.g. "Mac Developer: my.mail@server.com" or SHA-1 (without spaces) of the certificate you want to use

// Get app
dim appPath as String

appPath = CurrentBuildLocationNative + "/" + CurrentBuildAppName + ".app"

// First, clear xattr (finderInfo) which are not supported by codesign
// Note: "" inside a Xojo string literal is an escaped double quote, so the
// app path ends up quoted on the command line.
dim command as String

command = "/usr/bin/xattr -cr """ + appPath + """"

dim result as string = DoShellCommand( command )

if result<>"" then //Display error if any
Print( "[xattr]: " + result )
return
end if

// Then codesign
command = "/usr/bin/codesign -f --deep" //Available since, at least, macOS High Sierra even without Xcode installed

if entitlementsPath<>"" then
command = command + " --entitlements """ + entitlementsPath + """"
end if

// -s takes either the certificate's common name or its SHA-1 fingerprint
command = command + " -s """ + identity + """ """ + appPath + """"

result = DoShellCommand( command )

if result<>"" then //Display error if any
Print( "[codesign]: " + result )
end if[/code]
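As an added example (not part of the original post and not a Xojo script), here is a POSIX shell version of the same idea that makes the ambiguity visible before codesign does: it parses the output of `security find-identity -v -p codesigning`, resolves a certificate name to exactly one SHA-1 fingerprint, and refuses to sign when several certificates in the keychain share that name. The identity listing at the bottom is constructed sample data and the function names are my own.

```shell
#!/bin/sh
# Resolve a signing identity NAME to one SHA-1 fingerprint, failing loudly when
# several certificates share that name (the cause of codesign's "ambiguous matches").
# Reads the output of `security find-identity -v -p codesigning` on stdin.
resolve_identity() {
  name="$1"
  [ -n "$name" ] || { echo "resolve_identity: empty identity name" >&2; return 1; }
  # Each identity line looks like:  N) <40 hex chars> "Common Name"
  # Print the fingerprint of every identity whose common name starts with NAME.
  matches=$(awk -v want="$name" '
    /^ *[0-9]+\) [0-9A-F]+ "/ {
      sha1 = $2
      label = $0
      sub(/^[^"]*"/, "", label)   # drop everything up to the opening quote
      sub(/"[^"]*$/, "", label)   # drop the closing quote and anything after it
      if (index(label, want) == 1) print sha1
    }')
  set -- $matches              # one positional parameter per matching fingerprint
  case $# in
    0) echo "no valid codesigning identity matches '$name'" >&2; return 1 ;;
    1) printf '%s\n' "$1" ;;
    *) echo "ambiguous: $# identities match '$name', pick one by SHA-1:" >&2
       printf '  %s\n' "$@" >&2; return 2 ;;
  esac
}

# Sign APP with the certificate named NAME (optional ENTITLEMENTS file), mirroring
# the Xojo script above but passing the resolved SHA-1 to codesign instead of the name.
sign_app() {
  app="$1"; name="$2"; entitlements="$3"
  sha1=$(security find-identity -v -p codesigning | resolve_identity "$name") || return $?
  /usr/bin/xattr -cr "$app" || return $?           # codesign rejects Finder xattrs
  if [ -n "$entitlements" ]; then
    /usr/bin/codesign -f --deep --entitlements "$entitlements" -s "$sha1" "$app"
  else
    /usr/bin/codesign -f --deep -s "$sha1" "$app"
  fi
}

# Constructed sample of `security find-identity` output: a renewed "Mac Developer"
# certificate left the old one in the keychain, so that name is ambiguous.
SAMPLE_IDENTITIES='  1) 0123456789ABCDEF0123456789ABCDEF01234567 "Mac Developer: dev@example.com (ABCDE12345)"
  2) 89ABCDEF0123456789ABCDEF0123456789ABCDEF "Mac Developer: dev@example.com (ABCDE12345)"
  3) FEDCBA9876543210FEDCBA9876543210FEDCBA98 "Developer ID Application: Example Corp (ABCDE12345)"
     3 valid identities found'
```

Piping the constructed listing into `resolve_identity "Mac Developer: dev@example.com"` exits with status 2 and lists both fingerprints, while `resolve_identity "Developer ID Application: Example Corp"` prints the single matching SHA-1 that can be passed to `-s`.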

That’s a great idea, I didn’t know you could do that.

@Gavin Smith — Well me neither, that’s why I published it here. Unfortunately, the SHA-256 does not work