For those of you familiar with Apple’s “codesign”, I’ve updated my machine to Sierra because of Adobe requirements for CC17 and my codesign scripts are failing with “error: The specified item could not be found in the keychain.” However, it is in the keychain and I’ve verified that the identity is the same in my codesign call as in the keychain (and it worked fine with the same identify under 10.11.5).
Since Apple’s support is about as useless as teats on a bull (that’s Southern-speak for useless), can anyone here offer guidance on what may have happened since the cert and the ID have not changed?
Thanks, Gavin. You’re right in that security returns no identities. The question now is why not when they are clearly visible in my login keychain as they have always been.
Which leads me to the real nightmare question - What ELSE has Sierra done to muck up an otherwise functioning environment? :S
From what I understand, Sam Rowlands had to do quite a bit of work for App Wrapper to works as flawlessly as ever. I used it last week to sign a couple apps for the App Store under Sierra 10.12.3 beta, and it went just fine.
I know I had fits with a recent app until I finally realized that the Sparkle framework I was using was way too old. Updated it and it worked fine after that. I think Sam was going to add a check for the Sparkle version.
Tim, I am dealing with the same nightmare now, and have been since Dec. As you mentioned, Apple Support knows nothing about certificates and finally told me they couldn’t help. I’ll let you know if I find a solution.
I upgraded to 10.12 and did not have that problem with code-signing, but I did have to change my build scripts to get rid of resource forks and other junk before the signing would work.
For those of you familiar with Apple’s “codesign”, I’ve updated my machine to Sierra because of Adobe requirements for CC17 and my codesign scripts are failing with “error: The specified item could not be found in the keychain.” However, it is in the keychain and I’ve verified that the identity is the same in my codesign call as in the keychain (and it worked fine with the same identify under 10.11.5).
Since Apple’s support is about as useless as teats on a bull (that’s Southern-speak for useless), can anyone here offer guidance on what may have happened since the cert and the ID have not changed?[/quote]
Try revoking the certificates and reinstall them. That fixed the issue on my part.
Make sure that it’s ONLY the certificates that are not recognized. I’ve tried to assist customers that have effectively become locked out of code signing, by revoking all identities and then Xcode wouldn’t create new Developer ID certificate. Which I filed as a bug and they told me that’s by design, so when I inquired on how I’am meant to get Developer ID certificates installed… All went quiet… Thankfully for me, I was only setting up a test machine in Sierra and was able to copy my certs from my El Cap machine across, which then worked.
So @Roger Clary & @Tim Jones, a question for both of you. In KeyChain access do you see the certificates? Do they disclosure triangles on them? If so, when you click them, do you see a “Key” entry with your name on it? If you don’t then you have the certificate, but not the code signing key.
I think it’s about time I became reacquainted with the old way of generating and installing code signing identities.
Also can you both check (using KeyChain access) the status of a certificate called “Apple Worldwide Developer Relations Certificate Authority” certificate, do you have it? Has it expired?
Here’s a wrinkle: App Wrapper says a codesigning error occurred while testing, saying the Developer ID Application is ambiguous because it’s in both /Users/JMcK/Library/Keychains/login.keychain-db and in /Library/Keychains/System.keychain.
So I deleted the one in /System.keychain. App Wrapper then says a codesigning error occurred, without being specific.
I went back and added it back into /System.keychain, and deleted it from /login.keychain.
App Wrapper still says there’s a nonspecific codesigning error.
Right now, I have both Developer ID Application and Developer ID Installer certificates and private keys in System. And the Apple worldwide developer relations certificate authority has not expired.
A9155BE3CB59797E5A96848385DDDE1F1273FEC2 “Developer ID Application: John McKernon”
A9155BE3CB59797E5A96848385DDDE1F1273FEC2 “Developer ID Application: John McKernon”
9 identities found
Valid identities only
A9155BE3CB59797E5A96848385DDDE1F1273FEC2 “Developer ID Application: John McKernon”
A9155BE3CB59797E5A96848385DDDE1F1273FEC2 “Developer ID Application: John McKernon”
A9155BE3CB59797E5A96848385DDDE1F1273FEC2 “Developer ID Application: John McKernon”
A9155BE3CB59797E5A96848385DDDE1F1273FEC2 “Developer ID Application: John McKernon”
A9155BE3CB59797E5A96848385DDDE1F1273FEC2 “Developer ID Application: John McKernon”
A9155BE3CB59797E5A96848385DDDE1F1273FEC2 “Developer ID Application: John McKernon”
6 valid identities found
The 3 plain “John McKernon” identities are probably my DigiCert ID. I don’t know enough about all this to explain why there are three of everything.
And App Wrapper now runs into a malloc error: codesign(38434,0x7fffdb5693c0) malloc: *** error for object 0x7fdce3801210: double free *** set a breakpoint in malloc_error_break to debug
I feel like I’m running in circles within circles, as indeed I may be…
Run it and hit the “Send via Email” button and then send the e-mail to me.
@John McKernon sometimes it’s helps to restart your Mac once you’ve messed with the code signing identities. Apple like to cache everything in memory nowdays (and still tell us 16GB is more than enough). Restarting can clear this cache.
Good catch, Sam. I opened Keychain again and selected to evaluate my developer certs. The root of the problem is “No root cert found.” for each of them.
Okay - so “resetting” my certs seems to have sorted the Not found issue. Now I’ve faced with the same issue as @Michael Diehr - but, I’m not finding anything that’s not always been there … jeesh!
[quote=313516:@Sam Rowlands]So today; I’ve re-written the code signing diagnostics for App Wrapper. This in theory should give us a clearer picture of what’s going on.
Nothing related, but I just found out my latest DigiCert codesigning which works flawlessly under Windows 10, is not recognized under Windows 7. Probably because sha256 was not yet invented
After digging through the settings, it appears that the update from 10.10.5 to 10.12 messes with more than just the certificates. So, a good bit of unscheduled - and what should be unnecessary - work this morning.
Another user on the Apple Developer forums related that their update from 10.11 to 10.12 was painless, but the updates from 10.9.5 and 10.10.5 resulted in these problems and then some. He seems to think that it is Xcode related more than OS X, though.
Sorry Tim, I don’t appear to have received it. I got Roger’s and John’s messages… John has more duplicates than the crazy cat lady has cats. Perhaps you can Copy the result and send me a PM?
I would say about 80% of those who upgraded to Sierra, had zero problems what so ever. Out of those 20%, half have had serious issues. Poor Roger hasn’t been able to ship since November.
I’ve reported some of these issues to Apple and gotten nowhere, it’s like they simply don’t care about the Developer ID certs anymore.