Console tool and codesigning

Our desktop application includes a Console tool (to run XojoScripts).
If we codesign this console tool ("theTool"), we get no error.

The calls to code sign the console tool are:
codesign -f --timestamp --options runtime -s "our Apple Certificate" "theTool/theTool Libs/star.dylib"
codesign -f --timestamp --options runtime -s "our Apple Certificate" "theTool/Resources/"*
codesign -f --timestamp --options runtime -s "our Apple Certificate" "theTool/theTool"

If we check whether it is correct with "/usr/sbin/spctl -a theTool"
we get "a sealed resource is missing or invalid"!

And we put this tool inside the "Frameworks" folder of the desktop application "ourApplication"
and then
codesign -f --timestamp --options runtime -s "our Apple Certificate" "ourApplication/Contents/Frameworks/theTool"

We now have a problem notarizing it (we didn't in the past, 2 months ago).
We get the message "The signature of the binary is invalid."!
We don’t see what has been changed now.

We did it the same way in the past without any problem.
Now, impossible to notarize…
Thanks for your help.

(star.dylib because we cannot write the star character in this forum editor…)

What happens if you add the --deep switch?

 --deep  When signing a bundle, specifies that nested code content such as
         helpers, frameworks, and plug-ins, should be recursively signed
         in turn. Beware that all signing options you specify will apply,
         in turn, to such nested content.
         When verifying a bundle, specifies that any nested code content
         will be recursively verified as to its full content. By default,
         verification of nested content is limited to a shallow investiga-
         tion that may not detect changes to the nested code.
         When displaying a signature, specifies that a list of directly
         nested code should be written to the display output. This lists
         only code directly nested within the subject; anything nested
         indirectly will require recursive application of the codesign
         command.

Same thing :frowning: :worried:

Have you tried App Wrapper to see if that helps?

The whole code signing / notarization thing seems like a moving target to me, and one which I for one am happy to delegate to Sam. I’m not sure if there is a trial available. I have been getting my licenses as part of the Omegabundle offers.


I build and populate my complete apps and then code sign that using --deep. I don’t sign the individual parts. Works like a charm (there are 8 console helpers included in Contents/MacOS/Helpers/) and passes notarization.

Also, do you really still need --timestamp?

App Wrapper 4.3 includes support for signing console applications, however there is a read in the App Wrapper UI that you need to follow, because the process can't 100% be automated just yet; it requires that Xojo make a change to how they build console applications. I have a feedback and will look up the report id when I am at my work computer.

Apple have been advising against using this option for a long time now; in recent releases of macOS it doesn't work as well as it used to.

After many compilations, I can say that my problem comes from the Console tool.
If I don't include the Console tool, I get no error when calling /usr/sbin/spctl -a myAp.app
If I include the Console tool with or without code signing, I get myApp.app: invalid signature (code or signature have been modified)… Strange.
I wonder if it is not due to the fact that the tool is included via the “CopyFile build step” of Xojo 2021R1.1 (no problem with Xojo 2020R2.1)…

Sounds like you are codesigning and then adding your console app.

App Wrapper uses a helper application, to which App Wrapper adds itself and before the codesigning is carried out on itself.

Nothing to do with the “CopyFile build step”.
I get no problem if the Console tool is not code signed and if I put it inside the content folder and not in the Framework!
Second surprise: with 2021.R1 (and 2020R2) create an empty desktop project and set it to ARM or Universal. Build it. Open the Content folder: you get a _CodeSignature folder with a CodeResources file! But with which certificate is it created??

To build a "Universal" Console tool, Xojo 2021R1 and R2 include code signing.
If I don't add my own code signing (keeping the Xojo code signing) I get
/usr/sbin/spctl -a myTool
myTool: invalid API object reference
If I add it I get
/usr/sbin/spctl -a myTool
myTool: rejected
In both cases: an error.
What must we do with the Console tool?

Buy a license for AppWrapper. That will get you out of problems for a small fee.


I now know the reason for my problem!
With Intel builds, I used to run a postbuild script to codesign the application.
But with ARM or Universal, I have to do this (with the Terminal) AFTER the build is completely finished.
(it’s not very practical…)

Thanks for your help.
And yes ChristopheDV, I'll buy one of Sam's products: ExeWrapper for our Windows version :slight_smile:

You have to use the latest version of Xojo 2021r2 for this. The post build scripts before r2 were done for each part of the build. In r2 the post build scripts are done for the finished universal version.

OK, but we have many tests to do before validating 2021R2 (the jsonitem bugs of 2021R1 were a huge problem)…
I can also do code signing by using the IDEScript that builds all our versions.
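
An added example, not code from any poster, from Xojo or from App Wrapper: a shell script for the ordering the thread arrives at, signing only once the bundle is fully assembled, nested code first and the bundle last, using the codesign options quoted in the first post. The helper locations (Contents/Frameworks, Contents/MacOS/Helpers), the `DRY_RUN` switch and the function names are assumptions.

```bash
#!/bin/bash
# Added example. Helper locations and the DRY_RUN switch are assumptions.

# Print nested code deepest-first, then the bundle itself as the last line.
sign_order() {
    local bundle=$1 dir
    for dir in "$bundle/Contents/Frameworks" "$bundle/Contents/MacOS/Helpers"; do
        [ -d "$dir" ] || continue
        # Code = dylibs and owner-executable files; a .framework directory is
        # listed too, and sorts after the files inside it.
        find "$dir" \( -type f \( -name '*.dylib' -o -perm -100 \) \) \
            -o \( -type d -name '*.framework' \)
    done | awk -F/ '{ print NF "\t" $0 }' \
         | LC_ALL=C sort -t "$(printf '\t')" -k1,1nr -k2 | cut -f2-
    printf '%s\n' "$bundle"
}

# Sign every item in that order, then verify the finished bundle.
# With DRY_RUN set, only print the commands that would run.
sign_bundle() {
    local bundle=$1 identity=$2 item
    sign_order "$bundle" | while IFS= read -r item; do
        if [ -n "${DRY_RUN:-}" ]; then
            printf 'codesign -f --timestamp --options runtime -s "%s" "%s"\n' \
                "$identity" "$item"
        else
            codesign -f --timestamp --options runtime -s "$identity" "$item" || exit 1
        fi
    done || return 1
    if [ -n "${DRY_RUN:-}" ]; then return 0; fi
    # Nothing may be copied into the bundle after this point: any later
    # change invalidates the seal that was just written.
    codesign --verify --deep --strict --verbose=2 "$bundle"
}

# Usage: script.sh <bundle path> <signing identity>
if [ $# -ge 2 ]; then
    sign_bundle "$1" "$2"
fi
```

Run it as the last step, after every copy step has finished, and use `DRY_RUN=1` first to review the order.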