Consol tool and codesigning

Our desktop application includes a Consol tool (to run XojoScripts).
If we codesign this consol tool (“theTool”), we get no error.

The calls to code sign the consol tool are :
codesign -f --timestamp --options runtime -s “our Apple Certifcate” “theTool/theTool\ Libs/star.dylib”
codesign -f --timestamp --options runtime -s “our Apple Certifcate” “theTool/Resources/*”
codesign -f --timestamp --options runtime -s “our Apple Certifcate” “theTool/theTool”

If we check if it is correct with “/usr/sbin/spctl -a theTool”
we get “a sealed resource is missing or invalid" !

And we put this tool inside the "FrameWork“ folder of the desktop application “ourApplication”
and then
codesign -f --timestamp --options runtime -s “our Apple Certifcate” “ourApplication/Contents/Frameworks/theTool”

We have now problem to notarize it (we hadn’t in the past, 2 months ago).
We get the message “The signature of the binary is invalid.” !
We don’t see what has been changed now.

We did the same way in the past without any problem
Now, impossible to notarize…
Thanks for your help.

(star.dylib because we cannot write the star character in this forum editor…)

What happens if you add the --deep switch?

 --deep  When signing a bundle, specifies that nested code content such as
         helpers, frameworks, and plug-ins, should be recursively signed
         in turn. Beware that all signing options you specify will apply,
         in turn, to such nested content.
         When verifying a bundle, specifies that any nested code content
         will be recursively verified as to its full content. By default,
         verification of nested content is limited to a shallow investiga-
         tion that may not detect changes to the nested code.
         When displaying a signature, specifies that a list of directly
         nested code should be written to the display output. This lists
         only code directly nested within the subject; anything nested
         indirectly will require recursive application of the codesign

Same thing :frowning: :worried:

Have you tried App Wrapper to see if that helps?

The whole code signing / notarization thing seems like a moving target to me, and one which I for one am happy to delegate to Sam. I’m not sure if there is a trial available. I have been getting my licenses as part of the Omegabundle offers.

1 Like

I build and populate my complete apps and then code sign that using --deep. I don’t sign the individual parts. Works like a charm (there are 8 console helpers included in Contents/MacOS/Helpers/) and passes notarization.

Also, do you really still need --timestamp?

App Wrapper 4.3 includes support for signing console applications, however there is a read in the App Wrapper UI that you need to follow, because the process can’t 100% be automated just yet, it requires Xojo made a change to how they build console applications. I have a feedback and will look up the report id when I am at my work computer.

Apple have been advising against using this option for a long time now, in recent releases of the macOS it doesn’t work as well as it used to do so.

After many compilations, I can say that my problem come from the Consol tool.
If I don’t include the Consol tool, I get no error when calling /usr/sbin/spctl -a
If I include the Consol Tool with or without code sign, I get invalid signature (code or signature have been modified)… Strange.
I wonder if it is not due to the fact that the tool is included via the “CopyFile build step” of Xojo 2021R1.1 (no problem with Xojo 2020R2.1)…

Sounds like you are codesign and then adding your console app.

App Wrapper uses a helper application, to which App Wrapper adds itself and before the codesigning is carried out on itself.

Nothing to do with the “CopyFile build step”.
I get no problem if the Consol Tool is not code signed and if I put it inside the content folder and not in the Framework !
Second surprise : with 2021.R1(and 2020R2) create an empty desktop project and set it to ARM our Universal. Build it. Open the Content folder : you get a _CodeSignature folder with a CodeResources file ! But whith which certificate is it created ??

To build a “Universal” Consol tool, Xojo 2021R1 and R2 include a code signing.
If I don’t add my own code signing (let the Xojo code signing) I get
/usr/sbin/spctl -a myTool
myTool: invalid API object reference
If I add it I get
/usr/sbin/spctl -a myTool
myTool: rejected
In both case : an error.
What must we do with Consol tool ?

Buy a license for AppWrapper. That will get you out of problems for a small fee.

1 Like

I know now the reason of my problem !
With Intel build, I was used to run a postbuild script to codesign the application.
But with ARM or Universal, I have to do this (with the Terminal) AFTER the build is completely finished.
(it’s not very practical…)

Thanks for your help.
And yes ChristopheDV, I*'ll buy a Sam’s product : ExeWrapper for our Windows version :slight_smile:

You have to use the latest version of Xojo 2021r2 for this. The post build scripts before r2 were done for each part of the build. In r2 the post build scripts are done for the finished universal version.

OK, but we have many tests to do before validating 2021R2 (the jsonitem bugs of 2021R1 were a huge problem)…
I can do code signing also by using the IDEScript that build all our versions.

Forum for Xojo Programming Language and IDE. Copyright © 2021 Xojo, Inc.