OS X: codesign debug builds?

Today while using Xojo 2021R3.1 I ran into an application entitlements issue when running the app in the debugger. If I built the app, I was able to access the items I’d added as entitlements in my application’s .plist, but if I ran it in the debugger, that access was denied.

After a LOT of research into why this was happening, I discovered that it appears that Xojo uses ad-hoc codesigning to sign full builds, but does not codesign debug builds at all.

Before I go open a feature request - I just wanted to make sure I’ve not missed something obvious: Is Xojo supposed to be signing debug builds and this is just broken? Is there a setting for this somewhere that I missed?

In the meantime I’ve added a post-build script to my project that signs both debug and release builds, so my original issue has been solved… but as OS X gets more and more locked down, code signing even debug builds is becoming more and more important. It would be nice to have it built into Xojo.

App Wrapper’s build scripts have enabled this for many years. I spent a lot of time trying to improve the scripting flow with App Wrapper 4, so it becomes a matter of copy/paste and then you can control the wrapping flow from within App Wrapper.

If you don’t use App Wrapper, you can download the FREE trial and see what I mean. App Wrapper 4

Hi Sam - I do own and use AppWrapper. It’s a fantastic tool. I have only ever used it for wrapping / packaging / notarizing software that has been well tested and debugged and is ready for release. I was not aware that it could hook directly into Xojo’s build system until today. For now I’ve just popped in my own one-liner post-build script that calls codesign on the command line to sign my app when I run it in the debugger… to me this was quite a bit simpler than hooking into AppWrapper.

If Xojo can ad-hoc sign when you hit the build button, why doesn’t it do so when you hit the run button?

Hi Kimball,
I am glad to hear that App Wrapper helps you.

If you wanna try the App Wrapper 4 scripting (as it does almost full wrap on debug), select “Scripting” from the sidebar of an App Wrapper document and follow the on-screen instructions. It really is as simple as copying the script from the window, adding a “Script” build step and pasting in the App Wrapper script.

I can’t answer this question, only Ad-hoc helps for simple applications, but it really is limited and Apple are adding more and more complex steps to the process.

Alrighty man, have a great week.

Feedback request: <https://xojo.com/issue/67215>

Also: <https://xojo.com/issue/62854> : Adhoc signing optional.

My own feature request got lumped with this one:

I would like to see adhoc codesigning as extra build step so that I can both arrange when to do adhoc codesigning and also tell Xojo when not to do it. The latter is also important because adhoc codesigning doesn’t make sense when the app is already codesigned.

Ok, so looking at the IDE and running it here, the IDE does do ad-hoc signing of debug runs for ARM builds because there are hardware requirements to do so and the debugged app would not launch without it. We can certainly expand that to Intel builds as well.

Now to answer @Beatrix_Willius question, the IDE will check before signing to see if there’s already a signature in place so we don’t inadvertently overwrite it.

2 Likes

That’s great. But I still don’t need the adhoc codesign. When there is only an adhoc codesign I can see the checkbox for Full Disk Access getting reset by macOS. I have to use full codesign for the $%&& Full Disk Access to work.

1 Like

Right, and since we’ve implemented this feature request for a future release, you could just add a post-build script to codesign for you if necessary and then the IDE won’t sign it again.
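A post-build signing step along the lines discussed in this thread, as an added example that is not from any poster or from Xojo: it checks for an existing signature first, leaves an identity-based signature alone, and otherwise signs (ad-hoc by default) with the entitlements file. The function names are hypothetical, and how the build step invokes the script and passes the built app's path is an assumption.

```shell
#!/bin/sh
# Added example (hypothetical helper names): sign a debug build only when it
# does not already carry an identity-based signature.
# Usage: sign_debug.sh /path/MyApp.app [entitlements.plist] [identity]
# identity defaults to "-", which asks codesign for an ad-hoc signature.

# Print the bundle's current signature state: unsigned, adhoc or identity.
signature_state() {
    # codesign writes its description to stderr and fails on unsigned code.
    info=$(codesign --display --verbose=2 "$1" 2>&1) || { echo unsigned; return 0; }
    case $info in
        *Signature=adhoc*) echo adhoc ;;
        *) echo identity ;;
    esac
}

# Sign the bundle unless an identity signature is already in place.
# Prints "skipped" or "signed"; returns non-zero if signing or verification fails.
sign_debug_build() {
    app=$1 entitlements=${2:-} identity=${3:--}
    if [ "$(signature_state "$app")" = identity ]; then
        echo skipped        # never overwrite a full signature
        return 0
    fi
    # --force replaces an existing ad-hoc signature so the entitlements get embedded.
    if [ -n "$entitlements" ]; then
        codesign --force --sign "$identity" --entitlements "$entitlements" "$app" || return 1
    else
        codesign --force --sign "$identity" "$app" || return 1
    fi
    codesign --verify --strict "$app" || return 1
    echo signed
}

# Run only when called with arguments, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    sign_debug_build "$@"
fi
```

Pass a signing identity as the third argument when an ad-hoc signature is not enough, as in the Full Disk Access case described above.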