Code Signing issue for Project with Multiple Targets - objective-c

I'm trying to get my application, which does not appear in the Dock, to have an option to launch at login. This is tricky, and involves creating a second, helper application which you add as a startup item. This helper app is only responsible for launching the main app and then exiting.
I've followed the instructions here and here and it works like a charm - the problem is, of course, code signing. I have two targets; the helper app target is copied to the Contents/Library/LoginItems subdirectory of the main bundle at compile time. Each bundle has its own bundle identifier and own deployment provisioning profile, but when I validate my archive for the app store, I get the following error:
Invalid provisioning profile. The provisioning profile included in the bundle BUNDLE NAME [BUNDLE NAME.app] is invalid. For more information, visit the Mac OS Developer Portal.
If I remove the helper bundle from my main target, there's no problem. It looks like the presence of another provisioning profile is setting off the error.
How can I include two signed bundles and pass the validation?

I was finally able to resolve this problem by using codesign on a coworker's computer (there must have been something wrong with my Keychain) and deleting the embedded.provisionprofile file from the helper app by adding the following run script:
if [ -f "${BUILT_PRODUCTS_DIR}/${PRODUCT_NAME}.app/Contents/embedded.provisionprofile" ]; then
  rm "${BUILT_PRODUCTS_DIR}/${PRODUCT_NAME}.app/Contents/embedded.provisionprofile"
  echo "Removed embedded provisioning profile."
else
  echo "No profile found"
fi

You should use the same Mac App Store Production Certificate to sign both the helper app and the main application. I haven't tried this in Xcode — we have a helper app that's a bundle resource, but our code signing is a command line script. We didn't have any problems with the app store system.
I'm not sure why you're ending up with a provisioning profile in the built product, and I don't think this is required for app store submission. You can try using codesign manually:
codesign -f -s "3rd Party Mac Developer Application: My Company" \
  -i "com.mycompany.loginitem" \
  --entitlements "path/to/loginitem.entitlements" \
  path/to/appname.app/Contents/Library/LoginItems/loginitem.app
codesign -f -s "3rd Party Mac Developer Application: My Company" \
  -i "com.mycompany.appname" \
  --entitlements "path/to/app.entitlements" \
  path/to/appname.app

I had the same problem. Instead of removing embedded.provisionprofile from the helper app I've just disabled provisioning (Provisioning Profile: None), leaving the code signing identity and entitlements in place. Submitted my app for review without any issues.


Notarize process for macos application not working

I have developed an application for MacOS. I am including notarization process as part of its distribution. I have followed all the steps and I have run:
xcrun altool --notarize-app --primary-bundle-id "${APP_BUNDLE_ID}" --username "${APPLE_DEV_ID}" --password "${DEV_APP_SPECIFIC_PASSWORD}" --file "${DMG_PATH}"
Then I check notarization progress using:
xcrun altool --notarization-info "${notarize_uuid}" -u "${APPLE_DEV_ID}" -p "${DEV_APP_SPECIFIC_PASSWORD}"
Output of it is:
RequestUUID: =<Request>
Date: 2019-05-26 09:40:34 +0000
Status: success
LogFileURL: <Log file>
Status Code: 0
Status Message: Package Approved =~ success ]]
Then I launch staple command:
xcrun stapler staple -v <dmg file>
It also ends with success:
The staple and validate action worked!
However when I extract the .app file and run:
spctl --assess --verbose ./macos/MyApp.app
./macos/MyApp.app/: accepted
According to the docs I have read it should say something like: “source=Notarized Developer ID”, right?
I am running this on MacOS Mojave 10.14.5
What am I missing??
Could someone help me?
Thanks in advance
In case someone faces the same problem I will post the solution to this:
First of all, you must staple the .app file, not the dmg. This means you must extract the binary and staple it.
Also, in order to check whether the application has been notarized, in
`System Preferences - Security and Privacy`
the option "Allow apps downloaded from:" must have "App Store and identified developers" checked.
Hope this helps
Both the app and the dmg may be notarized and stapled, separately, one after the other. Try doing that and the error should go away.
Short answer
It could be due to an RPATH referencing a path outside the App bundle. Removing this RPATH would resolve the issue.
Inspecting log files
You can find extra information about the rejection (after trying to launch the blocked app) in the Console.app. Note that you should open the Console.app, before trying to open your blocked app, otherwise not all messages may be logged. You should look for process XprotectService in the logs of your device (i.e. choose your device in the left side bar of the Console.app). If the RPATH is indeed the problem, you should find a record like this:
XprotectService: [com.apple.xprotect:xprotect] File /path/to/your/executable/or/library failed on rPathCmd /rpath/causing/the/problem (rpath resolved to: (path not found), bundleURL: /path/to/your/bundle.app)
Inspecting these log files may give you a key to solve other issues too.
Note that I received the following information from an Apple engineer:
Gatekeeper does not inform users via UI about the specifics of the error, though it is in the logs for developers to look at. The notarization process is purely about detecting malicious software and does not replicate Gatekeeper enforcement. You still need to get software notarized and test with Gatekeeper.
We are looking to provide better tooling for developers in the future to pre-flight some of these common errors.
Contact Apple
If you are not able to solve your issue with the above information, you may want to contact Apple itself using the Feedback Assistant. They do not respond very quickly (~1-2 weeks), but the answers are rather to the point.

Wrong team/provisioning profile when using xcodebuild command

I'm trying to build a continuous integration script for my Xcode project, but I'm stuck trying to archive my Xcode project using the xcodebuild command. When trying:
sudo xcodebuild -scheme MyScheme -archivePath builds/XXX.xcarchive archive DEVELOPMENT_TEAM=YYY CODE_SIGN_IDENTITY='iPhone Distribution' CODE_SIGN_STYLE='Manual' PROVISIONING_PROFILE_SPECIFIER=ZZZ
XXX is my project name
YYY is my development team identifier, like ABC123DEF; it's a string
ZZZ is my provisioning profile name, not a code but a string, like "My Provisioning Profile"
I always get this error:
error: No profile for team 'YYY' matching 'ZZZ' found: Xcode couldn't find any provisioning profiles matching 'YYY/ZZZ'. Install the profile (by dragging and dropping it onto Xcode's dock item) or select a different one in the General tab of the target editor.
However, when manually opening the Xcode project and trying to archive, it works perfectly.
What am I missing? How can I get the full list of team/provisioning profiles installed on my Mac?
What I have tried so far:
I tried to remove the part where I specify the development team and provisioning profile, leaving only the scheme identifier. Same result, considering the scheme is defined with the same information.
I tried to go into my mobileprovision folder to check whether the provisioning profile exists (it exists).
I tried to display the Xcode archive command lines in the editor (on the Report navigator tab). Actually it never shows the xcodebuild command directly but a bunch of subcommands. However, I could find out that the XXX team identifier and YYY provisioning profile that I am using are used in this script.
Does anyone know how I can solve this issue?
I finally found the problem; it came from the sudo before xcodebuild.
The sudo command runs the following command as the root user by default, which doesn't have any provisioning profiles installed, as I always registered them under my own user profile.
Here is what I did:
sudo -u myuser xcodebuild -scheme MyScheme -archivePath builds/XXX.xcarchive archive DEVELOPMENT_TEAM=YYY CODE_SIGN_IDENTITY='iPhone Distribution' CODE_SIGN_STYLE='Manual' PROVISIONING_PROFILE_SPECIFIER=ZZZ
and the error disappeared.
Hope this can help someone.
Provisioning profiles are in ~/Library/MobileDevice/Provisioning Profiles/
You could add -allowProvisioningUpdates to allow xcodebuild to "solve" the problem itself, but... ¯\_(ツ)_/¯ for how safe/good the result will be. You've specified "manual" so I assume you don't want to do this.
I suspect you are trying to archive the project but only have a development profile installed. Build a Release build of the project from within Xcode and that should get it to download a release (distribution) provisioning profile for you which you can then use from the command line.

Cocoa Sandbox App: Spawn FFMPEG

I have an application which uses FFMPEG and FFPROBE to perform some tasks on a video the user can open with my application.
For non-sandboxed applications everything works fine, but when my app is running in a sandbox FFPROBE doesn't seem to get started.
The Console says the following:
08.06.15 12:27:55,803 secinitd[281]: ffprobe[4049]: registration request failed: (0x11, 0x0) Container object initialization failed.
failed to get bundleid for app "/Users/Alex/.../ffprobe"
The path to ffprobe mentioned in this message points to the MacOS directory within the app bundle (a Build Phase copies these two binaries into the executable directory).
I've searched a lot and found some hints regarding entitlements. Of course my sandboxed app has its entitlements and when building my application it gets signed (with --deep signing flag). It even passes the technical App Store check for entitlements.
Now I'm stuck and wonder why my application is not able to launch FFPROBE (and FFMPEG).
Does anybody have a clue?
It seems like I've found a solution. I don't know whether all of these steps are necessary, but here is what I've tried and what seems (!) to work:
I added an entitlements file which contains true for the keys com.apple.security.inherit and com.apple.security.app-sandbox
I added a plist file for each used binary and filled the keys CFBundleName and CFBundleIdentifier with suitable values (I don't know whether this step is necessary)
I added a Run Script build phase which executes codesign -f -s "your certificate" --entitlements ./ffmpeg.entitlements ./Build/Intermediates/ArchiveIntermediates/App\ Store/InstallationBuildProductsLocation/Applications/<my app>/Contents/MacOS/ffmpeg
for each binary used.
These steps result in suitable entitlements when trying to submit the app to the Mac App Store and it results in a correct usage of the embedded binaries (at least on my development Mac and the Mac of some colleagues).

XCode 6.3 Code Signing Issues after update

I've recently updated to Xcode 6.3 and started having some strange code signing issues. Occasionally Xcode will start complaining about code signing issues, with errors like:
invalid or unsupported format for signature ... Command /usr/bin/codesign failed with exit code 1
or
... Command /usr/bin/codesign failed with exit code 11
I cannot find a pattern yet, but it looks like an issue with Xcode code signing, as sometimes after a cleanup and restart of Xcode it will work.
I did not change any settings regarding code signing. Project structure is quite complicated, it has referenced projects and pods.
Any help appreciated.
Update
Removing derived data or restarting Xcode did not help for me.
But it did work if I removed the project and downloaded it fresh from git. This removed Xcode files which are not committed to git.
Again, after a clean it stopped working. And in the console logs I've got something like this:
codesign[4111]: Internal error unloading bundle CFBundle 0x7fb44a40adc0 <(null)> (framework, not loaded)
Another Update
Found someone on Twitter who has the same issue.
Looks like the issue is caused by the --deep option in code signing.
https://github.com/atom/atom-shell/issues/1396
Solution is to not code sign app and frameworks inside with --deep. But rather code sign each framework separately.
http://furbo.org/2013/10/17/code-signing-and-mavericks/
Just had this happen to me as well after the latest Xcode update. But Xcode had been advising me to update my project settings for a while now; I just hadn't got round to it. The link you provide explains it well.
It actually shows up as an issue in the navigator, and Xcode will offer to fix it automatically for you when you select the issue. You just need to remove the --deep option from your Build Settings yourself.
This worked with my two 3rd-party frameworks, Sparkle and Syphon.
The problem was caused by the --deep code signing option and entitlements.
To solve it I had to manually code sign the frameworks.
This required adding a new run script build phase and running a script similar to this one:
IDENTITY="HEX_IDENTITY"
export CODESIGN_ALLOCATE="/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate"
FRAMEWORKS_LOCATION="${BUILT_PRODUCTS_DIR}"/"${FRAMEWORKS_FOLDER_PATH}"
EXECUTABLES_LOCATION="${BUILT_PRODUCTS_DIR}"/"${EXECUTABLE_FOLDER_PATH}"
codesign --verbose --force --deep --verify --sign "$IDENTITY" "$EXECUTABLES_LOCATION/MY_HELPER_APP.app"
codesign --verbose --force --deep --verify --sign "$IDENTITY" "$FRAMEWORKS_LOCATION/MY_FRAMEWORK/Versions/A"
HEX_IDENTITY can be obtained by using the shell command:
security find-identity
This will display a list of signing identities with their hex numbers.
After exporting the application as an app, I verified the code signing with the commands:
codesign --verify --verbose --deep MyApp.app
spctl --verbose --assess --type execute MyApp.app
References:
http://furbo.org/2013/10/17/code-signing-and-mavericks/
https://developer.apple.com/library/mac/technotes/tn2206/_index.html
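As an added example that is not from either answer, from Apple, or from the first question's helper-app setup, the shell functions below sign a bundle inside-out instead of with --deep: nested frameworks, helper apps (such as a LoginItems helper), XPC services and dylibs are signed before the bundle that contains them, and the outer bundle last. It generalizes the two hard-coded codesign lines above to any nesting depth; CODESIGN and IDENTITY are assumed placeholders.

```shell
#!/bin/sh
# Added example: sign a bundle inside-out instead of with --deep, so the
# outer bundle's seal is computed over nested code that is already signed.
# CODESIGN and IDENTITY are assumed placeholders: set CODESIGN=echo for a dry
# run, and IDENTITY to a name listed by `security find-identity -v -p codesigning`.
CODESIGN="${CODESIGN:-codesign}"
IDENTITY="${IDENTITY:-3rd Party Mac Developer Application: My Company}"

# Print every item in bundle $1 that needs its own signature, deepest path
# first and the outer bundle last. Depth is the number of "/" in the path,
# so a framework inside a helper app sorts before that helper app.
signing_plan() {
  bundle="$1"
  {
    find "$bundle/Contents" \
      \( -name '*.framework' -o -name '*.app' -o -name '*.xpc' -o -name '*.dylib' \) \
      -print
    printf '%s\n' "$bundle"
  } | awk '{ print gsub("/", "/") "\t" $0 }' | sort -rn | cut -f2-
}

# Sign each item in plan order; stop at the first failure so a half-signed
# bundle is never handed to validation or to the App Store upload.
sign_inside_out() {
  signing_plan "$1" | while IFS= read -r item; do
    "$CODESIGN" --force --verbose --sign "$IDENTITY" "$item" || exit 1
  done
}

# Verify the result the way the answer above does, with --strict added so
# codesign applies its current verification rules rather than the legacy ones.
verify_bundle() {
  "$CODESIGN" --verify --verbose --deep --strict "$1" \
    && spctl --verbose --assess --type execute "$1"
}

# Usage: sign_inside_out MyApp.app && verify_bundle MyApp.app
```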

Using Custom OmniAuth Providers Images Not Loading

I've successfully created my first OmniAuth strategy and packaged it as a gem. I added this to the Gemfile in GitLab and ran bundle install --path vendor/bundle --no-deployment, which installed the gem.
Next I updated the gitlab.yml file by duplicating the section we have for GitHub and completing it with our own values.
As directed by the GitLab reference instructions at https://github.com/gitlabhq/gitlabhq/blob/5-3-stable/doc/install/installation.md
I then added two image files to the vendor/assets/images/authbuttons directory, all lowercase in the format of "strategyname_32.png" and "strategyname_64.png".
Finally I restarted GitLab and on the login page I now see a button for our new provider (which works, yea!) but the images that I uploaded aren't used for the button, instead a basic grey button is being used.
I cannot find anything in any of the logs indicating that it's not able to find the image files, and I've tried renaming the files using various cases since this is on an Ubuntu system.
I also executed a rake assets:precompile RAILS_ENV=production but that didn't seem to make a difference.
Am I missing something to get this provider to be represented by our image instead of the basic HTML button on the login page? I don't see any steps that I've missed in the instructions.
It turns out this is "by design" that additional providers load as an HTML button and don't use a graphic placed in the path vendor/assets/images/authbuttons as mentioned in the installation instructions. This is because only providers listed in the default_providers() function within the app/helpers/oauth_helper.rb use images in the vendor/assets/images/authbuttons directory to display on the login page.
So for me to successfully use my custom OmniAuth provider and have a graphic element for the login link on the GitLab login page I did the following:
Stopped GitLab: sudo service gitlab stop
Placed my two graphics in the vendor/assets/images/authbuttons directory
Added my provider as one of the default providers in the default_providers() function of the app/helpers/oauth_helper.rb file
Added a section for my provider in config/gitlab.yml with the client_id and client_secret
Added my OmniAuth strategy to the Gemfile
Installed the gem from the GitLab root directory using sudo -u git -H bundle install --without development test postgres --path vendor/bundle --no-deploy
Precompiled the assets from the GitLab root directory using sudo -u git -H rake assets:precompile RAILS_ENV=production
Started GitLab: sudo service gitlab start