Command /usr/bin/codesign failed with exit code 1 - iphone

CodeSign "build/Release-iphoneos/Nice Saying123.app"
cd "/Users/c28/Documents/Office Projects/Nice Saying123"
setenv PATH "/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin:/Developer/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin"
setenv _CODESIGN_ALLOCATE_ /Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/codesign_allocate
/usr/bin/codesign -f -s "iPhone Developer: dipak kasabwala (29QJU3WV6X)" "--resource-rules=/Users/c28/Documents/Office Projects/Nice Saying123/build/Release-iphoneos/Nice Saying123.app/ResourceRules.plist" --entitlements "/Users/c28/Documents/Office Projects/Nice Saying123/build/Nice Saying123.build/Release-iphoneos/Nice Saying123.build/Nice Saying123.xcent" "/Users/c28/Documents/Office Projects/Nice Saying123/build/Release-iphoneos/Nice Saying123.app"
/Users/c28/Documents/Office Projects/Nice Saying123/build/Release-iphoneos/Nice Saying123.app: replacing invalid existing signature
/Users/c28/Documents/Office Projects/Nice Saying123/build/Release-iphoneos/Nice Saying123.app: CSSMERR_TP_NOT_TRUSTED
Command /usr/bin/codesign failed with exit code 1

I had the exact same error, and tried everything under the sun, including what was on the discussions.apple.com link above. What the problem was for me was that in Keychain Access, the actual Apple WWDR certificate was marked as "Always Trust". It needed to be "System Defaults". That goes for your Development and Distribution certificates, too. If any of them are incorrectly set to "Always Trust", that can apparently cause this problem.
So, in Keychain Access, click on the Apple Worldwide Developer Relations Certificate Authority certificate, select Get Info. Then, expand the Trust settings, and for the combo box for "When using this certificate:", choose "System Defaults".
It's very confusing that selecting "Always Trust" produces an error claiming that something is not trusted :( ... but that's the way it is apparently!
Hattip to @MariaZverina, whose comment/link provided help on this issue.
Edit: you may need to check both Login and System certificates, looking for this problem.

Even I had tried everything everywhere :) but what Nate says is true, it works :)
Just make sure you check both login and system certificates; mine had the System certificates set to Always Trust, making me overlook them.
Apple Code signing authority and Apple Worldwide Developer Relations Certificate Authority.

My error was:
/Users/XXXXXXXX/Library/Developer/Xcode/DerivedData/XXXXXXXXXX-fictlumohhjzjxcfmyfpwvrjakqa/Build/Products/Debug-iphoneos/XXXX XXX.app: object file format unrecognized, invalid, or unsuitable
Command /usr/bin/codesign failed with exit code 1
Try below.
Development system : OSX Lion, Xcode 4.1 iOS 4.3
If you have copied a successfully archived project and modified it for a new version, the copied version may run fine in the simulator, but the Distribution archive may get the above error. It took a day for me to sort this issue.
Right click Your_Project.xcodeproj> Show package contents & edit project.pbxproj file.
Solution :
- The Info.plist file may have more than two copies in the project folders, as well as wrong/multiple references in configuration sections inside the pbxproj file.
- I have deleted those lines except referring them from Build configuration (Distribution). Set the Info.plist reference in project settings as below.
Finally check the distribution settings should be like this..
8917E65D14244E5100B703F8 /* Distribution */ = {
isa = XCBuildConfiguration;
buildSettings = {
ALWAYS_SEARCH_USER_PATHS = NO;
ARCHS = "$(ARCHS_UNIVERSAL_IPHONE_OS)";
CODE_SIGN_ENTITLEMENTS = "";
CODE_SIGN_IDENTITY = "iPhone Distribution: XXXXXXXX XXXXXXX";
"CODE_SIGN_IDENTITY[sdk=iphoneos*]" = "iPhone Distribution: XXXXXXXX XXXXXXX";
COPY_PHASE_STRIP = YES;
GCC_PRECOMPILE_PREFIX_HEADER = YES;
GCC_PREFIX_HEADER = XXXXX_Prefix.pch;
INFOPLIST_FILE = Info.plist;
IPHONEOS_DEPLOYMENT_TARGET = 4.3;
ONLY_ACTIVE_ARCH = NO;
PRODUCT_NAME = "Product Name";
PROVISIONING_PROFILE = "XXXXXXXX-XXXX-4ACA-A26E-XXXXXXXXXXXXX";
"PROVISIONING_PROFILE[sdk=iphoneos*]" = "XXXXXXXX-XXXX-4ACA-A26E-XXXXXXXXXXXXX";
SDKROOT = iphoneos4.3;
SEPARATE_STRIP = YES;
TARGETED_DEVICE_FAMILY = 2;
VALIDATE_PRODUCT = YES;
WRAPPER_EXTENSION = app;
};
name = Distribution;
};

In my case, it turned out to be because neither of the necessary intermediate certificates were installed (Apple WWDR and Developer ID). I just set up a new computer and exported my developer profile from my old machine, which bundles up all of the necessary certificates, keys, provisioning profiles, etc. into a single file, making a neat little package that can be backed up, or in my case, easily moved to a new machine. Unfortunately I had assumed that the intermediate certs would come along for the ride. They didn't. Downloading the intermediate certificates from the Apple developer site and installing those using Keychain Access did the trick.
Note there are two intermediate certificates: the Apple WWDR Intermediate Certificate (which covers both iOS and Mac App Store development and distribution), but there is also a separate Developer ID Intermediate Certificate (which covers Developer IDs, e.g. distributing outside of the App Store).

This occurred for me after another certificate was added to my keychain.
This is a senseless fix, but having tried everything, I unlocked/locked the login keychain and everything was fixed.
hmmmm.

In my case it was the "iPhone Developer" certificate which was marked as "Always Trust". After switching to "System Defaults" it works like a charm! :-)
I also was able to make it work by selecting "System Defaults"
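
A command-line check for the trust problems the answers above describe, as an added example that is not from any of the posts: it asks `security find-identity` for code-signing identities and reports those flagged with a status such as CSSMERR_TP_NOT_TRUSTED. The function names and hint text are this example's own, and the parsing assumes the tool's usual `N) HASH "NAME" (STATUS)` line layout.

```shell
#!/bin/sh
# Added example: report code-signing identities that fail trust evaluation.

# Print "STATUS|NAME" for each identity that `security find-identity`
# lists with a parenthesised CSSMERR_ status after the quoted name.
untrusted_identities() {
    security find-identity -p codesigning |
        sed -n 's/^ *[0-9][0-9]*) [0-9A-F]\{40\} "\(.*\)" (\(CSSMERR_[A-Z_]*\))$/\2|\1/p' |
        sort -u
}

# Hint text is this example's own; the NOT_TRUSTED advice restates the answers.
hint_for() {
    case "$1" in
        CSSMERR_TP_NOT_TRUSTED)
            echo 'set trust to "System Defaults" in login and System keychains; install the Apple intermediate certificates' ;;
        CSSMERR_TP_CERT_EXPIRED)
            echo 'certificate has expired; renew it' ;;
        *)
            echo 'look up the reported status' ;;
    esac
}

# One line per problem identity: NAME: STATUS -> hint
report() {
    untrusted_identities | while IFS='|' read -r status name; do
        printf '%s: %s -> %s\n' "$name" "$status" "$(hint_for "$status")"
    done
}

# Run the report only where the macOS `security` tool exists.
if command -v security >/dev/null 2>&1; then
    report
fi
```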


Using PowerShell created self signed certs

I am trying to create a new self signed cert and then use it to sign an EXE, to address the fact that idiot Autodesk is using an installer that ignores the time stamp and refuses to install something with an expired cert, even their own installer. It's a bug, they know it, and they fixed their installer. But addressing that when you have 30+ deployments that use the old buggy one is a PITA. Anyway...
I expected this would produce a certificate that I would find in the Personal tab.
$certParameters = @{
    'DnsName' = 'PxTools'
    'Type' = 'CodeSigningCert'
    'CertStoreLocation' = 'Cert:\LocalMachine\My'
    'NotAfter' = (Get-Date).AddMonths(12)
    'KeyAlgorithm' = 'RSA'
    'KeyLength' = '4096'
}
$cert = New-SelfSignedCertificate @certParameters
and that I would then be able to use it for signing. But it doesn't populate the $cert variable as expected, and it puts the cert in Intermediate Certification Authorities, and I have yet to figure out how to use
Get-ChildItem cert:\LocalMachine\?? -codesign
To get certs in that location. I have used ??=My to get a cert in Personal, but not sure
A: Why the cert isn't created in Personal as expected
B: How to get the cert from where it IS created

How to fix dylib with invalid signature?

Yesterday I was having an issue running my app after auto code signing. See the question I posted here yesterday.
After spending some time investigating the issue, it turns out the framework certificate was somehow corrupted.
The solution is to fix the invalid signature for the framework, and here is how to do so.
P.S. One thing we are certain of is that we did tick the Sign On Copy checkbox.
NOTE: VideoBuilderLibrary is a custom framework we built.
To test the code sign state,
# Replace the framework to yours
codesign -v frameworks/VideoBuilderLibrary.framework/Frameworks/libavutil.55.dylib
[no output]
If there is any invalid signature,
codesign -v frameworks/VideoBuilderLibrary.framework/Frameworks/libavutil.55.dylib
frameworks/VideoBuilderLibrary.framework/Frameworks/libavutil.55.dylib: invalid signature (code or signature have been modified)
In architecture: x86_64
To re-sign all dylib files in a framework and fix this, run the command below with "YOUR CERTIFICATE NAME" replaced with your cert file name,
cd frameworks/VideoBuilderLibrary.framework/Frameworks
ls | xargs codesign -f -s "YOUR CERTIFICATE NAME"
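
An added example (not from the original post) that goes one step beyond the one-liner above: it verifies each dylib first, re-signs only the ones that fail, verifies again, and copes with file names that contain spaces. The function name `resign_invalid` is hypothetical; the directory and signing identity are passed as arguments.

```shell
#!/bin/sh
# Added example: verify each dylib in a directory and re-sign only those
# whose signature fails verification.

# resign_invalid DIR IDENTITY
# Prints one line per library: "ok", "resigned" or "FAILED", then the path.
# Returns non-zero if any library still fails verification afterwards.
resign_invalid() {
    dir=$1
    identity=$2
    status=0
    for lib in "$dir"/*.dylib; do
        [ -e "$lib" ] || continue          # glob matched nothing
        if codesign -v "$lib" 2>/dev/null; then
            echo "ok       $lib"
            continue
        fi
        # Signature missing or invalid: replace it (-f), then verify again.
        if codesign -f -s "$identity" "$lib" 2>/dev/null &&
           codesign -v "$lib" 2>/dev/null; then
            echo "resigned $lib"
        else
            echo "FAILED   $lib"
            status=1
        fi
    done
    return $status
}

# Run only when both arguments are given, e.g.
#   sh resign.sh frameworks/VideoBuilderLibrary.framework/Frameworks "YOUR CERTIFICATE NAME"
if [ "$#" -eq 2 ]; then
    resign_invalid "$1" "$2"
fi
```

Re-signing a nested library changes a file that the enclosing framework's signature seals, so sign the framework and then the app afterwards, working from the inside out.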

Xcode 8.2: Unable to load configuration data from specified path / permission error in Mac OSX App:

I have a Mac OSX app that I have previously been able to test - however when I run tests now - it will work once and then fail with the error below in the console. I need to do some drastic things to get it working:
If I change the location of my Derived Data folder and clean build folder - then it will usually work again once or twice before but when I run tests again it will happen again.
Any ideas of what I can do to fix it permanently - below is pretty much Greek to me..
I have tried the following:
- moving the derived data into Documents
- installing new Xcode from Appstore.
- Deleting and re-adding Certificates and profiles
2017-01-15 16:41:51.247064 XXXXXX[51736:892136] Unable to load configuration data from specified path /var/folders/59/7ylv57053bv3c0rbbcc1mcg40000gp/T/com.apple.dt.XCTest/FDF2A461-45D7-4E64-B650-602DF0725CA7/remote-container/tmp/XXXXXXTests-FDF2A461-45D7-4E64-B650-602DF0725CA7.xctestconfiguration; error: You don’t have permission.
2017-01-15 16:41:51.247221 XXXXXX[51736:892136] IDEBundleInjection Arguments: (
"/Users/XXXXXX/XXXXXX/XXXXXX/XXXXXX-eghnritsumpbbqgylbzrxqfximew/Build/Products/Debug/XXXXXX.app/Contents/MacOS/XXXXXX",
"-NSTreatUnknownArgumentsAsOpen",
NO,
"-ApplePersistenceIgnoreState",
YES )
2017-01-15 16:41:51.248336 XXXXXX[51736:892136] IDEBundleInjection Environment: {
"APP_SANDBOX_CONTAINER_ID" = "com.XXXXXX.XXXXXX";
"Apple_PubSub_Socket_Render" = "/private/tmp/com.apple.launchd.hKPiBBDAAG/Render";
"CFFIXED_USER_HOME" = "/Users/XXXXX/Library/Containers/com.XXXXXX.XXXXXX/Data";
"DTX_CONNECTION_SERVICES_PATH" = "/Applications/Xcode.app/Contents/SharedFrameworks/DTXConnectionServices.framework";
"DYLD_FRAMEWORK_PATH" = "/Users/XXXXX/XXX/XXXXXXX/XXXXXX-eghnritsumpbbqgylbzrxqfximew/Build/Products/Debug:/Users/XXXXX/XXX/XXXXXXX/XXXXXX-eghnritsumpbbqgylbzrxqfximew/Build/Products/Debug:/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/Library/Frameworks";
"DYLD_INSERT_LIBRARIES" = "";
"DYLD_LIBRARY_PATH" = "/Users/XXXXX/XXX/XXXXXXX/XXXXXX-eghnritsumpbbqgylbzrxqfximew/Build/Products/Debug:/Users/XXXXX/XXX/XXXXXXX/XXXXXX-eghnritsumpbbqgylbzrxqfximew/Build/Products/Debug:/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/Library/Frameworks";
HOME = "/Users/XXXXX/Library/Containers/com.grant.XXXXXX/Data";
LOGNAME = XXXXX;
MallocNanoZone = 1;
NSUnbufferedIO = YES;
"OS_ACTIVITY_DT_MODE" = YES;
PATH = "/Applications/Xcode.app/Contents/Developer/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin";
PWD = "/Users/XXXXX/XXX/XXXXXXX/XXXXXX-eghnritsumpbbqgylbzrxqfximew/Build/Products/Debug";
SHELL = "/bin/bash";
"SSH_AUTH_SOCK" = "/private/tmp/com.apple.launchd.dNK7oacOAX/Listeners";
TMPDIR = "/var/folders/59/7ylv57053bv3c0rbbcc1mcg40000gp/T/com.grant.XXXXXX/";
USER = XXXXX;
XCInjectBundleInto = "/Users/XXXXX/XXX/XXXXXXX/XXXXXX-eghnritsumpbbqgylbzrxqfximew/Build/Products/Debug/XXXXXX.app/Contents/MacOS/XXXXXX";
"XCODE_DBG_XPC_EXCLUSIONS" = "com.apple.dt.xctestSymbolicator";
XCTestConfigurationFilePath = "/var/folders/59/7ylv57053bv3c0rbbcc1mcg40000gp/T/com.apple.dt.XCTest/FDF2A461-45D7-4E64-B650-602DF0725CA7/remote-container/tmp/XXXXXXTests-FDF2A461-45D7-4E64-B650-602DF0725CA7.xctestconfiguration";
"XPC_FLAGS" = 0x0;
"XPC_SERVICE_NAME" = "com.apple.dt.Xcode.23100";
"__CF_USER_TEXT_ENCODING" = "0x1F6:0x0:0x2";
"__XCODE_BUILT_PRODUCTS_DIR_PATHS" = "/Users/XXXXX/XXX/XXXXXXX/XXXXXX-eghnritsumpbbqgylbzrxqfximew/Build/Products/Debug";
"__XPC_DYLD_FRAMEWORK_PATH" = "/Users/XXXXX/XXX/XXXXXXX/XXXXXX-eghnritsumpbbqgylbzrxqfximew/Build/Products/Debug";
"__XPC_DYLD_LIBRARY_PATH" = "/Users/XXXXX/XXX/XXXXXXX/XXXXXX-eghnritsumpbbqgylbzrxqfximew/Build/Products/Debug";
}
In Xcode 9 I found a solution, that worked for me.
Go to Xcode > File > Project Settings... (or Workspace Settings...)
Select New Build System (Preview) as Build System under Shared Settings.
Make sure to select Use Shared Setting under Per-User Project Settings.
I too logged a bug with Apple. Experienced it on Xcode 9. However, I then played with it some more and found that by changing the Derived Data Folder to Custom and disabling code coverage in my Test config for my scheme, the error went away. It seems that some combination of these two caused the issue.
I have logged a bug with Apple as it appears that no one else is getting this error.
Edit: Elise has filed bug Apple #34737491, if you are experiencing it - then please raise a bug and reference that ticket so Apple can see how big the impact is.

How would I generate the Identity Server signing certificate

In the identity server samples we find code like this in Startup.cs
var certFile = env.ApplicationBasePath + "\\idsrv3test.pfx";
var signingCertificate = new X509Certificate2(certFile, "idsrv3test");
How would I go about replacing this for production scenarios?
For the record, the code proposed in the image posted by RuSs:
options.SigningCertificate = LoadCertificate();
public X509Certificate2 LoadCertificate()
{
string thumbPrint = "104A19DB7AEA7B438F553461D8155C65BBD6E2C0";
// Starting with the .NET Framework 4.6, X509Store implements IDisposable.
// On older .NET, store.Close should be called.
using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
{
store.Open(OpenFlags.ReadOnly);
var certCollection = store.Certificates.Find(X509FindType.FindByThumbprint, thumbPrint, validOnly: false);
if (certCollection.Count == 0)
throw new Exception("No certificate found containing the specified thumbprint.");
return certCollection[0];
}
}
Get a dedicated cert - either via your PKI or self-generate one:
http://brockallen.com/2015/06/01/makecert-and-creating-ssl-or-signing-certificates/
Import the key pair into the Windows certificate store, and load it from there at runtime.
To step up security, some people deploy the keys to a dedicated device (called an HSM) or to a dedicated machine (e.g. behind a firewall). The ITokenSigningService allows moving the actual token signing to that separate machine.
Recently I decided to revamp my token signing issuing process. If you're running Windows 10, you can use the awesome powershell cmdlet called New-SelfSignedCertificate.
Here is my example usage:
New-SelfSignedCertificate -Type Custom `
    -Subject "CN=TokenSigningForIdServer" `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3") `
    -KeyUsage DigitalSignature `
    -KeyAlgorithm RSA `
    -KeyLength 2048 `
    -CertStoreLocation "Cert:\LocalMachine\My"
Make sure you are running the command as an admin. You can obtain the certificate details by opening certlm.msc. It should be stored below Personal\Certificates.
Most of the flags should be obvious, apart from the -TextExtension one. It specifies that an Enhanced Key Usage field is set to the "Code Signing" value. You can play around with the algorithm used, key length, even add extensions by referring to the following documentation page.
Here is how I load it from a thumbprint in my config:
Click here to see image

OTHER_CODE_SIGN_FLAGS keychain flag ignored?

I have just learned about the possibility to use OTHER_CODE_SIGN_FLAGS to specify the keychain which includes the cert needed for building and signing an app. But unfortunately I cannot get it to work.
My script looks something like this:
#!/bin/bash
TARGET="MyProject"
CONFIGURATION="Release"
SDK="iphoneos"
IDENTITY="iPhone Developer: John Doe (XX22RR22O)"
KEYCHAIN="/Users/username/Library/Keychains/someKeyChain.keychain"
PASSWORD=""
security unlock-keychain -p "${PASSWORD}" "${KEYCHAIN}"
xcodebuild -target "${TARGET}" -configuration "${CONFIGURATION}" -sdk "${SDK}" CODE_SIGN_IDENTITY="${IDENTITY}" OTHER_CODE_SIGN_FLAGS="--keychain ${KEYCHAIN}"
But that fails:
Check dependencies
[BEROR]Code Sign error: The identity 'iPhone Developer: John Doe (XX22RR22O)' doesn't match any valid certificate/private key pair in the default keychain
But if I switch to the keychain first it works but that is not useable on a build server where multiple builds could happen simultaneously:
#!/bin/bash
TARGET="MyProject"
CONFIGURATION="Release"
SDK="iphoneos"
IDENTITY="iPhone Developer: John Doe (XX22RR22O)"
KEYCHAIN="/Users/username/Library/Keychains/someKeyChain.keychain"
PASSWORD=""
security unlock-keychain -p "${PASSWORD}" "${KEYCHAIN}"
security default-keychain -s "${KEYCHAIN}"
xcodebuild -target "${TARGET}" -configuration "${CONFIGURATION}" -sdk "${SDK}" CODE_SIGN_IDENTITY="${IDENTITY}" OTHER_CODE_SIGN_FLAGS="--keychain ${KEYCHAIN}"
Hope you guys can help
-Morten
I found that if I didn't add the keychain to keychain search list, xcodebuild would not respect the OTHER_CODE_SIGN_FLAG --keychain setting. I had to add this code:
# Early in the script
ORIGINAL_KEYCHAINS=`security list-keychains -d user`
# After I create my keychain, add it to the list
security list-keychains -d user -s ${ORIGINAL_KEYCHAINS} "${KEYCHAIN_NAME}"
# On cleanup
security list-keychains -d user -s ${ORIGINAL_KEYCHAINS}
Needless to say, I lost hours figuring this out.
Also of help, making sure the keychain stays open for the length of your build. As advised here:
security -v set-keychain-settings -lut 7200 ${KEYCHAIN_NAME}
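
The search-list handling from the answer above, as an added example that is not the poster's script: instead of restoring a saved snapshot, cleanup removes only the build's own keychain, so entries another build added in the meantime are kept. Function names are hypothetical; the read-modify-write is still not atomic, so builds that can overlap should serialize these calls.

```shell
#!/bin/sh
# Added example: add a build keychain to the user search list for the
# duration of one command, then remove only that keychain again.

# Print the search list one path per line. `security list-keychains`
# indents and double-quotes each path; strip both.
keychain_list() {
    security list-keychains -d user |
        sed -e 's/^[[:space:]]*"//' -e 's/"[[:space:]]*$//'
}

# Replace the search list with the paths read from stdin, one per line.
# Each line becomes one argument, so paths with spaces stay intact.
set_keychain_list() {
    set --
    while IFS= read -r line; do
        if [ -n "$line" ]; then set -- "$@" "$line"; fi
    done
    security list-keychains -d user -s "$@"
}

# Append KEYCHAIN to the current list (moving it to the end if present).
add_keychain() {
    { keychain_list | grep -Fxv -- "$1" || true; printf '%s\n' "$1"; } |
        set_keychain_list
}

# Drop only KEYCHAIN from the current list.
remove_keychain() {
    { keychain_list | grep -Fxv -- "$1" || true; } | set_keychain_list
}

# with_keychain KEYCHAIN CMD [ARGS...]
# Runs CMD with KEYCHAIN searchable and returns CMD's exit status.
with_keychain() {
    kc=$1; shift
    add_keychain "$kc"
    rc=0
    "$@" || rc=$?
    remove_keychain "$kc"
    return $rc
}

# Run only when a keychain and a command are given.
if [ "$#" -ge 2 ]; then
    with_keychain "$@"
fi
```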
The answer is to upgrade: Xcode 4.3 respects the OTHER_CODE_SIGN_FLAGS flag during the Check dependencies build step.
I ran into the same problem while trying to set up CI for our iOS projects. I ended up updating the PackageApplication Perl script to support passing a keychain option. Location:
/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/PackageApplication
I'm still waiting for some licensing clarification from Apple so that I can publish my updated script to GitHub.
None of these really works unless you have the simplest of scripted builds going. Like @Tyler said, PackageApplication doesn't support specifying the keychain, and some versions of xcode will require there be no duplicate certificates across keychains when they check dependencies.
Don't waste your time, just call Apple and ask them to rename one of your certificates (they will actually rename your company --- by appending a suffix --- and you just have to regenerate your certificates and update your profiles).