Reply to AppStore submission for Ruby/Glimmer app on MacOS without Xcode
To recap, my Ruby files for the app are located under ./app, with the gems being "vendored". This library is located at ./app/vendor/bundle/ruby/3.3.0/gems/libui-0.1.2-arm64-darwin/vendor/libui.dylib. I'm curious if I should codesign the libui.dylib before building the binary with Tebako? If so, would I still need to codesign the Contents/Frameworks files under the app bundle? (I'm assuming yes on this latter point.) Thanks in advance for your suggestions.
Topic: Code Signing SubTopic: General
Apr ’25
Reply to AppStore submission for Ruby/Glimmer app on MacOS without Xcode
Actually, I just found this within the Console output:

    Library Validation failed: Rejecting '/Users/chip/Library/Containers/com.chipcastle.pathmanager/Data/tmp/tebako-runtime-20250404-48697-v1sra5/libui.dylib' (Team ID: none, platform: no) for process 'PATHmanager(48697)' (Team ID: BXN9N7MNU3, platform: no), reason: mapping process and mapped file (non-platform) have different Team IDs

This is strange, because I'm using the same Team ID in the cert when codesigning the libui.dylib and the app bundle. Additionally, I'm unclear on why the dylib would be located under /Users/chip/Library/Containers/com.chipcastle.pathmanager/Data/tmp/tebako-runtime-20250404-48697-v1sra5/libui.dylib, because not only is that not where I initially built the binary, it's not where I copied it for codesigning.
Topic: Code Signing SubTopic: General
Apr ’25
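An added example, not part of the original post or the poster's tooling: Ruby code that extracts the fields of the Library Validation message quoted in the post above and reports where the rejected file sits relative to the signed bundle. The function names, the constructed second log line and its placeholder Team IDs are assumptions made for illustration.

```ruby
# Added example, not code from the thread: parse and triage a macOS
# "Library Validation failed" console message.

LV_PATTERN = /
  Library\ Validation\ failed:\ Rejecting\ '(?<file>[^']+)'\s+
  \(Team\ ID:\ (?<file_team>[^,]+),\ platform:\ (?<file_platform>\w+)\)\s+
  for\ process\ '(?<process>[^'(]+)\((?<pid>\d+)\)'\s+
  \(Team\ ID:\ (?<proc_team>[^,]+),\ platform:\ (?<proc_platform>\w+)\),\s+
  reason:\ (?<reason>.+)
/x

# The message quoted in the post, split only to keep the source lines short.
PAGE_LINE =
  "Library Validation failed: Rejecting '/Users/chip/Library/Containers/" \
  "com.chipcastle.pathmanager/Data/tmp/tebako-runtime-20250404-48697-v1sra5/" \
  "libui.dylib' (Team ID: none, platform: no) for process 'PATHmanager(48697)' " \
  "(Team ID: BXN9N7MNU3, platform: no), reason: mapping process and mapped " \
  "file (non-platform) have different Team IDs"

# Constructed sample (placeholder Team IDs): a library inside a bundle,
# signed by a different team than the process.
CONSTRUCTED_LINE =
  "Library Validation failed: Rejecting '/Applications/Example.app/Contents/" \
  "Frameworks/libexample.dylib' (Team ID: TEAMID0001, platform: no) for " \
  "process 'Example(101)' (Team ID: TEAMID0002, platform: no), reason: " \
  "mapping process and mapped file (non-platform) have different Team IDs"

# Returns the message fields as a Hash, or nil for any other log line.
def parse_library_validation(line)
  m = LV_PATTERN.match(line)
  return nil unless m
  event = m.named_captures.transform_keys(&:to_sym)
  event[:pid] = event[:pid].to_i
  event[:reason] = event[:reason].strip
  event
end

# Facts to establish before re-signing anything.
def triage(event)
  file = event[:file]
  {
    team_mismatch:     event[:file_team] != event[:proc_team],
    file_has_team_id:  event[:file_team] != "none",
    inside_app_bundle: file.match?(%r{\.app/Contents/}),
    in_container_tmp:  file.match?(%r{/Library/Containers/[^/]+/Data/tmp/})
  }
end

# Human-readable findings for one log line (empty for unrelated lines).
def findings(line)
  event = parse_library_validation(line)
  return [] unless event
  t = triage(event)
  out = []
  out << "Team ID #{event[:file_team]} on file vs #{event[:proc_team]} on process" if t[:team_mismatch]
  out << "rejected file carries no Team ID (unsigned or ad hoc signed)" unless t[:file_has_team_id]
  out << "rejected file is outside any .app bundle, so the bundle signature does not cover it" unless t[:inside_app_bundle]
  out << "rejected file was loaded from the sandbox container's tmp directory" if t[:in_container_tmp]
  out
end

puts findings(PAGE_LINE) if $PROGRAM_NAME == __FILE__
```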
Reply to AppStore submission for Ruby/Glimmer app on MacOS without Xcode
Thank you for the documentation. Let's see if I got the steps straight...

I launched TestFlight, then from the Terminal I typed sudo sysdiagnose, clicking Enter for it to start processing. I then clicked Open from TestFlight and clicked Done on both error dialogs. Per the sysdiagnose instructions, I clicked Ctrl-\ within the Terminal to allow it to finish processing. Per the documentation you provided, I waited more than 10 minutes. At that point, neither did sysdiagnose bring the Finder to the front, nor did it create any files under its directory. Here's verification:

    λ sudo sysdiagnose -H
    Password:
    Sysdiagnoses can be found at '/private/var/tmp'
    ~ λ ls -alR /private/var/tmp
    total 0
    drwxrwxrwt 2 root wheel 64 Apr 2 21:17 .
    drwxr-xr-x 36 root wheel 1152 Mar 20 09:49 ..

I have yet to hear back from support regarding my bug report, so I'll wait. Thanks again.
Topic: Code Signing SubTopic: General
Apr ’25
Reply to AppStore submission for Ruby/Glimmer app on MacOS without Xcode
Thanks for the tips! I tried sysdiagnose in various incantations, but received no output. Here's a sample:

    sudo sysdiagnose -H -v 30371

The 30371 is the pid for TestFlight on my system at the time. I'm new to sysdiagnose, so I could've easily used it improperly. I also inspected the contents of /private/var/tmp, which had only 2 directories, one of them being empty. The other only contained a binary file at /private/var/tmp/SoftwareUpdateCore/EventReporterPersistedState/SUCoreEventReporterState.state, but I'm assuming this is not related.

At any rate, I clicked on the Send Feedback button from within TestFlight and provided a screenshot along with a description in case that helps. I'll also attach the screenshot here so you can see what I mean. Thanks again.
Topic: Code Signing SubTopic: General
Apr ’25
Reply to AppStore submission for Ruby/Glimmer app on MacOS without Xcode
Yes, that's correct. That error only occurs when installing via TestFlight and pops up twice. The app is never installed under /Applications. To be clear, before codesigning, the app runs fine on my system (always has). As a further test, if I extract the pkg file that I uploaded via Transporter, which is subsequently available via TestFlight, I get this:

    /tmp λ xar -xf ~/code/ruby/PATHmanager.pkg
    /tmp λ ll
    total 8
    drwxrwxrwt 7 root wheel 224 Mar 31 09:23 .
    drwxr-xr-x 6 root wheel 192 Mar 20 09:49 ..
    -rw-r--r-- 1 chip staff 1217 Mar 31 09:23 Distribution
    drwx------ 3 chip wheel 96 Mar 20 09:50 com.apple.launchd.AUOVCHr68r
    drwx------ 5 chip staff 160 Dec 31 1969 com.chipcastle.pathmanager.pkg
    srwxr-xr-x 1 chip wheel 0 Mar 20 09:50 mykitty-1525
    drwxr-xr-x 2 root wheel 64 Mar 30 15:31 powerlog
    /tmp λ cpio -i < "com.chipcastle.pathmanager.pkg/Payload"
    58137 blocks
    /tmp λ ll
    total 8
    drwxrwxrwt 8 root wheel 256 Mar 31 09:23 .
    drwxr-xr-x 6 root wheel 192 Mar 20 09:49 ..
    -rw-r--r-- 1 chip staff 1217 Mar 31 09:23 Distribution
    drwxr-xr-x 3 chip wheel 96 Mar 31 09:23 PATHmanager.app
    drwx------ 3 chip wheel 96 Mar 20 09:50 com.apple.launchd.AUOVCHr68r
    drwx------ 5 chip staff 160 Dec 31 1969 com.chipcastle.pathmanager.pkg
    srwxr-xr-x 1 chip wheel 0 Mar 20 09:50 mykitty-1525
    drwxr-xr-x 2 root wheel 64 Mar 30 15:31 powerlog
    /tmp λ open PATHmanager.app
    The application cannot be opened for an unexpected reason, error=Error Domain=RBSRequestErrorDomain Code=5 "Launch failed." UserInfo={NSLocalizedFailureReason=Launch failed., NSUnderlyingError=0x600003c9c0f0 {Error Domain=NSPOSIXErrorDomain Code=153 "Unknown error: 153" UserInfo={NSLocalizedDescription=Launchd job spawn failed}}}
Topic: Code Signing SubTopic: General
Mar ’25
Reply to AppStore submission for Ruby/Glimmer app on MacOS without Xcode
Yes, sorry that I wasn't clear - The error did occur when attempting to open the app with TestFlight (the dialog box opened twice with the same message, BTW.) Plus, PATHmanager.app is neither installed under /Applications, nor ~/Applications. If there's something else I can do to get it installed, I'm all ears. :-)

I'll post the output of your suggested commands from the extracted .pkg file that was uploaded using Transporter (hopefully that helps?):

Signature dump for app bundle

    /tmp λ codesign -d -vvv "PATHmanager.app/"
    Executable=/private/tmp/PATHmanager.app/Contents/MacOS/PATHmanager
    Identifier=com.chipcastle.pathmanager
    Format=app bundle with Mach-O thin (arm64)
    CodeDirectory v=20500 size=223206 flags=0x10000(runtime) hashes=6964+7 location=embedded
    Hash type=sha256 size=32
    CandidateCDHash sha256=a7e912f449ef085b27467d282bfeca980b8e4d9c
    CandidateCDHashFull sha256=a7e912f449ef085b27467d282bfeca980b8e4d9c9063d3b31bb34aaa15383e7d
    Hash choices=sha256
    CMSDigest=a7e912f449ef085b27467d282bfeca980b8e4d9c9063d3b31bb34aaa15383e7d
    CMSDigestType=2
    CDHash=a7e912f449ef085b27467d282bfeca980b8e4d9c
    Signature size=9116
    Authority=Apple Distribution: Chip Castle Dot Com, Inc. (BXN9N7MNU3)
    Authority=Apple Worldwide Developer Relations Certification Authority
    Authority=Apple Root CA
    Timestamp=Mar 27, 2025 at 1:01:31 PM
    Info.plist entries=19
    TeamIdentifier=BXN9N7MNU3
    Runtime Version=15.0.0
    Sealed Resources version=2 rules=13 files=3
    Internal requirements count=1 size=204

Since that doesn't tell me much, I'll add this as well:

    λ codesign -d -r- "PATHmanager.app"
    Executable=/private/tmp/PATHmanager.app/Contents/MacOS/PATHmanager
    designated => identifier "com.chipcastle.pathmanager" and anchor apple generic and certificate leaf[subject.CN] = "Apple Distribution: Chip Castle Dot Com, Inc. (BXN9N7MNU3)" and certificate 1[field.1.2.840.113635.100.6.2.1] /* exists */

Signature app for dylib

    λ codesign -d -vvv "PATHmanager.app/Contents/Frameworks/libui.dylib"
    Executable=/private/tmp/PATHmanager.app/Contents/Frameworks/libui.dylib
    Identifier=libui
    Format=Mach-O universal (x86_64 arm64)
    CodeDirectory v=20500 size=3281 flags=0x10000(runtime) hashes=97+2 location=embedded
    Hash type=sha256 size=32
    CandidateCDHash sha1=6f0f3b4eefb0e542619665c4c6396f84b765a92f
    CandidateCDHashFull sha1=6f0f3b4eefb0e542619665c4c6396f84b765a92f
    CandidateCDHash sha256=51b0d7e81f542de2b8c8a8d091548bfd4b1091e5
    CandidateCDHashFull sha256=51b0d7e81f542de2b8c8a8d091548bfd4b1091e5ce8be2b38188f806bed13dc6
    Hash choices=sha1,sha256
    CMSDigest=705e70b2c2bda6cefedab9ccb490452f2ea83ce07d9ed5e0285c74cd6eedb151
    CMSDigestType=2
    CDHash=51b0d7e81f542de2b8c8a8d091548bfd4b1091e5
    Signature size=9197
    Authority=Apple Distribution: Chip Castle Dot Com, Inc. (BXN9N7MNU3)
    Authority=Apple Worldwide Developer Relations Certification Authority
    Authority=Apple Root CA
    Timestamp=Mar 27, 2025 at 1:01:31 PM
    Info.plist=not bound
    TeamIdentifier=BXN9N7MNU3
    Runtime Version=12.1.0
    Sealed Resources=none
    Internal requirements count=1 size=184

And also:

    λ codesign -d -r- "PATHmanager.app/Contents/Frameworks/libui.dylib"
    Executable=/private/tmp/PATHmanager.app/Contents/Frameworks/libui.dylib
    designated => identifier libui and anchor apple generic and certificate leaf[subject.CN] = "Apple Distribution: Chip Castle Dot Com, Inc. (BXN9N7MNU3)" and certificate 1[field.1.2.840.113635.100.6.2.1] /* exists */

Thanks again.
Topic: Code Signing SubTopic: General
Mar ’25
Reply to AppStore submission for Ruby/Glimmer app on MacOS without Xcode
I was able to get it submitted to TestFlight, but am now getting a slightly different error for the dylib than before:

    “libui.dylib” Not Opened
    Apple could not verify “libui.dylib” is free of malware that may harm your Mac or compromise your privacy.

The dylib is located under Contents/Frameworks, so I'm not sure what else there is to be done.

Bundle contents

    λ xar -xf ~/code/ruby/PATHmanager.pkg
    /tmp λ lsbom "com.chipcastle.pathmanager.pkg/Bom"
    . 0 0/0
    ./PATHmanager.app 40755 0/0
    ./PATHmanager.app/Contents 40755 0/0
    ./PATHmanager.app/Contents/Frameworks 40755 0/0
    ./PATHmanager.app/Contents/Frameworks/libui.dylib 100644 0/0 925632 2654273729
    ./PATHmanager.app/Contents/Info.plist 100644 0/0 1415 196399421
    ./PATHmanager.app/Contents/MacOS 40755 0/0
    ./PATHmanager.app/Contents/MacOS/PATHmanager 100755 0/0 28765680 1121196294
    ./PATHmanager.app/Contents/PkgInfo 100644 0/0 8 742937289
    ./PATHmanager.app/Contents/Resources 40755 0/0
    ./PATHmanager.app/Contents/Resources/AppIcon.icns 100644 0/0 56310 2265036908
    ./PATHmanager.app/Contents/_CodeSignature 40755 0/0
    ./PATHmanager.app/Contents/_CodeSignature/CodeResources 100644 0/0 2969 2120637324
    ./PATHmanager.app/Contents/embedded.provisionprofile 100644 0/0 12377 748912970
    /tmp λ cpio -i < "com.chipcastle.pathmanager.pkg/Payload"
    58137 blocks
    /tmp λ find PATHmanager.app
    PATHmanager.app
    PATHmanager.app/Contents
    PATHmanager.app/Contents/_CodeSignature
    PATHmanager.app/Contents/_CodeSignature/CodeResources
    PATHmanager.app/Contents/MacOS
    PATHmanager.app/Contents/MacOS/PATHmanager
    PATHmanager.app/Contents/Resources
    PATHmanager.app/Contents/Resources/AppIcon.icns
    PATHmanager.app/Contents/embedded.provisionprofile
    PATHmanager.app/Contents/Frameworks
    PATHmanager.app/Contents/Frameworks/libui.dylib
    PATHmanager.app/Contents/Info.plist
    PATHmanager.app/Contents/PkgInfo
    /tmp λ codesign --verify -vvv "PATHmanager.app"
    --prepared:/private/tmp/PATHmanager.app/Contents/Frameworks/libui.dylib
    --validated:/private/tmp/PATHmanager.app/Contents/Frameworks/libui.dylib
    PATHmanager.app: valid on disk
    PATHmanager.app: satisfies its Designated Requirement

Codesigning output

    λ ./appstore.rb
    codesign --remove-signature '/Users/chip/code/ruby/distribution/PATHmanager.app/Contents/Frameworks/libui.dylib'
    remove_signature returns: true
    codesign --remove-signature '/Users/chip/code/ruby/distribution/PATHmanager.app'
    remove_signature returns: true
    Signing the .app...
    codesign --preserve-metadata=entitlements --force --verify --verbose=4 --options runtime --timestamp --sign 'Apple Distribution: Chip Castle Dot Com, Inc. (BXN9N7MNU3)' '/Users/chip/code/ruby/distribution/PATHmanager.app/Contents/Frameworks/libui.dylib'
    /Users/chip/code/ruby/distribution/PATHmanager.app/Contents/Frameworks/libui.dylib: signed Mach-O universal (x86_64 arm64) [libui]
    sign_app returns: true
    codesign --preserve-metadata=entitlements --force --verify --verbose=4 --options runtime --timestamp --entitlements '/Users/chip/code/ruby/distribution/PATHmanager.entitlements' --sign 'Apple Distribution: Chip Castle Dot Com, Inc. (BXN9N7MNU3)' '/Users/chip/code/ruby/distribution/PATHmanager.app'
    /Users/chip/code/ruby/distribution/PATHmanager.app: signed app bundle with Mach-O thin (arm64) [com.chipcastle.pathmanager]
    sign_app returns: true
    Verifying signature for /Users/chip/code/ruby/distribution/PATHmanager.app/Contents/Frameworks/libui.dylib
    codesign --verify --verbose=4 '/Users/chip/code/ruby/distribution/PATHmanager.app/Contents/Frameworks/libui.dylib'
    /Users/chip/code/ruby/distribution/PATHmanager.app/Contents/Frameworks/libui.dylib: valid on disk
    /Users/chip/code/ruby/distribution/PATHmanager.app/Contents/Frameworks/libui.dylib: satisfies its Designated Requirement
    verify_app_signature for /Users/chip/code/ruby/distribution/PATHmanager.app/Contents/Frameworks/libui.dylib returns: true
    Verifying signature for /Users/chip/code/ruby/distribution/PATHmanager.app
    codesign --verify --verbose=4 '/Users/chip/code/ruby/distribution/PATHmanager.app'
    --prepared:/Users/chip/code/ruby/distribution/PATHmanager.app/Contents/Frameworks/libui.dylib
    --validated:/Users/chip/code/ruby/distribution/PATHmanager.app/Contents/Frameworks/libui.dylib
    /Users/chip/code/ruby/distribution/PATHmanager.app: valid on disk
    /Users/chip/code/ruby/distribution/PATHmanager.app: satisfies its Designated Requirement
    verify_app_signature for /Users/chip/code/ruby/distribution/PATHmanager.app returns: true
    Building the .pkg...
    productbuild --sign '3rd Party Mac Developer Installer: Chip Castle Dot Com, Inc. (BXN9N7MNU3)' --identifier 'com.chipcastle.pathmanager' --version '1.23' --component '/Users/chip/code/ruby/distribution/PATHmanager.app' /Applications '/Users/chip/code/ruby/PATHmanager.pkg'
    productbuild: Adding component at /Users/chip/code/ruby/distribution/PATHmanager.app
    productbuild: Signing product with identity "3rd Party Mac Developer Installer: Chip Castle Dot Com, Inc. (BXN9N7MNU3)" from keychain /Users/chip/Library/Keychains/login.keychain-db
    productbuild: Adding certificate "Apple Worldwide Developer Relations Certification Authority"
    productbuild: Adding certificate "Apple Root CA"
    productbuild: Wrote product to /Users/chip/code/ruby/PATHmanager.pkg
    productbuild: Supported OS versions: [Min: 12.0, Before: None]
    build_package returns: true
    Verifying signature for /Users/chip/code/ruby/distribution/PATHmanager.app/Contents/Frameworks/libui.dylib
    codesign --verify --verbose=4 '/Users/chip/code/ruby/distribution/PATHmanager.app/Contents/Frameworks/libui.dylib'
    /Users/chip/code/ruby/distribution/PATHmanager.app/Contents/Frameworks/libui.dylib: valid on disk
    /Users/chip/code/ruby/distribution/PATHmanager.app/Contents/Frameworks/libui.dylib: satisfies its Designated Requirement
    verify_app_signature for /Users/chip/code/ruby/distribution/PATHmanager.app/Contents/Frameworks/libui.dylib returns: true
    Verifying signature for /Users/chip/code/ruby/distribution/PATHmanager.app
    codesign --verify --verbose=4 '/Users/chip/code/ruby/distribution/PATHmanager.app'
    --prepared:/Users/chip/code/ruby/distribution/PATHmanager.app/Contents/Frameworks/libui.dylib
    --validated:/Users/chip/code/ruby/distribution/PATHmanager.app/Contents/Frameworks/libui.dylib
    /Users/chip/code/ruby/distribution/PATHmanager.app: valid on disk
    /Users/chip/code/ruby/distribution/PATHmanager.app: satisfies its Designated Requirement
    verify_app_signature for /Users/chip/code/ruby/distribution/PATHmanager.app returns: true

Any ideas? Thanks in advance.
Topic: Code Signing SubTopic: General
Mar ’25
Reply to AppStore submission for Ruby/Glimmer app on MacOS without Xcode
As an update, I was able to remove the AppleDouble file, remove the com.apple.macl extended attribute, and extract the pkg again. This time everything looks normal - no AppleDouble files, no extended attributes on any file in the app bundle, including the binary. Transporter reports the following even though the sandbox property is in the entitlements file:

    Validation failed (409)
    App sandbox not enabled. The following executables must include the "com.apple.security.app-sandbox" entitlement with a Boolean value of true in the entitlements property list: [( "com.chipcastle.pathmanager.pkg/Payload/PATHmanager.app/Contents/MacOS/PATHmanager" )] Refer to App Sandbox page at https://developer.apple.com/documentation/security/app_sandbox for more information on sandboxing your app. (ID: 784e5cd5-38e6-4b93-be65-640ff87f6d66)
Topic: Code Signing SubTopic: General
Mar ’25
Reply to AppStore submission for Ruby/Glimmer app on MacOS without Xcode
Ok, I had to get some support from the tebako folks before I could reply. Here's the output of the codesign --verify -vvv "PATHmanager.app" command you suggested:

Extract pkg contents

    /tmp λ xar -xf ~/code/ruby/PATHmanager.pkg

Verify Bill of Materials

    /tmp λ lsbom com.chipcastle.pathmanager.pkg/Bom
    . 0 0/0
    ./PATHmanager.app 40755 0/0
    ./PATHmanager.app/Contents 40755 0/0
    ./PATHmanager.app/Contents/Frameworks 40755 0/0
    ./PATHmanager.app/Contents/Frameworks/libui.dylib 100644 0/0 925632 3337342204
    ./PATHmanager.app/Contents/Info.plist 100644 0/0 1415 1981579098
    ./PATHmanager.app/Contents/MacOS 40755 0/0
    ./PATHmanager.app/Contents/MacOS/._PATHmanager 100755 0/0 0 0
    ./PATHmanager.app/Contents/MacOS/PATHmanager 100755 0/0 30036560 1901427662
    ./PATHmanager.app/Contents/PkgInfo 100644 0/0 8 742937289
    ./PATHmanager.app/Contents/Resources 40755 0/0
    ./PATHmanager.app/Contents/Resources/AppIcon.icns 100644 0/0 56310 2265036908
    ./PATHmanager.app/Contents/_CodeSignature 40755 0/0
    ./PATHmanager.app/Contents/_CodeSignature/CodeResources 100644 0/0 2822 2461487254

Check Payload

    /tmp λ cpio -i < com.chipcastle.pathmanager.pkg/Payload
    60595 blocks
    /tmp λ find com.chipcastle.pathmanager.pkg
    com.chipcastle.pathmanager.pkg
    com.chipcastle.pathmanager.pkg/Bom
    com.chipcastle.pathmanager.pkg/Payload
    com.chipcastle.pathmanager.pkg/PackageInfo

Inspect .app folder contents

    /tmp λ find PATHmanager.app
    PATHmanager.app
    PATHmanager.app/Contents
    PATHmanager.app/Contents/_CodeSignature
    PATHmanager.app/Contents/_CodeSignature/CodeResources
    PATHmanager.app/Contents/MacOS
    PATHmanager.app/Contents/MacOS/PATHmanager
    PATHmanager.app/Contents/Resources
    PATHmanager.app/Contents/Resources/AppIcon.icns
    PATHmanager.app/Contents/Frameworks
    PATHmanager.app/Contents/Frameworks/libui.dylib
    PATHmanager.app/Contents/Info.plist
    PATHmanager.app/Contents/PkgInfo

Verify with codesign

    /tmp λ codesign --verify -vvv "PATHmanager.app"
    --prepared:/private/tmp/PATHmanager.app/Contents/Frameworks/libui.dylib
    --validated:/private/tmp/PATHmanager.app/Contents/Frameworks/libui.dylib
    PATHmanager.app: valid on disk
    PATHmanager.app: satisfies its Designated Requirement

Conclusion

The only thing I see that's strange is the ._PATHmanager file when inspecting the BOM. Any suggestions are appreciated. Thank you.
Topic: Code Signing SubTopic: General
Mar ’25
Reply to AppStore submission for Ruby/Glimmer app on MacOS without Xcode
Thanks for the suggestion. I was able to extract libui.dylib by running bundle install with the following configuration:

    cat ~/code/ruby/pathos_macos/.bundle/config
    ---
    BUNDLE_PATH: "vendor/"
    BUNDLE_WITHOUT: "development:test"

This created vendor/ruby/3.3.0/gems/libui-0.1.2-arm64-darwin/vendor/libui.dylib, which I ditto'd over to ~/Desktop/distribution/PATHmanager.app/Contents/Frameworks/libui.dylib.

I bumped version (as described previously) and ran my codesigning script which signs in the following order (under /Users/chip/Desktop/distribution/PATHmanager.app/):

1. Contents/Frameworks/libui.dylib
2. Contents/MacOS/PATHmanager
3. PATHmanager.app directory

After uploading the .pkg file using Transporter, I get this old error:

    Validation failed (409)
    App sandbox not enabled. The following executables must include the "com.apple.security.app-sandbox" entitlement with a Boolean value of true in the entitlements property list: [( "com.chipcastle.pathmanager.pkg/Payload/PATHmanager.app/Contents/MacOS/PATHmanager" )] Refer to App Sandbox page at https://developer.apple.com/documentation/security/app_sandbox for more information on sandboxing your app. (ID: dce05eba-fbda-496f-b0fb-31e85eee0152)

It's the same entitlements file that I've been using, which does include the com.apple.security.app-sandbox entitlement, so I continue to be puzzled. I'll look into this further and post any updates or progress I've made. Thank you for your continued support. It has been greatly appreciated.
Topic: Code Signing SubTopic: General
Mar ’25
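An added example, not part of the thread or the poster's appstore.rb, relating to the two posts above that report Transporter's "App sandbox not enabled" (409) validation error: Ruby code that compares the entitlements requested in a .entitlements file with the entitlements embedded in a signed executable, as printed by `codesign -d --entitlements - --xml <path>`. The function names and both property lists are constructed for illustration, and the application identifier is a placeholder.

```ruby
# Added example, not code from the thread: diff requested vs. embedded
# entitlements. Inputs are XML property lists; on a Mac the embedded one comes
# from `codesign -d --entitlements - --xml <path to executable>`.

SANDBOX_KEY = "com.apple.security.app-sandbox"

# One <key> followed by a boolean, string or array value.
ENTRY = %r{<key>([^<]+)</key>\s*
           (<true\s*/>|<false\s*/>|<string>.*?</string>|<array>.*?</array>|<array\s*/>)}mx

# Constructed sample: the entitlements file handed to `codesign --entitlements`.
REQUESTED = <<~XML
  <plist version="1.0"><dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-only</key>
    <true/>
  </dict></plist>
XML

# Constructed sample: a signature that carries no entitlements at all.
EMBEDDED_EMPTY = <<~XML
  <plist version="1.0"><dict/></plist>
XML

# Constructed sample: a signature carrying the requested keys plus an
# identifier (placeholder value).
EMBEDDED_FULL = <<~XML
  <plist version="1.0"><dict>
    <key>com.apple.application-identifier</key>
    <string>TEAMID0000.com.example.app</string>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-only</key>
    <true/>
  </dict></plist>
XML

# Parse a plist's entries into { key => value }. Booleans become true/false;
# other value types are kept as their raw XML text.
def parse_entitlements(xml)
  xml.scan(ENTRY).to_h do |key, raw|
    value = if raw.start_with?("<true") then true
            elsif raw.start_with?("<false") then false
            else raw
            end
    [key, value]
  end
end

# Report what the signature lacks, changes or adds relative to the request.
def compare_entitlements(requested_xml, embedded_xml)
  requested = parse_entitlements(requested_xml)
  embedded  = parse_entitlements(embedded_xml)
  {
    missing:   requested.keys - embedded.keys,
    changed:   requested.keys.select { |k| embedded.key?(k) && embedded[k] != requested[k] },
    extra:     embedded.keys - requested.keys,
    sandboxed: embedded[SANDBOX_KEY] == true
  }
end

p compare_entitlements(REQUESTED, EMBEDDED_EMPTY) if $PROGRAM_NAME == __FILE__
```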
Reply to AppStore submission for Ruby/Glimmer app on MacOS without Xcode
I think I'm closing in on a solution. Here's what I did to get here:

1. Removed all development gems from Gemfile & bundled

       bundle install --without development test

   This removed the date gem, which was the original complaint by macOS, along with other gems (i.e., psych, rdoc, debug).

2. Created executable

       tebako clean && tebako press --root=/Users/chip/code/ruby/pathos_macos --entry-point=/Users/chip/code/ruby/pathos_macos/bin/pathos_macos -o ~/Desktop/pathos

3. Copied over executable to .app folder

       cp ~/Desktop/pathos ~/Desktop/distribution/PATHmanager.app/Contents/MacOS/PATHmanager

4. Fixed ownerships (needs further investigation)

       chown -R chip:staff ~/Desktop/distribution

5. Bumped version number

   manual file edit in Info.plist & appstore.rb (codesigning script)

6. Ran codesigning script

       ~/code/ruby/pathos_macos/assets/appstore.rb

7. Uploaded package via Transporter

   Located at (~/Desktop/PATHmanager.pkg)

8. Test with TestFlight

   I had to remove myself from QA/Testers on AppStore Connect and then add myself back for it to update the version properly.

9. Discovered error

       “libui.dylib” can’t be opened because it was not downloaded from the App Store

10. Clicked "Show in Finder"

    This created ~/Library/Containers/com.chipcastle.pathmanager/Data/tmp/tebako-runtime-20250313-19572-kgrc66 which had a quarantine attribute. I removed it with xattr -d com.apple.quarantine tebako-runtime-20250313-19572-kgrc66 but then the folder was automatically removed.

Do you have any suggestions on getting libui.dylib to be accepted? Thanks!
Topic: Code Signing SubTopic: General
Mar ’25