Post

Replies

Boosts

Views

Activity

how to delete a 'ghost' signing certificate (Xcode 13.2.1)
In my keychain, I have one Developer ID Application certificate, with a private key, for my Team. In Xcode's Accounts/Manage Certificates dialog, there are three Developer ID Application certificates, two of which have a red 'x' badge and the status 'missing private key'. I can right click on any of those three entries and my only enabled choice is "Export". Email creator or Delete are disabled. Why? In my Team's account, there are indeed three Developer ID Application certificates, with different expiration dates, but I only have the private key for one of them. By choosing Manual signing, I can choose a specific certificate from my keychain, but Xcode 13.2.1 tells me that this certificate is missing its private key - but I can see that private key in my keychain!
1
0
1.6k
Mar ’22
why "you do not have permission to open the application" now
For some time I've been sharing an internal macOS app with my colleagues by simply building it locally, zipping it up and emailing, or sharing on Slack or Teams. In the Target Settings in Xcode, Signing and Capabilities, the Team is set to my company, the Signing Certificate is set to Development (not "Sign to run locally"). This has worked for some time. None of the recipients complained that they couldn't run the app. Of course it is not notarized so they need to right-click and select Open the first time around. When I examine the signature of the app I distribute this way, using `codesign -dvvv`, the signing authority is me (not my company). One of my colleagues recently migrated to a new Mac Mini M1. On this Mac, when attempting to open the app, he saw the "you do not have permission to open the application" alert. He's supposed to consult his sys admin (himself). I fixed the problem by Archiving a build and explicitly choosing to sign it using the company's Developer ID certificate. The version produced this way has a signing authority of my company, not me, and my colleague can run it. Does anyone know why my previous builds work on other machines for other users? It appears that the locally-built app was actually signed by my personal certificate, although Xcode's UI said it would be signed by my company - but it didn't only work for me? What is the expected behavior if you try to open an app signed with a personal certificate on a machine owned by a different person? Should Security & Privacy offer the option of approving that particular personal certificate?
1
0
1.5k
Jan ’22
driverkit installation app fails with code signature error
I recently updated my test machine to Big Sur beta 3. I built a driver installation app, which hosts a driverkit extension. The app used to run on Big Sur b1. Now, it won't launch at all in the debugger, it fails with this error: `Domain: RBSRequestErrorDomain Code: 5`. From Finder it fails with an error -1, and no further information. If I move it to /Applications and run it from there, I get a crash report which says it failed due to a code signing error: `Exception Type: EXC_CRASH (Code Signature Invalid)` `Exception Codes: 0x0000000000000000, 0x0000000000000000` `Exception Note: EXC_CORPSE_NOTIFY`. The thing is, codesign says it is fine: `codesign -v -vvv /Applications/DriverInstallationApp.app` `/Applications/DriverInstallationApp.app: valid on disk` `/Applications/DriverInstallationApp.app: satisfies its Designated Requirement`. spctl says 'rejected' without giving a reason. I have SIP turned off on this machine, so I'd never notarized the app before. So in desperation I tried notarizing the app. Once notarized, the app is "accepted" by spctl, but it still crashes with the same "code signature invalid" error. Does anyone have any ideas on how I can debug this?
5
0
2.8k
Jul ’20
DriverKit unsigned dext for local execution
I'm trying to build the driverkit sample from github (https://github.com/knightsc/USBApp) according to this: https://developer.apple.com/system-extensions/ "If you plan to deploy drivers built with DriverKit, allow other developers to use your system extensions, or use the EndpointSecurity API, you’ll need to request an entitlement from Apple. While your request is in review, you can test system extensions on your Mac by temporarily turning off System Integrity Protection." I'm trying to build on a system with SIP off, but I can't get as far as testing because Xcode won't build or sign the dext. I don't want it signed, because I have no entitlements, I'd be happy to run it locally to figure out if it is worth proceeding with even requesting entitlements. Has anyone been able to build and test a dext without already having entitlements?
2
1
1.7k
Apr ’20
DriverKit, USBDriverKit and SystemExtensions
I've watched the video of WWDC 2019 session 702, System Extensions and DriverKit, and I'm still a little puzzled. For instance, what's the point of USBDriverKit, that is, why would I use it in preference to the already extant user-mode USB APIs? The demo shows an extension that does nothing - it logs to the debugger, but it doesn't provide any services to multiple clients in the system. In a KEXT, those services are provided by publishing them in the IORegistry; they provide well-known interfaces in the kernel to which a well-known user client can connect. If my extension ships in my own app, and provides services only to that app, I may as well implement the extension's functions directly in my app. How does my app (or more importantly, a third-party app) communicate with my dext? That wasn't covered in session 702. Neither was the case of replacing or augmenting an existing system driver, for example filtering the data passing through a USB mass storage driver, based on sideband data which the standard system driver cannot convey. For a kext, I would simply call IORegisterService and the rest of the stack would be built on top of my driver. Is the sample code for the demo of session 702 available? Any other sample code for DriverKit?
2
0
1.6k
Jul ’19