Why does my app not get code-signed?

I'm new to the distribution process, so I appreciate any help I may get here.

I wish to produce an approved app for private distribution; however, when I submit the app for authorization with the App store connect--as now required for all apps--it always gets rejected with the terse log: "asset validation failed". I note that my app also shows the warning:

"SpellAnalysis isn't code signed but requires entitlements. It is not possible to add entitlements to a binary without signing it."

--My app is free of all bugs screened by the compiler.

--I have checked the "Automatically manage signing" option with the build panel and, although I am inclined to also select a valid signing certificate in the same panel, this option persists with the value "none" when I look for a certificate listing. Also, it looks like I am not even listed as a team member for the app.

--I have checked to see that I have a valid Developer ID Application certificate in my online Account.

--I have confirmed that my app bundle identifier matches my online app id listing.

What could I be doing wrong? Thanks for any life-line you may toss me.

Answered by Philolaus in 710944022


I’m confused by the context here. You tagged this thread with macOS, leading me to believe that you’re targeting the Mac. Is that correct?

If so, I have follow-up questions about this:

I wish to produce an approved app for private distribution

So, you plan to distribute your Mac app independently, outside of the Mac App Store, right?

however, when I submit the app for authorization with the App [S]tore [C]onnect

Are you referring to the notary service here?

If so, are you trying to notarise from Xcode? Or from the command line?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thanks for reply. I am indeed attempting to distribute a Mac app and I am using Xcode to authorize it. I suspect that my development ID and Mac Developer certificates are not being read by Xcode.

I am using Xcode to authorize it

You mean “notarise”, right?

So, just to confirm, you’ve created an Xcode archive (using Product > Archive) and then, in the Xcode organiser, you click Distribute App and then follow the Developer ID > Upload workflow. Is that right?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Accepted Answer

Yes, that seems right. Right before I select the "Validate" button, I see a panel that shows the following:

Team: Antony Nispel (Individual) Certificate: Cloud Managed Apple Distribution (Expires 4/12/23) Profile: Mac Team Store Provisioning Profile: com.paidiaacademicsoftware.SpellAnalysis (Expires 4/12/23)  Symbols: Included Architectures: arm64 Version: 3.5 (3.0)

ENTITLEMENTS com.apple.developer.team-identifier 73ZUW8A5RN com.apple.application-identifier 73ZUW8A5RN.com.paidiaacademicsoftware.SpellAnalysis

So it looks like Apple recognizes my developer certificates and me as a team member despite what I wrote earlier on. However, upon receiving my validation report, it shows "App Store Connect Operation Error, asset validation failed" seven times. Keep in mind that I don't wish to distribute my app at the App Store, but using my own resources.

I watched a video on how to notarize an app from the command line, which might provide a better feedback log upon failure of acceptance. I ran into trouble over the Apple ID input that I am currently trying to figure out.

Thank you for your continuing help--I have been at this for at least a week.

Right before I select the "Validate" button …

Keep in mind that I don't wish to distribute my app at the App Store, but using my own resources.

I’m confused. To distribute your app outside of the App Store you want Developer ID signing and neither of the Developer ID workflows have a Validate button. The sequences are:

  • Distribute App > Developer ID > Export

  • Distribute App > Developer ID > Upload

The former just re-signs the app using your Developer ID signing identity and exports that copy to your local machine. The latter does the same thing but then submits the result to the notary service.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

OK. I stand corrected: I should select the Distribute App option and not the Validate option. This leads to the panel where I should select Developer ID. So part of my problem was selecting the wrong options.

Now I must choose from 4 radio buttons, and it seems I should choose the Developer ID option and not the App Store Connect radio button.

Now appears another panel where I should choose to Upload instead of Export. However upon doing this, I immediately receive the strange report: "Hardened Runtime is not enabled." In fact I have provided this capability along with Signing. I also made sure that Hardened runtime is enabled within my Build settings. I have tried very hard to remedy this issue with no luck.

Thanks for your help.

To distribute a Developer ID signed product successfully, you must notarise it. The notary service requires that all executables have the hardened runtime enabled. To learn more about the hardened runtime, see Hardened Runtime.

In fact I have provided this capability along with Signing. I also made sure that Hardened runtime is enabled within my Build settings.

OK. Does your app have any nested executables? For example, an app extension, a helper app, a command-line tool, an XPC Service, or a Service Management login item? If so, those must also have the hardened runtime enabled.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

As far as I can tell, my app has no nested executables. I did find a couple of AppleScript files that are not essential to the app and so I removed them. This apparently wasn't the problem since I still get the same report about needing to provide a hardened runtime capability even after I cleaned the build folder. It would sure be nice if Apple's log would specify which parts of the app need to be runtime hardened.

I will keep looking. Thank you for your persistence.

It would sure be nice if Apple's log would specify which parts of the app need to be runtime hardened.

The notary service itself does that. If you submit your app using the notarytool — see Customizing the Notarization Workflow — you get back a JSON log with details about the error.

However, in this case I think Xcode is preflighting the request, so that you don’t waste time trying to upload an app that’s just going to be rejected.

Try this:

  1. In the organiser, click Distribute App but this time follow the Developer ID > Export workflow.

  2. That will export a Developer ID signed app that’s equivalent to what Xcode generates when you do Developer ID > Upload. Open a Terminal window and change to the directory containing that app.

  3. In Terminal, run this command:

    % find Test704451.app -type f -print0 | xargs -0 file | grep "Mach-O.*executable"
    

    IMPORTANT Replace Test704451.app with the equivalent path for your app.

    If, as you believe, your app contains a single Mach-O executable, that will report only one file, the main executable of your app bundle.

  4. Now run this command:

    % codesign -d -vvv Test704451.app 
    …
    CodeDirectory v=20400 size=779 flags=0x0(none) …
    …
    

    The flags field shows runtime if the hardened runtime is enabled or none, as shown here, if it’s not.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
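The two commands above check one executable at a time. The script below, added here as an illustration and not part of Quinn's reply or any Apple tooling, applies the same check to every Mach-O executable inside a bundle, which is what the earlier point about nested executables (app extensions, helper apps, XPC services) calls for: each one must show flags=...(runtime). It assumes macOS with `file` and `codesign` for a real bundle; the parsing helpers and the constructed sample output (modelled on the two results quoted in this thread) run anywhere.

```shell
#!/bin/sh
# Added example for this thread (not Apple's code and not the poster's):
# audit every Mach-O executable in an app bundle and report whether each
# one has the hardened runtime flag, the same check Quinn describes, applied
# to nested executables as well. Needs macOS `file` and `codesign` for a
# real bundle; the parsing helpers run anywhere.

# Pull the text inside the parentheses of the CodeDirectory flags field from
# `codesign -d -vvv` output read on stdin, e.g. "flags=0x0(none)" -> "none"
# and "flags=0x10000(runtime)" -> "runtime". codesign writes this to stderr,
# so callers redirect with 2>&1.
runtime_flag_status() {
    sed -n 's/^CodeDirectory .*flags=0x[0-9a-fA-F]*(\([^)]*\)).*/\1/p' | head -n 1
}

# "hardened" when the flag list names runtime (it may be combined, e.g.
# "adhoc,runtime"), otherwise "NOT hardened".
classify_flags() {
    case "$1" in
        *runtime*) printf 'hardened\n' ;;
        *)         printf 'NOT hardened\n' ;;
    esac
}

# Every Mach-O executable below the bundle, one path per line (same find |
# file | grep pipeline as in the thread; universal binaries match too).
list_mach_o_executables() {
    find "$1" -type f -print0 | xargs -0 file | grep 'Mach-O.*executable' | cut -d: -f1 | sort -u
}

# Report one executable as "<status>\t<path>"; exit status 1 if not hardened.
check_executable() {
    flags=$(codesign -d -vvv "$1" 2>&1 | runtime_flag_status)
    status=$(classify_flags "$flags")
    printf '%s\t%s\n' "$status" "$1"
    [ "$status" = hardened ]
}

# Audit a whole bundle; exit status is the number of unhardened executables,
# so the notary preflight failure can be traced to a specific file.
audit_bundle() {
    unhardened=0
    while IFS= read -r exe; do
        [ -n "$exe" ] || continue
        check_executable "$exe" || unhardened=$((unhardened + 1))
    done <<EOF
$(list_mach_o_executables "$1")
EOF
    return "$unhardened"
}

# Constructed sample of codesign output (modelled on the two results quoted
# in the thread) so the parsing can be exercised without macOS.
SAMPLE_UNHARDENED='Identifier=com.example.SampleApp
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20400 size=4588 flags=0x0(none) hashes=132+7 location=embedded'
SAMPLE_HARDENED='Identifier=com.example.SampleApp
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20500 size=4468 flags=0x10000(runtime) hashes=128+7 location=embedded'

# With no bundle argument, show the classification on the constructed samples.
demo() {
    printf 'sample 1: %s\n' "$(classify_flags "$(printf '%s\n' "$SAMPLE_UNHARDENED" | runtime_flag_status)")"
    printf 'sample 2: %s\n' "$(classify_flags "$(printf '%s\n' "$SAMPLE_HARDENED" | runtime_flag_status)")"
}

if [ "$#" -eq 1 ]; then audit_bundle "$1"; else demo; fi
```

Run it as `sh audit_hardened.sh /path/to/Your.app` after a Developer ID > Export; an executable listed as "NOT hardened" is the one Xcode's preflight is complaining about.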

I went ahead and code signed my app just as you instructed. Then I applied the "find" command. This seems to show that there is only one executable and that it is not code hardened:

Identifier=com.paidiaacademicsoftware.SpellAnalysis
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20400 size=4588 flags=0x0(none)

If this is the case, somehow Xcode is not implementing the code hardening capability I assign it.

I went ahead and attempted to implement code hardening using Terminal:

codesign --force --options runtime --timestamp --sign "Developer ID Application:Antony Nispel (73ZUW8A5RN)" /Users/antonynispel/Desktop/SpellAnalysis\ 2022-04-22\ 09-44-49/SpellAnalysis.app 

The response is:

Developer ID Application:Antony Nispel (73ZUW8A5RN): no identity found

or when I use just my name:

Developer ID Application:Antony Nispel: no identity found

Perhaps I am supplying the wrong ID or there is a problem with my ID?

What do you think? Thanks.

After tweaking the codesign command, particularly replacing double quotes with single quotes and using no quotes for the app address, I believe I got it to work:

codesign --force --options runtime --sign 'Developer ID Application: Antony Nispel (73ZUW8A5RN)' /Users/antonynispel/Desktop/SpellAnalysis\ 2022-04-22\ 09-44-49/SpellAnalysis.app 

'replacing existing signature' was the report. Then I ran the test command you suggested above to view the status of the hardened runtime:

codesign -d -vvv /Users/antonynispel/Desktop/SpellAnalysis\ 2022-04-22\ 09-44-49/SpellAnalysis.app

gave me this report: 'CodeDirectory v=20500 size=4468 flags=0x10000(runtime)'

I take this to be a sign of success, right? Now I should get on with the packaging and its notarization. I am indebted to your continued assistance, without which I would never have succeeded.

Thank you.
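The "no identity found" errors in the previous post come from codesign failing to match the name given to --sign against what is in the keychain. The script below is an added illustration, not code from this thread or from Apple: it reads the keychain listing from `security find-identity -v -p codesigning`, picks the Developer ID Application identity for a given team ID by its SHA-1 hash (so the certificate's common name never has to be retyped), signs with `--options runtime --timestamp`, and prints the CodeDirectory line to confirm the runtime flag. The sample listing, names, team ID and hashes are constructed placeholders; the signing step assumes an app with no nested executables, as in this thread.

```shell
#!/bin/sh
# Added example for this thread (not Apple's code and not the poster's):
# find the Developer ID Application identity in the keychain by team ID,
# sign the app with the hardened runtime and a secure timestamp, and confirm
# the runtime flag. Signing by the identity's SHA-1 hash avoids retyping the
# certificate's common name. Needs macOS `security` and `codesign`; the
# parsing helpers run anywhere.

# Read `security find-identity -v -p codesigning` output on stdin and print
# the 40-hex-digit hash of the first valid "Developer ID Application"
# identity whose name carries the given team ID (empty if none).
developer_id_hash() {
    grep 'Developer ID Application:' \
      | grep "($1)" \
      | sed -n 's/^ *[0-9][0-9]*) \([0-9A-Fa-f]\{40\}\) .*/\1/p' \
      | head -n 1
}

# Number of valid identities the same output reports in its summary line.
valid_identity_count() {
    sed -n 's/^ *\([0-9][0-9]*\) valid identities found.*/\1/p'
}

# Sign the app (no nested executables, as in the thread) with the hardened
# runtime and a secure timestamp, both of which the notary service expects.
sign_hardened() {
    codesign --force --options runtime --timestamp --sign "$1" "$2"
}

# Look up the identity, sign, and print the CodeDirectory line so the
# flags=...(runtime) result can be confirmed.
main() {
    team_id=$1
    app=$2
    identities=$(security find-identity -v -p codesigning)
    hash=$(printf '%s\n' "$identities" | developer_id_hash "$team_id")
    if [ -z "$hash" ]; then
        printf 'no valid Developer ID Application identity for team %s; keychain reports:\n%s\n' \
            "$team_id" "$identities" >&2
        return 1
    fi
    sign_hardened "$hash" "$app"
    codesign -d -vvv "$app" 2>&1 | grep '^CodeDirectory'
}

# Constructed sample of `security find-identity -v -p codesigning` output
# (placeholder name, team ID and hashes) so the lookup can be exercised
# without a keychain.
SAMPLE_IDENTITIES='  1) 0123456789ABCDEF0123456789ABCDEF01234567 "Apple Development: Jane Doe (ABCDE12345)"
  2) 89ABCDEF0123456789ABCDEF0123456789ABCDEF "Developer ID Application: Jane Doe (ABCDE12345)"
     2 valid identities found'

# With no arguments, show the lookup on the constructed sample.
demo() {
    printf 'valid identities: %s\n' "$(printf '%s\n' "$SAMPLE_IDENTITIES" | valid_identity_count)"
    printf 'Developer ID hash for ABCDE12345: %s\n' "$(printf '%s\n' "$SAMPLE_IDENTITIES" | developer_id_hash ABCDE12345)"
}

if [ "$#" -eq 2 ]; then main "$@"; else demo; fi
```

Usage on a Mac is `sh sign_developer_id.sh TEAMID /path/to/Your.app`; when the lookup fails, the script prints the full keychain listing so the exact identity names available can be compared with what was typed.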

I’m glad to hear that you’re making progress.

It’s weird that Xcode isn’t enabling the hardened runtime even though you’ve added the capability. If you create a new test project from one of the standard templates, does it exhibit the same problem?

I take this to be a sign of success, right?

Kinda. I would consider Xcode doing the right thing to be success (-:

Now I should get on with the packaging and its notarization.

Indeed. On that front:

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
