• Open Menu Close Menu
  • Apple
  • Shopping Bag
  • Apple
  • Mac
  • iPad
  • iPhone
  • Watch
  • TV
  • Music
  • Support
  • Search apple.com
  • Shopping Bag

Lists

Open Menu Close Menu
  • Terms and Conditions
  • Lists hosted on this site
  • Email the Postmaster
  • Tips for posting to public mailing lists
Re: Code-signing oddness
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Code-signing oddness

  • Subject: Re: Code-signing oddness
  • From: Martin Wierschin <email@hidden>
  • Date: Thu, 08 May 2014 15:46:03 -0700
> Oh well, thanks for confirming that I'm not the only one who finds it problematic.

We have also had an awful time getting Xcode to sign an OSX app using Developer ID. Our app bundle is relatively complex, with nested frameworks and helper apps, and Xcode can't seem to export a bundle that Gatekeeper/spctl accepts. I've been working with Apple/DTS for three weeks now, and still do not have a solution.

Some of it's my fault for doing stupid things (eg: a build phase deleting headers from a nested framework, thus invalidating its signature), but there are also plain old bugs. The most frustrating part is Xcode's poor error reporting and guidance in this area. A developer should not be able to choose code signing options that produce an invalid exported app without encountering a build warning. And in cases where I'm lucky and Xcode actually gives me an error during export (instead of happily churning out an invalid app), it's always just the generic "code signing failed". The least it could do is report something like the output from "codesign --verify" or "spctl --assess".

I've filed a half-dozen radars on this process and will continue to communicate with DTS. But they've had years to refine code signing and integrate it into Xcode, so it's frustrating to see it's still so rough. I'm coming to Jerry's conclusion:

> building Developer ID apps is an edge case.  Since codesigning is tricky, inconspicuous, and disastrous if not done correctly, I therefore do not trust Xcode to do this.  In the Build Settings of my Developer ID apps, I set Codesigning to “Don’t Codesign”.  My shipping script signs the product recursively using the codesign command-line tool, then assesses it with spctl, and halts shipping if it fails.

A pity, as I really would prefer to let Xcode handle all the details. Apple is the one controlling and dictating this whole process, so it would be nice if the IDE made it reasonably easy to comply.

~Martin


 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Xcode-users mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden
References: 
 >Code-signing oddness (From: Shane Stanley <email@hidden>)

  • Prev by Date: Committing files to SVN from Xcode.
  • Next by Date: Re: Cocoa (or any Mac API) "browse for computer" dialog
  • Previous by thread: Re: Code-signing oddness
  • Next by thread: Building a framework within an app's project
  • Index(es):
    • Date
    • Thread