I am exporting App archives using the command line tools (xcodebuild). Essentially this is what I running:
xcodebuild -workspace "${WORKSPACE_PATH}" \
-scheme "${SCHEME_NAME}" \
-archivePath "${PROJECT_ARCHIVE}" \
-configuration "${CONFIGURATION}" \
-sdk "${TARGET_SDK}" \
DEVELOPMENT_TEAM="XXXXXXXX" \
OTHER_CODE_SIGN_FLAGS="--keychain /Users/user/Library/Keychains/jenkins.keychain" \
archive
And this is the result:
Check dependencies
No signing certificate "iOS Development" found: No "iOS Development" signing certificate matching team ID "XXXXXXX" with a private key was found.
Code signing is required for product type 'Application' in SDK 'iOS 10.2'
** ARCHIVE FAILED **
The following build commands failed:
Check dependencies
(1 failure)
$ echo $?
65
The code signing fails because codesign ignores the --keychain parameter. Now here is the interesting part. The keychain I want to use is jenkins.keychain-db (as specified above). That certainly does not work. Here is my keychain search list:
$ security list-keychains
"/Users/user/Library/Keychains/login.keychain-db"
"/Library/Keychains/System.keychain"
Obviously jenkins.keychain-db is not in there as it should be. If I am adding the jenkins.keychain-db in the search list it starts working.
Unfortunately this is not a solution for me because I do have multiple keychains with the same private keys and certificates. That leads xcodebuild to pick up the first right certificate that it can find which will fails because the keychain is probably not unlocked.
You can make codesign prefer using your custom keychain with the following commands:
security list-keychains -d user -s jenkins.keychain
security default-keychain -s jenkins.keychain
# to unlock the kechain:
security unlock-keychain -p $PW jenkins.keychain
Put this right before xcodebuild ...
You can omit the -db extension. It's not necessary to use it and will lead to confusing behavior.
You might want to clean this up after the build has finished:
security list-keychains -d user -s login.keychain
security default-keychain -s login.keychain
Related
I have a jenkins server connecting to a remote mac mini through ssh to execute a shell script that has to build an IPA from a unity project.
When the shell script is executed locally on the mac mini everything goes fine. But when the shell script is ran from jenkins (with the exact same parameter and the same user) it fails codesigning the archive.
I will share with you the obfuscated shell script as well as the build log.
Thank you for your help in advance.
The shell script :
#!/bin/bash
# Consider directory paths initialized in parameter here
#
#
# Consider git cleaning / fetching commit here
#
#
# Consider environment / version and build name controls here
#
#
# Start Unity Build :
/Applications/Unity2017.4.10f1/Unity.app/Contents/MacOS/Unity -batchmode -quit -projectPath "$SOURCE_PATH" -executeMethod "BuildManager.BuildPlayer" -logFile "$BUILD_LOG_FILE" -buildEnvironment "$ENVIRONMENT" -buildPlatform "IOS" -buildPath "$TARGET_BUILD_DIR" -overrideVersion "$OVERRIDE_VERSION"
if [ ! -d "${TARGET_BUILD_DIR}/Unity-iPhone.xcodeproj" ]
then
echo "[ERR]Exporting unity project to Xcode failed."
exit 1
else
echo "Build successfull"
fi
#
#
# Consider initializing a param for the provisioning profile file path
#
#
# Consider initializing a param for the plist file path
cd $TARGET_BUILD_DIR
# archive generated xcode project
xcodebuild -scheme "Unity-iPhone" -archivePath "${DEPLOY_DIR_ROOT}/${BUILD_NAME}_${FILE_FORMAT_VERSION}/archive.xcarchive" -sdk iphoneos -configuration Release PROVISIONING_PROFILE="${PROVISIONING_PROFILE_PATH}" archive
if [ $? != 0 ]; then
echo "FAILED ARCHIVING XCODE PROJECT"
exit 1
fi
# export ipa from archive
xcodebuild -exportArchive -archivePath "${DEPLOY_DIR_ROOT}/${BUILD_NAME}_${FILE_FORMAT_VERSION}/archive.xcarchive" -exportOptionsPlist "${PLIST_PATH}" -exportPath "${DEPLOY_DIR_ROOT}/${BUILD_NAME}_${FILE_FORMAT_VERSION}"
if [ $? != 0 ]; then
echo "FAILED EXPORTING IPA FROM ARCHIVE"
exit 1
fi
#
# Section reserved for uploading the ipa to relevant remote storage
#
exit 0
So everything works like a charm (even the build can be installed on a device) when the shell script is ran locally from the terminal on the mac mini.
When it comes to run the shell script remotely through ssh it fails to codesign the archive. The user used over ssh is the same than the one used locally to run the script.
Here is the error :
CodeSign
/#######/Library/Developer/Xcode/DerivedData/Unity-iPhone-#########/Build/Intermediates.noindex/ArchiveIntermediates/Unity-iPhone/InstallationBuildProductsLocation/Applications/#########.app
(in target: Unity-iPhone) cd /#########/xcodeProjPath export
CODESIGN_ALLOCATE=/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate
Signing Identity: "#########" Provisioning Profile: "iOS Team
Provisioning Profile: #########"
(#########)
/usr/bin/codesign --force --sign ######### --entitlements
/#########/Library/Developer/Xcode/DerivedData/Unity-iPhone-#########/Build/Intermediates.noindex/ArchiveIntermediates/Unity-iPhone/IntermediateBuildFilesPath/Unity-iPhone.build/Release-iphoneos/Unity-iPhone.build/#########.app.xcent
--timestamp=none /#########/Library/Developer/Xcode/DerivedData/Unity-iPhone-#########/Build/Intermediates.noindex/ArchiveIntermediates/Unity-iPhone/InstallationBuildProductsLocation/Applications/#########.app
/#########/Library/Developer/Xcode/DerivedData/Unity-iPhone-#########/Build/Intermediates.noindex/ArchiveIntermediates/Unity-iPhone/InstallationBuildProductsLocation/Applications/#########.app:
errSecInternalComponent
Command CodeSign failed with a nonzero exit code
** ARCHIVE FAILED **
I m kind of stuck right now since all my attempts didn't work at all ...
Thank you in advance for your help.
EDIT:
mac mini on macOS High Sierra Version 10.13.6 (17G65)
xcode Version 10.0 (10A255)
Ok so for all of you guys struggling around this tricky subject ( totally invisible if we don't know enough about macOS ) there is kind of security system that still makes the difference between a local user and a remote access to a user.
So the keychain handling your keys and certificates ( used by codesign to sign your build ) is not usable out of the box for the remote user. Its needs to be unlocked first !!!
To know about the available keychains on your system just type in on your terminal :
security list-keychains
You should see something like :
"/Users/'YOURUSER'/Library/Keychains/login.keychain-db"
"/Library/Keychains/System.keychain"
And you guessed it right there, you have to unlock the keychain of your user ! Juste run this :
security unlock-keychain -p 'USER_PASSWORD' 'PATH_TO_USER_KEYCHAIN'
And that's it.
N.B:
Please let me know if I understood something wrong about all this.
TLDR :
A. Issue in exporting app with Enterprise Cert
Error : wildcard app id cannot be used to create in house provisioning
profiles
B. Right approach to distribute app on Enterprise and AppStore
We have been distributing apps on Apple's AppStore for years, Enterprise is new addition.
– App has Watch App and supports iOS 8+.
What is done so far:
– Two different dev accounts and certificates.
– Separate provisioning profiles on each accounts
– Build Config and Scheme for Enterprise a AppStore
– using Scheme/Config to switch between settings like bundleId, etc.
– Successfully Archive Enterprise Application
I have NOT created separate info.plist or entitlements (Do I need to?)
Issue: When I try to export Enterprise Archive, I am getting error
wildcard app id cannot be used to create in house provisioning
profiles<
I do have proper provisioning profiles created. None of them are wildcard, except created by Xcode.
I have read this post, which says needs to create different targets. That is overhead of keeping both the targets in sync.
Question:
bool itIsPossible = Can this be achieved with Configuration/Schemes?
if (itIsPossible){
– What else I need to create separate entitlements etc?
}else{
– Do I have to create new target to support Enterprise App?
– Separate Target for Watch and Extension?
– What else I need to create separately Info.plist, entitlements etc?
}
Using Targets
New targets do create some overhead (new files must be added to all relevant targets). New targets allow to easily compartmentalize which file goes where, provide a platform for separate plist & config, Unit Tests, etc.
Remember that App Store executable and Enterprise executable are two different applications, with different certificates and signatures. (1)
Separate target recommendations (from an actual product)
Shared Entitlements
PROJECT > TARGETS > General > Team > pick separate teams there
< yourTarget >.xconfig (optional & handy)
.plist (most likely, but not required)(2)
(1) Same can be said about Apple Watch executables
(2) Separate plist allows for runtime magic: single code controlled by resources.
It is quite easy to do if you can create separate build script for each application. No need to have separate target.
Here is my build script:
# Created by Nguyen Tuan on 10/8/14.
#!/bin/sh
AP_NAME="$1"
echo "App name $AP_NAME"
FILE_NAME="$2"
echo "FILE_NAME $FILE_NAME"
SCHEME="$3"
echo "SCHEME $SCHEME"
PROVISIONING_NAME="$4"
echo "provisioning $PROVISIONING_NAME"
BUNDLE_ID="$5"
echo "BUNDLE_ID $BUNDLE_ID"
AP_ICON="$6"
echo "AP_ICON $AP_ICON"
PARENT_FOLDER="$7"
echo "PARENT_FOLDER $PARENT_FOLDER"
CONFIG="$8"
echo "CONFIG $CONFIG"
PROJECT_HOME_DIR="$9"
#Goto working folder
MY_PATH="`dirname \"$0\"`"
cd $MY_PATH
echo "build sh: This is the current working directory: $MY_PATH"
SCRIPT_FOLDER=$(basename "$MY_PATH")
MY_NAME=$(whoami)
echo "Script Folder $SCRIPT_FOLDER"
sudo sh sudo.sh
echo "Global PATH: \n$PATH"
#Go up to Project folder
cd ../../
rm -r -f build/$PARENT_FOLDER
PLIST=$PROJECT_HOME_DIR/Info.plist
echo "Please enter build number"
#BUILD_NUMBER=$(/usr/libexec/PlistBuddy -c "Print CFBundleVersion" "$PLIST")
#BUILD_NUMBER=$(expr $BUILD_NUMBER + 1)
BUILD_NUMBER=`git rev-list HEAD --count`
echo "Get provisioning file: UUID + name for $PROVISIONING_NAME"
if test -d ~/Library/MobileDevice/Provisioning\ Profiles/; then
ProfilesDir=~/Library/MobileDevice/Provisioning\ Profiles/
else
ProfilesDir=/Library/Developer/XcodeServer/ProvisioningProfiles/
fi
array=$(ls "$ProfilesDir")
provi=""
for i in $array; \
do output=$(/usr/libexec/PlistBuddy -c 'Print :Name' /dev/stdin <<< $(security cms -D -i "$ProfilesDir/${i%%/}") 2>&1); \
echo $output; \
if [ "$output" == "$PROVISIONING_NAME" ]; then provi=$(/usr/libexec/PlistBuddy -c 'Print :UUID' /dev/stdin <<< $(security cms -D -i "$ProfilesDir/${i%%/}") 2>&1); break; fi;\
done
#echo PROVISIONING_UUID=$provi >> provisioning.properties
echo "selected profile $provi"
/usr/libexec/Plistbuddy -c "Set CFBundleVersion $BUILD_NUMBER" "$PLIST"
/usr/libexec/Plistbuddy -c "Set CFBundleIdentifier $BUNDLE_ID" "$PLIST"
xcodebuild -alltargets -configuration "$CONFIG" clean
xcodebuild -scheme $SCHEME PRODUCT_BUNDLE_IDENTIFIER=$BUNDLE_ID ONLY_ACTIVE_ARCH=NO ARCHS="armv7 arm64" PROVISIONING_PROFILE=$provi PRODUCT_NAME="$AP_NAME" ASSETCATALOG_COMPILER_APPICON_NAME=$AP_ICON archive -archivePath "build/$PARENT_FOLDER/$FILE_NAME.xcarchive"
#xcodebuild -exportArchive -archivePath "build/$PARENT_FOLDER/$FILE_NAME.xcarchive" -exportPath "build/$PARENT_FOLDER"
#-exportOptionsPlist $PLIST
echo "export ipa file"
rm -r -f build/$PARENT_FOLDER/$FILE_NAME.ipa
sh $MY_PATH/create_ipa.sh build/$PARENT_FOLDER/$FILE_NAME.xcarchive build/$PARENT_FOLDER/$FILE_NAME.ipa
mv build/$PARENT_FOLDER/**You need to change this to your app name**/.ipa build/$PARENT_FOLDER/$FILE_NAME.ipa
rm -r -f $HOME/Dropbox/$FILE_NAME.ipa
cp build/$PARENT_FOLDER/$FILE_NAME.ipa $HOME/Dropbox/$FILE_NAME.ipa
rm -r -f "build/$CONFIG-iphoneos"
echo "copy xcarchive file into organizer"
sh $MY_PATH/copy_resource.sh build/$PARENT_FOLDER/$FILE_NAME.xcarchive $MY_NAME
And then create two build command, one for enterprise build and one for app store build, something like this:
AP_NAME="ABCD"
FILE_NAME="An App Name"
SCHEME="Scheme for enterprise build"
PROVISIONING_NAME="Expected provisioning profile, what is shown in XCode"
BUNDLE_ID="app bundle Id"
AP_ICON="custom icon if need?"
PARENT_FOLDER="the folder that will contains the build"
CONFIG="Release"
#Goto working folder
MY_PATH="`dirname \"$0\"`"
sh $MY_PATH/build.sh "$AP_NAME" "$FILE_NAME" "$SCHEME" "$PROVISIONING_NAME" "$BUNDLE_ID" "$AP_ICON" "$PARENT_FOLDER" "$CONFIG"
In case you need the copy_resource script:
path=$1
user=$2
echo $path
filename=$(basename "$path")
extension="${filename##*.}"
filename="${filename%.*}"
now=`date +%Y-%m-%d`
et=`date +%H:%M:%S`
PATH="/Users/$user/Library/Developer/Xcode/Archives/$now"
echo $PATH
/bin/mkdir -p $PATH
PATH=$PATH/$filename$et.$extension
/bin/mv $path $PATH
From now on, just run the command and you will see a build either in working folder or in Xcode Organizer
It seems like the provisioning profile is not set correctly.
The easiest way of doing this is to create an additional configuration.
Select the project in the navigator. Then duplicate the Release configuration and rename it to Enterprise Distribution or Enterprise Release.
Then select your target and go to Build Settings. There you can unfold the settings for Code Signing Identity, Provisioning Profile. You also need to use a different bundle identifier.
Check what configuration you use in the archive scheme too.
We had the error
Wildcard app id cannot be used to create in house provisioning
profiles
We solved it by manually adding a Distribution (In House) Provisioning Profile in the Apple Developer Portal...
I have follow the guideline from the following websites to use Jenkins to build iOS apps.
https://wiki.jenkins-ci.org/display/JENKINS/Xcode+Plugin
http://savvyapps.com/blog/continuous-integration-ios-jenkins
I have exported my developer profile and imported it to Jekins and call before the Xcode build. From the console log, Jenkins installed the provisioning during the build.
$ security import /Users/Shared/Jenkins/Home/developer-profiles/957b9655-81ce-46a0-8686-1f67f7d17a41/developer/identities/18BAD5E662ED3759CD8D7C85E33390324BBD130E.p12 -k jenkins-testApp-1-DevBuild -P ******** -T /usr/bin/codesign -T /usr/bin/productsign jenkins-testApp-1-DevBuild
$ security import /Users/Shared/Jenkins/Home/developer-profiles/957b9655-81ce-46a0-8686-1f67f7d17a41/developer/identities/7A5A56DA487E33DE5D16567DC8868B7CD9A865D6.p12 -k jenkins-testApp-1-DevBuild -P ******** -T /usr/bin/codesign -T /usr/bin/productsign jenkins-testApp-1-DevBuild
$ security import /Users/Shared/Jenkins/Home/developer-profiles/957b9655-81ce-46a0-8686-1f67f7d17a41/developer/identities/F19D5511EC904BA5CC9D65F306B8CD4D2B0BB19B.p12 -k jenkins-testApp-1-DevBuild -P ******** -T /usr/bin/codesign -T /usr/bin/productsign jenkins-testApp-1-DevBuild
$ security show-keychain-info jenkins-testApp-1-DevBuild
Keychain "jenkins-testApp-1-DevBuild" lock-on-sleep timeout=300s
Installing 0b3a6836-af47-4afd-9484-9ca4ccec6c6d.mobileprovision
Installing 0ef7bac8-0408-4c38-bf6c-3afb004ee451.mobileprovision
Installing 193e9795-97b1-4d4a-981d-a51714e381a4.mobileprovision
However the build is fail because of code sign error. Does anyone how to solve this issue? Thanks.
Code Sign error: No codesigning identities found: No codesigning identities (i.e. certificate and private key pairs) that match the provisioning profile specified in your build settings (“Auth-Dev”) were found.
CodeSign error: code signing is required for product type 'Application' in SDK 'iOS 8.4'
** BUILD FAILED **
I finally solved this by copying the development cert from login to System in Keychain access.
Reference: http://code-dojo.blogspot.co.uk/2012/09/fix-ios-code-signing-issue-when-using.html
I installed a Jenkins and startet a Project with the Git Plugin, Xcode Plugin and the Testflight Plugin.
I can create automatic builds with the setup, but it is failing at the point on creating the .ipa files for Testflight.
The problem are at Debug and Release settings in different ways though…
If i try to create a .ipa via the Debug settings it will fail at the point that there is no build/Debug-iphoneos folder (i tried to turn of the clean option but it didn't helped). But the Xcode Build is not failing on the command line
When i try to switch to Release the linker is failing (ld).
Whithout the .ipa files i can't submit to Testflight and get a automated Test distributing.
Here is the script I'm using. (Obviously I removed the personal information, but you should be fine to understand it).
TARGET_NAME="-" # Target name
TARGET_SDK="iphoneos" # Target SDK: iphoneos
CONFIGURATION="Release" # Build Configuration
BUILD_DIR="build" # Directory where the build is generated
ARCHS="armv7" # Valid Architectures
APP_NAME="-" # Application name
## Provisioning configurations
BUILD_ARCHIVED_DIR="BuildArchived" # Directory with the history of builds
DEVELOPER_NAME="-" # Developer name
PROVISIONING_PROFILE=Prototype.mobileprovision # Provisioning profile file
PROVISIONING_DIR=~/Library/MobileDevice/Provisioning\ Profiles/ # Provisioning dir
## TestFlight App
TESTFLIGHT_API_TOKEN="-"
TESTFLIGHT_TEAM_TOKEN="-"
#Release Notes
BUILDSCRIPTS_DIR="build"
TESTFLIGHT_RELEASE_NOTES_FILE="ios_testflight-releasenotes"
#Distribution Lists
TESTFLIGHT_DISTRIBUTION_LISTS="Jenkins"
# Returns to the root directory of the build
cd ../ios
PROJECT_BUILDDIR="${BUILD_DIR}/${CONFIGURATION}-${TARGET_SDK}"
CURRENT_DIR=`pwd`
# fix for the newest sdk
# Only export the environment variable if the location exists,
# otherwise it breaks the signing process!
if [ -f "/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/codesign_allocate" ]
then
echo Export environment variable for codesign_allocate location
export CODESIGN_ALLOCATE=/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/codesign_allocate
fi
#changing the build version
INFO_PLIST_PATH="${CURRENT_DIR}/${TARGET_NAME}/${TARGET_NAME}-Info.plist"
/usr/libexec/PlistBuddy -c "Set :CFBundleVersion ${SVN_REVISION}" $INFO_PLIST_PATH
# compile project
echo Building Project
xcodebuild -target "${TARGET_NAME}" -sdk "${TARGET_SDK}" ARCHS=${ARCHS} -configuration "${CONFIGURATION}" clean build
#Check if build succeeded
#if [ $? != 0 ]
#then
# exit 1
#fi
# Create output dir ($x) if doesn't exist
mkdir -p $BUILD_ARCHIVED_DIR
# .ipa file generation
echo Generating .ipa file
/usr/bin/xcrun -sdk "${TARGET_SDK}" PackageApplication -v "${PROJECT_BUILDDIR}/${APP_NAME}.app" -o "${CURRENT_DIR}/${BUILD_ARCHIVED_DIR}/${APP_NAME}.ipa" --sign "${DEVELOPER_NAME}"
#zipping the .dSYM to send to Testflight
echo Generating zip file
/usr/bin/zip -r "${CURRENT_DIR}/${BUILD_ARCHIVED_DIR}/${APP_NAME}.app.dSYM.zip" "${CURRENT_DIR}/${PROJECT_BUILDDIR}/${APP_NAME}.app.dSYM"
echo Sending to TestFlight
curl http://testflightapp.com/api/builds.json -F file="#${CURRENT_DIR}/${BUILD_ARCHIVED_DIR}/${APP_NAME}.ipa" -F dsym="#${CURRENT_DIR}/${BUILD_ARCHIVED_DIR}/${APP_NAME}.app.dSYM.zip" -F api_token="${TESTFLIGHT_API_TOKEN}" -F team_token="${TESTFLIGHT_TEAM_TOKEN}" -F notes="This build was uploaded via the upload API" -F notify=False -F distribution_lists="${TESTFLIGHT_DISTRIBUTION_LISTS}"
echo Submission ended
I imagine the Scheme your build is targeting is incorrect.
Additionally, TestFlight has a plugin for Jenkins so you can script your build process and execute the upload to TestFlight using the their Jenkins Plugin. I have provided a build script example that works for me via manual command line and under Jenkins CI.
If you would like to see the full setup, you can find a iOS/Git/TestFlight tutorial here: Jenkins iOS – Git, xcodebuild, TestFlight
xcodebuild -alltargets clean
rm -rf "./JenkinsBuild/*"
xcodebuild -target HelloJenkins PROVISIONING_PROFILE="00000000-0000-0000-0000-000000000000" CONFIGURATION_BUILD_DIR=JenkinsBuild
rm -rf "./JenkinsArchive/*"
xcodebuild -scheme HelloJenkins archive PROVISIONING_PROFILE="00000000-0000-0000-0000-000000000000" CODE_SIGN_IDENTITY="iPhone Developer: Jonny Appleseed (XXXXXXXXXX)" -archivePath ./JenkinsArchive/HelloJenkins.xcarchive
rm -rf "./JenkinsIPAExport/*"
xcodebuild -exportArchive -exportFormat IPA -exportProvisioningProfile iOS\ Team\ Provisioning\ Profile:\ com.yourAPP.HelloJenkins -archivePath ./JenkinsArchive/HelloJenkins.xcarchive -exportPath ./JenkinsIPAExport/HelloJenkins.ipa
I'm having trouble packaging an app as an IPA with PackageApplication. Codesign verification fails with "does not satisfy its designated Requirement":
+ /usr/bin/codesign --verify -vvvv -R=anchor apple generic and (certificate 1[field.1.2.840.113635.100.6.2.1] exists and (certificate leaf[field.1.2.840.113635.100.6.1.2] exists or certificate leaf[field.1.2.840.113635.100.6.1.4] exists)) /var/folders/8j/n5d5y1bj6wz3l8gs_djqn3400000gn/T/8xonyTiAuP/Payload/Planner.app
Program /usr/bin/codesign returned 3 : [/var/folders/8j/n5d5y1bj6wz3l8gs_djqn3400000gn/T/8xonyTiAuP/Payload/Planner.app: valid on disk
/var/folders/8j/n5d5y1bj6wz3l8gs_djqn3400000gn/T/8xonyTiAuP/Payload/Planner.app: does not satisfy its designated Requirement
/var/folders/8j/n5d5y1bj6wz3l8gs_djqn3400000gn/T/8xonyTiAuP/Payload/Planner.app: explicit requirement satisfied
What requirement is designated here?!?
I'm building with xcodebuild:
xcodebuild -workspace MyWorkspace.xcworkspace -scheme Planner -ask iphoneos clean build archive
which creates an Xcode archive for me inside ~/Library/Developer/Xcode/Archives So far so good.
Then I've read that people use PackageApplication but that fails for me:
xcrun -sdk iphoneos PackageApplication -v path/to/Planner.app -o Planner.ipa --sign 9990807058544973D70EA9A9F3BB3949D51C0983 --embed my_profile.mobileprovision
with the above error.
What part am I missing here? Is there another way to do this?
This is Xcode 4.5.
You can check what the designated requirements for your .app file are by running the following command:
codesign -d -r- path/to/file.app
Your output should include a line that starts with designated =>. What follows after are your designated requirements. An example of this output would be:
designated => identifier "com.organization.project" and certificate root = H"abcdef0123456789abcdef0123456789abcdef12"
The -d flag displays information and the -r- flag writes the requirements to stdout.
You can use Apple's page on Code Signing Requirement Language to interpret what these requirements mean.
If you want to narrow down which particular requirement is failing, you can run the tests individually by entering the following command:
codesign -v -R="certificate root = H\"abcdef0123456789abcdef0123456789abcdef12\"" /path/to/file.app
The -v flag performs verification on your app and the -R flag passes in an explicit requirement to test.