An app signed with a codesign version provided on an older macOS, like Catalina (10.15) will not run on iOS 15 because the lastest version you can install is Xcode 12.4.
Xcode 12.5 seems to change the behavior of codesigning. When installing you get the error message:
The code signature version is no longer supported
Is there a workaround?
Notice
This answer is mostly for people using older versions of Xcode. My build farm was for a time stuck at Xcode 12.4 because some Mac minis couldn't be upgraded past Catalina. If you are using a recent Xcode 13+ this is not your issue. Probably cruft of some kind in your project.
If you're still using an Xcode 12 release it is time to let go. The only reason to use 12.4 would be because you're stuck on Catalina and new problems are cropping up that will not be worked around so easily.
codesign --generate-entitlement-der
Apple has changed the codesign signature to include DER encoded entitlements in addition to the plist encoded entitlements. This additional DER encoded entitlements section is required in iOS 15 and becomes the default behavior of codesign in the latest Xcode. To use codesign on an older machines with an older version of Xcode add the --generate-entitlement-der flag to your call to codesign.
If signing through Xcode, you can add this flag to the OTHER_CODE_SIGN_FLAGS setting in the Build Settings tab.
If codesigning at the command-line:
CODESIGN_ALLOCATE=$( xcrun --find codesign_allocate ); export CODESIGN_ALLOCATE
xcrun codesign --generate-entitlement-der ...
The source of this information was the Apple Forum thread and the answer from Matt Eaton in DTS at Apple.
In the Xcode 12.5 Release Notes there is also a reference to the new signature format. However, it seems the information is not entirely correct.
General advice
If you have a non-trivial setup like CocoaPods, you should probably de-integrate and re-integrate and of course do a project clean. These sorts of 'me too' answers really just add noise to the signal and anyone doing this sort of development should have already tried this.
Here are some visual directions to #CameronLowellPalmer's answer.
I got the steps from
#WayneHenderson's comment underneath the accepted answer.
Follow the red arrows steps 1 - 11 (there is no 8, I made a mistake and went from 7 straight to 9).
The most important thing is step 4, make sure to select All or you won't find the Other Code Signing Flags options.
For step 5 just enter Other Code Signing Flags into the search container.
Steps 9 - 11 is where you enter --generate-entitlement-der
You will need to add the --generate-entitlement-der to your OTHER_CODE_SIGN_FLAGS under Build Settings.
Xcode > Target > General
Section "Embedded Framework, Libraries and Embedded Content"
Set all frameworks in the Embedded field to "Do not Embed"
For people who use Xcode13 like me, the problem may not be because of the code signature of our apps (To check the code signature of apps, see https://developer.apple.com/documentation/xcode/using-the-latest-code-signature-format), but due to the code signature of one of the dependencies, and removing the dependency solves the problem.
In my case, I remove the dependencies one by one, and eventually found that the culprit is FirebaseAnalyticsOnDeviceConversion. remove dependencies
I have spent 2 days to find this issue, Finally i got the solution here from the person Lance Samaria. I would like to share it.
Target-> Build Settings -> Other Code Signing Flags
Add this code --generate-entitlement-der to both Debug and Release
After that Go to Target-> General->Frameworks, Libraries, and Embedded Contents -> Change to "Do not Embed"
Also I renewed Provisioning Profile and IOS Distribution Certificates.
Now Clean Build Folder and Run Your Project.
Thank you so Much for Lance Samaria
I want to share my solution. This worked for me using XCode 12.3, macOS Catalina, and tested using Adhoc distribution.
Build, archive, export ipa as usual using XCode.
Now you have the IPA file, then rename it to zip extension. (make a backup if needed)
Extract it. There should be a Payload folder.
Open terminal, cd to your IPA directory, then run command:
codesign -s "CERTIFICATE_NAME" -f --preserve-metadata --generate-entitlement-der ./Payload/YOUR_APP.app
CERTIFICATE_NAME is your certificate name located in keychain. It maybe looks like this: Apple Distribution: XCompany (XXXXXX)
YOUR_APP is your .app file name located in Payload folder.
This warning showed up, I ignored it.
Warning: default usage of --preserve-metadata implies "resource-rules" (deprecated in Mac OS X >= 10.10)!
Then run zip command:
zip -ru myapp_resigned.ipa Payload
Done. You can redistribute the new IPA.
After testing all solutions, Only one worked for me. Because XCode adds sign signature automatically when you add Framework, Any Framework that needs to Embed & Sign should remove, and add again. Xcode will add the new sign signature automatically.
Go to YourTarget>Frameworks, Libraries, and Embedded Contents.
Remove all frameworks that are Embed & Sign, except CocoaPods.
add removed frameworks again and set to Embed & Sign.
check that pods framework set on Do Not Embed
Now clean and run your app on your device.
What helped in my case was pod deintegrate and pod install. That's all.
I had this problem with the newest Xcode version (13.4.1). As the installation on an iOS device actually stoped working out of nowhere (it did install successfully 10 min ago before I downgraded one dependency), I doubted the proposed solutions relate to my problem.
Just my two cents.
As pointed out in other responses, now to sign ios app (compatible with ios and ipados 15) with codesign command on MacOS prior to Big Sur add the --generate-entitlement-der flag. I can sign my app with Xcode 10.3 using this python 2.7 (tried both on MacOS Mojave 10.14 and MacOS Catalina 10.15) snippet code:
from fabric.api import local
local('cp %s "%s"' % ("/path/to/embedded.mobileprovision", app_full_path))
local('xattr -rc %s' % app_full_path)
local("codesign -f --generate-entitlement-der -vv -s \"%s\" --entitlements \"%s/Entitlements.plist\" %s" % (
env.code_sign_identity, app_full_path, app_full_path)
)
Output example log:
[localhost] local: cp /path/to/embedded.mobileprovision "/path/to/Payload/appname.app"
[localhost] local: xattr -rc /path/to/Payload/appname.app
[localhost] local: codesign -f --generate-entitlement-der -vv -s "iPhone Distribution: COMPANYNAME S.p.A." --entitlements "/path/to/Payload/appname.app/Entitlements.plist" /path/to/Payload/appname.app
/path/to/Payload/appname.app: replacing existing signature
/path/to/Payload/appname.app: signed app bundle with Mach-O universal (armv7 arm64) [com.name.reverse.dns]
Some additional tips...
MacOS keychain should contains the Apple certificate used to create the mobile provisioning profile, which is also utilized to distribute the app we’re signing. You can check it using the command security find-identity -p codesigning:
$ security find-identity -p codesigning
Policy: Code Signing
Matching identities
1) AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA "iPhone Distribution: COMPANYNAME S.p.A."
...
13) CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC "iPhone Developer: Name Surname (DDDDDDDDDD)"
13 identities found
Valid identities only
1) AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA "iPhone Distribution: COMPANYNAME S.p.A."
...
13) CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC "iPhone Developer: Name Surname (DDDDDDDDDD)"
13 identities found
After the ipa zip archive creation, you can use the Gem ipa_analyzer (https://github.com/bitrise-io/ipa_analyzer) to verify if the app is correctly signed:
$ zip -9 -y -r /path/to/appname.ipa /path/to/Payload
$ gem install ipa_analyzer --user-install
$ PATHAPP="/path/to/appname.ipa"
$ ~/.gem/ruby/2.6.0/bin/ipa_analyzer -i ${PATHAPP} -p --info-plist --prov | grep -E "ExpirationDate|CFBundleIdentifier|DER-Encoded-Profile"
"DER-Encoded-Profile": "#<StringIO:0x00000f0000000008>",
"ExpirationDate": "2022-09-18T12:15:25+00:00",
"CFBundleIdentifier": "com.name.reverse.dns",
...
Here a complete output example.
As additional references about this issue, you can read also this Apple documentation page and this Apple forum post.
EDIT: this procedure it's working also with MacOS Monterey (version 12.6.1) and Xcode Version 14.1 (14B47b).
The following changes solved my problem
Go to Project Target and select General
Scroll down to Frameworks, Libraries, and Embedded Content
Turn any Embed & Sign to Do Not Embed
My issue was I was using custom framework, and when I embed it in my app. it showing me error
The code signature version is no longer supported.
i spend whole day to struggle with it. Finally resolved it by adding user-defined settings. In new Xcode 13 which supports arm 64
Project target->Build Settings-> + sign to add user define setting and add a setting. then add VALID_ARCHS as a field under this add the value $(ARCHS_STANDARD). Automatically it will convert it arm64 arm 7.
see the attached image for more reference.
When nothing else works, try turning your device off and back on again. Strangely this finally fixed it for me.
My issue was I was using custom static framework target, and I embed it in my app, Finally resolved it by don't embed it or change static to dynamic framework target
Maybe it will help somebody one day, but the solution for me was connected with the pods and their framework.
When I switched settings to Do not embed everything worked.
I realise that this question has been asked quite a few times already, but I have tried to solve using a lot of the given answers with no luck.
CodeSign /Users/XXXXXXXX/Library/Developer/Xcode/DerivedData/XXXXXXXX-blligpejpeysabczydnolvooizok/Build/Products/Debug-iphoneos/XXXXXXXX.app
cd /Users/XXXXXXXX/Documents/Development/Native/tomhais
export CODESIGN_ALLOCATE=/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate
export PATH="/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin:/Applications/Xcode.app/Contents/Developer/usr/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin"
Signing Identity: "iPhone Developer: XXXXXXX"
Provisioning Profile: "iOS Team Provisioning Profile: XXXXXX"
XXXXXXXX
/usr/bin/codesign --force --sign XXXXXXXXX --entitlements /Users/XXXXXXX/Library/Developer/Xcode/DerivedData/XXXXXXX-XXXXXXXX/Build/Intermediates/tomhais.build/Debug-iphoneos/XXXXXX.build/XXXXXXX.app.xcent --timestamp=none /Users/XXXXXXX/Library/Developer/Xcode/DerivedData/XXXXXXX-XXXXXXXX/Build/Products/Debug-iphoneos/tomhais.app
/Users/XXXXXXX/Library/Developer/Xcode/DerivedData/XXXXXXX-XXXXXXXX/Build/Products/Debug-iphoneos/XXXXXXXX.app: code object is not signed at all
In subcomponent: /Users/XXXXXXXX/Library/Developer/Xcode/DerivedData/XXXXXXXX-XXXXXXXX/Build/Products/Debug-iphoneos/XXXXXXXX.app/0CeadLitir.png
Command /usr/bin/codesign failed with exit code 1
I have tried the following:
Deleted my developer account and added it again
Deleted all the provisioning profiles and re-downloaded them
Checked the key-chain access to make sure that they use system
defaults
Checked that my Code Signing is pulling in the right
certificates
Deleted the image from resources/ removed it from `Build Phases / Copy Bundle Resources and added it again'
Rebooted the machine
Cursed at the machine
Any further ideas of what I might try?
What I found was that having a folder named "resources" in the application bundle will cause code sign to fail. This seems to be an undocumented consequence of some implementation detail of iOS apps or code signing, I think. An empty project with just a resources folder with one random file in it reproduced the issue.
I couldn't easily rename the folder with our shared codebase so my solution was to put my "resources" folder in a parent folder with a different name, and adjust the way our resource path was built.
I had the same problem, what resolved it was lock/unlock keychain login as described here: link
First, check your code have lots of useless variables and remove them, then then x code top bar product -> clear and build the folder and run
I had the same problem and spent about a day by trying all suggestions.
Finally, I have solved the problem.
Close Xcode.
Open "Keychain Access.app", find and remove all "Apple Worldwide Developer Relations Certification Authority".
Login to developer.apple.com and remove development and distribution certificate.
Open Xcode again and check "Automatically manage signing". Then Xcode(should be 11.4.1 or later) will download renewed WWDR certificate automatically and generate development certificate.
Clean project and build.
I was working with the ARKit, and the problem appears when I try to convert a .dae element into a .scn after that I try to compile but the non zero exit error appears.
I try everything above but nothing worked for me. But I notice that in the project inside the art.scnassets folder was my new file but without the .snc extension.
So the solution was very simple, I just add the .snc to my file, I Clean My Build Folder from the Product menu in Xcode, I ran it again and that Works for me.
I got an issue with Xcode's Bot. It always returns the "User canceled the operation. Command /usr/bin/codesign failed with exit code 1" error string after running the command below:
/usr/bin/codesign --force --sign <MY_PRIVATE_KEY> --entitlements /Library/Developer/XcodeServer/Integrations/Caches/2cdd321641e8c114e4eba9819b017479/DerivedData/Build/Intermediates/MyApp.build/Debug-iphoneos/MyApp.build/MyApp.app.xcent /Library/Developer/XcodeServer/Integrations/Caches/2cdd321641e8c114e4eba9819b017479/DerivedData/Build/Products/Debug-iphoneos/MyApp.app
I can run this command in Terminal with sudo. I'm using Xcode 6.3.1 and OS X Server 4.1.53 in my Mac 10.10.4.
Thank for your help.
This looks like a code signing error. There are a few different reasons for this to happen so you will need to do some troubleshooting. Can other bots build on your server? If so then its probably a build settings issue in this specific project.
In the Xcode Project go to the Project Target that your trying to build, and then Build Settings, and Code Signing. Under the Provisioning Profile you can either choose Automatic or explicitly choose the correct provision, and then under the Code Signing Identity choose iOS Developer. This is probably where your issue is if its related to the project. Do you have a proper provision setup for the project on the Apple Developer Portal?
If you can't get any bots to run on your server then the issue could be with how you set up Xcode Server. Have you added the server to your team? Here is the blog post that I used to get mine up and running, although you don't need to do all of those steps in the post. Focus specifically on the Setup Certificates section and Setup Provisioning Profiles section.
I fixed the issue by copying the missing provisioning file from my local directory "/Users/phuongle/Library/MobileDevice/Provisioning Profiles" to "/Library/Developer/XcodeServer/ProvisioningProfiles". Do not use the downloaded provisioning file from developer.apple.com directly.
I just want to note here for everyone having the same issue with me.
I started getting a codesign error after a certificate expired. I have an updated certificate and the expired one has been deleted. But somehow, Xcode sets EXPANDED_CODE_SIGN_IDENTITY with the SHA-1 of the expired certificate. Where does it get this value? I assume it must be cached somewhere because there is no certificate in the keychain with the SHA-1 it is trying to use for code signing. I searched the pbxproj file and did not find it, nor did a recursive grep starting from the project root yield any results.
Here are some details about my configuration:
There is no account set up in Xcode
Instead of a developer account, I am using the exported certificate from the Team Agent
Xcode version is 6.1.1
OSX version is 10.10.2
The project identity is set up in Xcode like this:
When I check the keychain, it finds the correct identity:
$ security find-identity -p codesigning
Policy: Code Signing
Matching identities
1) F1326572E0B71C3C8442805230CB4B33B708A2E2 "iPhone Developer: XXX XXX (C395QGL4DK)"
In the build output I see the environment variable set incorrectly:
export EXPANDED_CODE_SIGN_IDENTITY=9F5616A53464FC5C003847ED620357A7BC72ABB1
I have tried to fix it with the following:
Delete the certificate from Keychain Access and re-add it
Set the Access Control of the private key to allow all apps
Delete all provisioning profiles and re-add the one I am using
Delete everything under ~/Library/Developer/Xcode/DerivedData
Delete everything under ~/Library/Caches/com.apple.dt.Xcode
Restart Xcode
Reboot the Mac
I have now run out of ideas for things to try. There are two other developers I work with, and both of them experienced the same problem initially. However, they are working again after doing some of the same steps that I have tried. We are all using the same certificate, the same provisioning file, and the same project settings. It must be a setting or lingering cache that is on my system, but I have not been able to find it.
If I could find out where Xcode sets this environment variable, I can clean it up and everything should be fine again.
I was having the same issue and for me the answer was fairly simple: I was trying to use a provisioning profile that was tied to the old certificate (my guess is that EXPANDED_CODE_SIGN_IDENTITY is pulled from the profile you are trying to use).
Anyway, after creating a new profile on the dev center tied to the new certificate, this stopped happening.
if it helps, I'm using jenkins to build app, so all commands run from console...
So i've turned off CODE_SIGNING_ALLOWED and "overrided" EXPANDED_CODE_SIGN_IDENTITY_NAME and EXPANDED_CODE_SIGN_IDENTITY. For some reason it helped me to build app with proper identities.
xcodebuild -project my.xcodeproj/ -sdk iphoneos \
CODE_SIGNING_REQUIRED=YES \
CODE_SIGNING_ALLOWED=NO \
CODE_SIGN_IDENTITY="My Identity" \
EXPANDED_CODE_SIGN_IDENTITY_NAME="My Identity" \
EXPANDED_CODE_SIGN_IDENTITY=<CODE_SIGN_IDENTITY>
Last one could be obtained with
security find-certificate -a -c "My Identity" -Z|grep ^SHA-1|cut -d " " -f3|uniq
When I try to run my application on a simulator, everything works fine. But when I try to build it to test it on a real device, I get the following error:
CodeSign /Users/fvoordeckers/Library/Developer/Xcode/DerivedData/MyProject-##########/Build/Products/Debug-iphoneos/MyProject.xctest
cd /Users/fvoordeckers/Documents/Projecten/MyProject/iOS
export CODESIGN_ALLOCATE=/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate
export PATH="/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin:/Applications/Xcode.app/Contents/Developer/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin"
Signing Identity: "iPhone Developer: Frederik (########)"
/usr/bin/codesign --force --sign ##################/Users/fvoordeckers/Library/Developer/Xcode/DerivedData/MyProject-##########/Build/Products/Debug-iphoneos/MyProject.xctest
/Users/fvoordeckers/Library/Developer/Xcode/DerivedData/MyProject-##########/Build/Products/Debug-iphoneos/MyProject.xctest: bundle format unrecognized, invalid, or unsuitable
Command /usr/bin/codesign failed with exit code 1
I've changed IDs with #. I created a provisioning profile that includes the device I'm using and al the required certificates. It doesn't seem to have a problem with the app but with the xctest... I also tried adding the '--deep' flag to the signing configuration but it didn't help...
Go to Edit Scheme in xcode -> In Build Target -> Remove MyProject.xctest completely or uncheck all the boxes of MyProject.xctest Analyze , Test etc..
Clean your project and then Run on the device.
I had the very same issue and nothing helped (updating the schemes, changing the provisioning profiles or code signing identity, etc.) except updating Xcode to its latest beta version: Xcode 7.3 Beta 4.
I guess Apple did some major improvements in this new version :)