How does Xcode set EXPANDED_CODE_SIGN_IDENTITY? - ios

I started getting a codesign error after a certificate expired. I have an updated certificate and the expired one has been deleted. But somehow, Xcode sets EXPANDED_CODE_SIGN_IDENTITY with the SHA-1 of the expired certificate. Where does it get this value? I assume it must be cached somewhere because there is no certificate in the keychain with the SHA-1 it is trying to use for code signing. I searched the pbxproj file and did not find it, nor did a recursive grep starting from the project root yield any results.
Here are some details about my configuration:
There is no account set up in Xcode
Instead of a developer account, I am using the exported certificate from the Team Agent
Xcode version is 6.1.1
OSX version is 10.10.2
The project identity is set up in Xcode like this:
When I check the keychain, it finds the correct identity:
$ security find-identity -p codesigning
Policy: Code Signing
Matching identities
1) F1326572E0B71C3C8442805230CB4B33B708A2E2 "iPhone Developer: XXX XXX (C395QGL4DK)"
In the build output I see the environment variable set incorrectly:
export EXPANDED_CODE_SIGN_IDENTITY=9F5616A53464FC5C003847ED620357A7BC72ABB1
I have tried to fix it with the following:
Delete the certificate from Keychain Access and re-add it
Set the Access Control of the private key to allow all apps
Delete all provisioning profiles and re-add the one I am using
Delete everything under ~/Library/Developer/Xcode/DerivedData
Delete everything under ~/Library/Caches/com.apple.dt.Xcode
Restart Xcode
Reboot the Mac
I have now run out of ideas for things to try. There are two other developers I work with, and both of them experienced the same problem initially. However, they are working again after doing some of the same steps that I have tried. We are all using the same certificate, the same provisioning file, and the same project settings. It must be a setting or lingering cache that is on my system, but I have not been able to find it.
If I could find out where Xcode sets this environment variable, I can clean it up and everything should be fine again.

I was having the same issue and for me the answer was fairly simple: I was trying to use a provisioning profile that was tied to the old certificate (my guess is that EXPANDED_CODE_SIGN_IDENTITY is pulled from the profile you are trying to use).
Anyway, after creating a new profile on the dev center tied to the new certificate, this stopped happening.

If it helps, I'm using Jenkins to build the app, so all commands run from the console...
So I've turned off CODE_SIGNING_ALLOWED and overrode EXPANDED_CODE_SIGN_IDENTITY_NAME and EXPANDED_CODE_SIGN_IDENTITY. For some reason it helped me build the app with the proper identities.
xcodebuild -project my.xcodeproj/ -sdk iphoneos \
CODE_SIGNING_REQUIRED=YES \
CODE_SIGNING_ALLOWED=NO \
CODE_SIGN_IDENTITY="My Identity" \
EXPANDED_CODE_SIGN_IDENTITY_NAME="My Identity" \
EXPANDED_CODE_SIGN_IDENTITY=<CODE_SIGN_IDENTITY>
The last one can be obtained with
security find-certificate -a -c "My Identity" -Z|grep ^SHA-1|cut -d " " -f3|uniq
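The question and this answer both come down to one check: does the SHA-1 that the build log exports as EXPANDED_CODE_SIGN_IDENTITY correspond to an identity the keychain still reports as valid, and is that identity name unambiguous? The script below is an added example, not code from any post here. It reads constructed copies of `security find-identity -p codesigning -v` output and of an xcodebuild log (modelled on the two hashes in the question, with the old certificate listed as expired) so it runs without a Mac; the function names are this example's own.

```shell
#!/bin/sh
# Added example: cross-check the SHA-1 a build exports as EXPANDED_CODE_SIGN_IDENTITY
# against the identities the keychain reports as valid for the expected name.
# The two samples below are constructed to mirror the question: the same name
# appears twice, once for the renewed certificate and once for the expired one.

SAMPLE_FIND_IDENTITY='Policy: Code Signing
  Matching identities
  1) F1326572E0B71C3C8442805230CB4B33B708A2E2 "iPhone Developer: XXX XXX (C395QGL4DK)"
  2) 9F5616A53464FC5C003847ED620357A7BC72ABB1 "iPhone Developer: XXX XXX (C395QGL4DK)" (CSSMERR_TP_CERT_EXPIRED)
     2 identities found

  Valid identities only
  1) F1326572E0B71C3C8442805230CB4B33B708A2E2 "iPhone Developer: XXX XXX (C395QGL4DK)"
     1 valid identities found'

SAMPLE_BUILD_LOG='export CODESIGN_ALLOCATE=/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate
export EXPANDED_CODE_SIGN_IDENTITY=9F5616A53464FC5C003847ED620357A7BC72ABB1
export EXPANDED_CODE_SIGN_IDENTITY_NAME=iPhone Developer: XXX XXX (C395QGL4DK)'

# Print the SHA-1 of every entry under "Valid identities only" whose display
# name contains $1; expired entries only appear under "Matching identities".
# Reads `security find-identity -p codesigning -v` output on stdin.
valid_hashes_for_name() {
    awk -v name="$1" '
        /^ *Valid identities only/ { valid = 1; next }
        valid && /^ *[0-9]+\) [0-9A-F]+ "/ && index($0, name) { print $2 }
    '
}

# Extract the hash from the "export EXPANDED_CODE_SIGN_IDENTITY=..." line of
# an xcodebuild log on stdin (first occurrence only).
expanded_identity_from_log() {
    sed -n 's/^export EXPANDED_CODE_SIGN_IDENTITY=\([0-9A-F]*\)$/\1/p' | head -n 1
}

# Returns 0 when $1 (hash from the log) is a valid identity named $2 in the
# find-identity output $3, 1 when it is not (expired, deleted, or a different
# certificate), and 2 when more than one valid identity carries that name.
check_signing_identity() {
    log_hash="$1"; name="$2"; identities="$3"
    hashes=$(printf '%s\n' "$identities" | valid_hashes_for_name "$name")
    count=$(printf '%s\n' "$hashes" | grep -c . || true)
    if [ "$count" -gt 1 ]; then
        echo "ambiguous: $count valid identities are named '$name'; remove the stale one" >&2
        return 2
    fi
    if [ -n "$log_hash" ] && printf '%s\n' "$hashes" | grep -qx "$log_hash"; then
        echo "ok: $log_hash is the valid '$name' identity"
        return 0
    fi
    echo "mismatch: build uses '$log_hash' but the keychain's valid identity for '$name' is '${hashes:-none}'" >&2
    return 1
}

# Stand-alone run on the constructed samples (reports the mismatch from the question).
log_hash=$(printf '%s\n' "$SAMPLE_BUILD_LOG" | expanded_identity_from_log)
check_signing_identity "$log_hash" "iPhone Developer: XXX XXX (C395QGL4DK)" "$SAMPLE_FIND_IDENTITY" \
    || echo "exit status $?: fix the certificate or profile before rebuilding"
```

On a real machine, feed the functions the live output of `security find-identity -p codesigning -v` and the xcodebuild log. The count check is the caveat for the `find-certificate ... | uniq` one-liner above: `uniq` only collapses identical adjacent lines, so an expired and a renewed certificate with the same name produce two different hashes and a multi-line EXPANDED_CODE_SIGN_IDENTITY; remove the stale certificate (or regenerate the profile, as the first answer suggests) rather than picking one by hand.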

Related

Objection + Frida: The application could not be verified

I am using this tutorial to install my app with Frida on an iPhone 8: https://www.secjuice.com/objection-frida-guide/
To get the duplicates out of the way:
Building and deploying via Xcode works fine
The app is deleted several times before deploying again
I've focused on doing the magic of re-signing manually, so without Frida yet. It basically comes down to these few commands. I first archived via Xcode to get an ipa file; I know that it is signed with the distribution profile, so I have also tried to get the contents of the debug build (under Products in Xcode), zip that as an ipa and go from there.
Get the certificates identities:
security find-identity -p codesigning -v
Use applesign to sign the ipa:
applesign -i E3990....1881149 -m iOS_Development.mobileprovision -o patched_codesign.ipa MyApp.ipa
iOS_Development.mobileprovision is the Development provisioning profile. I've tried to use the one that is available within the debug build (embedded.mobileprovision) and downloaded from the developer portal. I've also tried to use the iOS Distribution provisioning profile in combination with the correct certificate identifier.
Unzip the re-signed ipa: unzip patched_codesign.ipa
Deploy: ios-deploy --bundle Payload/*.app -W -d
Receive the error:
2020-10-27 08:41:40.304 ios-deploy[4282:27558] [ !! ] Error 0xe800003a: The application could not be verified. AMDeviceSecureInstallApplication(0, device, url, options, install_callback, 0)
Just to clarify that I have chosen the right certificate with the correct provisioning profile:
Also used security cms -D -i some.mobileprovision to verify that the provision profile is indeed a development profile as expected.
What am I doing wrong?

Jenkins iOS builds on Mac Sierra failing during xcodebuild 8.2 code signing (SecKey API returned -25308)

I have Jenkins CI set up on Mac Sierra to build iOS apps using Xcode 8.2 with automatic signing. All works well when building using Xcode as the developer. However, Jenkins using xcodebuild is failing with the following:
SecKey API returned: -25308, (null)/Users/Shared/Jenkins/Home/workspace/App/build/Build/Intermediates/ArchiveIntermediates/App/InstallationBuildProductsLocation/Applications/App.app/Frameworks/GTMSessionFetcher.framework: unknown error -1=ffffffffffffffff
I have followed the advice in security / codesign in Sierra: Keychain ignores access control settings and UI-prompts for permission, to no avail.
I have tried putting both private keys and certs into the System keychain, to no avail.
If I log in as the Jenkins user and run the codesign command manually, I "Always Allow" access to the keychain, and it works, repeatedly. However, running as invoked by the Jenkins CI does not. (The Jenkins master is the Mac, and I'm using this same Mac to build.)
The error is mentioning the CocoaPod GTMSessionFetcher. Is this something to do with CocoaPods?
Any ideas would be appreciated.
I was experiencing exactly the same issue and I am quite sure that it has nothing to do with CocoaPods; it's a codesigning issue. Some of the things I did:
Check that I do not have duplicate Keychain Entries. This post was useful for that. It turned out that I had one entry duplicated.
Check that private keys are allowed to all applications, as explained here
Try this (be aware that since macOS Sierra login.keychain has changed to login.keychain-db), which is the second answer in the advice you mention, but didn't work.
Move both private keys and certs to System keychain (leaving only the certificates on login keychain). This last step was the one that made things work.
In case this is not helpful you can try to unlock the login keychain manually in your Jenkins job (that did the trick for me before I moved keys and certs to the System keychain):
node("macOS-sierra") {
    .........
    stage("Build") {
        sh 'security unlock-keychain -p KEYCHAIN_PASS "/Users/YOUR-CI-USER/Library/Keychains/login.keychain-db" && fastlane beta'
    }
}
You can check your keychains with this:
$ security list-keychains

Command /usr/bin/codesign failed with exit code 5

I have recently updated macOS from 10.11 to 10.12 and I can't sign my iOS applications in Xcode 8.0 anymore.
I get this error:
CodeSign /Users/aymericpitre/Library/Developer/Xcode/DerivedData/OrpiDirect-ghphwnhfbtdulhgauptikzmsrqdi/Build/Products/Debug-iphoneos/OrpiDirect.app
cd /Users/aymericpitre/Documents/projets/Ville-de-lyon-iPhone/VilleDelyon_git/ville_de_lyon
export CODESIGN_ALLOCATE=/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate
export PATH="/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin:/Applications/Xcode.app/Contents/Developer/usr/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin"
Signing Identity: "iPhone Developer: aymeric xxxx (SYC4JR6K8G)"
Provisioning Profile: "VDL-sierra"
(756b4f3a-26aa-4937-ba40-4cc4eea03e92)
/usr/bin/codesign --force --sign D60599B3AE74EE1D4863C249026FA28545A07689 --entitlements /Users/aymeric/Library/Developer/Xcode/DerivedData/OrpiDirect-ghphwnhfbtdulhgauptikzmsrqdi/Build/Intermediates/OrpiDirect.build/Debug-iphoneos/OrpiDirect.build/OrpiDirect.app.xcent --timestamp=none /Users/aymeric/Library/Developer/Xcode/DerivedData/OrpiDirect-ghphwnhfbtdulhgauptikzmsrqdi/Build/Products/Debug-iphoneos/OrpiDirect.app
Command /usr/bin/codesign failed with exit code 5
The provisioning profile seems to be OK because I find it in the Xcode/Preferences/Accounts window.
I've tried to run the xattr -c * command inside the derived data folder but it doesn't work.
I finally made it work. After digging into the internal logs, I realized that the problem came from the keychain. I tried to delete all the entries with the GUI, but one couldn't be deleted (named "1").
So I had to delete all the keychain folder:
rm -rf /Users/my_user/Library/Keychains
Rebooted the mac, installed keys again, and everything worked as expected.
Disclaimer: First make a backup of all the needed keys! (export before delete) For any service like Chrome sign-in, you will need to enter your credentials again
I have a very dreadful answer to this. I don't know what was corrupted in my system, but after so many reinstallations and deletions of Xcode it still didn't solve the issue. So I formatted my HDD and reinstalled macOS Sierra and Xcode 8, and that solved the issue.
Try, under the Window tab => Organizer, the provisioning profiles that are on your device. Then re-add them (download them again from the Apple website), and try to compile again.
Xcode 8 allows automatic signing. You need to select your target in Settings -> General, and you will see the checkbox like on the image:
When you check this checkbox, you will need to choose your team (like in the red rectangle on the image). After that Xcode will create a team provisioning profile for your application, and your application will be signed automatically.
P.S. If you don't see your team in the Team dropdown like on the image, you need to go to Xcode -> Preferences:
After that you need to open the "Accounts" tab -> tap the + button:
After that, the team with your developer account will appear in the Team dropdown like on the 1st image.
I deleted a key named "1" in Keychain Access.
Then Xcode started working!

Codesign failed with exit code 1 - failing to build copy resources

I realise that this question has been asked quite a few times already, but I have tried to solve using a lot of the given answers with no luck.
CodeSign /Users/XXXXXXXX/Library/Developer/Xcode/DerivedData/XXXXXXXX-blligpejpeysabczydnolvooizok/Build/Products/Debug-iphoneos/XXXXXXXX.app
cd /Users/XXXXXXXX/Documents/Development/Native/tomhais
export CODESIGN_ALLOCATE=/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate
export PATH="/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin:/Applications/Xcode.app/Contents/Developer/usr/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin"
Signing Identity: "iPhone Developer: XXXXXXX"
Provisioning Profile: "iOS Team Provisioning Profile: XXXXXX"
XXXXXXXX
/usr/bin/codesign --force --sign XXXXXXXXX --entitlements /Users/XXXXXXX/Library/Developer/Xcode/DerivedData/XXXXXXX-XXXXXXXX/Build/Intermediates/tomhais.build/Debug-iphoneos/XXXXXX.build/XXXXXXX.app.xcent --timestamp=none /Users/XXXXXXX/Library/Developer/Xcode/DerivedData/XXXXXXX-XXXXXXXX/Build/Products/Debug-iphoneos/tomhais.app
/Users/XXXXXXX/Library/Developer/Xcode/DerivedData/XXXXXXX-XXXXXXXX/Build/Products/Debug-iphoneos/XXXXXXXX.app: code object is not signed at all
In subcomponent: /Users/XXXXXXXX/Library/Developer/Xcode/DerivedData/XXXXXXXX-XXXXXXXX/Build/Products/Debug-iphoneos/XXXXXXXX.app/0CeadLitir.png
Command /usr/bin/codesign failed with exit code 1
I have tried the following:
Deleted my developer account and added it again
Deleted all the provisioning profiles and re-downloaded them
Checked the keychain access to make sure that they use system defaults
Checked that my Code Signing is pulling in the right certificates
Deleted the image from resources, removed it from Build Phases / Copy Bundle Resources and added it again
Rebooted the machine
Cursed at the machine
Any further ideas of what I might try?
What I found was that having a folder named "resources" in the application bundle will cause code sign to fail. This seems to be an undocumented consequence of some implementation detail of iOS apps or code signing, I think. An empty project with just a resources folder with one random file in it reproduced the issue.
I couldn't easily rename the folder with our shared codebase so my solution was to put my "resources" folder in a parent folder with a different name, and adjust the way our resource path was built.
I had the same problem, what resolved it was lock/unlock keychain login as described here: link
First, check whether your code has lots of useless variables and remove them, then in the Xcode top bar: Product -> clean and build the folder, and run.
I had the same problem and spent about a day by trying all suggestions.
Finally, I have solved the problem.
Close Xcode.
Open "Keychain Access.app", find and remove all "Apple Worldwide Developer Relations Certification Authority".
Login to developer.apple.com and remove development and distribution certificate.
Open Xcode again and check "Automatically manage signing". Then Xcode (should be 11.4.1 or later) will download the renewed WWDR certificate automatically and generate a development certificate.
Clean project and build.
I was working with ARKit, and the problem appeared when I tried to convert a .dae element into a .scn; after that I tried to compile, but the non-zero exit error appeared.
I tried everything above but nothing worked for me. But I noticed that in the project, inside the art.scnassets folder, my new file was there but without the .scn extension.
So the solution was very simple: I just added .scn to my file, cleaned my build folder from the Product menu in Xcode, ran it again, and that worked for me.

Xcode Command /usr/bin/codesign failed with exit code 1 : errSecInternalComponent

I am trying to add new provisioning profile to my Xcode, to test an app on the device. Here are the steps I followed:
Deleted all certificates and provisioning profiles
Create/Add IOS Dev Certificate
Add My IOS Device Online
Create IOS Provisioning Profile
Add IOS Provisioning Profile
Clean App
Build Then Run App
Set Codesigning and Provisioning Profile In Build Settings
Lots of Googling > to no successes
Here is the error I get:
CSSM_SignData returned: 800108E6
/Users/alexpelletier/Library/Developer/Xcode/DerivedData/MyExpense-efnqzvoqwngzcmazaotyalepiice/Build/Products/Debug-iphoneos/MyExpense.app: errSecInternalComponent
Command /usr/bin/codesign failed with exit code 1
Open Keychain Access, then in the File menu select Lock All Keychains.
Then go back to Xcode and clean and rebuild. It will prompt you for your password again to unlock the keychain.
After this, assuming you have no other compile issues, it will succeed!
This occurs when the login keychain is locked. To unlock the login keychain, run:
security unlock-keychain login.keychain
If your keychain is password-protected, specify the password using the -p option:
security unlock-keychain -p PASSWORD login.keychain
If you're using a continuous integration system, you'll likely want to inject the password via an environment variable/token, which most CI systems offer in their settings.
The error code in question is described in Apple's docs as an internal error, so it's entirely possible this occurs in other cases too.
It seems like a bug in the code signing mechanism; restarting your Mac should solve the problem.
Had the same issue on High Sierra/Xcode 9.4.1, all attempts to sign ended in errSecInternalComponent
Go to Keychain Access
Go to the login keychain
Select the category "My Certificates"
Find the certificate you're signing with and expand it to see the key.
Double click the key
Go to the "Access control" tab.
Update key access control to "Allow all applications to access this item"
Alternatively:
run the codesign command in the Mac terminal and "Always allow" /usr/bin/codesign access to the key
If trying to sign from ssh/CI you also need to run
security unlock-keychain login.keychain
before trying to sign app bundle
I have met the same problem; I restarted my macOS, and it works.
In China, we have a saying among developers:
Little problems, just restart. Big problems, should reinstall.
Sometimes, the above saying will greatly help you!
In case it helps someone else, I encountered an errSecInternalComponent error with codesign because I was running it over an ssh session to my macOS machine. Running the same command from a terminal window on the macOS machine itself worked.
Presumably this is because codesign needs access to the private key from the login keychain.
Running security unlock-keychain login.keychain (as explained by cbracken's answer) from the same session also should work.
As pointed out by @Equilibrium in one of the comments, if you are in a command line environment like Jenkins (my case), you might need to pass the password to the security unlock command mentioned in the solutions.
So instead of using,
security unlock-keychain login.keychain
use:
security unlock-keychain -p <login-keychain-password> <path-to-login-keychain>
where path-to-login-keychain can be $HOME/Library/Keychains/login.keychain (my case) or simply login.keychain
For anyone that encountered this issue from Jenkins and ssh:
there is a high possibility that you have not granted access to the private key in the keychain. I tried these but I'm not sure why none of them worked:
security import the .p12 file with -A or -T /usr/bin/codesign
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k #{password} #{keychainPath}
change all provisioning profiles to [UUID].mobileprovision and copy them to '~/Library/MobileDevice/Provisioning\ Profiles' on the Jenkins server
clean derived data and reboot the Jenkins server
make sure the default keychain is the login keychain and unlock it.
Finally resolved by:
1. ssh [user]@[jenkinsServerIP] -L 5900:localhost:5900, log into the Jenkins server
2. open 'vnc://localhost'
This will launch a remote screen, if your Jenkins server allows this...
then open Keychain Access to grant /usr/bin/codesign access to the private key.
Good luck
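The Jenkins pipeline's unlock-keychain step, the `security unlock-keychain -p <password>` variant for CI, and the `security import -T` / `set-key-partition-list` list in the answer just above are all pieces of one procedure: give a headless job a keychain it can sign with and no GUI "Always Allow" click. The script below assembles them into a dedicated, short-lived keychain. It is an added example rather than anything posted in this thread; it assumes the identity is in a PKCS#12 file whose password, like the keychain password, is injected as a CI secret environment variable, and the keychain name, the 6-hour auto-lock and `CI_DRY_RUN` (which prints each command with secrets masked instead of executing it, so the script can also be exercised on a non-macOS host) are this example's own choices.

```shell
#!/bin/sh
# Added example: a dedicated, short-lived keychain for headless codesign runs,
# so a CI job never depends on the login keychain being unlocked or on someone
# having clicked "Always Allow" in a GUI session.
# Assumptions (not from the thread): the identity is in a .p12 file at $P12_FILE,
# its password ($P12_PASSWORD) and the keychain password ($KEYCHAIN_PASSWORD)
# are injected as CI secrets, and `security` is Apple's command-line tool.
# CI_DRY_RUN=1 prints each command with secrets masked instead of executing it.

KEYCHAIN_PATH="$HOME/Library/Keychains/${KEYCHAIN_NAME:-ci-signing.keychain-db}"
LOGIN_KEYCHAIN="$HOME/Library/Keychains/login.keychain-db"   # Sierra-and-later name

# Execute a command, or in dry-run mode echo it with any secret value replaced.
run() {
    if [ "${CI_DRY_RUN:-0}" = "1" ]; then
        out=""
        for arg in "$@"; do
            if [ -n "$arg" ] && { [ "$arg" = "$KEYCHAIN_PASSWORD" ] || [ "$arg" = "$P12_PASSWORD" ]; }; then
                arg='***'
            fi
            out="$out $arg"
        done
        printf '%s\n' "${out# }"
    else
        "$@"
    fi
}

ci_keychain_setup() {
    : "${KEYCHAIN_PASSWORD:?set from a CI secret}" "${P12_PASSWORD:?set from a CI secret}" "${P12_FILE:?path to the .p12}"
    run security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
    # Lock on sleep and after 6 hours, so a forgotten keychain does not stay open.
    run security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
    run security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
    # -T limits use of the private key to codesign; -A would allow every application.
    run security import "$P12_FILE" -k "$KEYCHAIN_PATH" -P "$P12_PASSWORD" -T /usr/bin/codesign
    # Needed since Sierra so Apple's tools can use the key without a GUI prompt.
    run security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
    # Put the CI keychain on the user search list ahead of the login keychain.
    run security list-keychains -d user -s "$KEYCHAIN_PATH" "$LOGIN_KEYCHAIN"
}

# Remove the keychain (and with it the imported key) once the build is signed.
ci_keychain_teardown() {
    run security delete-keychain "$KEYCHAIN_PATH"
}

case "${1:-}" in
    setup)    ci_keychain_setup ;;
    teardown) ci_keychain_teardown ;;
esac
```

Run it as `sh ci_keychain.sh setup` before xcodebuild and `sh ci_keychain.sh teardown` afterwards. `-T /usr/bin/codesign` keeps key use to codesign where `-A` (mentioned above) would grant it to every application, and the partition-list step is what silences the Sierra-and-later prompt that `-T` alone no longer prevents. Keeping the CI identity out of the login keychain also means a duplicated or expired login entry, the cause in several answers on this page, cannot interfere with the build, and the password never has to be typed into a GUI session over VNC.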
Nothing from the above solutions worked for me.
The following solution worked for me...
First Open Keychain Access
Then Select Login And click Certificates
Double click Apple Worldwide Developer Relations Certificate Authority
Open trust section, and set to "Use System Defaults" from "Always Trust"
Clean the build folder and run
I ran security unlock-keychain login.keychain and my login password didn't work. So I rebooted, and then just ran Xcode again and it worked. Running the command works as well. Strange issue.
If trying to sign from ssh run command:
security unlock-keychain login.keychain
before trying to sign app bundle
or from UI
Update key access control to "Allow all applications to access this item"
Thanks to @Equilibrium and @Jon McClung
I had the same issue. I found out the problem was with code signing the app.
Opened the developer account and accepted the updated agreement and it worked.
Right clicking on the private key associated with the codesigning cert in the keychain, and then clicking on 'allow all applications' instead of relying on a prompt fixed it for me, since the build was happening via ssh.
I had to:
1) Delete the certificate associated with the project
2) Go back to Xcode and revoke the app certificate
3) Xcode requires a new certificate
4) Lock all keychains
5) Clean the project
6) Rebuild
That's it. Hope it helps someone.
If you get errSecInternalComponent after
Warning: unable to build chain to self-signed root for signer …
, you might have the wrong Apple World Wide Developer Relations root certificate in your keychain. In this case, make sure that you import the WWDR certificate with which your developer certificate was signed. I imported the WWDR certificate expiring in 2023 and two hours later finally realized that it didn't work because my developer certificate had been signed with the WWDR certificate expiring in 2030 (AppleWWDRCAG3.cer). Download page: https://www.apple.com/certificateauthority/
Posting a work-around that we finally had to resort to, in case someone else is running out of things to try...
After installing a new Apple Distribution certificate in our "login" keychain, our Jenkins job suddenly started to fail signing iOS apps with the same errSecInternalComponent error:
Command /usr/bin/codesign failed with exit code 1
Our build pipeline calls security unlock-keychain, and we have no problems with our Enterprise Distribution cert (which was coincidentally updated and installed in the same Keychain just a few weeks prior), where the unlocking works as expected.
After trying all the usual things mentioned in this thread and elsewhere, we ended up running codesign manually as the Jenkins user in a new Terminal window, taking the exact same command as found in the Jenkins log: /usr/bin/codesign --force --sign...
This prompted entering the password to unlock the Keychain, which we did, and then selected "Always Allow".
After that Jenkins manages to sign (as expected).
This is obviously a bit of a work-around since we might have to do this again when the cert has expired, and it's really strange that unlocking works for Enterprise certs, but not the cert used for distributing through App Store... They literally share the same pipeline.
Just try it once using the Mac terminal, not from an ssh session:
security unlock-keychain login.keychain
And choose always allow in the prompted dialog.
And then you could xcodebuild in the remote session.
The above methods were useless to me.
I resolved it by:
Open Keychain Access.
Click the Login menu.
Remove all personal certificates.
Clean the project.
Rebuild.
That's it. Hope it helps someone.
In my case, this solved.
xcode -> preferences -> accounts -> select the account -> manage certificate -> (+) in bottom left -> Apple development
Ref: https://stackoverflow.com/a/62646138/234110
In my case BUCK was trying to sign the IPA for development, but there were not any development certificates installed. Changing the build config to release (this is what I needed - to build for iTunes) fixed it for me.
Just wanted to call out, in case someone faces a similar issue, what I did. In my case my Apple dev and distribution certificates, keys and provisioning profiles were up to date. My iOS code build was working in user mode without any issue; however it did not work, due to a code sign issue, when the code build ran with root privileges, i.e. via sudo or invoking Xcode using sudo through the command line.
So I copied the corresponding working certificates and keys from the login to the System location in the Keychain tool. Then it started working without any code sign issue.
Similarly, exporting the required certificates and keys for the build from the working machine and importing them into the non-working machine's keychain tool may solve the issue.
For me, I was able to sign files when using the Mac directly or via VNC, but not via ssh. I figured it must be something to do with access to the certificate within the keychain. I was already doing a security unlock-keychain [keychain name] but this didn't appear good enough.
What finally fixed it for me was (within a direct/VNC connection, not ssh):
Make sure the keychain in which your certificate resides is locked. Close Keychain Access.
Open Terminal
Do not run security unlock-keychain [keychain name].
Run a signing process using codesign tool. You will be challenged for a password to the keychain.
Enter the password and click "Always allow"
From now on I was able to use codesign via ssh, so long as I included security unlock-keychain [keychain name] before the command.
If you have a code signing certificate with the same name in the keychain, make sure you remove it. I had one which XCode reported as "Missing private key". I had to remove it via Keychain Access before the correct certificate was used by codesign.