richie5um / TextBar-Recipes

TextBar Recipes

unexpected code-signature change in version 3.5.3 #83

Open core-code opened 3 years ago

core-code commented 3 years ago

previous versions were signed by

Developer ID: Rich Somerfield (D5C4Q69MRF)

however the newest release is signed by

Apple Development: Rich Somerfield (H626MD25P8)

is this a legitimate release? if so please always mention the changed code-signature in the release notes. thanks!

richie5um commented 3 years ago

Thank you for the message. Yes, I did publish a new update yesterday, and I needed to change the code signature (the previous one had expired, I think). I noticed this morning that sparkle updates were failing - I’m assuming this is codesigning related. I’m going to remove this build until I can figure it out. Thanks for the message!

core-code commented 3 years ago

thanks for the confirmation!

i do not believe there is a connection to Sparkle issues. they have always ignored the 'real' code-signature but their recent releases require (Ed)DSA signatures which seem to be missing from the feed ( https://raw.githubusercontent.com/richie5um/richie5um.github.io/master/apps/textbar/sparkle_textbar.xml )

richie5um commented 3 years ago

I seem to be having some issues getting the app signed tonight. I've updated my DeveloperId cert from Apple (the previous one is due to run out in Dec 2021), and while I've installed it locally, I can't seem to get Xcode to sign it with that when uploading for Notarization - checking with the codesign tool, it is the wrong cert (which differs to the one from the previously released build, which is why Sparkle is throwing an error when updating). I've restarted Xcode, but might need the full system restart to get things working. I'll have another go tomorrow. Sigh.

richie5um commented 3 years ago

I've been working/waiting for Apple Support to help with this issue for a few weeks now. Sadly, it seems un-resolvable.

As such, I've created a new developer signing certificate, and published that build. Almost certainly that causes the auto-update to fail (going from the old signed-build to the new signed-build). Future updates with the new cert should be fine. To resolve this, you'll (unfortunately) have to download the new v3.5.6 build manually. Available here: https://raw.githubusercontent.com/richie5um/richie5um.github.io/master/apps/textbar/TextBar.app-3.5.6.zip

Apologies for any inconvenience.

If you have any questions or concerns, please add a comment on this issue, or email me directly rs@richsomerfield.com

core-code commented 3 years ago

> Almost certainly that causes the auto-update to fail (going from the old signed-build to the new signed-build).

nope, should be ok. Sparkle signatures are completely different to the macOS-native code-signatures. they rely on OpenSSL / dsa_pub.pem stuff.

core-code commented 3 years ago

hm. the new build is again signed by an "Apple Development" certificate. that's no good. it needs to be signed with a "Developer ID" certificate...

richie5um commented 3 years ago

Hmmm. That is the one I used.. [image: CleanShot 2021-11-24 at 20 55 14]

core-code commented 3 years ago

codesign -dvv /Users/cc/Downloads/TextBar.app
Executable=/Users/c/Downloads/TextBar.app/Contents/MacOS/TextBar
Identifier=com.RichSomerfield.TextBar
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=7334 flags=0x10000(runtime) hashes=218+7 location=embedded
Signature size=4868
Authority=Apple Development: Rich Somerfield (H626MD25P8)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=24 Nov 2021 at 21:51:22
Info.plist entries=32
TeamIdentifier=D5C4Q69MRF
Runtime Version=12.0.0
Sealed Resources version=2 rules=13 files=1187
Internal requirements count=1 size=192

richie5um commented 3 years ago

That is what I sent to Apple Support too - and they said it was correct. Let me know if you know specifically what I need to do differently (thanks for the comments so far).

core-code commented 3 years ago

ugh those Apple geniuses. the 'Apple Development' certificate is correct - if you want to upload the package to the Mac App Store. however if you want to distribute directly for download you'll need to use "Developer ID" same as with past versions.

can't say for certain what's going wrong here. how are you exporting the app? i usually do this now:

• build an "Archive"
• in the "Organizer" select the archive and click "Distribute App" in the upper right
• select "Developer ID" (!)
• next

....

EDIT: make sure to export the notarized app using the "Export Notarized App" button. do not just pull files out of the .xcarchive
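
Added example (not code from the thread or from the TextBar project): a pre-release check that reads `codesign -dvv` output and rejects any build whose leaf Authority is not a Developer ID certificate for the expected team. The function names and the second sample are constructed here; the first sample reuses lines from the codesign output posted in this thread.

```shell
#!/bin/sh
# Classify the signing identity from `codesign -dvv` output read on stdin.
# Prints: <kind>|<leaf authority>|<team identifier>
classify_signature() {
    awk '
        # The first Authority= line is the leaf (signing) certificate;
        # the lines after it are the issuing CA chain.
        /^Authority=/ && leaf == "" { leaf = substr($0, 11) }
        /^TeamIdentifier=/          { team = substr($0, 16) }
        END {
            if (leaf == "") kind = "no-authority"   # e.g. ad-hoc or unsigned
            else if (leaf ~ /^Developer ID( Application)?: /) kind = "developer-id"
            else if (leaf ~ /^(Apple Development|Mac Developer): /) kind = "development"
            else if (leaf ~ /^(Apple Distribution|3rd Party Mac Developer Application): /) kind = "app-store"
            else kind = "other"
            printf "%s|%s|%s\n", kind, leaf, team
        }'
}

# Succeeds only if the leaf is a Developer ID certificate and the
# TeamIdentifier equals $1. Reads codesign output on stdin.
check_release_signature() {
    result=$(classify_signature)
    kind=${result%%|*}
    team=${result##*|}
    [ "$kind" = "developer-id" ] && [ "$team" = "$1" ]
}

sample_thread_build() {          # lines taken from the output posted above
cat <<'EOF'
Identifier=com.RichSomerfield.TextBar
Authority=Apple Development: Rich Somerfield (H626MD25P8)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
TeamIdentifier=D5C4Q69MRF
EOF
}

sample_developer_id_build() {    # constructed sample of a Developer ID signed build
cat <<'EOF'
Identifier=com.RichSomerfield.TextBar
Authority=Developer ID Application: Rich Somerfield (D5C4Q69MRF)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=D5C4Q69MRF
EOF
}

for sample in sample_thread_build sample_developer_id_build; do
    if "$sample" | check_release_signature D5C4Q69MRF; then verdict=OK; else verdict=REJECT; fi
    echo "$verdict $("$sample" | classify_signature)"
done
```

On a Mac, feed it real output with `codesign -dvv TextBar.app 2>&1 | check_release_signature D5C4Q69MRF`; the redirect is needed because codesign writes this report to stderr.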

andrewkember commented 3 years ago

I'm guessing this issue is what's causing image ... post re-install. (macOS 10.15.7.)

core-code commented 3 years ago

definitely.

richie5um commented 3 years ago

I'm still unable to get it signed by the DeveloperId cert when using the Xcode>Organizer>DistributeApp>ByDeveloperId. I've tried (quite) a few times now. Will keep trying and researching to see if I can resolve this.

:(