zdavatz / amiko-osx

AmiKo Desitin for AmiKo OS X
https://apps.apple.com/ch/app/amiko-desitin/id708142753?mt=12
GNU General Public License v3.0

Certifaction Asset validation failure #264

Closed zdavatz closed 1 year ago

zdavatz commented 1 year ago
  1. Start Xcode
  2. Run Archive
  3. Validate the Archive
  4. Getting this error:

(screenshot: Bildschirmfoto 2023-07-13 um 20 06 19)

This is strange because the bundle identifier is higher than the latest version:

(screenshot: Bildschirmfoto 2023-07-13 um 20 09 03)

Can we do the versioning like this:

Use CFBundleVersion as a timestamp, and put my major.minor.build in CFBundleShortVersionString
zdavatz commented 1 year ago

Down one error here, with this solution:

(screenshot: Bildschirmfoto 2023-07-14 um 16 20 43)
zdavatz commented 1 year ago

Now still stuck with this: _App sandbox not enabled. The following executables must include the "com.apple.security.app-sandbox" entitlement with a Boolean value of true in the entitlements property list: [( "com.ywesee.comedosx.pkg/Payload/CoMed Desitin.app/Contents/MacOS/certifaction-arm64", "com.ywesee.comedosx.pkg/Payload/CoMed Desitin.app/Contents/MacOS/certifaction-x86" )] Refer to App Sandbox page at https://developer.apple.com/documentation/security/app_sandbox for more information on sandboxing your app. (ID: e5bd5a13-84b6-4f12-b3ba-cab6f608f0a3)_

zdavatz commented 1 year ago

codesign -d -vvv --entitlements :- this looks fine:

Executable=/Users/zdavatz/Desktop/AmiKo 2023-07-14 15-23-46/AmiKo Desitin.app/Contents/MacOS/AmiKo Desitin
Identifier=amikoosx
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=6092 flags=0x0(none) hashes=180+7 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=0f7cee856d6a261d6ed63b1a63219e0fc53ba157
CandidateCDHashFull sha256=0f7cee856d6a261d6ed63b1a63219e0fc53ba157f71b023072c6d9bd37cadca1
Hash choices=sha256
CMSDigest=0f7cee856d6a261d6ed63b1a63219e0fc53ba157f71b023072c6d9bd37cadca1
CMSDigestType=2
Launch Constraints:
    None
CDHash=0f7cee856d6a261d6ed63b1a63219e0fc53ba157
Signature size=4779
Authority=Apple Development: Zeno Davatz (4E5R6W3JFP)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=14 Jul 2023 at 15:21:54
Info.plist entries=30
TeamIdentifier=4B37356EGR
Sealed Resources version=2 rules=13 files=81
Internal requirements count=1 size=168
Warning: Specifying ':' in the path is deprecated and will not work in a future release
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.application-identifier</key>
    <string>4B37356EGR.amikoosx</string>
    <key>com.apple.developer.aps-environment</key>
    <string>development</string>
    <key>com.apple.developer.game-center</key>
    <true/>
    <key>com.apple.developer.icloud-container-identifiers</key>
    <array>
        <string>iCloud.com.ywesee.AmikoDesitin</string>
    </array>
    <key>com.apple.developer.icloud-services</key>
    <array>
        <string>CloudDocuments</string>
        <string>CloudKit</string>
    </array>
    <key>com.apple.developer.team-identifier</key>
    <string>4B37356EGR</string>
    <key>com.apple.developer.ubiquity-container-identifiers</key>
    <array>
        <string>iCloud.com.ywesee.AmikoDesitin</string>
    </array>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.device.usb</key>
    <true/>
    <key>com.apple.security.files.bookmarks.app-scope</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.personal-information.addressbook</key>
    <true/>
    <key>com.apple.security.print</key>
    <true/>
    <key>com.apple.security.smartcard</key>
    <true/>
</dict>
</plist>
zdavatz commented 1 year ago

Why are there two certifaction entries here:

(screenshots: Bildschirmfoto 2023-07-14 um 19 56 29, Bildschirmfoto 2023-07-14 um 19 59 19)
b123400 commented 1 year ago

I've tried to sign the Certifaction binaries, but it doesn't go well. When I run the binary from Amiko via NSTask, it fails with an exception:

Couldn't posix_spawn: error 88

Related logs from console:

MacOS error: -67030
Code failed basic validity check (error: -67030): Error Domain=NSOSStatusErrorDomain Code=-67030 UserInfo={SecCSArchitecture=<private>}
AMFI: code signature validation failed.
/Users/b123400/Library/Developer/Xcode/DerivedData/AmiKo-dgwlkhzjntfwuzdsmhptqkxpabqw/Build/Products/Debug/AmiKo Desitin.app/Contents/MacOS/certifaction not valid: Error Domain=AppleMobileFileIntegrityError Code=-420 "The signature on the file is invalid" UserInfo={NSURL=file:///Users/b123400/Library/Developer/Xcode/DerivedData/AmiKo-dgwlkhzjntfwuzdsmhptqkxpabqw/Build/Products/Debug/AmiKo%20Desitin.app/Contents/MacOS/certifaction, NSLocalizedDescription=The signature on the file is invalid}
mac_vnode_check_signature: /Users/b123400/Library/Developer/Xcode/DerivedData/AmiKo-dgwlkhzjntfwuzdsmhptqkxpabqw/Build/Products/Debug/AmiKo Desitin.app/Contents/MacOS/certifaction: code signature validation failed fatally: When validating /Users/b123400/Library/Developer/Xcode/DerivedData/AmiKo-dgwlkhzjntfwuzdsmhptqkxpabqw/Build/Products/Debug/AmiKo Desitin.app/Contents/MacOS/certifaction:
  The code contains a Team ID, but validating its signature failed.
Please check your system log.
validation of code signature failed through MACF policy: 1
check_signature[pid: 47762]: error = 1
proc 47770: load code signature error 4 for file "certifaction"
<private>: Broken signature with Team ID fatal.

Inspecting the codesign of the certifaction binary:

codesign -d -vvvv --entitlements :- /Users/b123400/Library/Developer/Xcode/DerivedData/AmiKo-dgwlkhzjntfwuzdsmhptqkxpabqw/Build/Products/Debug/AmiKo\ Desitin.app/Contents/MacOS/certifaction
Executable=/Users/b123400/Library/Developer/Xcode/DerivedData/AmiKo-dgwlkhzjntfwuzdsmhptqkxpabqw/Build/Products/Debug/AmiKo Desitin.app/Contents/MacOS/certifaction
Identifier=amikoosx.certifaction
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=212857 flags=0x0(none) hashes=6641+7 location=embedded
VersionPlatform=1
VersionMin=720896
VersionSDK=720896
Hash type=sha256 size=32
CandidateCDHash sha256=b4becd89d22c7a6f4bd88ddf13442d31850b680e
CandidateCDHashFull sha256=b4becd89d22c7a6f4bd88ddf13442d31850b680e8c12ed446a5f2ad902ce2420
Hash choices=sha256
CMSDigest=b4becd89d22c7a6f4bd88ddf13442d31850b680e8c12ed446a5f2ad902ce2420
CMSDigestType=2
Executable Segment base=0
Executable Segment limit=1237
Executable Segment flags=0x1
Page size=4096
Launch Constraints:
    None
CDHash=b4becd89d22c7a6f4bd88ddf13442d31850b680e
Signature size=4781
Authority=Apple Development: ... (RNWN8T288Z)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=Jul 15, 2023 15:15:48
Info.plist=not bound
TeamIdentifier=4B37356EGR
Sealed Resources=none
Internal requirements count=1 size=188
Warning: Specifying ':' in the path is deprecated and will not work in a future release
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.application-identifier</key>
    <string>4B37356EGR.amikoosx</string>
    <key>com.apple.developer.team-identifier</key>
    <string>4B37356EGR</string>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
</dict>
</plist>

It does have a valid team ID that's the same as the main application.

zdavatz commented 1 year ago

codesign -s - -i amikoosx.certifaction --entitlements Certifaction.entitlements -f ./certifaction-arm64

@bettar suggests doing this:

#my codesign function
function cse {
  echo "~~~ Codesign $IDENTITY with entitlements <$1>"
  codesign --timestamp --force \
    --sign "$IDENTITY" \
    --options runtime \
    --entitlements "$PROJECT_DIR/cli.entitlements" \
    "$1"
}

where cli.entitlements is just this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>
</dict>
</plist>
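An added check, not code from the repository or from anyone in this thread, that applies the rule behind the "App sandbox not enabled" validation error to entitlement plists as codesign -d --entitlements prints them: the main app needs com.apple.security.app-sandbox, and an embedded helper such as certifaction-arm64 additionally needs com.apple.security.inherit (the cli.entitlements above) and no other sandbox entitlements of its own. The plists below are constructed samples modelled on the ones quoted in this thread.

```python
import plistlib

SANDBOX = "com.apple.security.app-sandbox"
INHERIT = "com.apple.security.inherit"

# Constructed sample plists, shaped like the ones codesign printed in this thread.
MAIN_APP = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>com.apple.security.app-sandbox</key><true/>
<key>com.apple.security.network.client</key><true/>
</dict></plist>"""

# Helper as shipped before re-signing: no sandbox entitlement at all.
HELPER_UNSIGNED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict/></plist>"""

# Helper signed with cli.entitlements: sandbox + inherit and nothing else.
HELPER_INHERIT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.security.app-sandbox</key><true/>
<key>com.apple.security.inherit</key><true/>
</dict></plist>"""


def check_entitlements(plist_xml: bytes, is_helper: bool) -> list:
    """Return the problems found (empty list means the sandbox rule is satisfied).

    is_helper=True applies the rules for an executable the main app spawns,
    i.e. certifaction-arm64 / certifaction-x86 under Contents/MacOS here.
    """
    ents = plistlib.loads(plist_xml)  # an empty <dict/> parses to {}
    problems = []
    if ents.get(SANDBOX) is not True:
        problems.append(f"{SANDBOX} missing or not true")
    if is_helper:
        if ents.get(INHERIT) is not True:
            problems.append(f"{INHERIT} missing or not true (child must inherit parent sandbox)")
        # Apple's guidance for an inheriting child is to carry no further
        # sandbox entitlements of its own; flag anything else as a smell.
        extra = sorted(k for k in ents
                       if k.startswith("com.apple.security.") and k not in (SANDBOX, INHERIT))
        if extra:
            problems.append("unexpected entitlements on inheriting helper: " + ", ".join(extra))
    return problems


def check_bundle(main_xml: bytes, helpers: dict) -> dict:
    """Return {path: problems} for every executable that fails, like the validator's list."""
    results = {"Contents/MacOS/main": check_entitlements(main_xml, is_helper=False)}
    for path, xml in helpers.items():
        results[path] = check_entitlements(xml, is_helper=True)
    return {path: probs for path, probs in results.items() if probs}
```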
zdavatz commented 1 year ago

This works:

codesign -s - -i amikoosx.certifaction --entitlements /Users/zdavatz/cli.entitlements -f ./certifaction-x86
codesign -s - -i amikoosx.certifaction --entitlements /Users/zdavatz/cli.entitlements -f ./certifaction-arm64

Then archive the app and validate it.