Menu
I've looked through already existing questions, but none has solved my problems (like recreating certificates). I've built an app where inside the app I have few executables and folders and frameworks. Whenever I try to do codesign -s "our identity" my.app always gives no identity found. Can someone give a step by step process of this.
codesign -s "Developer ID Application: Sai***** (123123123J)" out/Release/Sai.app Error
Developer ID Application: Sai****** (123123123J): no identity found,
I tried removing "Developer ID Application" and the serial number, but everything gives the same error
Looking for help in these lines
668
This is a cryptographic process that identifies you as a developer, and identifies your application as something that has been distributed by you. The process of obtaining a code signing identity is slightly different on every platform. The following are guides for every platform that Briefcase supports: Android.
Apple Code Signing Certificate Guide Apple code signing is done from the command line using their (aptly named) codesign tool and should be very straightforward. Note: You can use a DigiCert Code Signing Certificate (standard and EV) to sign your Mac OS software, tools, updates, utilities and applications.
I had some trouble with this as well. Double-check that your code-signing identity is in your keychain, and you might consider using the SHA-1 fingerprint instead of the name after the -s.
You can find the SHA-1 fingerprint by opening up Keychain Access and selecting your Developer ID Application: FOO certificate, and then choosing Get Info. From here, scroll to the bottom of the information until you reach Fingerprints. The SHA-1 fingerprint here can be copied and you will have to remove all of the spaces, but after that you will have a 40-character identifier which will be appropriate for placing after the -s in your codesign statement.
If you are still having problems locating the key, try the following from Terminal:
certtool y | grep Developer\ ID and look for anything with Developer ID Application in the Common Name to verify that the certificate is actually in a keychain that is accessible from Terminal. If you don't see anything in response, that would indicate that the keychain containing your credentials is unavailable to your Terminal session. Reasons for this would include things like the keychain being locked, the shell running as another user, executing the command with different permissions (such as sudo).
After executing the command above, you should have at a minimum the following:
Developer ID Application: <your company name> Developer ID Installer: <your company name> Developer ID Certification Authority If you don't have all three, you should go and download the missing elements. Although you may not currently need to build an Installer, there's no harm in having it around. The Application and Installer elements can be downloaded from the Mac Certificates section of the Certificates, Identifiers, & Profiles tab on Apple's Developer site. You should have listings there that are not expired. You may have listings there as well that have expired. To install the certificates in your keychain:
The Developer ID Certification Authority should have been installed by Xcode, but if it wasn't, you can install it yourself. You will need to download that separately from Developer ID Authority or by clicking on the + link in Certificates tab and use the link at the bottom to download the Certificate.
This would also be a good time to make sure that you have the Apple Worldwide Developer Relations Certification Authority, which is the basis for some of the signing tools. It should be installed in your System keychain, by the Xcode installer and can be downloaded directly from the + link in the Certificates tab above or from Apple WWDR CA.
According to Apple's App Distribution Guide, there are specific keychains that are appropriate for each of the Certificates and keys:
Because Xcode automatically manipulates the keychains, and because some certificates are re-issued regularly when profiles change (although not for Developer ID, since it has multi-year certificates and doesn't require profiles), you can end up with a propagation of unnecessary and potentially confusing certificates in your keychain. It is a good idea to clean these out when they have expired, as they can create some confusion for Xcode.
WARNINGS
Things to do:
50
while I did not do this for apple development code signing, I still think I have some valuable inside that could help you debug such a problem. The difference is that I created my own certificate while you got one from apple.
Check the trust of the cert, it must be trusted for code signing (on yosemite that is the third last in the trust section of the cert view in the keychain access). Be aware that for your code signing the cert should be in the login keychain, I needed it in the System keychain.
At first the cert was not known for codesigning to the keychain, because there was the Extension purpose "Code Signing" missing, you can find this if you look into the keychain and double click on the certificate:
I fixed that (you can not fix it as Apple provides the cert to you. The extension should just be there):
Then I added the certificate to the trusted signing certificates, after I had drag&dropped the certificate from the keychain to my desktop, which created the ~/Desktop/gdb-cert.cer (be aware you can omit -d and -r trustRoot:
$ sudo security add-trusted-cert -d -r trustRoot -p codeSign -k /Library/Keychains/System.keychain ~/Desktop/gdb-cert.cer This was a bit tricky because I was mislead by some internet posts and did not look at the man page. Some said you should use add-trust (https://llvm.org/svn/llvm-project/lldb/trunk/docs/code-signing.txt). The terrible bit was that the command succeeded, but did not do what it should.
After that I found the new cert in the trusted certs like so:
$ security find-identity -p codesigning Policy: Code Signing Matching identities 1) E7419032D4..... "Mac Developer: FirstName LastName (K2Q869SWUE)" (CSSMERR_TP_CERT_EXPIRED) 2) ACD43B6... "gdb-cert" 2 identities found Valid identities only 1) ACD43... "gdb-cert" 1 valid identities found In my case the apple cert is expired, but the one I was using to sign gdb was not (well, I just created it myself). Also be aware that the policy is named differently for the "security add-trusted-cert"(-p codeSign) and the "security find-identity" command (-p codesigning). I then went on to sign gdb and I also always got:
$ codesign --sign gdb-cert.cer --keychain ~/Library/Keychains/login.keychain `which gdb` gdb-cert.cer: no identity found because I was under the impression that I had to give the file name of the cert file to the --sign option, but that in fact was the CN of the certificate that I should have provided and should be in the trust store. You can find the CN here when double clicking on the cert in the keychain:
or in the above output of "security find-identity -p codesigning". Then I went on to sign and I had to give it the right keychain. In your case this would have to be the ~/Library/Keychains/login.keychain, in my case the System.keychain:
codesign -s gdb-cert --keychain /Library/Keychains/System.keychain `which gdb` That then gave me a working gdb and it should give you a signed application.
21
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
