I'm signing an app bundle using an Apple Developer ID certificate. I need to sign using the command line tool since our build is automated and runs from our toolchain. 90% of the time it works fine with this command:
ws5:bin nick$ codesign -fs "Developer ID Application: <my name here>" MyApp.app
ws5:bin nick$ spctl --assess MyApp.app
ws5:bin nick$ 
Note: MyApp.app is not my real application name, and <my name here> is not the actual value.
So, maybe 1 in 10 times it intermittently fails with this error:
MyApp.app: The timestamp service is not available.
I've verified the .app gets through the quarantine mechanism with spctl --assess and by zipping it and downloading the signed file -- so please don't say "you're doing it wrong, use Xcode". I know that Apple doesn't "officially" recommend using codesign for developer ID certificates (according to a WWDC video) but we need to use it for automation and because our app is a strange combination of gcc and Qt build output.
Is the best strategy around this error to just retry until it works again? That's all I can think to do.
I cannot recommend the --timestamp=none workaround. If you do not timestamp your signatures, your binaries will become unsigned/invalid when the certificate expires. At least if you timestamp your signature, the verification will pass as long as the binary was signed while the certificate was still valid. This does not discount the certificate actually being revoked, but should keep you covered in case someone, possibly you, needs to use your archival copies some time past the certificate expiry.
If you don't have the Internet to timestamp your signature, you may as well disable signing altogether until your connection is back up.
EDIT: Or, assuming that your connection is up, but Apple's default timestamp server is being flaky, you could opt to supply your own valid timestamp server.
This problem does seem to arise from network/firewall issues. I was consistently getting this error before using a VPN to get to a less restrictive network. I wonder which server this codesigning tool is trying to access.
A workaround seems to be adding the --timestamp=none flag (to "Other Code Signing Flags" if you're using Xcode).
I think this has nothing to do with the way you're signing. I built my project many times this afternoon, in Xcode, with no such problem. But this evening, while riding on a bus with no internet access, I tried to build three times and got this same error every time. So I closed my MacBook Air and we both took a nap. When I arrived home, with wireless internet back on, I was able to build again.
So, apparently, Xcode will not codesign, and therefore fails to build a codesigned app, unless it can reach a timeserver on the internet, or something like that. Quite annoying that the error message does not explain this! Is your internet access intermittent?
Obviously, the brute force workaround of removing the codesigning build phase would probably fix it. I also found an easier workaround, except that I would set a reminder to remember to turn that timestamp switch back on before building for shipping. Otherwise I presume your un-timestamped product might fail Mac App Store review or Gatekeeper.
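The retry strategy the question asks about, written so the secure timestamp is kept rather than dropped with --timestamp=none. This is an added example, not code from any of the posts above; `sign_with_retry`, its arguments and the exit code 75 are hypothetical choices, and the only string it matches is the error text quoted in the question.

```shell
#!/usr/bin/env bash
# Added example: retry a signing command ONLY when it fails with the transient
# timestamp-service error, and surface every other failure immediately.
# sign_with_retry and its parameters are hypothetical names for this sketch.

# Error text as quoted in the question.
TS_ERROR='The timestamp service is not available'

# sign_with_retry <max_attempts> <base_delay_seconds> <command> [args...]
# Returns 0 on success, the command's own exit status on a non-transient
# failure, or 75 (EX_TEMPFAIL in sysexits.h) if every attempt hit the
# timestamp error. The delay doubles after each failed attempt.
sign_with_retry() {
    local max=$1 delay=$2 attempt=1 out status
    shift 2
    while :; do
        # Capture stdout and stderr so the error text can be inspected.
        if out=$("$@" 2>&1); then
            return 0
        else
            status=$?
        fi
        case $out in
            *"$TS_ERROR"*) ;;   # transient: fall through and retry
            *)  # Bad identity, damaged bundle, etc.: retrying would only
                # hide a real signing problem, so report it and stop.
                printf '%s\n' "$out" >&2
                return "$status" ;;
        esac
        if [ "$attempt" -ge "$max" ]; then
            printf 'timestamp service still unavailable after %d attempts\n' \
                "$attempt" >&2
            return 75
        fi
        printf 'attempt %d: timestamp service unavailable, retrying in %ss\n' \
            "$attempt" "$delay" >&2
        sleep "$delay"
        delay=$((delay * 2))
        attempt=$((attempt + 1))
    done
}

# Usage in the build, with the identity and bundle name from the question:
#   sign_with_retry 5 2 codesign -fs "Developer ID Application: <my name here>" MyApp.app \
#       && spctl --assess MyApp.app
```

Failing the build with a distinct exit code when the service never answers lets the automation tell "try again later" apart from a broken signing setup, without ever shipping an un-timestamped signature.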