Charles

Reputation: 2661

OS X gatekeeper/codesign: signature not valid

I'm facing a tricky problem, and I hope someone has encountered something similar before.

I created an OS X app (app bundle, testing on Yosemite 10.10.2), with several helper sub apps as part of this bundle. These sub apps are stored in their own app bundle.

The structure is:

AppName.app
      -> Contents/Frameworks/SubAppName_1.app
      -> Contents/Frameworks/SubAppName_2.app

Etc. This all works great, no problems at all.

The issue starts appearing when I sandbox/codesign my app, to prepare it for Development/AdHoc/Mac App Store deployment.

I'm using the following commands to sign my app bundle (+ sub components):

codesign --verbose --force --sign "$IDENTITY" --entitlements entitlements.child "$OUTDIRECTORY/AppName.app/Contents/Frameworks/SubAppName_1.app" 
codesign --verbose --force --sign "$IDENTITY" --entitlements entitlements.child "$OUTDIRECTORY/AppName.app/Contents/Frameworks/SubAppName_2.app" 
codesign --verbose --force --sign "$IDENTITY" --entitlements entitlements.parent "$OUTDIRECTORY/AppName.app"

Again, works great. Signed app boots up, works fine. All features are working, no bugs/crashes/visible errors. Similar to the non sandboxed/codesigned app. Everything runs in the sandbox. I can use the app for hours, no problem.

However, if I then close down the app for a while (say, 15-30 minutes, it's quite random), I get the following "signature not valid" error on one of my sub apps (the main bundle spawns them as a sub process).

12:38:56 MBA.local amfid[274]: /Applications/AppName.app/Contents/Frameworks/SubAppName_1.app/Contents/MacOS/SubAppName_1 signature not valid: 0xfffefa31
12:38:56 MBA kernel[0]: proc 82808: load code signature error 4 for file "SubAppName_1"
12:38:57 MBA.local amfid[274]: /Applications/AppName.app/Contents/Frameworks/SubAppName_1.app/Contents/MacOS/SubAppName_1 signature not valid: 0xfffefa31
12:38:57 MBA kernel[0]: proc 82811: load code signature error 4 for file "SubAppName_1"

If I reboot the app after a few minutes, everything still works. Nine out of ten times I need to recompile the app to get it working again. However, occasionally, it randomly starts working again.

When I deploy an AdHoc build of this app on an unrelated Yosemite device, the same thing happens, but I get the following amfid error code: 0xfffefa2a

Anyone have any ideas what might be causing this? There must be something that I'm doing wrong!

Upvotes: 4

Views: 3763

Answers (1)

Kunis

Reputation: 146

We encountered the same problem and opened a ticket with Apple developer support. Yet we found a flaw in our nested bundle that was causing the issue.

OS X uses a case-insensitive file system, so it basically doesn't matter whether you name the nested framework "SubAppName_1.app" or "subappname_1.app". That was true until Yosemite. In OS X 10.10, Apple started to use amfid (Apple Mobile File Integrity Daemon), which originated in iOS. It seems amfid does take into account the case of file and folder names.

Finally, we aligned the case of all names, including file names, folder names, soft links and the name compiled into the framework's executable file.

The otool command can help you to check what name is used in compilation:

$ otool -L <your main executable>          # Gives list of libraries to load
$ otool -D <nested bundle's executable>    # Gives self-name of the library

As soon as we aligned the case of all names, the problem disappeared.

Upvotes: 1
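
The audit this answer describes (checking that every referenced name matches the on-disk name, case included) can be scripted before signing. The following is an added example, not code from the original post; the function names are hypothetical, and the `otool -L` text is expected to be captured separately and passed in as a string.

```python
import os

def case_mismatches(path):
    """Return (referenced, on_disk) pairs for each component of `path` whose
    case differs from the real directory entry. Comparing against os.listdir()
    makes this work on case-insensitive and case-sensitive volumes alike."""
    current, found = os.sep, []
    for part in os.path.abspath(path).split(os.sep)[1:]:
        try:
            entries = os.listdir(current)
        except OSError:
            entries = [part]            # cannot list this level: skip the check
        if part not in entries:
            near = [e for e in entries if e.lower() == part.lower()]
            if not near:
                break                   # genuinely missing, not a case problem
            found.append((part, near[0]))
            part = near[0]              # keep walking along the real name
        current = os.path.join(current, part)
    return found

def symlink_mismatches(bundle):
    """Map each symlink inside `bundle` to the case mismatches in its target."""
    report = {}
    for root, dirs, files in os.walk(bundle):
        for name in dirs + files:
            link = os.path.join(root, name)
            if os.path.islink(link):
                bad = case_mismatches(os.path.join(root, os.readlink(link)))
                if bad:
                    report[link] = bad
    return report

def install_name_mismatches(otool_output, executable):
    """Check the names printed by `otool -L <executable>` (passed in as text).
    Only @executable_path/ and @loader_path/ entries are resolved (assumption:
    both are taken relative to the directory of `executable`)."""
    exe_dir = os.path.dirname(os.path.abspath(executable))
    report = {}
    for line in otool_output.splitlines()[1:]:   # first line names the file
        name = line.strip().split(" (")[0]       # drop "(compatibility ...)"
        if name.startswith(("@executable_path/", "@loader_path/")):
            bad = case_mismatches(os.path.join(exe_dir, name.split("/", 1)[1])
                                  )
            if bad:
                report[name] = bad
    return report
```

An empty result from both functions means no case differences were found; `@rpath` entries and absolute system paths are not examined.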
