Trouble with CodeSigning for Mac App Store (Sandboxed)


Ash

Feb 28, 2012, 9:38:06 AM
to Growl Development
Hello all,

I'm trying to submit an app to the mac app store that uses sandboxing.
It's failing validation because the provisioning profile used to sign
Growl.framework doesn't match the profile being used to sign the app.
I'm trying to codesign the Growl.framework but it's not working. This
is my output:

Ashs-MacBook-Pro:500px Uploader ash$ codesign -i "com.500px.uploader" -f -v -s "3rd Party Mac Developer Application: 500px Inc." ./Growl.framework/Versions/A
./Growl.framework/Versions/A: replacing existing signature
./Growl.framework/Versions/A: object file format unrecognized, invalid, or unsuitable

I think this might be because the framework is already signed.

I know there are instructions for this at
http://growl.info/documentation/developer/implementing-growl.php#sandboxinginyourapp
but to be perfectly honest, I'm having a hard time following them. I
found the ruby script and got it to run, but it's failing on line 45:
"No bundle named com.500px.uploader.GNTPClientService.xpc". It *looks*
like I'm supposed to configure this script, but it's not clear either
way. In any case, I don't know how this script is supposed to work or
how to use it. I don't know what GNTPClientService or XPC is and there
are no instructions.

Can anyone suggest how to sign the Framework properly? I've been
struggling for hours at this and getting nowhere.

Rudy

Feb 28, 2012, 5:00:34 PM
to Growl Development
the first thing i see that is wrong is the -i "com.500px.uploader",
you really should only need to call code sign as:

codesign -f -s "3rd Party Mac Developer Application: 500px Inc." ./Growl.framework/Versions/A

that takes care of the framework portion of things.

if your app is targeting 10.7+ and isn't network based or you want to
use the xpc for enhanced separation of the networking from your main
app you'd use the GNTPClientService. Ultimately what the instructions
are showing is that you integrate it with your Xcode build process.
The script itself re-labels the bundle to be specific to your app and
signs it with your code signing identity.

I did see your two lines of question in #growl but you were gone
already by the time i was able to reply. we are US based so keep that
in mind when asking questions on IRC.

-rudy


Ash

Feb 29, 2012, 7:19:43 PM
to Growl Development
Hi Rudy,

Thanks for the reply. I'm actually in Toronto, but was still at work
when I was on #growl and had to leave for home.

I copy/pasted the wrong code from the Terminal - I was getting the
same problem when I tried the correct command:
Ashs-MacBook-Pro:500px Uploader ash$ codesign -f -s "3rd Party Mac Developer Application: 500px Inc." ./Growl.framework/Versions/A
./Growl.framework/Versions/A: replacing existing signature
./Growl.framework/Versions/A: object file format unrecognized, invalid, or unsuitable

So I still don't know why that's not working.

I'm afraid I don't understand the terminology here; my app has the
in/out-bound network entitlement, but I'm not sure what these XPC
enhancements are or what the GNTPClientService is. I'm only linking
against, then copying, the Growl.framework bundle so I can display
notifications to my users.

I managed to eventually get the bundle to pass validation by
downloading the Growl source and using Xcode to compile my own, signed
copy of the framework. This obviously isn't the best solution,
especially in the long-term or for multi-developer teams. Can you
suggest what I might try next to get the codesign tool to work
properly?

Thanks again,
Ash

Rudy Richter

Mar 1, 2012, 8:07:16 PM
to Growl Development
i'm not sure what you're doing differently, what version of the dev
tools are you dealing with? it's entirely possible that the version of
code sign that you're using isn't recognizing some aspect of the
binary properly.

I ran similar commands on a directly downloaded Growl.framework off of
growl.info and it resigned it fine for me.

gaius:Framework rudy$ codesign -f -s "Developer ID Application" Growl.framework/Versions/A/
Growl.framework/Versions/A/: replacing existing signature

gaius:Framework rudy$ codesign -dvvvv Growl.framework/Versions/A/
Executable=/Volumes/Forever/Users/rudy/Downloads/Growl-1.3.1-SDK/Framework/Growl.framework/Versions/A/Growl
Identifier=com.growl.growlframework
Format=bundle with Mach-O universal (i386 x86_64)
CodeDirectory v=20100 size=1833 flags=0x0(none) hashes=85+3 location=embedded
Hash type=sha1 size=20
CDHash=5e9adfd00086630a6c9024b8e2bbfb55e64783f7
Signature size=4240
Authority=Developer ID Application: Ambrosia Software, Inc.
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Signed Time=Mar 1, 2012 7:53:32 PM
Info.plist entries=17
Sealed Resources rules=4 files=1
Internal requirements count=1 size=368

The XPC is something we added to simplify the process of getting
approved for the Mac App Store for developers that don't need the
in/out-bound network communication entitlement for their application. It
is a far more attractive prospect for the developer to not have to
justify why they need network for their whole app just to talk to
Growl. Their app would just claim their normal entitlements, include
the XPC (which claims network for itself and only itself) and have a
far easier time getting approved. That isn't the only benefit to the
XPC but it is a pretty nice one. The real benefit is that you've
segmented off a possible attack vector into your app's address space
by using the XPC; if a vulnerability was discovered in the network
implementation that Growl uses (GCDAsyncSockets) or the code that
we've layered on top of GCDAsyncSockets, the impact would be limited to
the XPC process. It was one of the big messages Apple was pushing at
WWDC last year. All that said, Growl will work without the XPC; it's an
optional enhancement.

What code did you download exactly? hopefully you pulled from the
right hg tag and didn't build something using the default branch. If
you used default you shipped something 6 months out of date...

-rudy

Ash

Mar 1, 2012, 8:25:41 PM
to Growl Development
I re-downloaded the framework from the website and got the same error.
Then I looked in Keychain Access and I had two certificates with the
same name, the name I was using, only one had been revoked. As of Xcode
4.3, you can choose which certificate you want to use, even if they
have the same name, which is why I wasn't getting the compiler warning
I typically would have. Sorry for the trouble!

I really do appreciate your explanation of XPC - it's hard to break
into new frameworks without a knowledge of the jargon of that space.

Ash
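
The situation described in the post above (two keychain certificates sharing one name, one of them revoked) can be checked from the shell. This is an added example, not part of the original thread: it parses a listing in the layout printed by `security find-identity -p codesigning`, reports names that map to more than one certificate, and returns the hash of the single usable one, which `codesign -s` accepts in place of the name. The sample listing, its hashes and the "Example Inc." names are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed listing in the layout of `security find-identity -p codesigning`;
# the hashes and the "Example Inc." names are made up for this example.
SAMPLE='Policy: Code Signing
  Matching identities
  1) 1111111111111111111111111111111111111111 "3rd Party Mac Developer Application: Example Inc." (CSSMERR_TP_CERT_REVOKED)
  2) 2222222222222222222222222222222222222222 "3rd Party Mac Developer Application: Example Inc."
  3) 3333333333333333333333333333333333333333 "Developer ID Application: Example Inc."
     3 identities found

  Valid identities only
  1) 2222222222222222222222222222222222222222 "3rd Party Mac Developer Application: Example Inc."
  2) 3333333333333333333333333333333333333333 "Developer ID Application: Example Inc."
     2 valid identities found'

# Reads a listing on stdin and prints "<hash> <status> <name>" per certificate
# in the first section; status is OK or the CSSMERR_* code shown in parentheses.
list_identities() {
  awk '
    /Valid identities only/ { exit }
    /^ *[0-9]+\) [0-9A-Fa-f]+ "/ {
      name = $0; sub(/^[^"]*"/, "", name); sub(/".*$/, "", name)
      status = "OK"
      if (match($0, /\(CSSMERR_[A-Z_]+\)/))
        status = substr($0, RSTART + 1, RLENGTH - 2)
      print $2, status, name
    }'
}

# Names that resolve to more than one certificate (the ambiguous case).
ambiguous_names() {
  list_identities | cut -d" " -f3- | sort | uniq -d
}

# Prints the hash of the single usable certificate for name $1, or returns 1
# when none or several are usable. The hash can replace the name in `codesign -s`.
unique_valid_hash() {
  list_identities | awk -v want="$1" '
    { hash = $1; status = $2; sub(/^[^ ]+ [^ ]+ /, "") }
    status == "OK" && $0 == want { found = hash; n++ }
    END { if (n != 1) exit 1; print found }'
}

# Demo on the constructed listing; on a Mac, pipe the real command output instead.
printf '%s\n' "$SAMPLE" | ambiguous_names
printf '%s\n' "$SAMPLE" | unique_valid_hash "3rd Party Mac Developer Application: Example Inc."
```
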

Ash

Mar 1, 2012, 8:42:11 PM
to Growl Development
Or maybe I spoke too soon: this is from the latest SDK download from
growl.info:

unknown-b8-8d-12-43-e8-32:Framework ash$ codesign -f -s "3rd Party Mac Developer Application: 500px Inc." ./Growl.framework/Versions/A
./Growl.framework/Versions/A: replacing existing signature
./Growl.framework/Versions/A: object file format unrecognized, invalid, or unsuitable
unknown-b8-8d-12-43-e8-32:Framework ash$ pwd
/Users/ash/Downloads/Growl-1-2.3.1-SDK/Framework

I'll look into it and get back to you.

Chris Forsythe

Mar 1, 2012, 9:12:35 PM
to growl-de...@googlegroups.com
Is there any reason that you're using the 1.2.3 framework instead of the 1.3.1 framework?

-- 
Chris Forsythe


Ash

Mar 1, 2012, 9:14:50 PM
to Growl Development
Sorry - looks like Finder was just naming the successive downloads to
the SDK in a weird way: http://cl.ly/3B3U2l2P3Y1i013b2D3R


Rudy

Mar 6, 2012, 11:13:55 AM
to Growl Development
just following up, did this get fully sorted out? or are you still
having trouble?

-rudy

Ash

Mar 6, 2012, 11:15:09 AM
to Growl Development
Hi,

Thanks for the follow up. I still can't get codesign to work properly,
but the project was set back a bit, so I'm going to get the latest
stable version and compile in, signing it as I do so.

Ash

Rudy

Mar 8, 2012, 4:37:27 PM
to Growl Development
I'd make sure you grab from the maintenance-1.3 branch in that case,
it is the most up to date.

could you possibly also zip up the one you tried signing? I'd like to
try resigning what you signed and see what it tells me.

thanks
-rudy

Ash

Mar 9, 2012, 11:57:06 AM
to Growl Development
Sure, it's here: http://ashfurrow.com/Growl.framework.zip