How to codesign Kivy application on Mac OS X


man...@gmail.com

Dec 6, 2016, 12:16:21 AM
to Kivy users support
Hi,

I am having trouble properly codesigning a Kivy application on Mac. I built my application using buildozer, which uses Kivy. It doesn't use GStreamer or other additional SDL2 dependencies, so I removed those from the Kivy.app for buildozer. The application built fine and produces the .dmg correctly. Then I have to mount and copy out the .app and sign it using the following command:

$ codesign -s "<my certificate>" /path/to/my.app

However, when I verify the resulting application it shows the following message (command included):

$ codesign --verify -vvvv -R='anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.1] exists and (certificate leaf[field.1.2.840.113635.100.6.1.2] exists or certificate leaf[field.1.2.840.113635.100.6.1.4] exists)' critter.app
--prepared:/Users/xiyueden/Projects/critter/Source/bin/critter.app/Contents/Frameworks/SDL2.framework/Versions/Current/.
--validated:/Users/xiyueden/Projects/critter/Source/bin/critter.app/Contents/Frameworks/SDL2.framework/Versions/Current/.
critter.app: valid on disk
critter.app: satisfies its Designated Requirement
test-requirement: code failed to satisfy specified code requirement(s)

spctl also reports a similar issue:

$ spctl -a -vvvv critter.app
critter.app: a sealed resource is missing or invalid

Before signing the .app, running it will prompt that the app is from an unidentified developer and fails to run by default. After signing, it will report that this .app is broken and suggest moving it to the trash.

I'm not sure what can be wrong here. Can anyone with experience on Mac shed some light on this? If you need more information, let me know.

Thank you.

ZenCODE

Dec 6, 2016, 3:43:02 AM
to Kivy users support
Is there a reason you are doing it via command line and not through XCode? XCode will do this automatically for you as you upload the app...

man...@gmail.com

Dec 6, 2016, 3:49:43 AM
to kivy-...@googlegroups.com
Hi,

On 12/6/16 12:43 AM, ZenCODE wrote:
> Is there a reason you are doing it via command line and not through
> XCode? XCode will do this automatically for you as you upload the app...
>

Thanks for your reply. We didn't develop our application within XCode
and were not distributing it through the App Store. Yet we still wish to
minimize the extra work a user needs to do before using our application.
Also we'd like to make our packaging scriptable.


ZenCODE

Dec 6, 2016, 8:52:07 AM
to Kivy users support
Okay, entirely reasonable (and the way I'd prefer too). But unfortunately, I've never tried code signing outside of XCode. As your console output does not specify which resource is missing, it might be worth trying it from XCode just to see if it gives you more info: i.e. which resource. You can then revert back to the console once you know that.

Otherwise, sorry, can't help. Good luck.

man...@gmail.com

Dec 6, 2016, 8:40:19 PM
to kivy-...@googlegroups.com
Hi ZenCODE,

Thanks for the suggestions. Anyway, I have made some progress by first
signing the containing frameworks and then signing the executable. Now the
codesign verification passes, though spctl still reports issues:

$ spctl -a -vvvv critter.app
critter.app: rejected (resource envelope is obsolete (version 1 signature))
[...]

However, codesign does report version 2:

$ codesign -dvvvv critter.app
[...]
Sealed Resources version=2 rules=13 files=1437
Internal requirements count=1 size=180
[...]

And running the code still prompts about an unidentified developer.

I searched about this and someone said it had been fixed by some XCode
revisions but I'm using the latest XCode, and my system is macOS
10.12.1. Not sure what to do here.

man...@gmail.com

Dec 21, 2016, 7:02:13 AM
to kivy-...@googlegroups.com
So I finally managed to fix the problem. The solution is simple but
tedious. One should maintain the directory structure under the bundle
imperatively, specifically:

* No directories under *.framework/ except Versions. Replace everything
else with symlinks from Versions/Current/*
* No lingering files under **/Versions/Current/. Some of the frameworks
I use have LICENSE.* files there. I just removed them.

And after that it works. The command is:

$ codesign -f -v --deep -s "YOUR IDENTITY" your.app

Hope this helps.
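
The two layout rules from the post above, turned into a check to run before signing (an added example, not part of the original thread). It assumes each framework's main binary is named after the framework; the function names and finding labels are invented for illustration.

```sh
#!/bin/sh
# Added example: audit framework layout inside an .app before running codesign.
# Assumption: each framework's main binary is named after the framework.

list_findings() {
    # find does not follow symlinks, so each real framework directory
    # (including nested ones) is visited exactly once.
    find "$1" -type d -name '*.framework' | while IFS= read -r fw; do
        name=$(basename "$fw" .framework)
        # Rule 1: only Versions/ may be a real directory at the top level;
        # every other entry must be a symlink into Versions/Current/.
        for entry in "$fw"/*; do
            [ -e "$entry" ] || [ -L "$entry" ] || continue
            [ "$(basename "$entry")" = "Versions" ] && continue
            if [ ! -L "$entry" ]; then
                echo "NOT_SYMLINK: $entry"
                continue
            fi
            case $(readlink "$entry") in
                Versions/Current/*) ;;
                *) echo "BAD_TARGET: $entry" ;;
            esac
        done
        # Rule 2: no loose files (LICENSE.* and the like) at the version root.
        for f in "$fw"/Versions/Current/*; do
            [ -f "$f" ] || continue
            [ "$(basename "$f")" = "$name" ] && continue
            echo "STRAY_FILE: $f"
        done
    done
}

# Prints one finding per line; returns 0 when the layout is clean, 1 otherwise.
audit_frameworks() {
    findings=$(list_findings "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage: audit_frameworks /path/to/my.app && codesign -f -v --deep -s "YOUR IDENTITY" /path/to/my.app
```
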

ZenCODE

Dec 21, 2016, 11:53:47 AM
to Kivy users support
Great stuff. Thanks for posting your findings :-)