Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
453 views
in Technique[技术] by (71.8m points)

macos - codesign gives always no identity found error via terminal

I've looked through already existing questions, but none has solved my problems (like recreating certificates). I've built an app where inside the app I have few executables and folders and frameworks. Whenever I try to do codesign -s "our identity" my.app always gives no identity found. Can someone give a step by step process of this.

codesign -s "Developer ID Application: Sai***** (123123123J)" out/Release/Sai.app

Error

Developer ID Application: Sai****** (123123123J): no identity found,

I tried removing "Developer ID Application" and the serial number, but everything gives the same error

Looking for help in these lines

Thank You

question from:https://stackoverflow.com/questions/16036571/codesign-gives-always-no-identity-found-error-via-terminal

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

while I did not do this for apple development code signing, I still think I have some valuable inside that could help you debug such a problem. The difference is that I created my own certificate while you got one from apple.

Check the trust of the cert, it must be trusted for code signing (on yosemite that is the third last in the trust section of the cert view in the keychain access). Be aware that for your code signing the cert should be in the login keychain, I needed it in the System keychain.

At first the cert was not known for codesigning to the keychain, because there was the Extension purpose "Code Signing" missing, you can find this if you look into the keychain and double click on the certificate:

enter image description here

I fixed that (you can not fix it as Apple provides the cert to you. The extension should just be there):

enter image description here

Then I added the certificate to the trusted signing certificates, after I had drag&dropped the certificate from the keychain to my desktop, which created the ~/Desktop/gdb-cert.cer (be aware you can omit -d and -r trustRoot:

$ sudo security add-trusted-cert -d -r trustRoot -p codeSign -k /Library/Keychains/System.keychain ~/Desktop/gdb-cert.cer

This was a bit tricky because I was mislead by some internet posts and did not look at the man page. Some said you should use add-trust (https://llvm.org/svn/llvm-project/lldb/trunk/docs/code-signing.txt). The terrible bit was that the command succeeded, but did not do what it should.

After that I found the new cert in the trusted certs like so:

$ security find-identity -p codesigning

Policy: Code Signing
  Matching identities
      1) E7419032D4..... "Mac Developer: FirstName LastName (K2Q869SWUE)"    (CSSMERR_TP_CERT_EXPIRED)
      2) ACD43B6... "gdb-cert"
  2 identities found

  Valid identities only
      1) ACD43... "gdb-cert"
  1 valid identities found

In my case the apple cert is expired, but the one I was using to sign gdb was not (well, I just created it myself). Also be aware that the policy is named differently for the "security add-trusted-cert"(-p codeSign) and the "security find-identity" command (-p codesigning). I then went on to sign gdb and I also always got:

$ codesign --sign gdb-cert.cer --keychain ~/Library/Keychains/login.keychain `which gdb`
  gdb-cert.cer: no identity found

because I was under the impression that I had to give the file name of the cert file to the --sign option, but that in fact was the CN of the certificate that I should have provided and should be in the trust store. You can find the CN here when double clicking on the cert in the keychain:

enter image description here

or in the above output of "security find-identity -p codesigning". Then I went on to sign and I had to give it the right keychain. In your case this would have to be the ~/Library/Keychains/login.keychain, in my case the System.keychain:

 codesign -s gdb-cert --keychain /Library/Keychains/System.keychain `which gdb` 

That then gave me a working gdb and it should give you a signed application.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...