Code signing identity should be explicitly set by Projucer

Hi…

Since updating to Xcode 11, I’m getting build failures with:

.app: resource fork, Finder information, or similar detritus not allowed

Command /usr/bin/codesign failed with exit code 1

I’m not sure exactly what that’s referring to, but it exposes a related problem in that if I don’t set a code-signing identity in Projucer, it doesn’t add a CODE_SIGN_IDENTITY setting to the XCBuildConfiguration in the .pbxproj file. This causes Xcode to default to a setting of “Sign to run locally”.

I believe what the Projucer should do if no signing identity is specified, is explicitly set the CODE_SIGN_IDENTITY to an empty string. i.e.

CODE_SIGN_IDENTITY = "";

This will cause Xcode not to attempt to sign for any builds where no signing identity is supplied rather than using whatever its default setting happens to be.

I’ve now added this as an issue here.

I can’t reproduce any errors, but perhaps it’s because I don’t have access to any Macs without some signing certificates installed. Are you using a machine without certificates?

No, I have certificates, but I just don’t want to codesign for debug builds. You should be able to reproduce the problem if you Set the code signing Identity to “Sign to Run Locally” and the Development Team to “”. To do this, you may need to select the disclosure arrow in Xcode Build Settings for Development Team, select Other… and then remove any text.

So, the Signing settings look like this:

Code Signing Identity: Sign to Run Locally
Code Signing Style: Automatic
Development Team:

If Projucer were to set CODE_SIGN_IDENTITY = ""; in the pbxproj when no identity is set then the resulting settings would be:

Code Signing Identity:
Code Signing Style: Automatic
Development Team:

OK, I think this is actually two separate (probably unrelated) issues:

  1. The signing error (.app: resource fork, Finder information, or similar detritus not allowed) which occurs for me when I have a valid signing identity set, but only for “Standalone Plugin” builds
  2. The inability to disable signing from the Projucer, which is reported in the above GitHub issue.

I will further investigate “1” and if I can reliably reproduce a minimal example I will post a separate issue.

UPDATE
It seems like the “detritus” issue is fixed by running xattr -rc on the .app bundle from the command line. It isn’t clear to me why this works or how the bundle got corrupted in the first place. It doesn’t contain any images or other resources.

1 Like

Since updating to XCode 11 signcode fails for me as well.

unsealed contents present in the bundle root
Command /usr/bin/codesign failed with exit code 1

Read somewhere that this might happen if I use an application icon that is not in a proper location.

I’ll try to remove the resources and see if that solves it.

So, removing the icon didn’t help. However rebuilding from scratch did.

This is in the documentation:

Known Issues

  • Incremental builds to may fail to codesign properly for non-source related changes to your project, such as resource file modifications, which can result in the app failing to launch. (41254808) Workaround: Change a source file within the same target to trigger the codesign process, or perform a clean build.

https://developer.apple.com/documentation/xcode_release_notes/xcode_11_release_notes

Why do you want to disable local code signing?

My primary reason is to work around the above problem. But in general I have no reason to sign from Xcode since my code signing for distribution is done from a separate shell script (Makefile). So I would prefer to just disable signing as it is simply an unnecessary build step for debug builds.

Having the same problem here. Completely remove builds folder and recreate an Xcode 11 project using the Projucer: Command /usr/bin/codesign failed with exit code 1. Straight out of the box.

Going to Build Settings > Code Signing Identity > Other… and deleting the $(CODE_SIGN_IDENTITY_$(_DEVELOPMENT_TEAM_IS_EMPTY)) also solves the problem.

Thanks for reporting!

Still seems like the code signing identity is an issue in JUCE 6.1.3
If I enter nothing in Projucer I get “Sign to run Locally” on every target - which causes the codesign error.
If I edit each target and remove the “-” that Projucer added to “Code Signing Identity” I can build again.
Obviously this is not a useable workaround when building from commandline or scripts.

Am I missing something?

@thecargocult please see

and let’s continue the discussion there, instead of resurrecting old threads.