Upgraded to Big Sur and now my codesigning fails on 10.11 and earlier

BTW since Xcode 12.5 isn’t compatible with Catalina any more we have to live with Xcode 12.4 for a while.

1 Like

But! Apple apparently listened and, from the release notes of Xcode 12.5… (bold added by me)

Signing and Distribution

Resolved Issues

  • Resolved an issue that prevented exporting distribution certificates from Xcode due to a keyboard focus issue in the authentication window. (71011727) (FB8880845)
  • Fixed an issue that caused OS X 10.11 and earlier to reject packages signed in macOS 11 or later. (71695608, 75599040)

EDIT: with this caveat:

  • OS X 10.11 or earlier may reject code signatures added to universal binaries by Xcode 12.5 running in macOS 11.2 or earlier. (70724583) (FB8830007)
    Workaround: Specify --digest-algorithm=sha1,sha256 to the codesign utility at signing time. In Xcode, specify this using the OTHER_CODE_SIGN_FLAGS build setting.

So it looks like it works out of the box if you’re on Big Sur 11.3, but you need the extra command line options to make it work if you’re on 11.0 up to 11.2.

6 Likes
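A build-script sketch of the workaround quoted above, added here as an example and not taken from the release notes or from any poster's script: it signs with both digests and then refuses to continue unless `codesign -dvvv` reports both in its "Hash choices=" line. The function names and the sample output are constructed for illustration; the identity, target path and any extra flags are supplied by the caller.

```shell
#!/bin/sh
# Added example: gate a build on the digest list that codesign reports.

# Reads `codesign -dvvv` output on stdin. Succeeds only if the
# "Hash choices=" line lists both sha1 and sha256.
has_legacy_digests() {
    choices=$(sed -n 's/^Hash choices=//p' | head -n 1)
    case ",$choices," in *,sha1,*) ;; *) return 1 ;; esac
    case ",$choices," in *,sha256,*) ;; *) return 1 ;; esac
    return 0
}

# Usage: sign_for_legacy "<identity>" <path> [extra codesign flags...]
# Signs with both digests (the release-note workaround), then checks
# the result. codesign -d writes its report to stderr, hence 2>&1.
sign_for_legacy() {
    identity=$1
    target=$2
    shift 2
    codesign --force --sign "$identity" \
        --digest-algorithm=sha1,sha256 "$@" "$target" || return 1
    codesign -dvvv "$target" 2>&1 | has_legacy_digests
}

# Constructed, abbreviated samples of `codesign -dvvv` output
# (not captured from a real build).
SAMPLE_DUAL='Identifier=com.example.plugin
Format=bundle with Mach-O universal (x86_64 arm64)
Hash type=sha256 size=32
Hash choices=sha1,sha256'

SAMPLE_SHA256_ONLY='Identifier=com.example.plugin
Format=bundle with Mach-O universal (x86_64 arm64)
Hash type=sha256 size=32
Hash choices=sha256'
```

To audit a bundle that is already signed, pipe `codesign -dvvv <path> 2>&1` into `has_legacy_digests` on its own.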

Great news! Has anyone verified this yet?

I just tried a fully notarised installer built using macOS 11.3 using the Xcode 11.6 command line tools and it ran first time on an OS X 10.10 and 10.11 VM, which I don’t remember being the case before unless I built on macOS 10.15, so I wonder if the issue has been resolved at the OS level in the latest macOS 12.3 update. I thought the signing tools were actually a part of the OS rather than Xcode, so it makes sense if it’s the case. If anybody can verify, it would be appreciated, in case I’ve made a mistake about it being fixed somehow, as I’m not too sure how Xcode 12.5 factors into this.

3 Likes

That’s great news! I’m updating to 11.3 and I will test it ASAP.

1 Like

Tested here on 10.8 with a Package made on M1 MBA and it seems to work as expected.

3 Likes

Unfortunately, my first attempt didn’t work. On OS X 10.10 the installer shows the same error “signature is invalid”. I haven’t tried the workaround proposed in the notes as it refers to codesign and not productsign, so not sure if there’s anything else I should try.

Edit: success! I was using packages in my build script. If I re-sign using productsign on Big Sur 11.3 (Silicon) it seems to be finally working! For now I’ve tested 10.9 and 10.10.

1 Like

Great news…! Just to confirm, so we can sign plugins and their installers using macOS 11.3 + Xcode 12.5 that will run on macOS 10.9, 10.10 and 10.11? Does this work on both M1 and Intel then?

I have not tested 10.11 yet, but I confirm that our test build made on Big Sur 11.3 (Silicon/M1) worked perfectly on 10.9 and 10.10.

1 Like

This isn’t needed if you run codesign outside Xcode, right?

Can confirm it works with 10.11 too.

2 Likes

Awesome, thanks!