Codesign verify returns invalid argument

StackOverflow https://stackoverflow.com/questions/21189162

  •  29-09-2022
  •  | 
  •  

Question

I have an app that was signed on my build server (without errors). Apparently something went wrong and when I open it in Finder I get a message that the app is damaged.

The problem is, when I do

codesign --verify --verbose MyApp.app

I get

MyApp.app: Invalid argument

It works with any other App from Applications folder. I would expect to get a more detailed error on how the signature is broken.

Is there any option to get more details? What could cause that behaviour?

Was it helpful?

Solution 2

You can get more detailed information by using the verbose flag like this to increase the level of verbosity:

codesign --verify --verbose=4
codesign --verify -vvvv
codesign -v -vvvv

These are all the same command, just different ways of inputting it:

-v, --verbose Sets (with a numeric value) or increments the verbosity level of output. Without the verbose option, no output is produced upon success, in the classic UNIX style. If no other options request a different action, the first -v encountered will be interpreted as --verify instead (and does not increase verbosity).

Apple considers this a 'bug' according to their man page:

The dual meaning of the -v option, indicating either verbosity or verification, confuses some people. If you find it confusing, use the unambiguous long forms --verbose and --verify instead.

There are also some free utilities available such as Codesign Checker, that might be useful.

OTHER TIPS

@l'L'l 's answer was correct concerning how to get more detailed logs so I accepted it.

However, for the reference, the real problem was the zip command. On my build server I zip the built app bundle. Yet I used the zip command line tool to do so, which does not handle aliases correctly. So when you have frameworks in your bundle they ususally have aliases pointing to the current binary version and headers. When you zip this with zip -r these aliases will be resolved. Then of course the code signature is no longer valid.

The correct way to zip files on Mac is to use the ditto command:

ditto -c -k --keepParent --sequesterRsrc "my source file" "myArchive.zip"

The same is true for the cp copy command. cp -r will expand alias files. The correct copy command is cp -R

It had always worked before with the 'wrong' commands. I guess something was changed in OS X 10.9.1 either with the comamnd line tools or with the signature validation...

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top