Codesigning OS X app with plugins and iTunesLibrary

Question

I have a really weird codesigning problem. A previous, almost identical version has passed validation and been submitted to the App Store, so my codesignature isn't broken.

Recently I've been trying to use the iTunesLibrary framework. This framework only works if your application is codesigned. I'm getting a common error when trying to initialize the framework that indicates a codesigning failure:

Error Domain=NSPOSIXErrorDomain Code=100001 "Could not load." UserInfo=0x100329d80 {NSLocalizedDescription=Could not load., NSUnderlyingError=0x10031a430 "The operation couldn’t be completed. (OSStatus error 100005.)"}

My app is organized into multiple frameworks both dynamically linked and plugins. I have been using the --deep flag to recursively sign my application, but apparently this is wrong. Now I'm using a run script build phase to sign each of my frameworks and plugins. This seems to work as codesign tells me the app is signed.

I've built the app in debug mode as well as archived it and exported as a Developer ID signed program and checked the signature -- both build modes pass. When I run it, I get the above error from iTunesLibrary. The really weird part is, if I export the app and re-sign it myself as below, then iTunesLibrary functions properly:

codesign --force --sign "MyIdentity" --deep MyApp.app

If I use spctl --assess to try to tell me more about this, I learn that this application despite working properly is badly signed:

/Users/me/Desktop/MyApp.app: rejected

The app that iTunesLibrary doesn't like on the other hand passes spctl inspection:

/Users/me/Desktop/MyApp.app: accepted
source=Developer ID
origin=Developer ID Application: Me

Answer 1

The solution is to link the iTunesLibrary framework to your main executable as well as to the framework that is actually using it.

I'd love to know why...

Answer 2

If you’re embedding frameworks, you will need to create a “Copy Files” Build Phase that moves your.framework into the Frameworks destination. After your added Build Phase, add a run script with something such as:

LOCATION="${BUILT_PRODUCTS_DIR}"/"${FRAMEWORKS_FOLDER_PATH}"
IDENTITY="Developer ID Application: Certificate Common Name"
codesign --verbose --force --sign "$IDENTITY" "$LOCATION/your.framework/Versions/A"

In short the --deep flag can't do the job properly. Yes, it recursively signs the nested bundles, however, it applies the parameters for the top-level bundle to all the nested bundles. In turn your app’s entitlements will cause the resulting bundles to be invalid.

man codesign --deep also states:

; anything nested indirectly will require recursive application of the codesign command.