iOS standalone - what to do about code signing failures?

Graham Samuel livfoss at mac.com
Mon Jan 7 05:32:45 EST 2013


Thanks Bob for these very useful insights. I had gradually become aware that I was entering a universe of which Apple is a mere member (galaxy?). Your email clarifies this universe to a great extent. What I will say is:

1. IMO (and I'm sure I'm not alone), Apple make the whole thing unnecessarily complicated by (for example) causing developers to use three separate bits of software to get the certification done; using names for different objects created which are either similar or identical to one another; and when things go wrong (or just need renewal) providing inadequate explanations, instructions and workflows to get you back on track (for example the almost completely useless error messages that Dave Kilroy and I have been getting).

2. When you say "now that you are a developer", I bridled a bit, since I've been a developer for years. The trouble is that most of my work has been in producing either private stuff or low-priced educational software for the desktop, in an environment where malicious use and even plagiarism are rare. So up to now the security arrangements for my published stuff have been minimal, and my publisher has been happy. Now with iOS and all that, the game has changed, so I need to learn new tricks. Again, clearly I am not the only one.

I still feel that it would be a very good thing if there were a document to describe Apple's process of certification, including what can go wrong and what to do about it, oriented entirely toward LC developers - a cookbook, if you will. Your mail would be a good introduction! I don't know if I will ever feel comfortable enough to write it, but I haven't given up hope yet.

Thanks again

Graham


On 7 Jan 2013, at 03:01, Robert Sneidar wrote:

> Hi Graham. I feel somewhat obligated at this point to explain certificates. Certificates in the security world are like ID cards, only much harder to forge than real ID cards. A certification agency (in the real world the State of California for example) issues a document that is not easily forged that indicates that the person holding it really is who they say they are. 
> 
> Imagine someone putting out a version of Word, only for a much cheaper price than you can get in a retail store. Trouble is, someone has modified the application to include a payload that does bad, bad things once you install it. How do you prevent such naughty behavior? Well one way is by issuing a certificate from Microsoft to the real entity, that gets checked with the issuing authority whenever the software attempts to install or run. Failure to validate that the software is genuine results in the software not running or even being allowed to install. 
> 
> The reason you don't know a lot about it is that to the end user, this process is usually transparent. Now that you are a developer, you are going to have to deal with it. As far as the Apple keychain is concerned, that is simply a single repository of various security tokens conveniently secured with a single password. You may think this is an exclusive Apple technology, but thankfully it is not. Ever had Internet Explorer ask if you want to remember passwords? Same mechanism. Imagine having to remember 100 user names and passwords! That is what many people attempt to do when interacting with the internet. They create different user names and passwords for every site they visit. Secure, but not practical. They forget almost right away which user name/password they used for each site. The keychain alleviates the "forgetting" part by allowing the user to consolidate all those security tokens under one sign on, even certificates. 
> 
> Contrary to what some may think, this is not a Mac thing. Virtually all modern operating systems incorporate some kind of single sign on mechanism to deal with security. 
> 
> Bob
> 
> 
> On Jan 6, 2013, at 2:10 PM, Graham Samuel wrote:
> 
>> Wow! Breakthrough - thanks to you Dave and to Jacque. I deleted some 'old' certificates in the Keychain utility and suddenly the app got made. There is so much there that I didn't understand - as I've said before, I will try to get more of an insight and publish it. So far the lesson is "don't try to replace or renew, create new certificates and revoke or delete the old ones", and take no notice of the 'renew' button in the corner. Why for example are there other certificates in the keychain which have expired but which never seem to prevent anything on my system happening? Why is there a keychain at all (Mac heresy!).
>> 
>> As to what you're seeing Dave, until a few minutes ago I was getting very much the same as you. There were two screens. For me the odd thing is that none of these great long numbers nor the shorter sequences were recognised as anything attached to my certificates as shown in the Finder nor to my App Identifier, unless I'm mistaken - what are they and where do they come from? I also think the two screens are the same, just one comes from within LC and another is some kind of by-product of LC's interaction with XCode.
>> 
>> Graham
>> 
>> On 6 Jan 2013, at 21:30, Dave Kilroy wrote:
>> 
>>> Hi Graham
>>> 
>>> If I try to build a standalone for iOS I'll get two error messages; the first alert (showing the LiveCode logo) says:
>>> 
>>> "Codesigning failed with 1) 0C076C94DC082497E47F5FA2F5A390A29E2C400 "iPhone Developer: Dave Kilroy (E7QB8D7WFM)" "
>>> 
>>> As well as a "1)" I'll also get a "2)" a "3)" and a "4)" failures, most but not all apparently linked to my 'bad' developer certificate
>>> 
>>> If I 'OK' that error message I'll get another, this time with a red 'X' symbol telling me that "There was an error saving the standalone application" with the same error from the previous alert repeated
>>> 
>>> What do you see when your codesigning fails? With any luck you don't have the same problem I have!
>>> 
>>> BTW, just in case you seem to have an extra, unwanted certificate, it is worth checking that KeyChain (watch out for storage of public and private keys) and Xcode (watch out for the Preferences folder in the Library) are not holding copies of such a certificate on your hard-drive
>>> 
>>> Good luck!
>>> 
>>> Dave
>>> 
>>> 
>>> 
>>>> I've been posting about certificate renewal etc so that I can go on with iOS development after my profiles / certificates or whatever have expired. I thought I had created a new set of stuff, and XCode now reports that I have valid Provisioning Profiles (don't know why I've got more than one, but I have), plus a (valid) specific profile on the device I'm currently trying to test on (an iPad 2). Oh, and I also have an active ad hoc distribution certificate.
>>>> 
>>>> My app works in the simulator, but when I try to save it as a standalone in order to get it onto the iPad, I get codesigning failures: there seem to be six failures (whatever that means) and two of these look identical. I did not get these when I first set up my (now expired) digital 'assets' (/rant don't you hate the hijacking of perfectly good English words for weird technical purposes? /rant).
>>>> 
>>>> Can anyone tell me how to track down these failures and correct them? I just have no idea how to start. I haven't found anything helpful in the iOS notes for LC either. The only clue I have is that the XCode organizer seems to think I'm two teams with slightly different names. I would gladly delete one of these if I knew how, and I suppose it might help.
>>>> 
>>>> I've been staring at the Apple documentation for most of the day but I am well and truly stuck.
>>>> 
>>>> Anxious
>>>> 
>>>> Graham
>>> 
>>> _______________________________________________
>>> use-livecode mailing list
>>> use-livecode at lists.runrev.com
>>> Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
>>> http://lists.runrev.com/mailman/listinfo/use-livecode

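An added example, not part of the original thread: the numbered `N) <hash> "<name>"` entries in the alert quoted above have the same layout as the listing printed by macOS's `security find-identity -p codesigning`, so one way to track down leftover certificates is to audit that listing for identities marked invalid or sharing a name. The function names, hashes and developer names below are constructed for illustration, and the use of `security find-identity` is an assumption the thread itself does not mention.

```shell
#!/bin/sh
# Constructed sample in the layout of `security find-identity -p codesigning`.
# Hashes and names are placeholders, not values from the thread.
sample_identities() {
  a=AAAAAAAAAA; b=BBBBBBBBBB; c=CCCCCCCCCC
  h1=$a$a$a$a; h2=$b$b$b$b; h3=$c$c$c$c   # 40 hex characters each
  cat <<EOF
Policy: Code Signing
  Matching identities
  1) $h1 "iPhone Developer: Example Dev (EXAMPLE001)" (CSSMERR_TP_CERT_EXPIRED)
  2) $h2 "iPhone Developer: Example Dev (EXAMPLE001)"
  3) $h3 "iPhone Distribution: Example Ltd"
     3 identities found

  Valid identities only
  1) $h2 "iPhone Developer: Example Dev (EXAMPLE001)"
  2) $h3 "iPhone Distribution: Example Ltd"
     2 valid identities found
EOF
}

# Reads a find-identity listing on stdin and reports:
#   INVALID <status> <hash> <name>   identity carrying a CSSMERR_* marker
#   DUPLICATE <count> <name>         several distinct certificates, same name
audit_identities() {
  awk '
    $1 ~ /^[0-9]+\)$/ && length($2) == 40 && $2 ~ /^[0-9A-F]+$/ {
      hash = $2
      if (hash in seen) next          # same cert listed in both sections
      seen[hash] = 1
      rest = substr($0, index($0, "\"") + 1)
      name = substr(rest, 1, index(rest, "\"") - 1)
      if (match($0, /\(CSSMERR_[A-Z_]+\)/))
        print "INVALID " substr($0, RSTART + 1, RLENGTH - 2) " " hash " " name
      count[name]++
    }
    END {
      for (n in count) if (count[n] > 1) print "DUPLICATE " count[n] " " n
    }
  '
}

# On a Mac: security find-identity -p codesigning | audit_identities
sample_identities | audit_identities
```

Each reported hash can then be matched against the certificate's SHA-1 fingerprint shown in Keychain Access before deciding what to delete or revoke.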



