
Invalid signature format on watchOS8 with watchos_application/watchos_extension (no issues on watchOS7)

Open rsahara opened this issue 4 years ago • 7 comments

The issue

We're getting an error ("failed to install") when we try to install our watch app built with watchos_application/watchos_extension with an enterprise account, on watchOS8.

In the iPhone's logs, we have this line during the error:

0x16b073000 -[ACXInstallQueue _onQueue_deQueueNextOperation]_block_invoke_2: Failed to install app jp.mofu.app (p = N, ui = Y) : Error Domain=ACXErrorDomain Code=17 "Got error 17 in install done from remote side (MI error ApplicationVerificationFailed ; Extended 0xe8008029 ; Desc Failed to verify code signature of /var/installd/Library/Caches/com.apple.mobile.installd.staging/temp.bpgygq/extracted/Payload/MofuWatchKitApp.app : 0xe8008029 (The code signature version is no longer supported.))" UserInfo={SourceFileLine=646, NSLocalizedDescription=Got error 17 in install done from remote side (MI error ApplicationVerificationFailed ; Extended 0xe8008029 ; Desc Failed to verify code signature of /var/installd/Library/Caches/com.apple.mobile.installd.staging/temp.bpgygq/extracted/Payload/MofuWatchKitApp.app : 0xe8008029 (The code signature version is no longer supported.)), FunctionName=-[ACXServerInstallOperation receivedDictionaryOrData:]}

The same app can be installed without problems on watchOS7.

Some investigations

I found a discussion about this error: https://developer.apple.com/forums/thread/682775?page=2. This error should only happen when an app is built on Catalina or an older OS, but our app was built on Big Sur.

I've checked the signature of each embedded executable (app/appex) by running codesign -dvvvvv, and it appeared that only the watch app (and the watch extension) had invalid signatures: the "missing hash slot entitlement for -7" (as explained in the thread).

% codesign -dvvvvv MofuWatchKitApp.app 
Executable=/Users/JP22226/Downloads/MOFU/Payload/MOFU.app/Watch/MofuWatchKitApp.app/MofuWatchKitApp
Identifier=jp.mofu.WatchKitApp
Format=app bundle with Mach-O universal (armv7k arm64_32)
CodeDirectory v=20400 size=581 flags=0x0(none) hashes=9+5 location=embedded
VersionPlatform=4
VersionMin=131072
VersionSDK=459776
Hash type=sha256 size=32
CandidateCDHash sha1=b08b3e8aff5e7f70c6c9c524eba55e028bb23167
CandidateCDHashFull sha1=b08b3e8aff5e7f70c6c9c524eba55e028bb23167
CandidateCDHash sha256=1b1decdd7f29371b2deadc3929e650b6845659ec
CandidateCDHashFull sha256=1b1decdd7f29371b2deadc3929e650b6845659ec3a02dc03d146b94489851379
Hash choices=sha1,sha256
CMSDigest=4ee491dd144384a15092b30c51737e20c6180fbbb5c399e6fcef593fe7a9aa26
CMSDigestType=2
Executable Segment base=0
Executable Segment limit=16384
Executable Segment flags=0x1
Page size=4096
    -5=16e2e5607b53070fb4dbf7f26f69167c79a0e02f32d484eead934409fdee9e7f
    -4=0000000000000000000000000000000000000000000000000000000000000000
    -3=345335a7d7b363e26004e1096fd059674016381530bb7862104d2a189e4328e0
    -2=0aeee5154dd9ab1541f398a54e8439d120728ed52a6b6cf3f170a77fce492183
CDHash=1b1decdd7f29371b2deadc3929e650b6845659ec
Signature size=4779
Authority=iPhone Distribution: Mofu
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=Aug 20, 2021 12:14:04
Info.plist entries=25
TeamIdentifier=MOFUMOFU
Sealed Resources version=2 rules=10 files=36
Internal requirements count=1 size=192

Some workarounds

Re-signing

I followed the instructions in the thread. Unzipping the ipa, re-signing the executables with --generate-entitlement-der, and zipping the ipa again worked.

% codesign -s "iPhone Distribution: Mofu" -f --preserve-metadata --generate-entitlement-der MofuWatchKitApp.app/
Warning: default usage of --preserve-metadata implies "resource-rules" (deprecated in Mac OS X >= 10.10)!
MofuWatchKitApp.app/: replacing existing signature

# Same on the other embedded executables, then on the main app.

Passing the option to codesign

By passing

    codesignopts = ["--generate-entitlement-der"],

to where we're using watchos_extension (codesignopts available) and watchos_application (with a few changes to hardcode codesignopts), the resulting IPA was OK.

I don't know why we only have this problem with the watch app. All the other extensions are OK (they all have the -7 value and they all launch successfully).

rsahara avatar Aug 24 '21 08:08 rsahara

Are you on Big Sur? And using Xcode 12.5?

keith avatar Aug 24 '21 17:08 keith

Yes, on Big Sur 11.5.1, using Xcode 12.5.1.

rsahara avatar Aug 25 '21 00:08 rsahara

Hearing from some folks that this is an Xcode bug that was supposed to be fixed in 13.0 beta 5 but was not, and happens with xcodebuild as well. If we're just missing a flag that Xcode started passing we can probably add that

keith avatar Aug 26 '21 17:08 keith

Check out https://developer.apple.com/documentation/xcode/using-the-latest-code-signature-format

It looks like your value of CodeDirectory v=20400 is mentioned to be "the old format" (it should be 20500). Based on this doc I think all you have to do is regenerate your provisioning profile and rebuild like normal

keith avatar Sep 24 '21 16:09 keith
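
The two checks raised in this thread (the CodeDirectory version and the -7 special slot in the codesign -dvvvvv output), as an added example that is not part of the original thread or of rules_apple. The function name, the thresholds as constants, and the "re-signed" sample with its digest are constructed for illustration.

```python
import re

MIN_CD_VERSION = 20500   # per the thread: v=20400 is "the old format"
DER_SLOT = -7            # the special slot the original post found missing

def audit_codesign_output(text):
    """Return findings for one `codesign -dvvvvv` dump (empty list = passes)."""
    findings = []
    m = re.search(r"^CodeDirectory v=(\d+)", text, re.MULTILINE)
    if m is None:
        findings.append("no CodeDirectory line (unsigned or truncated output)")
    elif int(m.group(1)) < MIN_CD_VERSION:
        findings.append(f"CodeDirectory v={m.group(1)} is older than {MIN_CD_VERSION}")
    # Special slots are printed as indented "-N=<hex digest>" lines.
    slots = {int(n): d for n, d in
             re.findall(r"^\s*(-\d+)=([0-9a-fA-F]+)\s*$", text, re.MULTILINE)}
    digest = slots.get(DER_SLOT)
    if digest is None:
        findings.append("special slot -7 is missing")
    elif set(digest) == {"0"}:
        # An all-zero digest marks an unused slot (like -4 in the dump above).
        findings.append("special slot -7 is all zeros")
    return findings

# Excerpt of the watch app dump posted in this issue.
OLD_SAMPLE = """\
Identifier=jp.mofu.WatchKitApp
CodeDirectory v=20400 size=581 flags=0x0(none) hashes=9+5 location=embedded
Page size=4096
    -5=16e2e5607b53070fb4dbf7f26f69167c79a0e02f32d484eead934409fdee9e7f
    -4=0000000000000000000000000000000000000000000000000000000000000000
    -3=345335a7d7b363e26004e1096fd059674016381530bb7862104d2a189e4328e0
    -2=0aeee5154dd9ab1541f398a54e8439d120728ed52a6b6cf3f170a77fce492183
"""

# Constructed sample: what a passing dump would look like (digest is made up).
RESIGNED_SAMPLE = (OLD_SAMPLE.replace("v=20400", "v=20500")
                   .replace("hashes=9+5", "hashes=9+7")
                   .replace("Page size=4096\n",
                            "Page size=4096\n    -7=" + "ab" * 32 + "\n"))

if __name__ == "__main__":
    for name, dump in (("old", OLD_SAMPLE), ("re-signed", RESIGNED_SAMPLE)):
        print(name, audit_codesign_output(dump) or "OK")
```

codesign -d writes its report to stderr, so capture it with 2>&1 before passing the text to the function.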

Thanks, I'll try again.

rsahara avatar Sep 27 '21 08:09 rsahara

Hi rsahara. Did you solve the problem?

I also compiled the project using Xcode 13 on Big Sur 11.6, but it was exactly the same and it didn't solve the problem. 😥

fatenumber25 avatar Oct 02 '21 07:10 fatenumber25

I just tried by regenerating the provisioning profiles but I still have the same problem. I'm still using the workaround (codesignopts = ["--generate-entitlement-der"]) for now.

rsahara avatar Oct 04 '21 03:10 rsahara

Closing as it doesn't reproduce on a recent environment (Bazel/Xcode/rules)

rsahara avatar Apr 04 '23 05:04 rsahara