microsoftconnect/intune-app-wrapping-tool-ios

Cannot wrap app: Domain=IntuneAppPackager Code=1

Closed this issue · 14 comments

Hi,

We have reproduced the issue on 2 computers, both with 17 and 18 versions of the App wrapping tool.

Error:
Failed to sign the app executable.
Cause of the error to be provided for investigation:Error Domain=IntuneAppPackager Code=1 "/usr/bin/codesign exited with an error." UserInfo={Error Description=SignExecutableError, NSLocalizedDescription=/usr/bin/codesign exited with an error.}

Also, those 2 computers have the latest Xcode and macOS.

I'd like to add that the wrapping is working for another user on a different computer.

Below is the code that is failing:

Warning: You must specify an AAD client identifier.
Warning: You must specify an AAD reply URI.
WARNING: By default, the Microsoft Intune App Wrapping Tool changes the build string of the target app to help ensure it can be successfully deployed as an upgrade should you decide to wrap the same version/build of the app with a newer version of the wrapping tool (to take advantage of new features). Use of the build string override option (-b) is only recommended if testing revealed some issue in app deployment or functionality caused by the default changes to the build string. For more information on iOS app versions (CFBundleShortVersionString) and build strings (CFBundleVersion), visit https://developer.apple.com/library/ios/documentation/IDEs/Conceptual/AppDistributionGuide/ConfiguringYourApp/ConfiguringYourApp.html#//apple_ref/doc/uid/TP40012582-CH28-SW18
Application packaging in progress...
Version of MACOSX is 14.1.2
Version of XCode installed is Xcode 15.2
Build version 15C500b

Parsing provisioning profile...
Parsing main app provisioning profile...
Parsing extension provisioning profiles...
Checking that main provisioning profile has not expired...
Checking that extension provisioning profiles have not expired...
Checking if signing certificate is valid...
Provided certificate name length matches that of SHA1 hash.
Number of certificates returned by query: 5
Checking certificate at index: 0
Getting certificate common name.
Computing SHA-1 fingerprint of current certificate.
Computing SHA-1 fingerprint of provided certificate.
Checking certificate at index: 1
Getting certificate common name.
Computing SHA-1 fingerprint of current certificate.
Computing SHA-1 fingerprint of provided certificate.
Checking certificate at index: 2
Getting certificate common name.
Computing SHA-1 fingerprint of current certificate.
Computing SHA-1 fingerprint of provided certificate.
Checking certificate at index: 3
Getting certificate common name.
Computing SHA-1 fingerprint of current certificate.
Computing SHA-1 fingerprint of provided certificate.
Possible fingerprint match found. Checking if certificate is contained in provisioning profile...
Computing SHA-256 fingerprint of certificate.
Checking if SHA-256 hash exists in provisioning profile.
Certificate was found in the provisioning profile.
Checking if certificate issuer is Apple.
Checking if signing certificate is found in each extension profile...
Computing SHA-256 fingerprint of certificate.
Checking if SHA-256 hash exists in provisioning profile.
Computing SHA-256 fingerprint of certificate.
Checking if SHA-256 hash exists in provisioning profile.
Creating temporary directories...
Input Parameters
Path to input application: "CHANGED TEXT"
Path to output application: "CHANGED TEXT"
Provisioning profile: "CHANGED TEXT"
Certificate: "CHANGED TEXT"
2024-01-30 13:47:25.115 IntuneMAMFrameworkPatcher[33030:248845] Patching data segment for /var/folders/q_/wrhxms5529lfyxh12_p3fp4h0000gn/T/2F605EBB-2B7C-4E50-89E9-93C45128DB33/destination/Payload/TripViewST.app/Frameworks/IntuneMAMSwift.framework/IntuneMAMSwift
2024-01-30 13:47:25.141 IntuneMAMFrameworkPatcher[33030:248845] Patching data segment for /var/folders/q_/wrhxms5529lfyxh12_p3fp4h0000gn/T/2F605EBB-2B7C-4E50-89E9-93C45128DB33/destination/Payload/TripViewST.app/Frameworks/IntuneMAMSwiftStub.framework/IntuneMAMSwiftStub
2024-01-30 13:47:25.143 IntuneMAMFrameworkPatcher[33030:248845] Patching data segment for /var/folders/q_/wrhxms5529lfyxh12_p3fp4h0000gn/T/2F605EBB-2B7C-4E50-89E9-93C45128DB33/destination/Payload/TripViewST.app/Frameworks/IntuneMAMTelemetry.framework/IntuneMAMTelemetry

Failed to sign the app executable.
Cause of the error to be provided for investigation:Error Domain=IntuneAppPackager Code=1 "/usr/bin/codesign exited with an error." UserInfo={Error Description=SignExecutableError, NSLocalizedDescription=/usr/bin/codesign exited with an error.}

Below is the code that is working:

WARNING: By default, the Microsoft Intune App Wrapping Tool changes the build string of the target app to help ensure it can be successfully deployed as an upgrade should you decide to wrap the same version/build of the app with a newer version of the wrapping tool (to take advantage of new features). Use of the build string override option (-b) is only recommended if testing revealed some issue in app deployment or functionality caused by the default changes to the build string. For more information on iOS app versions (CFBundleShortVersionString) and build strings (CFBundleVersion), visit https://developer.apple.com/library/ios/documentation/IDEs/Conceptual/AppDistributionGuide/ConfiguringYourApp/ConfiguringYourApp.html#//apple_ref/doc/uid/TP40012582-CH28-SW18
Application packaging in progress...
Version of MACOSX is 13.6
Version of XCode installed is Xcode 14.3.1
Build version 14E300c

Parsing provisioning profile...
Parsing main app provisioning profile...
Parsing extension provisioning profiles...
Checking that main provisioning profile has not expired...
Checking that extension provisioning profiles have not expired...
Checking if signing certificate is valid...
Provided certificate name length matches that of SHA1 hash.
Number of certificates returned by query: 2
Checking certificate at index: 0
Getting certificate common name.
Computing SHA-1 fingerprint of current certificate.
Computing SHA-1 fingerprint of provided certificate.
Possible fingerprint match found. Checking if certificate is contained in provisioning profile...
Computing SHA-256 fingerprint of certificate.
Checking if SHA-256 hash exists in provisioning profile.
Certificate was found in the provisioning profile.
Checking if certificate issuer is Apple.
Checking if signing certificate is found in each extension profile...
Computing SHA-256 fingerprint of certificate.
Checking if SHA-256 hash exists in provisioning profile.
Computing SHA-256 fingerprint of certificate.
Checking if SHA-256 hash exists in provisioning profile.
Creating temporary directories...
Input Parameters
Path to input application: "CHANGED TEXT"
Path to output application: "CHANGED TEXT"
Provisioning profile: "CHANGED TEXT"
Certificate: "CHANGED TEXT"
The application was successfully packaged.

Hi @Lorhaft.

Can you confirm:

  1. The certificate for the hash specified exists on the Mac
  2. Evaluating the certificate using 'Keychain Access' shows the certificate is trusted and the root is 'Apple Root CA'
  3. There are no expired certificates on the device with the same hash.

Thank you,
Neil

Hi @msft-neiljac

Thanks for the response.

I can confirm that the distribution cert, intermediate and root all exist for this application. This includes the Apple Root CA and then the WWDR 3 cert.

I'm not seeing any expired certs either.

Interestingly, other apps using the same distribution cert appear to work. Only a few apps that come from a certain vendor have this issue on our machine.

Hi @Lorhaft - Could you try wrapping with the latest release of the app wrapper and sharing the output? This should provide more information on the specific code signing issue, as we've added additional logging to capture this information.

Hi @Kyle-Reis thanks, please find the output below after installing 19.1.0 app wrapping tool.

Warning: You must specify an AAD client identifier.

Warning: You must specify an AAD reply URI.

WARNING: By default, the Microsoft Intune App Wrapping Tool changes the build string of the target app to help ensure it can be successfully deployed as an upgrade should you decide to wrap the same version/build of the app with a newer version of the wrapping tool (to take advantage of new features). Use of the build string override option (-b) is only recommended if testing revealed some issue in app deployment or functionality caused by the default changes to the build string. For more information on iOS app versions (CFBundleShortVersionString) and build strings (CFBundleVersion), visit https://developer.apple.com/library/ios/documentation/IDEs/Conceptual/AppDistributionGuide/ConfiguringYourApp/ConfiguringYourApp.html#//apple_ref/doc/uid/TP40012582-CH28-SW18

Application packaging in progress...

Version of MACOSX is 13.6.4

Version of XCode installed is Xcode 15.2

Build version 15C500b

Parsing provisioning profile...

Parsing main app provisioning profile...

Parsing extension provisioning profiles...

Checking that main provisioning profile has not expired...

Checking that extension provisioning profiles have not expired...

Checking if signing certificate is valid...

Provided certificate name length matches that of SHA1 hash.

Number of certificates returned by query: 2

Checking certificate at index: 0

Getting certificate common name.

Computing SHA-1 fingerprint of current certificate.

Computing SHA-1 fingerprint of provided certificate.

Checking certificate at index: 1

Getting certificate common name.

Computing SHA-1 fingerprint of current certificate.

Computing SHA-1 fingerprint of provided certificate.

Possible fingerprint match found. Checking if certificate is contained in provisioning profile...

Computing SHA-256 fingerprint of certificate.

Checking if SHA-256 hash exists in provisioning profile.

Certificate was found in the provisioning profile.

Checking if certificate issuer is Apple.

Checking if signing certificate is found in each extension profile...

Computing SHA-256 fingerprint of certificate.

Checking if SHA-256 hash exists in provisioning profile.

Computing SHA-256 fingerprint of certificate.

Checking if SHA-256 hash exists in provisioning profile.

Creating temporary directories...

Input Parameters

Path to input application: /users/nickknight/Downloads/IntuneMDM/Packages/TripView/6.0.0-681 R1/Source/TripViewST-B681.ipa

Path to output application: /users/nickknight/Downloads/IntuneMDM/Packages/TripView/6.0.0-681 R1/Wrapped App/TripView_6.0.0-681_Trains_R1.ipa

Provisioning profile: /users/nickknight/Downloads/IntuneMDM/Packages/TripView/6.0.0-681 R1/Provisioning Profile/com_grofsoft_tripview_SydneyTrains_Exp_12_Dec_2024.mobileprovision

Certificate: REMOVED

/var/folders/qt/mgrl7f410cn9h1b7xzn5b98h0000gn/T/70FF78A3-72E5-4F2A-81E4-77B1C14E2670/destination/Payload/TripViewST.app/Watch/WatchAppST.app/PlugIns/WatchAppST Extension.appex: replacing existing signature

/var/folders/qt/mgrl7f410cn9h1b7xzn5b98h0000gn/T/70FF78A3-72E5-4F2A-81E4-77B1C14E2670/destination/Payload/TripViewST.app/Watch/WatchAppST.app/PlugIns/WatchAppST Extension.appex: resource fork, Finder information, or similar detritus not allowed

Failed to sign the app executable.

Cause of the error to be provided for investigation:Error Domain=IntuneAppPackager Code=1 "/usr/bin/codesign exited with an error." UserInfo={Error Description=SignExecutableError, NSLocalizedDescription=/usr/bin/codesign exited with an error.}

Sorry I've realised I've put the whole code in.

You probably only want the Log:

Warning: Warning: You must specify an AAD client identifier.

Warning: Warning: You must specify an AAD reply URI.

Warning: WARNING: By default, the Microsoft Intune App Wrapping Tool changes the build string of the target app to help ensure it can be successfully deployed as an upgrade should you decide to wrap the same version/build of the app with a newer version of the wrapping tool (to take advantage of new features). Use of the build string override option (-b) is only recommended if testing revealed some issue in app deployment or functionality caused by the default changes to the build string. For more information on iOS app versions (CFBundleShortVersionString) and build strings (CFBundleVersion), visit https://developer.apple.com/library/ios/documentation/IDEs/Conceptual/AppDistributionGuide/ConfiguringYourApp/ConfiguringYourApp.html#//apple_ref/doc/uid/TP40012582-CH28-SW18

Message: Application packaging in progress...

Verbose: Version of MACOSX is 13.6.4

Verbose: Version of XCode installed is Xcode 15.2
Build version 15C500b

Verbose: Parsing provisioning profile...

Verbose: Parsing main app provisioning profile...

Verbose: Parsing extension provisioning profiles...

Verbose: Checking that main provisioning profile has not expired...

Verbose: Checking that extension provisioning profiles have not expired...

Verbose: Checking if signing certificate is valid...

Verbose: Provided certificate name length matches that of SHA1 hash.

Verbose: Number of certificates returned by query: 2

Verbose: Checking certificate at index: 0

Verbose: Getting certificate common name.

Verbose: Computing SHA-1 fingerprint of current certificate.

Verbose: Computing SHA-1 fingerprint of provided certificate.

Verbose: Checking certificate at index: 1

Verbose: Getting certificate common name.

Verbose: Computing SHA-1 fingerprint of current certificate.

Verbose: Computing SHA-1 fingerprint of provided certificate.

Verbose: Possible fingerprint match found. Checking if certificate is contained in provisioning profile...

Verbose: Computing SHA-256 fingerprint of certificate.

Verbose: Checking if SHA-256 hash exists in provisioning profile.

Verbose: Certificate was found in the provisioning profile.

Verbose: Checking if certificate issuer is Apple.

Verbose: Checking if signing certificate is found in each extension profile...

Verbose: Computing SHA-256 fingerprint of certificate.

Verbose: Checking if SHA-256 hash exists in provisioning profile.

Verbose: Computing SHA-256 fingerprint of certificate.

Verbose: Checking if SHA-256 hash exists in provisioning profile.

Verbose: Creating temporary directories...

Verbose: Input Parameters
Path to input application:         /users/nickknight/Downloads/IntuneMDM/Packages/TripView/6.0.0-681 R1/Source/TripViewST-B681.ipa
Path to output application:  /users/nickknight/Downloads/IntuneMDM/Packages/TripView/6.0.0-681 R1/Wrapped App/TripView_6.0.0-681_Trains_R1.ipa
Provisioning profile:              /users/nickknight/Downloads/IntuneMDM/Packages/TripView/6.0.0-681 R1/Provisioning Profile/com_grofsoft_tripview_SydneyTrains_Exp_12_Dec_2024.mobileprovision
Certificate:           62 67 B3 74 33 C4 D1 03 03 3A 85 AF 88 41 3C 79 FB 4B 97 7C

Warning: /var/folders/qt/mgrl7f410cn9h1b7xzn5b98h0000gn/T/70FF78A3-72E5-4F2A-81E4-77B1C14E2670/destination/Payload/TripViewST.app/Watch/WatchAppST.app/PlugIns/WatchAppST Extension.appex: replacing existing signature
/var/folders/qt/mgrl7f410cn9h1b7xzn5b98h0000gn/T/70FF78A3-72E5-4F2A-81E4-77B1C14E2670/destination/Payload/TripViewST.app/Watch/WatchAppST.app/PlugIns/WatchAppST Extension.appex: resource fork, Finder information, or similar detritus not allowed

Error: Failed to sign the app executable.
Cause of the error to be provided for investigation:Error Domain=IntuneAppPackager Code=1 "/usr/bin/codesign exited with an error." UserInfo={Error Description=SignExecutableError, NSLocalizedDescription=/usr/bin/codesign exited with an error.}

Hi @Lorhaft, it looks like there is a problem with one of the app's extensions:

/var/folders/qt/mgrl7f410cn9h1b7xzn5b98h0000gn/T/70FF78A3-72E5-4F2A-81E4-77B1C14E2670/destination/Payload/TripViewST.app/Watch/WatchAppST.app/PlugIns/WatchAppST Extension.appex: resource fork, Finder information, or similar detritus not allowed

Please see Apple's documentation on this issue:
https://developer.apple.com/library/archive/qa/qa1940/_index.html

It's interesting that the signing failure doesn't occur on both machines, since according to the doc, this requirement was introduced back in iOS 10. Are you certain that the same version of the app is being wrapped on both machines?

@Lorhaft - Maybe this is what is causing it to happen inconsistently (from the doc linked above):

"Note that browsing files within a bundle with Finder's Show Package Contents command can cause Finder info to be added to those files. Otherwise, audit your build process to see where the extended attributes are being added."

Thanks for that, @Kyle-Reis.

I am assuming the app developer will need to fix this? We will forward the error to them.

@Lorhaft Is it possible that after downloading, the contents of the app bundle were inspected using the "Show Package Contents" command? According to that last note I mentioned, this can cause this issue to occur. Maybe try grabbing a new copy of the app bundle from the source and wrapping without inspecting the contents first?

@Kyle-Reis

Thanks, I have tried replacing the source IPA with the original we were supplied, and not touching it (just immediately running the script), and the error still occurs, unfortunately.

Yep, so the issue is occurring for us on two different Macs, and we are definitely not using the Show Package Contents command. I've also nailed it down to 4 apps having the issue.
The rest of the customer apps (there are quite a few) are not having the issue.
There is still one person who can wrap the apps, so hopefully that does not break in the meantime.

Thanks for the updates, @Lorhaft. From the Apple doc I shared earlier, running the command below might help determine which files within the app bundle are the problematic ones, which could be useful information for the app developer:

xattr -lr <path_to_app_bundle>

You could also try running the command to remove all extended attributes, but I think this may invalidate the original code signature of the application which will prevent successful wrapping:

xattr -cr <path_to_app_bundle>
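
A pre-wrap check built on the `xattr -lr` command above, as an added example that is not part of the original thread or of the Intune tool: it filters the listing down to the files carrying the attributes that produce the "resource fork, Finder information, or similar detritus" error. The function names and sample listing are constructed for illustration; the attribute names `com.apple.FinderInfo` and `com.apple.ResourceFork` and the `path: attribute: value` line layout of `xattr -l` are assumptions about the macOS tooling.

```shell
#!/bin/sh
# Extended attributes assumed to trigger codesign's "detritus not allowed" error.
DETRITUS_ATTRS='com.apple.FinderInfo com.apple.ResourceFork'

# Read `xattr -lr` output on stdin and print "<attribute><TAB><path>" for each
# file carrying one of the attributes above. Paths may contain spaces.
detritus_from_xattr_output() {
    awk -v attrs="$DETRITUS_ATTRS" '
        BEGIN { n = split(attrs, want, " ") }
        {
            for (i = 1; i <= n; i++) {
                marker = ": " want[i] ":"
                pos = index($0, marker)
                # A header line looks like "path: attr: value"; everything
                # before the marker is the path. Other lines are skipped.
                if (pos > 1)
                    printf "%s\t%s\n", want[i], substr($0, 1, pos - 1)
            }
        }
    ' | sort -u
}

# Scan an unpacked bundle: 0 = clean, 1 = offending files listed, 2 = no xattr tool.
check_bundle() {
    if ! command -v xattr >/dev/null 2>&1; then
        echo "xattr not found (macOS only)" >&2
        return 2
    fi
    found=$(xattr -lr "$1" | detritus_from_xattr_output)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Constructed sample of `xattr -lr` output (not taken from the thread).
sample_xattr_output() {
    cat <<'EOF'
Payload/Example.app/Info.plist: com.apple.quarantine: 0081;00000000;Safari;
Payload/Example.app/PlugIns/Example Extension.appex/Example Extension: com.apple.FinderInfo:
00000000  00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  |........@.......|
00000010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
00000020
Payload/Example.app/Assets.car: com.apple.ResourceFork:
00000000  00 00 01 00  |....|
EOF
}

# Usage: sh check_xattr.sh <path_to_app_bundle>
if [ "$#" -gt 0 ]; then
    check_bundle "$1"
fi
```

Run it against the unpacked `.app` directory before wrapping; a non-empty listing identifies the files to report to the app developer.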

Hi, glad to say it's been resolved @Kyle-Reis

The issue we found was that even clicking on the file once, or using Get Info to get the file path, returned the error.

When I copied the original files to USB, then threw them in Downloads and did not touch them, it worked.

To be clear, we never actually did "Show Contents" and inspected the files inside. The issue came from simply looking at the file in the Finder, or copying the filepath from Get info.

Thanks for the info, @Lorhaft. We will see if there's anything that can be done on our end to avoid this signing failure. Glad you were able to get it figured out.