I have a Mac app that requires custom downloads for each user. I've done everything to sign the app for Gatekeeper, and it all verifies on the build. But when the app gets downloaded from the website with the custom file added, Gatekeeper no longer verifies.
Is there a way to do custom files without re-signing the app for each download? I just need to update a .plist file in the app bundle. The website is written in ASP.Net, so signing on the server probably won't work.
It sounds like you are attempting to sign your .app bundle, upload it to a web-server, and then modify a .plist value inside the .app wrapper before the .app bundle is downloaded and given to a customer.
Gatekeeper will not allow this. (At least, it will not allow it with "version 2" signatures, which are required for deployment on OS X 10.9.5 or later. It was permitted with the older signing system, so if you are content to deploy on OS X < 10.9.5, you could get away with it.)
See Apple Tech Note 2206 for reference (in particular the FAQ "I want to exclude files so I can fix my bundle after I build it"):
https://developer.apple.com/library/mac/technotes/tn2206/_index.html#//apple_ref/doc/uid/DTS40007919-CH1-TNTAG302
Note: If you modify your .plist entry as you say you will end up with a broken signature, but all hope is not lost. If your users have the default security settings, they can still right-click on your .app bundle and say 'Open.' This will result in some scary security warnings from Apple, but if your users persist in clicking 'OK' then they will be able to run your app just fine.
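Why the edited .plist breaks the signature, as an added example that is not part of the original answer: a version 2 signature records a hash for each sealed resource in `Contents/_CodeSignature/CodeResources`, and any file changed after signing no longer matches its entry. The sketch below checks only the files listed under `files2`, not the cryptographic signature itself; the bundle name, the file `user.plist` and its contents are constructed for the demonstration.

```python
import hashlib
import plistlib
import tempfile
from pathlib import Path


def check_sealed_resources(app):
    """Compare files listed in CodeResources 'files2' with what is on disk."""
    contents = Path(app) / "Contents"
    with open(contents / "_CodeSignature" / "CodeResources", "rb") as fh:
        seal = plistlib.load(fh)
    report = {"ok": [], "modified": [], "missing": []}
    for rel, entry in sorted(seal.get("files2", {}).items()):
        # Nested code (cdhash) and symlinks are sealed differently; skip them.
        if not isinstance(entry, dict) or "cdhash" in entry or "symlink" in entry:
            continue
        # Prefer the SHA-256 value (hash2); fall back to the SHA-1 value (hash).
        algo, want = ("sha256", entry.get("hash2")) if "hash2" in entry else ("sha1", entry.get("hash"))
        if want is None:
            continue
        path = contents / rel
        if not path.is_file():
            if not entry.get("optional"):
                report["missing"].append(rel)
            continue
        got = hashlib.new(algo, path.read_bytes()).digest()
        report["ok" if got == want else "modified"].append(rel)
    return report


def build_demo_bundle(root):
    """Constructed sample: a minimal bundle with one sealed per-user plist."""
    app = Path(root) / "Demo.app"
    res = app / "Contents" / "Resources"
    res.mkdir(parents=True)
    (app / "Contents" / "_CodeSignature").mkdir()
    body = plistlib.dumps({"customer": "placeholder"})
    (res / "user.plist").write_bytes(body)
    seal = {"files2": {"Resources/user.plist": {"hash2": hashlib.sha256(body).digest()}}}
    with open(app / "Contents" / "_CodeSignature" / "CodeResources", "wb") as fh:
        plistlib.dump(seal, fh)
    return app


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        app = build_demo_bundle(tmp)
        print("as built:  ", check_sealed_resources(app))
        # What the web server does: rewrite the plist after signing.
        (app / "Contents/Resources/user.plist").write_bytes(plistlib.dumps({"customer": "alice"}))
        print("after edit:", check_sealed_resources(app))
```

On a Mac, `codesign --verify --deep --strict` on the real bundle performs the full check, including the signature over the seal itself.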
Related
After upgrading to macOS Catalina with latest Xcode 11, I am not able to read files directly from user path when doing unit testing, example:
PROJECT_DIR + "/FolderX/myFile.json",
I keep getting error Thread 1: EXC_BAD_ACCESS (code=1, address=0x8)
This also happens when I am trying to open a Couchbase Lite database with a custom path.
Error:
error opening!: 14
Cannot open database, Error : Error Domain=SQLite Code=14 "unable to open database file" UserInfo={NSLocalizedDescription=unable to open database file}
I believe this is an issue due to the read write access between my simulator and the latest Catalina.
My current workaround is to add my files and database to target membership and read the files directly from [NSBundle bundleForClass:[self class]].bundlePath.
Is there any better fix to this? Like tweaking any setting to allow it to read files from custom path like in older versions?
You might try looking in System Preferences > Security & Privacy > Privacy tab. From there, scroll down to "Files and Folders" <-- There's where you can see programs and the folders they have been granted access to in Catalina.
Personally, I didn't have time to waste figuring out how the new file permissions are supposed to work, so I let Xcode have full disk permission. (Right above the "Files and Folders" is "Full Disk Access".)
Of course, that solved all my issues... after I get a chance to play with the new file permissions, I may revoke that access and give it explicit folder access.
Well, if anyone is still struggling with this, I've moved all my projects outside of ~/Documents/
It is strange that projects under ~/Documents/ don't get asked for read permission, other paths do!
I ended up putting all my projects under ~/workspace/
** For those who don't know, ~/ means /Users/{your username}/
Check your File Access settings in the App Sandbox in your project's settings, under Signing and Capabilities. For example, I couldn't access files in /Users/Bert/Downloads, even after turning on Full Disk Access in Security and Privacy in System Preferences. I had to grant read access to the Downloads Folder in App Sandbox settings.
I distributed my XAF WinForms + Desktop Bridge app to myself via the Windows Store, following this blog.
From the blog, I want to pre-generate the ModelAssembly.dll, Model.Cache.xafml and ModulesVersionInfo file and package them to go in the output directory.
These files are generated by XAF if they don't already exist.
Where the output directory is given by
Path.GetDirectoryName(GetType().Assembly.Location)
When I install and run my app from the store, I get this error message:
Access to the path 'C:\Program Files\WindowsApps\JobTalk.JobTalk_1.0.19.0_x64__8kpaqbvntb9aj\SBD.JobTalk.Workflow.Win10\ModelAssembly.dll' is denied.
In the code I tried looking for Path.GetRelativePath, but it is not available in Framework 4.7.2.
In short, a UWP app is not allowed to access files via absolute path, because UWP apps run in a sandbox and have very limited access to files outside the app container. In most scenarios, a UWP app can directly access only its install folder and its application data folder. Since the converted app is also a UWP app, your app needs to follow this rule.
Please check Prepare to package a desktop application. The document mentions some scenarios that are related to your question.
Your application writes to the AppData folder or to the registry with the intention of sharing data with another app. After conversion, AppData is redirected to the local app data store, which is a private store for each UWP app.
Your application writes to the install directory for your app. For example, your application writes to a log file that you put in the same directory as your exe. This isn't supported, so you'll need to find another location, like the local app data store.
Here, there's a special scenario in which you could access files via absolute path. It's a restricted capability called broadFileSystemAccess. Once you add the broadFileSystemAccess capability, you could use the APIs in the Windows.Storage namespace to get all files that the user has access to. Please read File access permissions for more information.
Please note that the document has explained:
If you submit an app to the Store that declares this capability, you will need to supply additional descriptions of why your app needs this capability, and how it intends to use it.
Xavier's answer explains what was going wrong. The reason it happened on my project was that I missed the step of marking the linked files as "Copy if newer"
My client wants to submit the project by himself, so he asked me to get the Xcode xcarchive of the project and send it to him to sign and upload.
He gave me his development certificate; I installed it and signed the target with its provisioning profile.
The build configuration that I'm using for signing is a copy of "Release".
Now when he tries to re-sign the archive and submit it, iTunes throws an error, Invalid Binary, and the culprit is the signature.
It says:
Invalid Signature - Make sure you have signed your application with a
distribution certificate, not an ad hoc certificate or a development
certificate. Verify that the code signing settings in Xcode are
correct at the target level (which override any values at the project
level). Additionally, make sure the bundle you are uploading was built
using a Release target in Xcode, not a Simulator target. If you are
certain your code signing settings are correct, choose "Clean All" in
Xcode, delete the "build" directory in the Finder, and rebuild your
release target. Once you have corrected these issues, go to the app's
version details page (found in the Manage Your Applications module of
iTunes Connect) and click Ready to Submit Binary. Proceed through the
submission process until the app's status is Waiting for Upload. You
can then use Application Loader to upload the corrected binary.
Do I need the private key used by my client?
Can someone please point me to the right direction? Can I get any tutorial or video how to resign the archive and submit it to the store.
I think you should ask your client to generate a distribution certificate and then sign your project with it.
For an ASP.NET web application that is packaged and sold to customers for deployment, what would be the best location for a "read me" file with notes about setup and configuration on the target system?
Requirements:
The file should not be accessible by users of the web application, only the person doing setup and configuration.
The file should be consumable by the MSI installer program, so that it can be displayed as part of the setup wizard UI.
The solution should be simple and very low cost. (I don't want an elaborate solution for just a simple text file.)
Some thoughts I have are to copy the file to *App_Data* or to bin as those are protected folders by default, and then pull the file in from one of those locations in the setup program.
The readme should be a separate file that sits beside the MSI on the media you distribute the web app on. This is a standard practice dating from generations ago the dark ages. If you distribute as a download from the web then have a link for the MSI, and a link for the readme.
You could also include the same file into the MSI, but arguably that is the wrong place for it as the user has yet to reach the configuration stage, and unless they print it they won't be able to refer to it later in the MSI process (if you have any configuration steps in the MSI).
Having the instructions available via the web app is also arguably wrong, as the user may have to do some initial configuration in order to reach the page telling them how to configure the app....
So ship the instructions separately to the MSI, and make sure they look okay and are easily readable when printed out. Remember these pointers:
Instructions are not always read
Instructions are not always read at the time of installation
Instructions are not always read by the same person that does the installation
Instructions are not always read from the screen
Instructions are not always read correctly, even when they are simple
Instructions are not always read (I know that is a duplicate of the first point...)
Don't forget to clearly distinguish between pre-install and post-install configuration instructions (even if they are in the same document) - you want to minimize the risk of the end user getting it wrong (which some of them will do no matter how hard you try).
Build the important message into your application. Do it like Apache where it says "this is a new installation of...." and don't allow that screen to go away until they go in and do all the things that you consider important.
This isn't a problem for your installer to solve.
So ... here is the scenario ... I have a workflow on a document library that copies a file to a Windows directory ... this workflow is set to be started at the time when a new item is added to the document library ... so everything works fine when you are manually uploading files to the doc library ... but the problem occurs when we use emails to populate the doc library instead of the manual uploading of files.
When an email is received ... the workflow starts successfully and runs properly (I have kept workflow history entries to check whether every section of code is being executed or not) ... the workflow stops when the section where the file is being copied to the Windows folder is reached.
I basically think this is a problem with the permissions or access issues. Because when we upload the file manually (i.e. from doc library > upload) everything works fine. But maybe there is some other permission set which is used while an email is received by the doc library ... I have tried by assigning permissions to "Everyone" on the Windows folder ... but no luck...
Can someone let me know which Windows user account is used when an email is received by a document library? (I think it's the IIS default account - but isn't it included in Everyone??)
One solution which I can devise in my mind is that for the file transfer to the Windows folder I should use temporary impersonation for the specific code segment (which writes the doc library file to the Windows folder) but any suggestions are welcome.
P.S. I don't have access to the server right now so I can only devise approaches in my mind ... can't test them right now... so it would be good to have all suggestions you have so that once I get the access I can try all stuff :D
This is a well known situation. The system does not know who sent the email so it cannot impersonate a user it has no knowledge about.
Depending on which version of SharePoint you are running, the workflow may not start at all or it may start under the account that published the workflow.
For details see this Microsoft Support Article.