Developing MacOS Apps vs. Adobe Air = resource fork, Finder information, or similar detritus not allowed

Report · Feb 22, 2018

Hi,

is anyone still developing macOS Apps using Adobe Air/Flash/Animate?

I've finished a new macOS App and now I'm trying to use my old script (which always worked before) but it seems Apple changed something.

When I use this script in Terminal:

cd /Users/essig/Desktop

cp MacProcess/Info.plist Europa\ meistern.app/Contents/Info.plist

cp MacProcess/Icon.icns Europa\ meistern.app/Contents/Resources/Icon.icns

chmod -R 777 Europa\ meistern.app

codesign -f -v -s "3rd Party Mac Developer Application: Jan Essig " Europa\ meistern.app/Contents/Frameworks/Adobe\ AIR.framework/Versions/Current/Adobe\ AIR_64\ Helper

codesign -f -v -s "3rd Party Mac Developer Application: Jan Essig " Europa\ meistern.app/Contents/Frameworks/Adobe\ AIR.framework/Versions/Current/Adobe\ AIR_64

codesign -f -v -s "3rd Party Mac Developer Application: Jan Essig " Europa\ meistern.app/Contents/Frameworks/Adobe\ AIR.framework/Versions/Current/Adobe\ AIR

codesign -f -v -s "3rd Party Mac Developer Application: Jan Essig " Europa\ meistern.app/Contents/MacOS/Europa\ meistern

codesign -f -v -s "3rd Party Mac Developer Application: Jan Essig " Europa\ meistern.app

codesign -f -v -s "3rd Party Mac Developer Application: Jan Essig " --entitlements MacProcess/entitlement.plist Europa\ meistern.app

codesign --display --entitlements - Europa\ meistern.app

productbuild --component Europa\ meistern.app /Applications EuropaInstaller.pkg --sign "3rd Party Mac Developer Installer: Jan Essig "

I'm getting this error message several times:

Europa meistern.app: replacing existing signature

Europa meistern.app: resource fork, Finder information, or similar detritus not allowed

... however - the .pkg file is built with the script. When I try to upload it vie Application Loader I'm getting this Error Message:

ERROR ITMS-90296: "App sandbox not enabled. The following executables must include the "com.apple.security.app-sandbox" entitlement with a Boolean value of true in the entitlements property list: [( "com.essig.europameisternmac.pkg/Payload/Europa meistern.app/Contents/MacOS/Europa meistern" )] Refer to App Sandbox page at https://developer.apple.com/devcenter/mac/app-sandbox/ for more information on sandboxing your app."

Does anyone know how to fix this?

A short reply would be GREAT!! Thanks a lot in advance!

Jan

Report · Feb 23, 2018

Good morning,

I received some great hints from PATurmel12 and I guess I´m close do fix this issue.

After publishing the macOS App from Animate CC / Adobe Air (27.0.0.116) I opened the .app (Control Click on the .app file and select 'Show Package Contents‘).

- In the Contents/Resources folder I replaced the Icon.icns file with my own.

- Additions to the Info.plist

<key>LSApplicationCategoryType</key>

<string>public.app-category.education</string>

<key>CFBundleVersion</key>

Then I deleted these Files from the Package:

- webkit .dylib file at Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Resources/WebKit.dylib

- Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Resources/Adobe AIR.vch

- Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Resources/Flash Player.plugin

- Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Resources/_MACOSX (the entire folder)

Then I used this code in Terminal for signing the App:

cd /Users/essig/Desktop

chmod -R 777 Europa\ meistern.app

codesign -f -v -s "3rd Party Mac Developer Application: Jan Essig" Europa\ meistern.app/Contents/Frameworks/Adobe\ AIR.framework/Versions/1.0/Adobe\ AIR

codesign -f -v -s "3rd Party Mac Developer Application: Jan Essig" Europa\ meistern.app/Contents/Frameworks/Adobe\ AIR.framework/Versions/1.0/Adobe\ AIR_64

codesign -f -v -s "3rd Party Mac Developer Application: Jan Essig" Europa\ meistern.app/Contents/Frameworks/Adobe\ AIR.framework/Adobe\ AIR

codesign -f -v -s "3rd Party Mac Developer Application: Jan Essig" Europa\ meistern.app/Contents/Frameworks/Adobe\ AIR.framework/Versions/1.0

codesign -f -v -s "3rd Party Mac Developer Application: Jan Essig" --entitlements MacProcess/entitlement.plist Europa\ meistern.app

codesign --display --entitlements - Europa\ meistern.app

productbuild --component Europa\ meistern.app /Applications EuropaInstaller.pkg --sign "3rd Party Mac Developer Installer: Jan Essig"

… except for the first codesigning line in the script (signing Adobe Air) everything worked - here's the Terminal output:

MacBook-Pro:~ essig$ cd /Users/essig/Desktop

MacBook-Pro:Desktop essig$ chmod -R 777 Europa\ meistern.app

MacBook-Pro:Desktop essig$ codesign -f -v -s "3rd Party Mac Developer Application: Jan Essig" Europa\ meistern.app/Contents/Frameworks/Adobe\ AIR.framework/Versions/1.0/Adobe\ AIR

Europa meistern.app/Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Adobe AIR: code object is not signed at all

In subcomponent: /Users/essig/Desktop/Europa meistern.app/Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Adobe AIR_64

MacBook-Pro:Desktop essig$ codesign -f -v -s "3rd Party Mac Developer Application: Jan Essig" Europa\ meistern.app/Contents/Frameworks/Adobe\ AIR.framework/Versions/1.0/Adobe\ AIR_64

Europa meistern.app/Contents/Frameworks/Adobe AIR.framework/Versions/1.0/Adobe AIR_64: signed Mach-O thin (x86_64) [Adobe AIR_64]

MacBook-Pro:Desktop essig$ codesign -f -v -s "3rd Party Mac Developer Application: Jan Essig" Europa\ meistern.app/Contents/Frameworks/Adobe\ AIR.framework/Adobe\ AIR

Europa meistern.app/Contents/Frameworks/Adobe AIR.framework/Adobe AIR: signed bundle with Mach-O thin (x86_64) [com.adobe.AIR]

MacBook-Pro:Desktop essig$ codesign -f -v -s "3rd Party Mac Developer Application: Jan Essig" Europa\ meistern.app/Contents/Frameworks/Adobe\ AIR.framework/Versions/1.0

Europa meistern.app/Contents/Frameworks/Adobe AIR.framework/Versions/1.0: replacing existing signature

Europa meistern.app/Contents/Frameworks/Adobe AIR.framework/Versions/1.0: signed bundle with Mach-O thin (x86_64) [com.adobe.AIR]

MacBook-Pro:Desktop essig$ codesign -f -v -s "3rd Party Mac Developer Application: Jan Essig" --entitlements MacProcess/entitlement.plist Europa\ meistern.app

Europa meistern.app: signed app bundle with Mach-O thin (x86_64) [com.essig.europameisternmac]

MacBook-Pro:Desktop essig$ codesign --display --entitlements - Europa\ meistern.app

Executable=/Users/essig/Desktop/Europa meistern.app/Contents/MacOS/Europa meistern

??qq?<?xml version=”1.0″ encoding=”utf-8″?>

<dict>

<key>com.apple.security.app-sandbox</key>

<true/>

<key>com.apple.security.files.user-selected.read-write</key>

MacBook-Pro:Desktop essig$ productbuild --component Europa\ meistern.app /Applications EuropaInstaller.pkg --sign "3rd Party Mac Developer Installer: Jan Essig"

productbuild: Adding component at /Users/essig/Desktop/Europa meistern.app

productbuild: Signing product with identity "3rd Party Mac Developer Installer: Jan Essig" from keychain /Users/essig/Library/Keychains/login.keychain-db

productbuild: Adding certificate "Apple Worldwide Developer Relations Certification Authority"

productbuild: Adding certificate "Apple Root CA"

productbuild: Wrote product to EuropaInstaller.pkg

productbuild: Supported OS versions: [10.8, )

- Final Tests: The .pkg file works well. I’m able to install my App via the .pkg-File on my Mac and the App also works perfect.

Now I was able to transfer my App / the .pkg File via Application Loader successfully to Apple!

…sadly I received an email from Apple with this content after some minutes:

Dear developer,

We have discovered one or more issues with your recent delivery for "Europa meistern". To process your delivery, the following issues must be corrected:

Unable to Sign - This package doesn't meet the current code signing requirements. For more information, see the Code Signing and Application Sandboxing Guide and Technical Note 2206.

Specifically, codesign generated the following error:

com.essig.europameisternmac.pkg/Payload/Europa meistern.app: resource fork, Finder information, or similar detritus not allowed

Once these issues have been corrected, you can then redeliver the corrected binary.

Regards, The App Store team

Does anyone have an idea how to fix this final issue? 🙂

Best regards

Jan

Report · Nov 30, 2018

We're still using Flash/Animate to create AIR apps - it's still a fantastic platform!

I suspect the issue might be something to do with the way Flash/Animate code signs the AIR app, which is now incompatible with the changes Apple has made. What we do is to let Flash/Animate use a self-signed certificate when publishing the AIR app, then strip it out and re-sign the Apple way. I created a guide that we use to sign our apps that may be helpful - it's an accumulation of other helpful guides I've found so I can't take full credit:

For the AIR app...

codesign --deep -f -s "Developer ID Application: your_developer_application_ID" "path_to_app"

The command above recursively signs the app and overwrites any current Signature. The app package will end up with a _CodeSignature folder.

To verify a code signature use this command:

codesign --verify --verbose <path_to_app_bundle>

If you get the message: Finder information, or similar detritus not allowed -->

You can also remove all extended attributes from your app bundle with the xattr command:

xattr -cr <path_to_app_bundle>

If you are creating an installer package for the .app (we have used the file name 'Install.pkg'):

Now you need to digitally sign the Install.pkg (or .mpkg) file. Due to changes made in Mac OS Sierra, this error message can be seen:

'resource fork, Finder information, or similar detritus not allowed'
From the Apple docs: This is a security hardening change that was introduced with iOS 10, macOS Sierra, watchOS 3, and tvOS 10. Code signing no longer allows any file in an app bundle to have an extended attribute containing a resource fork or Finder info.To see which files are causing this error, run this command in Terminal:
xattr -lr <path_to_app_bundle>
replacing <path_to_app_bundle> with the path to your actual app bundle.Here's an example of this command in action:

$ xattr -lr Foo.app

/Applications/Foo.app: com.apple.FinderInfo:

00000000 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 |................|

You can also remove all extended attributes from your app bundle with the xattr command:
xattr -cr <path_to_app_bundle>
Note that browsing files within a bundle with Finder's Show Package Contents command can cause Finder info to be added to those files. Otherwise, audit your build process to see where the extended attributes are being added.
If you have to run this command, then you will need to re-add the icon.

Now you can safely digitally sign the Install.pkg file with the following command (pay attention to the text in bold - the command requires both an input and an output filename):

productsign --sign "Developer ID Installer: your_developer_installer_ID"

+ the path to the Installer you want to sign followed by a space then the path to the Installer again but with an appended name so you know which is the output file that has been signed. The ‘productsign’ command needs an input and an output file to write to, which is not the case for the ‘codesign’ command.

Note that to codesign a .app you need an Apple developer application ID whereas to codesign an installer package (.pkg) you need an Apple developer Installer ID.

Also note that you should use the codesign command to sign a .app but use the productsign to sign a .pkg file.

I hope this helps!

Developing MacOS Apps vs. Adobe Air = resource fork, Finder information, or similar detritus not allowed

1 Correct answer