Carthage: Nested dependencies Xcode 11.2 (macOS app)

Created on 26 Nov 2019  ·  23 Comments  ·  Source: Carthage/Carthage

  • Having issues with CodeSign when nesting macOS frameworks ever since I started using Xcode 11.2, which has changed how frameworks are added, with options of (Signed, Unsigned) etc.
  • Keep getting: "code object is not signed at all" if a framework is nested within another, i.e. C->B->A
  • The same process works for nested iOS frameworks, but not for macOS frameworks for some reason.

I can provide more data, but thought I'd air my case first. Maybe I just missed some checkbox or something.

All 23 comments

I guess it's about time to move to Swift package manager then 😭

Yes, I think the project is dead with SPM

The project is not dead, folks have just been busy! I believe that Carthage removes codesigning from all frameworks that are built and that we need to look into modifying that behavior. I’ve seen similar issues with building Mac Catalyst frameworks but I’m not sure if it is the same root cause.

@eonist Can you provide sample dependencies to reproduce the issue?

Side note: I definitely believe that Swift Package Manager is the way of the future but it isn’t ready yet.

@jafara 🤦😅.... @DavidBrunow Hey, if you use the latest Xcode 11.2 and any Carthage dep that uses another Carthage dep, then this happens. It applies to all deps. Even a fresh one created from scratch. I tried for 2-3 days with all possible configs. Nothing got past the CodeSign issue. So I had to give up Carthage. It's a lot of work for me because I use it in 50+ repos.

Hopefully someone figures out the magic configuration to get past this issue with nested deps and codesign. I think Carthage is great for working with binary .framework and is friendly with build times. ✌️

Thanks for the input @eonist -- it would be really helpful if you could share a sample project that recreates it. I'll try to recreate it myself but that will mean blocking off a little more time.

@DavidBrunow alright....I can meet you half way I guess. 👍

https://github.com/eonist/A/tree/4f6e516cf3ed0e33820ddb2d6760b4ac0e9135a7
https://github.com/eonist/B/tree/8c8070175eb9d3ec9d2b261c1cd8012899b58893
https://github.com/eonist/C/tree/198d8b8dcec1d39f14adaf93abec549c84373712

C imports B, which imports A

Warning: these repos moved on to test the same with SPM. So use the commits in the above URLs.

Thanks @eonist

Full disclosure: I did mess up my Apple ID code sign at one point. I thought at first it was that. I guess it could have been. But I really tried to solve that as well. I wanted to try it again on a fresh machine. But then time slipped away. Thought I should mention it: if you find no problems, then it could have been just some Keychain anomaly, which coincided with upgrading to Xcode 11.2. Or it happened because of it. 🤷 Anyways, that's my 2 cents ✌️

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale Still relevant tho

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

Bump

Code signing happens in copy-frameworks.

You can check the codesigning procedure here: https://github.com/Carthage/Carthage/blob/4663fc67dc62c81bf9e4653ef894f55b89907b89/Source/CarthageKit/Xcode.swift#L1434

Might be that for some reason this now requires --deep

--deep  When signing a bundle, specifies that nested code content such as helpers, frameworks, and plug-ins, should be recursively signed in turn. Beware that all signing options you specify will apply, in turn, to such nested content.
        When verifying a bundle, specifies that any nested code content will be recursively verified as to its full content. By default, verification of nested content is limited to a shallow investigation that may not detect changes to the nested code.
        When displaying a signature, specifies that a list of directly nested code should be written to the display output. This lists only code directly nested within the subject; anything nested indirectly will require recursive application of the codesign command.
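
The man page text above says default verification of nested content is shallow, so one way to find which nested framework triggers "code object is not signed at all" is to verify each nested item on its own. The script below is an added example, not code from this thread or from Carthage; the function names and the list of bundle extensions are assumptions.

```shell
#!/bin/sh
# Added example: function names and the extension list are assumptions.

# Print every nested code bundle under $1, innermost first, ending with $1.
# find -depth visits a directory's contents before the directory itself,
# which gives the inside-out order (A before B before C for C->B->A).
nested_code() {
  find "$1" -depth -type d \( -name '*.framework' -o -name '*.app' \
    -o -name '*.xpc' \)
}

# Verify each item individually (no --deep), so a failure names the exact
# nested framework instead of only the outer bundle.
# Returns 0 if everything verifies, 1 if any item fails, 2 without codesign.
report_unverified() {
  command -v codesign >/dev/null 2>&1 || {
    echo 'codesign not found (macOS only)' >&2
    return 2
  }
  failed=0
  list=$(nested_code "$1")
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    if ! codesign --verify --strict "$path" 2>/dev/null; then
      printf 'FAIL %s\n' "$path"
      failed=1
    fi
  done <<EOF
$list
EOF
  return "$failed"
}

# Usage: sh check-nested.sh /path/to/C.app
if [ "$#" -gt 0 ]; then report_unverified "$1"; fi
```

A FAIL line means the item is unsigned or its signature is invalid; rerun codesign --verify --verbose on that path to see which.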

@tmspzz Source of this info? Personally I moved to SPM now. But could be interesting for other devs.

man codesign

@tmspzz what do you mean by that?

I thought the question was where I got that piece of documentation. I got it from man codesign

@tmspzz sorry, but what is man codesign?

The manual page for the codesign command. You can access it by typing man codesign in your terminal.

ahh. nice. did not know about that

I guess that solves it ✅
