Based on baptrs' answer, I developed this shell script that coordinates all my frameworks and other binary resources / auxiliary binaries (currently supported types: dylib, bundle and login):
```sh
#!/bin/sh

# WARNING: You may have to run Clean in Xcode after changing CODE_SIGN_IDENTITY!

# Verify that $CODE_SIGN_IDENTITY is set
if [ -z "${CODE_SIGN_IDENTITY}" ] ; then
    echo "CODE_SIGN_IDENTITY needs to be set for framework code-signing!"

    if [ "${CONFIGURATION}" = "Release" ] ; then
        exit 1
    else
        # Code-signing is optional for non-release builds.
        exit 0
    fi
fi

if [ -z "${CODE_SIGN_ENTITLEMENTS}" ] ; then
    echo "CODE_SIGN_ENTITLEMENTS needs to be set for framework code-signing!"

    if [ "${CONFIGURATION}" = "Release" ] ; then
        exit 1
    else
        # Code-signing is optional for non-release builds.
        exit 0
    fi
fi

ITEMS=""

FRAMEWORKS_DIR="${TARGET_BUILD_DIR}/${FRAMEWORKS_FOLDER_PATH}"
if [ -d "$FRAMEWORKS_DIR" ] ; then
    FRAMEWORKS=$(find "${FRAMEWORKS_DIR}" -depth -type d -name "*.framework" -or -name "*.dylib" -or -name "*.bundle" | sed -e "s/\(.*framework\)/\1\/Versions\/A\//")
    RESULT=$?
    if [[ $RESULT != 0 ]] ; then
        exit 1
    fi

    ITEMS="${FRAMEWORKS}"
fi

LOGINITEMS_DIR="${TARGET_BUILD_DIR}/${CONTENTS_FOLDER_PATH}/Library/LoginItems/"
if [ -d "$LOGINITEMS_DIR" ] ; then
    LOGINITEMS=$(find "${LOGINITEMS_DIR}" -depth -type d -name "*.app")
    RESULT=$?
    if [[ $RESULT != 0 ]] ; then
        exit 1
    fi

    ITEMS="${ITEMS}"$'\n'"${LOGINITEMS}"
fi

# Prefer the expanded name, if available.
CODE_SIGN_IDENTITY_FOR_ITEMS="${EXPANDED_CODE_SIGN_IDENTITY_NAME}"
if [ "${CODE_SIGN_IDENTITY_FOR_ITEMS}" = "" ] ; then
    # Fall back to old behavior.
    CODE_SIGN_IDENTITY_FOR_ITEMS="${CODE_SIGN_IDENTITY}"
fi

echo "Identity:"
echo "${CODE_SIGN_IDENTITY_FOR_ITEMS}"

echo "Entitlements:"
echo "${CODE_SIGN_ENTITLEMENTS}"

echo "Found:"
echo "${ITEMS}"

# Change the Internal Field Separator (IFS) so that spaces in paths will not cause problems below.
SAVED_IFS=$IFS
IFS=$(echo -en "\n\b")

# Loop through all items.
for ITEM in $ITEMS; do
    echo "Signing '${ITEM}'"
    codesign --force --verbose --sign "${CODE_SIGN_IDENTITY_FOR_ITEMS}" --entitlements "${CODE_SIGN_ENTITLEMENTS}" "${ITEM}"
    RESULT=$?
    if [[ $RESULT != 0 ]] ; then
        echo "Failed to sign '${ITEM}'."
        IFS=$SAVED_IFS
        exit 1
    fi
done

# Restore $IFS.
IFS=$SAVED_IFS
```
- Save the file in your project. I save my copy in the Scripts subdirectory in my root project.
  - Mine is named codesign-frameworks.sh.
- Add the “Run Script” build phase immediately after the “Copy built-in frameworks” build phase.
  - You can call it "Codesign Embedded Frameworks".
- Paste ./codesign-frameworks.sh (or whatever you called your script above) into the text box of the script editor. Use ./Scripts/codesign-frameworks.sh if you store the script in a subdirectory.
- Create an application. All nested structures will be code-signed.
If you still get the error "Identity: ambiguous (matches: ...", please comment below. This should no longer happen.
Updated 2012-11-14: adding support for frameworks with special characters in their name (this does not include single quotes) in "codesign-frameworks.sh".
Updated 2013-01-30: adding support for special characters in all paths (this should include single quotes) in "codesign-frameworks.sh".
Updated 2013-10-29: adding experimental dylib support.
Updated 2013-11-28: adding rights support. Improved support for experimental dylib.
Updated 2014-06-13: Troubleshooting code names using frameworks containing (nested) frameworks. This was done by adding the -depth option to find, which causes find to do a depth-first traversal. This became necessary due to the problem described here. In short: the containing package can only be signed if its attached packages are already signed.
Updated 2014-06-28: adding support for experimental packages.
Updated 2014-08-22: Code Improvement and Failure Prevention for IFS Recovery.
Updated 2014-09-26: adding support for login items.
Updated 2014-10-26: checking quotes. This fixes the errors “line 31/42: too many arguments”, and the resulting error “code object not signed at all” for paths, including special characters.
Updated 2014-11-07: Resolving an ambiguous identification error (for example, "Mac Developer: Ambiguous ...") when using automatic identity resolution in Xcode. You no longer need to explicitly set the identifier and use "Mac Developer"!
Updated 2015-08-07: Improved semantics.
Improvements are welcome!
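
The 2014-06-13 update depends on `find -depth` listing nested frameworks before the frameworks that contain them. The following is an added example, not part of the original answer: it checks that ordering on a constructed directory tree. The function names and the sample layout are assumptions, and the script's `sed` rewrite to `Versions/A/` is left out.

```sh
#!/bin/sh
# Added example: confirm that signable items are listed inside-out,
# i.e. every nested item comes before the container that holds it.

# List frameworks, dylibs and bundles under $1 using the same find
# expression as the signing script (-depth = contents before directory).
list_sign_targets() {
    find "$1" -depth -type d -name "*.framework" -or -name "*.dylib" -or -name "*.bundle"
}

# Read one path per line on stdin. Return 0 if no path appears after
# one of its ancestor directories, 1 otherwise.
is_inside_out() {
    awk '{
            for (i = 1; i < NR; i++)
                if (index($0, seen[i] "/") == 1) { bad = 1; exit }
            seen[NR] = $0
         }
         END { exit bad + 0 }'
}

# Build a constructed sample tree (hypothetical layout) and print its root.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/Outer.framework/Versions/A/Frameworks/Inner.framework"
    : > "$root/Outer.framework/Versions/A/lib helper.dylib"
    echo "$root"
}

# Demo on the constructed tree.
SAMPLE=$(make_sample_tree)
echo "Signing order:"
list_sign_targets "$SAMPLE"
if list_sign_targets "$SAMPLE" | is_inside_out; then
    echo "Order is inside-out: nested items are listed before their containers."
else
    echo "Order is NOT inside-out: a container would be signed before its contents."
fi
rm -rf "$SAMPLE"
```

Dropping `-depth` from the `find` call makes the check fail on the same tree, which is the situation the update fixed.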