The code signature version is no longer supported

Question

An app signed with a codesign version provided on an older macOS, like Catalina (10.15) will not run on iOS 15 because the lastest version you can install is Xcode 12.4.

Xcode 12.5 seems to change the behavior of codesigning. When installing you get the error message:

The code signature version is no longer supported

Is there a workaround?

Answer 1

codesign --generate-entitlement-der

Apple has changed the codesign signature to include DER encoded entitlements in addition to the plist encoded entitlements. This additional DER encoded entitlements section is required in iOS 15 and becomes the default behavior of codesign in the latest Xcode. To use codesign on an older machines with an older version of Xcode add the --generate-entitlement-der flag to your call to codesign.

If signing through Xcode, you can add this flag to the OTHER_CODE_SIGN_FLAGS setting in the Build Settings tab.

If codesigning at the command-line:

CODESIGN_ALLOCATE=$( xcrun --find codesign_allocate ); export CODESIGN_ALLOCATE
xcrun codesign --generate-entitlement-der ...

The source of this information was the Apple Forum thread and the answer from Matt Eaton in DTS at Apple.

In the Xcode 12.5 Release Notes there is also a reference to the new signature format. However, it seems the information is not entirely correct.

Answer 2

Here are some visual directions to @CameronLowellPalmer's answer.

I got the steps from @WayneHenderson's comment underneath the accepted answer.

Follow the red arrows steps 1 - 11 (there is no 8, I made a mistake and went from 7 straight to 9).

The most important thing is step 4, make sure to select All or you won't find the Other Code Signing Flags options.

For step 5 just enter Other Code Signing Flags into the search container.

Steps 9 - 11 is where you enter --generate-entitlement-der

Answer 3

You will need to add the --generate-entitlement-der to your OTHER_CODE_SIGN_FLAGS under Build Settings.

Answer 4

• Xcode > Target > General
• Section "Embedded Framework, Libraries and Embedded Content"
• Set all frameworks in the Embedded field to "Do not Embed"

Answer 5

After testing all solutions, Only one worked for me. Because XCode adds sign signature automatically when you add Framework, Any Framework that needs to Embed & Sign should remove, and add again. Xcode will add the new sign signature automatically.

1. Go to YourTarget>Frameworks, Libraries, and Embedded Contents.
2. Remove all frameworks that are Embed & Sign, except CocoaPods.
3. add removed frameworks again and set to Embed & Sign.
4. check that pods framework set on Do Not Embed

Now clean and run your app on your device.

Answer 6

I want to share my solution. This worked for me using XCode 12.3, macOS Catalina, and tested using Adhoc distribution.

1. Build, archive, export ipa as usual using XCode.

2. Now you have the IPA file, then rename it to zip extension. (make a backup if needed)

3. Extract it. There should be a Payload folder.

4. Open terminal, cd to your IPA directory, then run command:

   codesign -s "CERTIFICATE_NAME" -f --preserve-metadata --generate-entitlement-der ./Payload/YOUR_APP.app

   • CERTIFICATE_NAME is your certificate name located in keychain. It maybe looks like this: Apple Distribution: XCompany (XXXXXX)

   • YOUR_APP is your .app file name located in Payload folder.

5. This warning showed up, I ignored it.

   Warning: default usage of --preserve-metadata implies "resource-rules" (deprecated in Mac OS X >= 10.10)!

6. Then run zip command:

   zip -ru myapp_resigned.ipa Payload

7. Done. You can redistribute the new IPA.

Answer 7

Just my two cents.

As pointed out in other responses, now to sign ios app (compatible with ios and ipados 15) with codesign command on MacOS prior to Big Sur add the --generate-entitlement-der flag. I can sign my app with Xcode 10.3 using this python 2.7 (tried both on MacOS Mojave 10.14 and MacOS Catalina 10.15) snippet code:

from fabric.api import local

local('cp %s "%s"' % ("/path/to/embedded.mobileprovision", app_full_path))
local('xattr -rc %s' % app_full_path)
local("codesign -f --generate-entitlement-der -vv -s \"%s\" --entitlements \"%s/Entitlements.plist\" %s" % (
    env.code_sign_identity, app_full_path, app_full_path)
)

Output example log:

[localhost] local: cp /path/to/embedded.mobileprovision "/path/to/Payload/appname.app"
[localhost] local: xattr -rc /path/to/Payload/appname.app
[localhost] local: codesign -f --generate-entitlement-der -vv -s "iPhone Distribution: XXX S.p.A." --entitlements "/path/to/Payload/appname.app/Entitlements.plist" /path/to/Payload/appname.app
/path/to/Payload/appname.app: replacing existing signature
/path/to/Payload/appname.app: signed app bundle with Mach-O universal (armv7 arm64) [com.name.reverse.dns]

Some additional tips...

• MacOS keychain should contains the Apple certificate used to create the mobile provisioning profile, which is also utilized to distribute the app we’re signing. You can check it using the command security find-identity -p codesigning:

    $ security find-identity -p codesigning
  
    Policy: Code Signing
        Matching identities
        1) AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA "iPhone Distribution: XXX S.p.A."
        ...
        13) CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC "iPhone Developer: Name Surname (DDDDDDDDDD)"
        13 identities found
  
        Valid identities only
        1) AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA "iPhone Distribution: XXX S.p.A."
        ...
        13) CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC "iPhone Developer: Name Surname (DDDDDDDDDD)"
        13 identities found
  
  

• After the ipa zip archive creation, you can use the Gem ipa_analyzer (https://github.com/bitrise-io/ipa_analyzer) to verify if the app is correctly signed:

  
  $ zip -9 -y -r /path/to/appname.ipa /path/to/Payload
  $ gem install ipa_analyzer --user-install
  $ PATHAPP="/path/to/appname.ipa"
  $ ~/.gem/ruby/2.6.0/bin/ipa_analyzer -i ${PATHAPP} -p --info-plist --prov | grep -E "ExpirationDate|CFBundleIdentifier|DER-Encoded-Profile"
    "DER-Encoded-Profile": "#<StringIO:0x00000f0000000008>",
    "ExpirationDate": "2022-09-18T12:15:25+00:00",
    "CFBundleIdentifier": "com.name.reverse.dns",
  

As additional references about this issue, you can read also this Apple documentation page and this Apple forum post.

Answer 8

I have spent 2 days to find this issue, Finally i got the solution here from the person Lance Samaria. I would like to share it.

Target-> Build Settings -> Other Code Signing Flags Add this code --generate-entitlement-der to both Debug and Release

After that Go to Target-> General->Frameworks, Libraries, and Embedded Contents -> Change to "Do not Embed"

Also I renewed Provisioning Profile and IOS Distribution Certificates.

Now Clean Build Folder and Run Your Project.

Thank you so Much for Lance Samaria

Answer 9

My issue was I was using custom framework, and when I embed it in my app. it showing me error The code signature version is no longer supported. i spend whole day to struggle with it. Finally resolved it by adding user-defined settings. In new Xcode 13 which supports arm 64 Project target->Build Settings-> + sign to add user define setting and add a setting. then add VALID_ARCHS as a field under this add the value $(ARCHS_STANDARD). Automatically it will convert it arm64 arm 7. see the attached image for more reference.

Answer 10

Sometimes, like in my case, it's solved just by doing a clean build folder:

Either by going to Product -> Clean Build Folder

Or by using ? + ? + K