Signing & Entitlements

Quick Start

Use this skill when the failure smells like codesigning rather than compilation: launch refusal, missing entitlement, invalid signature, sandbox mismatch, hardened runtime confusion, or trust-policy rejection.

Workflow

1. Inspect the bundle or binary.

   • Locate the .app or executable.
   • Identify the main binary inside Contents/MacOS/.

2. Read signing details.

   • Use codesign -dvvv --entitlements :- <path>.
   • Use spctl -a -vv <path> when Gatekeeper behavior matters.
   • Use plutil -p for entitlements or Info.plist inspection.

3. Classify the failure.

   • Unsigned or ad hoc signed
   • Wrong identity
   • Entitlement mismatch
   • Hardened runtime issue
   • App Sandbox issue
   • Nested code signing issue
   • Distribution/notarization prerequisite issue

4. Explain the minimum fix path.

   • Say exactly what is wrong.
   • Show the shortest set of validation or repair commands.
   • Distinguish local development problems from distribution problems.

Useful Commands

• codesign -dvvv --entitlements :- <app-or-binary>
• spctl -a -vv <app-or-binary>
• security find-identity -p codesigning -v
• plutil -p <path-to-entitlements-or-plist>

Guardrails

• Never invent missing entitlements.
• Do not conflate notarization with local debug signing.
• If the real issue is a build setting or provisioning profile, say so directly.

Output Expectations

Provide:

• what artifact was inspected
• what signing state it is in
• the exact failure class
• the minimum fix or validation sequence