codesign is given bad designated requirements when using precompiled Info.plist

Originator:chris
Number:rdar://14807464 Date Originated:22-Aug-2013 10:25 AM
Status:Open Resolved:
Product:OS X SDK Product Version:4.6.3
Classification:Serious Bug Reproducible:Always
 
Summary:

When I use a precompiled Info.plist file with a #ifdef block contained within, codesign is invoked with an incorrect set of designated requirements for the binary.

Steps to Reproduce:

1. Load the attached project, signtest, and choose the signtest scheme. Build for archiving, and view the build log. Expand the codesign log item, and you will see this at the end of the output:

/usr/bin/codesign --force --sign 86351633b75c998646d8053c8058a0d61a418c5a --requirements "=designated => anchor apple generic  and identifier \"signtest\" and ((cert leaf[field.1.2.840.113635.100.6.1.9] exists) or ( certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists  and certificate leaf[subject.OU] = \"FZ6W74R3XC\" ))" /Users/chris/Library/Developer/Xcode/DerivedData/signtest-gbnfvddvfbuzlfhffdmzrpihszlm/Build/Products/Release/signtest.app

2. Now choose the signtest-nopp scheme. Build for archiving, and view the build log. Expand the codesign log item, and you will see this at the end of the output:

/usr/bin/codesign --force --sign 86351633b75c998646d8053c8058a0d61a418c5a --requirements "=designated => anchor apple generic  and identifier \"com.supermegaultragroovy.signtest-copy\" and ((cert leaf[field.1.2.840.113635.100.6.1.9] exists) or ( certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists  and certificate leaf[subject.OU] = \"FZ6W74R3XC\" ))" "/Users/chris/Library/Developer/Xcode/DerivedData/signtest-gbnfvddvfbuzlfhffdmzrpihszlm/Build/Products/Release/signtest copy.app"

Expected Results:

Both schemes—one with a preprocessed Info.plist file that contains an #ifdef block, and one without—should produce identical parameters for the --requirements flag of codesign.

Actual Results:

The scheme with the plist containing an #ifdef block instead uses \"signtest\" as the identifier, and not the proper identifier of \"com.supermegaultragroovy.signtest\"

Regression:

I am not sure this was always broken in Xcode, but I definitely stumbled on it only recently.

Notes:

Note that I have specified my own Developer ID signature to use to sign the product. The --requirements flag only appears to get inserted when a Developer ID signature is chosen to produce the build.

Comments

Sample project here: https://dl.dropboxusercontent.com/u/29159/signtest.zip


Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at bugreport.apple.com before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!