On Mac: failed to bundle project: failed to sign app

[HuakunShen]

I am having very weird and inconsistent problem when building and code sign a Tauri app on Mac.

I have certificate and passwords from a previous app that could code sign, and I also generated a new set of certificate and passwords for current project. Let me call them ENV-old and ENV-new.

I could not code sign my current app locally with either ENV-old or ENV-new.
If I use github action CI, ENV-new doesn't work, but ENV-old work.

I also Tried both set of credentials on my previous project. Both ENV-old and ENV-new don't work locally. and only ENV-old works in GitHub Action.

I did check whether there are new terms to sign on Apple's website.
I did try to code sign a brand new tauri app.

What could be wrong with the certificates? They are newly generated following https://tauri.app/v1/guides/distribution/sign-macos/

Here is the log I get with npm run tauri build --verbose, but I can't see the reason this failed.

warning: `app` (lib) generated 16 warnings (run `cargo fix --lib -p app` to apply 7 suggestions)
   Compiling app v0.1.0 (/Users/Dev/Dev/projects/Jarvis/apps/desktop/src-tauri)
warning: `app` (bin "app") generated 7 warnings (7 duplicates)
    Finished `release` profile [optimized] target(s) in 8.23s
    Bundling [tauri_bundler::bundle::macos::app] jarvis.app (/Users/Dev/Dev/projects/Jarvis/target/release/bundle/macos/jarvis.app)
     Running [tauri_bundler::bundle::common] Command `xattr  -crs /Users/Dev/Dev/projects/Jarvis/target/release/bundle/macos/jarvis.app`
     Signing [tauri_bundler::bundle::macos::sign] with identity "Developer ID Application: <User> (<Team ID>)"
     Running [tauri_bundler::bundle::common] Command `security  delete-keychain tauri-build.keychain`
        Info [tauri_bundler::bundle::macos::sign] setup keychain from environment variables...
     Running [tauri_bundler::bundle::common] Command `base64  --decode -i /var/folders/f7/7c6q0gh121vdyh86bv192wpc0000gn/T/.tmpB7t0er/cert.p12.tmp -o /var/folders/f7/7c6q0gh121vdyh86bv192wpc0000gn/T/.tmpB7t0er/cert.p12`
     Running [tauri_bundler::bundle::common] Command `security  create-keychain -p tauri-build tauri-build.keychain`
     Running [tauri_bundler::bundle::common] Command `security  unlock-keychain -p tauri-build tauri-build.keychain`
     Running [tauri_bundler::bundle::common] Command `security  import /var/folders/f7/7c6q0gh121vdyh86bv192wpc0000gn/T/.tmpB7t0er/cert.p12 -k tauri-build.keychain -P MxTUHA3733V3hnmzZqMw -T /usr/bin/codesign -T /usr/bin/pkgbuild -T /usr/bin/productbuild`
1 identity imported.
     Running [tauri_bundler::bundle::common] Command `security  set-keychain-settings -t 3600 -u tauri-build.keychain`
     Running [tauri_bundler::bundle::common] Command `security  set-key-partition-list -S apple-tool:,apple:,codesign: -s -k tauri-build tauri-build.keychain`
keychain: "/Users/Dev/Library/Keychains/tauri-build.keychain-db"
version: 512
class: 0x00000010
attributes:
    0x00000000 <uint32>=0x00000010
    0x00000001 <blob>="Huakun"
    0x00000002 <blob>=<NULL>
    0x00000003 <uint32>=0x00000001
    0x00000004 <uint32>=0x00000000
    0x00000005 <uint32>=0x00000000
    0x00000006 <blob>=0x79848897D86A4FC16950E5CBB71680D3AE9AB4C4  "y\204\210\227\330jO\301iP\345\313\267\026\200\323\256\232\264\304"
    0x00000007 <blob>=<NULL>
    0x00000008 <blob>=0x7B38373139316361322D306663392D313164342D383439612D3030303530326235323132327D00  "{87191ca2-0fc9-11d4-849a-000502b52122}\000"
    0x00000009 <uint32>=0x0000002A  "\000\000\000*"
    0x0000000A <uint32>=0x00000800
    0x0000000B <uint32>=0x00000800
    0x0000000C <blob>=0x0000000000000000
    0x0000000D <blob>=0x0000000000000000
    0x0000000E <uint32>=0x00000001
    0x0000000F <uint32>=0x00000001
    0x00000010 <uint32>=0x00000001
    0x00000011 <uint32>=0x00000000
    0x00000012 <uint32>=0x00000001
    0x00000013 <uint32>=0x00000001
    0x00000014 <uint32>=0x00000001
    0x00000015 <uint32>=0x00000001
    0x00000016 <uint32>=0x00000001
    0x00000017 <uint32>=0x00000001
    0x00000018 <uint32>=0x00000001
    0x00000019 <uint32>=0x00000001
    0x0000001A <uint32>=0x00000001
     Running [tauri_bundler::bundle::common] Command `security  list-keychain -d user -s /Users/Dev/Library/Keychains/login.keychain-db tauri-build.keychain`
        Info [tauri_bundler::bundle::macos::sign] Signing app bundle...
     Signing [tauri_bundler::bundle::macos::sign] /Users/Dev/Dev/projects/Jarvis/target/release/bundle/macos/jarvis.app/Contents/MacOS/jarvis
     Running [tauri_bundler::bundle::common] Command `codesign  --force -s Developer ID Application: <User> (<Team ID>) --keychain tauri-build.keychain --options runtime /Users/Dev/Dev/projects/Jarvis/target/release/bundle/macos/jarvis.app/Contents/MacOS/jarvis`
Developer ID Application: <User> (<Team ID>): ambiguous (matches "Developer ID Application: <User> (<Team ID>)" and "Developer ID Application: <User> (<Team ID>)" in /Users/Dev/Library/Keychains/login.keychain-db)
       Error [tauri_cli_node] failed to bundle project: failed to sign app
 ELIFECYCLE  Command failed with exit code 1.

[pewsheen]

I just noticed these two lines:

Running [tauri_bundler::bundle::common] Command `codesign  --force -s Developer ID Application: <User> (<Team ID>) --keychain tauri-build.keychain --options runtime /Users/Dev/Dev/projects/Jarvis/target/release/bundle/macos/jarvis.app/Contents/MacOS/jarvis`
Developer ID Application: <User> (<Team ID>): ambiguous (matches "Developer ID Application: <User> (<Team ID>)" and "Developer ID Application: <User> (<Team ID>)" in /Users/Dev/Library/Keychains/login.keychain-db)

Are there two certificates with the same name in your keychain?

[HuakunShen]

@pewsheen I think so. Does the name have to be unique?

[pewsheen]

Yeah, it is using the name to get the certificate. It can’t decide which one to use if there are two identical names.

[HuakunShen]

I removed the certificates on my mac, also reset keychain, now getting new error.

Warning: unable to build chain to self-signed root for signer

keychain tauri-build.keychain --options runtime /Users/user/Dev/projects/devclean/devclean-ui/src-tauri/target/release/bundle/macos/devclean-ui.app/Contents/MacOS/devclean-ui`
/Users/user/Dev/projects/devclean/devclean-ui/src-tauri/target/release/bundle/macos/devclean-ui.app/Contents/MacOS/devclean-ui: replacing existing signature
Warning: unable to build chain to self-signed root for signer "Developer ID Application: <User> (<Team ID>)"
/Users/user/Dev/projects/devclean/devclean-ui/src-tauri/target/release/bundle/macos/devclean-ui.app/Contents/MacOS/devclean-ui: errSecInternalComponent
       Error [tauri_cli_node] failed to bundle project: failed to sign app

I am not familiar with the code signing process.

Do I have to install some certificate for this to work?

[HuakunShen]

I also tried to code sign in a clean macos VM also didn't work, and there is no meaningful error message.

Bundling devclean-ui.app (/Users/<user>/Downloads/devclean-main/devclean-ui/src-tauri/target/release/bundle/macos/devclean-ui.app)
    Signing with identity "Developer ID Application: <User> (<Team ID>)"
    Info setup keychain from environment variables...
    Info Signing app bundle...
    Signing /Users/<user>/Downloads/devclean-main/devclean-ui/src-tauri/target/release/bundle/macos/devclean-ui.app/Contents/MacOS/devclean-ui
    Error failed to bundle project: failed to sign app

[pewsheen]

Did you use the certificate that was downloaded from Apple Developer > Certificates?

Can you bundle the app by using APPLE_SIGNING_IDENTITY="-" pnpm tauri build?