| name | signing-entitlements |
| description | Inspect macOS signing, entitlements, and Gatekeeper issues. Use when diagnosing code signing, sandbox, hardened runtime, or trust failures. |
Signing & Entitlements
Quick Start
Use this skill when the failure smells like codesigning rather than compilation:
launch refusal, missing entitlement, invalid signature, sandbox mismatch,
hardened runtime confusion, or trust-policy rejection.
Workflow
-
Inspect the bundle or binary.
- Locate the
.app or executable.
- Identify the main binary inside
Contents/MacOS/.
-
Read signing details.
- Use
codesign -dvvv --entitlements :- <path>.
- Use
spctl -a -vv <path> when Gatekeeper behavior matters.
- Use
plutil -p for entitlements or Info.plist inspection.
-
Classify the failure.
- Unsigned or ad hoc signed
- Wrong identity
- Entitlement mismatch
- Hardened runtime issue
- App Sandbox issue
- Nested code signing issue
- Distribution/notarization prerequisite issue
-
Explain the minimum fix path.
- Say exactly what is wrong.
- Show the shortest set of validation or repair commands.
- Distinguish local development problems from distribution problems.
Useful Commands
codesign -dvvv --entitlements :- <app-or-binary>
spctl -a -vv <app-or-binary>
security find-identity -p codesigning -v
plutil -p <path-to-entitlements-or-plist>
Guardrails
- Never invent missing entitlements.
- Do not conflate notarization with local debug signing.
- If the real issue is a build setting or provisioning profile, say so directly.
Output Expectations
Provide:
- what artifact was inspected
- what signing state it is in
- the exact failure class
- the minimum fix or validation sequence