I am having an error when uploading my Worklight Application into iTunes.

The application validation fails with the following error:

Invalid Signature. Code object is not signed at all. The binary at path [MyApp.app/buildtime.sh] contains an invalid signature. Make sure you have signed your application with a distribution certificate, not an ad hoc certificate or a development certificate. Verify that the code signing settings in Xcode are correct at the target level (which override any values at the project level). Additionally, make sure the bundle you are uploading was built using a Release target in Xcode, not a Simulator target. If you are certain your code signing settings are correct, choose "Clean All" in Xcode, delete the "build" directory in the Finder, and rebuild your release target. For more information, please consult https://developer.apple.com/library/ios/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html

My problem is that I submitted the same application 2 weeks ago and it was working fine. Today's version has only the www/ folder content changed, and it fails with this error.

I googled the issue, and found Codesign of Dropbox API fails in Xcode 4.6.3: "code object is not signed at all", but I tried adding the --deep option and this haven't worked for me.

Can this related to something with buildtime.sh script? As I read it, it seems just updating buildtime value in the worklight.plist file:

#!/bin/bash
# Licensed Materials - Property of IBM
# 5725-I43 (C) Copyright IBM Corp. 2006, 2013. All Rights Reserved.
# US Government Users Restricted Rights - Use, duplication or
# disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

# Update buildtime in project 
echo -n ${TARGET_BUILD_DIR}/${PRODUCT_NAME}.app/worklight.plist | xargs -0
/usr/libexec/PlistBuddy -c "Set :buildtime `date +\"%s\"`"

Also when googling the issue I found some similar issue at: https://github.com/AppGyver/steroids/issues/918 and they seems to use hybrid applications with sh scripts, which make me believe that the issue is related to the buildtime.sh script.

I deleted the buildtime script, and deleted run script phase on my Xcode project, and this time it is not giving the error.

Is it safe to do so?

Anyone encountered the same error with a Worklight project? Is it related to buildtime.sh script or new Apple policy?

Blog post about this issue in the MFP Developer Center: https://developer.ibm.com/mobilefirstplatform/2015/05/01/recent-changes-in-apples-app-submission-process/

The problem is that Apple is now also checking whether .sh files that are included in the application bundle (.ipa file) are signed or not.

In a Worklight/MobileFirst Platform-based application there happens to be one such .sh file, buildtime.sh, that is being added to the bundle. There is no reason for this file to be in the resulting bundle. The file is needed only during build-time, not run-time.

There is a simple workaround: remove (do not delete) the buildtime.sh file from the target configuration in Xcode (in Build Phases > Copy Bundle Resources).

There are also iFixes available (IBM APAR PI39826, Worklight/MFP Studio/CLI only; no Server change needed) from IBM Fix Central:

• 6.0.0.2-IF201504301500
• 6.1.0.2-IF201504301501
• 6.2.0.1-IF201504301522
• 6.3.0.0-IF201504301455
• 7.0.0.0-IF201504301556

This iFix is meant only for:

• Newly created applications
• Applications that their native folder is deleted and re-generated

By using the iFix these applications will not have the buildtime.sh file in the target configuration.

Existing applications must only simply remove the .sh file from the target configuration as mentioned above, followed by a re-build in Xcode.