Hello,
I am facing a rather strange issue with the codesigning of my application. Even though the codesigning and its verification are successful, the app fails the "spctl -a -t exec -vv" command, with the result being simply "<app> rejected". This of course also makes the Gatekeeper check fail, and the app cannot be opened automatically. If the search I have done so far is correct, the issue seems to have to do with the Apple codesigning authority of the certificate I use (which is generated as per the instructions in the certificates section of my Apple developer account) to sign the application. I am pasting the output of "codesign --display --verbose=4" below, where the authority is stated as "Authority=Apple Worldwide Developer Relations Certification Authority" and not "Authority=Developer ID Certification Authority". Is that the error, or not, and if so, how can it be addressed?
Executable=<path to executable>
Identifier=<identifier>
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=277 flags=0x0(none) hashes=3+3 location=embedded
OSPlatform=36
OSSDKVersion=657920
OSVersionMin=657664
Hash type=sha256 size=32
CandidateCDHash sha1=bcb52eacecfdbafb650f29b871a42621b24b3e8e
CandidateCDHash sha256=adda0fb0ff45051ab03342b75ab55fdd67f7a7c2
Hash choices=sha1,sha256
Page size=4096
CDHash=adda0fb0ff45051ab03342b75ab55fdd67f7a7c2
Signature size=4687
Authority=Mac Developer: <My Signing ID>
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=Apr 18, 2018 at 7:14:33 PM
Info.plist entries=30
TeamIdentifier=<Team Identifier>
Sealed Resources version=2 rules=13 files=167
Internal requirements count=1 size=180
I hope someone can shed some light on this.
-------------------------------------------------------------------------------
This issue has been resolved. We had been signing with the incorrect certificate that is meant to be used for distribution within the Mac App Store (namely Authority=Mac Developer: <My Signing ID>). The application needed to be signed with the Developer ID Application identity/certificate that can be created by the team agent in Xcode. Instructions on how to do this can be found here:
https://help.apple.com/xcode/mac/current/#/dev033e997ca
Also let me note that it is recommended not to sign with the codesign --deep parameter; any nested code (e.g. helper apps/frameworks) needs to be signed recursively from the innermost to the outermost as described here:
I hope this information helps interested readers.
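
An added example, not part of the original posts: a POSIX shell filter that reads "codesign --display --verbose=4" output and classifies the Authority chain, so a build step can catch a non-Developer ID signature before spctl does. The category labels and function names are this example's own, the Developer ID sample is constructed, and the check covers only the certificate chain, not notarization or any other Gatekeeper condition.

```shell
#!/bin/sh
# Added example: classify the signing chain shown by `codesign --display --verbose=4`.
# On macOS: codesign --display --verbose=4 MyApp.app 2>&1 | classify_chain
# (codesign writes this report to stderr; MyApp.app is a placeholder path.)

classify_chain() {
    # Authority= lines are listed leaf certificate first, root last.
    chain=$(sed -n 's/^Authority=//p')
    leaf=$(printf '%s\n' "$chain" | sed -n '1p')
    issuer=$(printf '%s\n' "$chain" | sed -n '2p')

    if [ -z "$leaf" ]; then
        # Ad hoc or unsigned code carries no certificate chain at all.
        echo "no-authority"; return 0
    fi
    case "$leaf" in
        "Developer ID Application:"*)
            if [ "$issuer" = "Developer ID Certification Authority" ]; then
                echo "developer-id"
            else
                echo "unexpected-issuer"
            fi ;;
        "Mac Developer:"*|"Apple Development:"*)
            echo "development" ;;
        "3rd Party Mac Developer Application:"*|"Apple Distribution:"*)
            echo "app-store" ;;
        *)
            echo "unknown" ;;
    esac
}

# Exit status 0 only for a Developer ID chain; usable as a release gate.
require_developer_id() {
    [ "$(classify_chain)" = "developer-id" ]
}

# Authority lines as pasted in the first post (placeholders kept as posted).
SAMPLE_FROM_POST='Authority=Mac Developer: <My Signing ID>
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA'

# Constructed sample of a Developer ID chain (name and team ID are made up).
SAMPLE_DEVID='Authority=Developer ID Application: Example Corp (TEAMID1234)
Authority=Developer ID Certification Authority
Authority=Apple Root CA'

printf '%s\n' "$SAMPLE_FROM_POST" | classify_chain   # prints: development
```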