Notarized disk image OK on 10.14.5 but 10.15 won't open it

I created a disk image, notarized it, and stapled the notarization successfully on macOS 10.14.5.

When I download it on macOS 10.14.5 and earlier, a double-click opens it successfully.

However, on macOS 10.15 beta 1 or beta 2, trying to open it with a double-click pops up a window saying it "can't be opened because it is from an unidentified developer".

Testing the stapling on 10.14.5, and on 10.15 beta 2, with

$ xcrun stapler validate <path/to/the/disk/image>

succeeds:

The validate action worked!

Testing the disk image using the command given for that purpose in the WWDC 2019 "All About Notarization" presentation – from slide 148 of the Presentation Slides (PDF)

$ spctl --assess --verbose --type open —-context "context:primary-signature" <path/to/the/disk/image>

fails on both 10.14.5 and 10.15 beta 2, with:

—-context: No such file or directory

Any suggestions?

Accepted Reply

Try this instead:

spctl --assess --type open --context context:primary-signature --verbose <path/to/the/disk/image>

...this should work for you. The issue I am currently encountering is this:

/Users/chris/MyApp.dmg: accepted
source=Developer ID

...not 'source=Notarized Developer ID' as I had hoped. I did attach the issued UUID and ran the xcrun stapler staple command. Any thoughts on this issue? Thanks!

Replies

Thank you, pickman! That gets spctl working.

But no matter how many --verbose options I add, I only get:

rejected
origin=Developer ID Application: <my developer ID info>

with no indication of why it was rejected.

I have a similar issue with my application.

All works perfectly fine on the latest Mojave version.

I have an application bundle, which has been signed, and notarized. This process went fine, no problem even on Catalina. The spctl command works fine.

This application is packaged in a DMG for distribution purposes. The DMG has been signed using my Developer ID Application certificate with the following command:

% codesign -s "Developer ID Application" --timestamp Hopper-4.5.12-demo.dmg

then the DMG has been sent for notarization, and stapled (I just removed the --username and --password of the first command):

% xcrun altool --notarize-app --primary-bundle-id "com.cryptic-apps.hopper-web-4" --file Hopper-4.5.12-demo.dmg
...
% xcrun stapler staple Hopper-4.5.12-demo.dmg
Processing: /Users/bsr/Downloads/Hopper-4.5.12-demo.dmg
Processing: /Users/bsr/Downloads/Hopper-4.5.12-demo.dmg
The staple and validate action worked!

When I check the final DMG, the signature seems valid:

% codesign -dvvv Hopper-4.5.12-demo.dmg
Executable=/Users/bsr/Downloads/Hopper-4.5.12-demo.dmg
Identifier=Hopper-4.5.12-demo
Format=disk image
CodeDirectory v=20200 size=306 flags=0x0(none) hashes=1+6 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=700a0162de956bce7163e5b81bbc5fb9c87af48b
CandidateCDHashFull sha256=700a0162de956bce7163e5b81bbc5fb9c87af48bb5039f7a3cef2e657bdc51ba
Hash choices=sha256
CMSDigest=700a0162de956bce7163e5b81bbc5fb9c87af48bb5039f7a3cef2e657bdc51ba
CMSDigestType=2
CDHash=700a0162de956bce7163e5b81bbc5fb9c87af48b
Signature size=8923
Authority=Developer ID Application: Cryptic Apps (2AMA2753NF)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=26 Jun 2019 at 11:36:24
Info.plist=not bound
TeamIdentifier=2AMA2753NF
Sealed Resources=none
Internal requirements count=1 size=180

The stapler validation seems OK too:

% xcrun stapler validate Hopper-4.5.12-demo.dmg
Processing: /Users/bsr/Downloads/Hopper-4.5.12-demo.dmg
The validate action worked!

But I have issues with spctl (the same command works on Mojave):

% spctl --assess --verbose --type open --context "context:primary-signature" Hopper-4.5.12-demo.dmg
Hopper-4.5.12-demo.dmg: rejected

An interesting point is that "--type install" works (??):

% spctl --assess --verbose --ignore-cache --type install Hopper-4.5.12-demo.dmg
Hopper-4.5.12-demo.dmg: accepted
source=Notarized Developer ID

But I have an error if I double-click on the DMG in the Finder on Catalina (it works fine on Mojave)...
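As an added example (not code from this thread or from any of its posters), a release-gate script built from the accepted reply's corrected spctl invocation and from bSr43's staple-then-verify steps: it distinguishes the three outcomes reported above (accepted as Notarized Developer ID, accepted as plain Developer ID, rejected) and refuses to ship a DMG that is not actually notarized. The function names and return codes are my own, and it assumes a Mac with the Xcode command-line tools installed.

```shell
#!/bin/sh
# Hypothetical release gate for a signed, notarized, stapled DMG (added example).
# Requires macOS with codesign, xcrun stapler and spctl on PATH.

# Classify the text spctl prints. Prints one of:
#   notarized   - "accepted" plus "source=Notarized Developer ID" (the goal)
#   signed-only - "accepted" but only "source=Developer ID" (ticket not honoured,
#                 the situation in the accepted reply)
#   rejected    - bare "rejected" (what Catalina beta 1/2 print; spctl exits 3)
#   unknown     - anything else (empty output, tool missing, unexpected text)
classify_assessment() {
    _out="$1"
    case "$_out" in
        *": rejected"*)                       echo rejected ;;
        *"source=Notarized Developer ID"*)    echo notarized ;;
        *": accepted"*)                       echo signed-only ;;
        *)                                    echo unknown ;;
    esac
}

# The assessment from the accepted reply. Every option uses ASCII hyphens:
# the slide's "—-context" is an em-dash, which spctl treats as a file name.
# --ignore-cache forces a fresh evaluation, as several posters used.
assess_dmg() {
    spctl --assess --verbose --ignore-cache --type open \
          --context context:primary-signature "$1" 2>&1
}

# Full gate: a stapled ticket must be present, and Gatekeeper must report
# the notarized source; anything weaker is a non-zero return.
verify_release_dmg() {
    _dmg="$1"
    command -v spctl >/dev/null 2>&1 || { echo "spctl not found (macOS only)" >&2; return 1; }
    xcrun stapler validate "$_dmg" >/dev/null 2>&1 \
        || { echo "$_dmg: no valid stapled ticket" >&2; return 1; }
    _result=$(classify_assessment "$(assess_dmg "$_dmg")")
    case "$_result" in
        notarized)   echo "$_dmg: notarized, OK to ship"; return 0 ;;
        signed-only) echo "$_dmg: accepted as Developer ID only; ticket not honoured" >&2; return 2 ;;
        *)           echo "$_dmg: $_result by Gatekeeper, do not ship" >&2; return 3 ;;
    esac
}

# Usage: sh gate.sh path/to/MyApp.dmg
if [ $# -gt 0 ]; then
    verify_release_dmg "$1"
fi
```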

Ah. "--type install" works for me, too.

My Developer ID is valid for signing apps and for signing kexts (which is unusual but I include signed kexts in my app).

bSr43, do you have a standard Developer ID, or does yours allow you to sign kexts, too?

This is a standard account. I’ve filed a radar, just in case... By the way, I’ve searched for signed DMGs on the Internet. I haven’t found many, but same issue each time (for instance, latest version of FS-UAE at https://fs-uae.net). The irritating thing is that unsigned DMGs open just fine without any warning 😕... But I need signed DMGs for Sparkle to work properly...

Thanks for doing that research and testing, bSr43.

I'm going to assume for now that this is a bug in Catalina, since there are now several examples. I'll revisit it for each new Catalina beta.

My case is exactly the same as yours.

I did codesign my disk image (--timestamp --options runtime) and notarize/staple it successfully.

But, only on Catalina beta, it continues to fail to mount and to verify with the spctl command.

yoonaui-iMac:tmp yoona$ spctl --assess --verbose --type open --context "context:primary-signature" /Users/yoona/Desktop/notarization/20190702/install_stapled.dmg
/Users/yoona/Desktop/notarization/20190702/install_stapled.dmg: rejected
yoonaui-iMac:tmp yoona$ echo $?
3

I have exactly the same issue, and others are reporting the same with beta 3 also.

I tried looking in the console for entries relating to "CoreServicesUIAgent" (as https://developer.apple.com/library/archive/technotes/tn2206/_index.html#//apple_ref/doc/uid/DTS40007919-CH1-TNTAG207 indicates that some info may be logged there), however all I see are entries about assertion failure. From searching around, other developers suggest looking at "syspolicyd" and "xprotect". I also see "assertion failures" for "syspolicyd", and for "xprotect" I see "analysis results: <private>". I have filed Feedback reports on these.

I don't know what else to check. I've even tried notarizing the application using a Zip file, attaching the ticket to the app, then placing it on the DMG, and codesigning the DMG. With or without the ticket, the functions you list all get "Rejected".

btw: A notarized PKG file works, but the process has multiple "Apple installer is trying to access" dialogs, and the resulting application does not appear in LaunchPad, and didn't show up in Spotlight either. I've filed for these also.

I have installed beta 3, and it seems to fix the issue for me:

% spctl --assess --verbose --ignore-cache --type open --context "context:primary-signature" Hopper-4.5.12-demo.dmg
Hopper-4.5.12-demo.dmg: accepted
source=Notarized Developer ID

I haven't changed anything in the DMG file: after installing the beta 3 update, I deleted the content of my Downloads folder and downloaded the DMG from my website, like any regular customer. The DMG opened just fine.

Catalina beta 3 resolves this issue for me:

$ spctl --assess --verbose --ignore-cache --type open --context "context:primary-signature" Tunnelblick_3.8.0beta03_build_5350.dmg
Tunnelblick_3.8.0beta03_build_5350.dmg: accepted
source=Notarized Developer ID

Like bSr43, I downloaded a fresh copy of the .dmg using Safari from the website, and it opened without complaint.

However, when opening the .dmg via double-click, the window that macOS pops up does not say that the download had been found free of malware, which it does on macOS Mojave.

So, Apple: three steps back and two steps forward.