Successfully notarized app rejected by gatekeeper

Code Signing General
moonmartin OP
Created Jan ’20
Replies 6
Boosts 0
Views 2.8k
Participants 4

Codesigning app with hardened runtime (no exceptions), packing it into a dmg (unsigned) and notarizing/stapling the dmg. Xcode 11.2, macOS 10.15.2.

All steps of codesigning and notarization/stapling are successful, without any warnings or issues.

Upload of dmg to website, download through browser and installing the app from dmg.

Still after this, spctl says:

my.app/: accepted

source=Notarized Developer ID

origin=Developer ID Application: Qlucore AB (3HJ98U983V)


But when I try to start the same app, I get a dialog saying:

<app> cannot be opened because the developer cannot be verified.


Any suggestions on how to move the investigation forward would be much appreciated.

Answered by DTS Engineer in 402589022

Successfully notarized app rejected by gatekeeper

Notarising your app is necessary to pass Gatekeeper, but it’s not sufficient. Gatekeeper has its own array of checks, and it’s easy to trip over one of those checks even though your notarisation is copacetic.

Unfortunately it’s not always easy to work out what Gatekeeper is grumpy about. I’ve posted some hints on this thread.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
Replies  6
Boosts  0
Views  2.8k
Participants  4
DTS Engineer OP
Apple
Jan ’20
Accepted Answer

Successfully notarized app rejected by gatekeeper

Notarising your app is necessary to pass Gatekeeper, but it’s not sufficient. Gatekeeper has its own array of checks, and it’s easy to trip over one of those checks even though your notarisation is copacetic.

Unfortunately it’s not always easy to work out what Gatekeeper is grumpy about. I’ve posted some hints on this thread.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
0
moonmartin OP
Jan ’20

Thank you for the linked tips! This is really useful info, and I think hints of this dimension should be much more visible in the official pages, like maybe one of these:

https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution

https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution/resolving_common_notarization_issues


Our problem turned out to be Xprotect service that logged "Error" about useless/misleading embedded LC_RPATH settings in a couple of our .dylibs bundled in the app. This never showed as a problem in any other way, since the correct search paths are there too, so our app could execute fine anyway (in developer build).


The bundled dylib is 3rd party, so we ended up having to fix it before bundling with


install_name_tool -delete_rpath ...


(That makes me wonder, is it ever a good idea to have LC_RPATH settins at all on dylibs? Shouldn't that always be set on executables only?)


Also, the error message in the GUI dialog from Gatekeeper is really, really bad - misleading.


BR,

Martin

0
DTS Engineer OP
Apple
Jan ’20

I’m glad to hear you got this sorted out.

Also, the error message in the GUI dialog from Gatekeeper is really, really bad - misleading.

I don’t think you’ll see much movement on that front. From an end user’s perspective, the message is pretty reasonable. It doesn’t help developer’s much, but that’s not its purpose.

You could certainly filing an enhancement request for Gatekeeper to log more actionable errors when it rejects an app.

And speaking of enhancement requests:

I think hints of this dimension should be much more visible in the official pages

That’d make a fine ER as well.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
0
vpicaver OP
Mar ’20

rpath was exactly the problem I was having! Thanks!

0
PopGorn OP
Apr ’21
Hi !
I've been stuck on the same issue for one week now.
My app and dmg are notarized and signed, spctl returns the "accepted" message, but my clients still cannot open the app without forcing it.
I've already tried updating all the RPATH without success (not sure if I'm doing it correctly though).
How could I get an error log telling me what's wrong ? I'm sure it's just a small correction to do but I have no clues!

Really hope there is a solution to this!
0
DTS Engineer OP
Apple
Apr ’21
Given that you’ve ruled out the root cause of the issue that started this thread (a rogue rpath entry), I recommend that you start a new thread about this (make sure to tag it with Gatekeeper so that I see it).

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
0
Successfully notarized app rejected by gatekeeper
First post date Last post date
 
 
Q