"codesign verify" is happy but spctl rejected ?

When I use codesign with deep option to sign my app and included frameworks, codesign verifies as good.


codesign --verbose=4 --deep -s "Acme, Inc." ${appFolder} my-usb-ev-token

codesign --verify --verbose=4 ${appFolder}

...

...

...

app/TSR.app/Contents/PlugIns/printsupport/libcocoaprintersupport.dylib

--validated:/Users/edward3/Documents/projects/build-tsr-Desktop_Qt_5_5_0_clang_64bit-Release/tsr-app/TSR.app/Contents/PlugIns/printsupport/libcocoaprintersupport.dylib

/Users/edward3/Documents/projects/build-tsr-Desktop_Qt_5_5_0_clang_64bit-Release/tsr-app/TSR.app: valid on disk

/Users/edward3/Documents/projects/build-tsr-Desktop_Qt_5_5_0_clang_64bit-Release/tsr-app/TSR.app: satisfies its Designated Requirement


spctl --verbose --assess --type execute -v TSR.app/

TSR.app/: rejected

origin=Acme, Inc.


I am distributing my app in a dmg for distribution outside the Mac app store.


Any tips or suggestions on how to properly codesign are much appreciated.


-Ed

OS X 10.10.5

XCode 6.4

spctl --verbose --assess --type execute -v TSR.app/
TSR.app/: rejected
origin=Acme, Inc.


codesign -dvv TSR.app/
Executable=/Users/edward3/Documents/projects/build-tsr-Desktop_Qt_5_5_0_clang_64bit-Release/tsr-app/TSR.app/Contents/MacOS/TSR
Identifier=com.acme.tsr
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20100 size=39347 flags=0x0(none) hashes=19e61+3 location=embedded
Signature size=4804
Authority=Acme, Inc.
Authority=DigiCert EV Code Signing CA (SHA2)
Authority=DigiCert High Assurance EV Root CA
Signed Time=Aug 24, 2015, 8:21:43 AM
Info.plist entries=15
TeamIdentifier=not set
Sealed Resources version=2 rules=12 files=39
Internal requirements count=1 size=96
--deep is almost never the right option for signing an app with nested code. You typically want to either have Xcode do this for you (which is what I recommend) or sign in multiple steps, signing nested code from the inside out.

As to your overall problem, AFAICT you're shipping nested code in an unsupported place. Dynamic libraries, like libcocoaprintersupport.dylib, should be in your Frameworks directory. See Table 3 of Technote 2206 OS X Code Signing In Depth.

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
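
The multi-step approach from the answer above, as an added example that is not part of the original thread: it lists nested code deepest-first, stops if a dylib sits outside Contents/Frameworks, signs from the inside out without --deep, then runs the same codesign --verify and spctl --assess checks the question used. The function names, the script name and the set of extensions treated as nested code are assumptions of this example.

```bash
#!/bin/bash
# Added example. Usage: ./sign-inside-out.sh TSR.app "Acme, Inc."

# List nested code deepest-first: find -depth visits a directory's contents
# before the directory itself, so inner items are signed before their container.
# The extension list is an assumption; helper executables are not covered.
nested_code_inside_out() {
    find "${1%/}/Contents" -depth ! -type l \( -name '*.dylib' \
        -o -name '*.framework' -o -name '*.bundle' -o -name '*.xpc' \
        -o -name '*.app' \) -print
}

# List dylibs outside Contents/Frameworks, the location the answer calls for.
misplaced_dylibs() {
    find "${1%/}/Contents" ! -type l -name '*.dylib' \
        ! -path "${1%/}/Contents/Frameworks/*" -print
}

sign_app() {
    bundle=${1%/}
    identity=$2
    bad=$(misplaced_dylibs "$bundle")
    if [ -n "$bad" ]; then
        printf 'dylibs outside Contents/Frameworks:\n%s\n' "$bad" >&2
        return 1
    fi
    # Sign each nested item on its own, innermost first (no --deep).
    nested_code_inside_out "$bundle" | while IFS= read -r item; do
        codesign --force --verbose=4 -s "$identity" "$item" || exit 1
    done || return 1
    # Sign the outer bundle last, then run both checks from the question.
    codesign --force --verbose=4 -s "$identity" "$bundle" || return 1
    codesign --verify --verbose=4 "$bundle" || return 1
    spctl --verbose --assess --type execute -v "$bundle"
}

# Only sign when invoked with a bundle path and a signing identity.
if [ "$#" -eq 2 ]; then
    sign_app "$1" "$2"
fi
```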