My app consists of an executable "MyAppName" (C++ and Objective-C built with xcodebuild) and an icon "MyAppName.icns", such that the folder tree of my signed app is:
my_user_name@my-mbp:~$ find /Applications/MyAppName.app -type f
/Applications/MyAppName.app/Contents/_CodeSignature/CodeResources
/Applications/MyAppName.app/Contents/Info.plist
/Applications/MyAppName.app/Contents/MacOS/MyAppName
/Applications/MyAppName.app/Contents/Resources/MyAppName.icns
I am code signing it with:
codesign -f --keychain <keychain path> -s "Developer ID Application: <name>" /path/to/MyAppName.app
If I download and mount the DMG I have created containing this, I can run:
my_user_name@my-mbp:~$ codesign --verify --verbose --deep /Volumes/MyAppName/MyAppName.app
/Volumes/MyAppName/MyAppName.app: valid on disk
/Volumes/MyAppName/MyAppName.app: satisfies its Designated Requirement
my_user_name@my-mbp:~$ spctl --assess --type execute -v /Volumes/MyAppName/MyAppName.app
/Volumes/MyAppName/MyAppName.app: accepted
source=Developer ID
However, if I copy the application to the /Applications/ folder (either through the GUI or the command line, e.g. with "cp -r MyAppName.app /Applications/"), then the result changes:
my_user_name@my-mbp:~$ codesign --verify --verbose --deep /Applications/MyAppName.app
/Applications/MyAppName.app: valid on disk
/Applications/MyAppName.app: satisfies its Designated Requirement
my_user_name@my-mbp:~$ spctl --assess --type execute -v /Applications/MyAppName.app
/Applications/MyAppName.app: a sealed resource is missing or invalid
This obviously causes Gatekeeper to claim that the application is damaged and should be moved to the trash when it is double-clicked on in the GUI.
The files themselves are all identical between the two locations:
my_user_name@my-mbp:~$ find /Applications/MyAppName.app -type f -exec md5 \{\} \;
MD5 (/Applications/MyAppName.app/Contents/_CodeSignature/CodeResources) = 55c201fd8611fb32a2b35e4c0c9a4e95
MD5 (/Applications/MyAppName.app/Contents/Info.plist) = 803e7573564518e8782ebe8bacd774d6
MD5 (/Applications/MyAppName.app/Contents/MacOS/MyAppName) = d4b6f786f5ca1001b2a16b645ace3719
MD5 (/Applications/MyAppName.app/Contents/Resources/MyAppName.icns) = e112c876a4a85efe87e9f2000b40f668
my_user_name@my-mbp:~$ find /Volumes/MyAppName/MyAppName.app -type f -exec md5 \{\} \;
MD5 (/Volumes/MyAppName/MyAppName.app/Contents/_CodeSignature/CodeResources) = 55c201fd8611fb32a2b35e4c0c9a4e95
MD5 (/Volumes/MyAppName/MyAppName.app/Contents/Info.plist) = 803e7573564518e8782ebe8bacd774d6
MD5 (/Volumes/MyAppName/MyAppName.app/Contents/MacOS/MyAppName) = d4b6f786f5ca1001b2a16b645ace3719
MD5 (/Volumes/MyAppName/MyAppName.app/Contents/Resources/MyAppName.icns) = e112c876a4a85efe87e9f2000b40f668
The com.apple.quarantine attribute is correctly set on both versions (since it was downloaded from the internet).
I am a little stuck as to what is different about having my app in the /Applications/ folder. Please could someone enlighten me as to what I have done wrong...
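The MD5 listing in the question covers only the contents of regular files (`find -type f`). As an added example, not part of the original post, this Python script compares two copies of a bundle on the other things a copy can change: entry type, symlink targets, permission bits and extended-attribute names (not values). The function names are assumptions made for illustration.

```python
# Added example (not from the original post); function names are hypothetical.
import hashlib, os, shutil, stat, subprocess, sys

XATTR = shutil.which("xattr")  # command-line tool shipped with macOS

def xattr_names(path):
    """Extended-attribute names on path itself (symlinks are not followed)."""
    try:
        if XATTR:
            out = subprocess.run([XATTR, "-s", path], capture_output=True, text=True)
            return tuple(sorted(out.stdout.splitlines()))
        if hasattr(os, "listxattr"):  # fallback where the xattr tool is absent
            return tuple(sorted(os.listxattr(path, follow_symlinks=False)))
    except OSError:
        pass
    return ()

def manifest(root):
    """Map relative path -> (kind, mode bits, detail, xattr names)."""
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root):  # symlinks not followed
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                kind, detail = "symlink", os.readlink(full)
            elif stat.S_ISDIR(st.st_mode):
                kind, detail = "dir", ""
            elif stat.S_ISREG(st.st_mode):
                with open(full, "rb") as fh:
                    kind, detail = "file", hashlib.sha256(fh.read()).hexdigest()
            else:
                kind, detail = "other", ""
            rel = os.path.relpath(full, root)
            entries[rel] = (kind, stat.S_IMODE(st.st_mode), detail, xattr_names(full))
    return entries

def diff_bundles(a, b):
    """Return (relative path, entry in a, entry in b) wherever the copies differ."""
    ma, mb = manifest(a), manifest(b)
    return [(rel, ma.get(rel), mb.get(rel))
            for rel in sorted(set(ma) | set(mb)) if ma.get(rel) != mb.get(rel)]

if __name__ == "__main__" and len(sys.argv) == 3:
    # e.g. /Volumes/MyAppName/MyAppName.app /Applications/MyAppName.app
    for rel, left, right in diff_bundles(sys.argv[1], sys.argv[2]):
        print(rel, f"  first:  {left}", f"  second: {right}", sep="\n")
```

An empty result means the two copies match on all of these properties; an entry shown as `None` exists in only one of the copies.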