I've got an app that has to be build on an older version of the OS, but I codesign on 10.11 (or 10.10) to make it happy with the new version of the signatures. The app does not go to the app store but is distributed directly from my website.
On my 10.11.3 machine, I run the codesign:
codesign --deep --force -s "Developer ID Application: MY_NAME" --verbose=2 MyApp.app/
MyApp.app/: replacing existing signature
MyApp.app/: signed bundle with Mach-O thin (i386) [com.yadda.yadda]
All good well. I then check it:
codesign --verify --deep --verbose=4 --strict MyApp.app/
MyApp.app/: valid on disk
MyApp.app/: satisfies its Designated Requirement
spctl --verbose=4 --assess --type execute MyApp.app/
MyApp.app/: accepted
source=Developer ID
All seems good there, right? Yet, double-clicking on it gives the dreaded "unidentified developer" error message. Any ideas?
Craig