codesign breaks on 10.11.4

The short story: tested with a default Xcode command line tool that says "Hello World".


1) Build a command line tool on 10.11.3 and sign it with my Developer ID. Everything is fine.

2) Test it on 10.11.4 and spctl gives me an "obsolete resource envelope" error.


The deeper problem that this causes:


My app is built on 10.11.3. It is a prefPane with one command line tool and three app bundles (four helper tools) in its bundle. I am getting Gatekeeper warnings on 10.11.4 systems, but not on anything else. It is manually codesigned with my Developer ID... first the helper tool frameworks, then the helper tools themselves and then the prefPane. So everything is signed from the inside-out.


In terminal (on two different machines running 10.11.3) I get:

spctl -a -t exec -vv My.prefPane

/Volumes/Path/To/

source=Developer ID

origin=Developer ID Application: My Company, Inc.


codesign --verbose=4 --deep --strict My.prefPane

/Volumes/Path/To/

/Volumes/Path/To/


In terminal (on two different machines running 10.11.4) I get:

spctl -a -t exec -vv My.prefPane

/Volumes/Path/To/

source=obsolete resource envelope

origin=Developer ID Application: My Company, Inc.


codesign --verbose=4 --deep --strict My.prefPane

/Volumes/Path/To/

/Volumes/Path/To/


The codesign command is taken directly from what Xcode uses:


codesign --force --sign "Developer ID Application: My Company, Inc." --requirements "=designated => anchor apple generic and identifier \"com.mycompany.myproduct.helper\" and ((cert leaf[field.1.2.840.113635.100.6.1.9] exists) or (certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists and certificate leaf[subject.OU] = \"MYAPPLE123\"))" --timestamp=none "$BASEPATH/My.prefPane/Contents/Resources/MyHelper.app"


When I run the above spctl terminal command on the helpers within the bundle on 10.11.4, the three helper app bundles are accepted but the command line tool is rejected with "obsolete resource envelope".


If I copy that command line tool to a 10.11.3 system and run spctl, it is accepted. I have spent more than a day on this and am at a loss as to what is happening. Any ideas?

Both 10.11.3 and 10.11.4 give


codesign --verbose=4 --deep --strict My.prefPane

/Volumes/Path/To/My.prefPane: valid on disk

/Volumes/Path/To/My.prefPane: satisfies its Designated Requirement
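
The per-component check described in the question (running the spctl assessment on each item inside the bundle to find the one that is rejected), as an added example that is not part of the original posts. The function names, the set of bundle suffixes and the sample tree in the usage line are assumptions of this example; the spctl arguments are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: assess every signable component of a bundle on its own.

# List nested bundles and executable files under $1, children before parents,
# so the order matches inside-out signing and the top-level bundle comes last.
# Treating these name suffixes and any executable file as components is an
# assumption of this example.
list_components() {
    find "$1" -depth \
        \( -type d \( -name '*.app' -o -name '*.framework' -o -name '*.prefPane' \) -print \) \
        -o \( -type f -perm -100 -print \)
}

# Read spctl output on stdin and print the value of its first "source=" line.
source_of() {
    sed -n 's/^source=//p' | head -n 1
}

# Run the assessment from the post on each component and print
# "<source><TAB><path>" so a rejected item stands out.
assess_bundle() {
    command -v spctl >/dev/null 2>&1 || { echo "spctl not found" >&2; return 2; }
    list_components "$1" | while IFS= read -r item; do
        # Capture stdout and stderr; a rejection must not abort the loop.
        verdict=$(spctl -a -t exec -vv "$item" 2>&1 | source_of) || true
        printf '%s\t%s\n' "${verdict:-no source line}" "$item"
    done
}

# Usage: sh assess.sh /path/to/My.prefPane
if [ "$#" -gt 0 ]; then
    assess_bundle "$1"
fi
```

Running it on both OS versions and comparing the two listings shows which component changes from "Developer ID" to "obsolete resource envelope".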

Have the same issue with 10.11.5

Have you solved the problem?
