I have an app that customers download from the web. This downloaded app was working fine until 10.11.3; my users started seeing an error starting with 10.11.4. I haven't changed the signing process (or the bundle) between 10.11.3 and 10.11.4. The error that users see is: "MyApp" can't be opened because the identity of the developer can't be confirmed.
After a bit more reading about this on the Apple developer forums, here are the results:
codesign results are successful
codesign --verbose=4 --deep --strict MyApp.app/
InstallForMacOSX.app/: valid on disk
InstallForMacOSX.app/: satisfies its Designated Requirement
More details on codesign:
codesign -dvvv MyApp.app
Format=bundle with generic
CodeDirectory v=20200 size=240 flags=0x0(none) hashes=1+4 location=embedded
Signature size=8926
Authority=Apple Root CA
Timestamp=Apr 13, 2016, 1:00:14 PM
Info.plist entries=2
Sealed Resources version=2 rules=12 files=1
Internal requirements count=2 size=224
spctl returns an error. This is the same error described in other threads.
spctl --raw -a -t exec -vv MyApp.app
InstallForMacOSX.app: rejected
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>assessment:authority</key>
<dict>
<key>assessment:authority:source</key>
<string>obsolete resource envelope</string>
<key>assessment:authority:weak</key>
<true/>
</dict>
<key>assessment:cserror</key>
<integer>-67002</integer>
<key>assessment:originator</key>
<string>Developer ID Application: My Company (390794875)</string>
<key>assessment:remote</key>
<true/>
<key>assessment:verdict</key>
<false/>
</dict>
</plist>
origin=Developer ID Application: My Company (390794875)
My questions are:
- Why do I see different results with spctl and codesign?
- I checked and our bundle has not been changed since 10.9. Then why is this signed app failing only on 10.11.4? (I tried signing the app on 10.11.4; that didn't work either.)
- After reading in detail through https://developer.apple.com/library/mac/technotes/tn2206/_index.html#//apple_ref/doc/uid/DTS40007919-CH1-TNTAG300, here is what I am not sure how to do: "If you're told that only apps from the Mac App Store or registered developers can be installed, your app isn't Developer ID-signed. Use the Xcode Organizer to export a Developer ID-signed copy of your app and repeat the test."
- I have a unique workflow where I don't actually use Xcode to sign the app; I have a script that signs the app right before it is shipped to the customers. I am not sure how to do this outside Xcode.
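Because codesign passes here while spctl rejects, a signing script like the one described can gate the release on the spctl assessment instead. The following is an added example, not part of the original post: it parses the `spctl --raw` output quoted above (condensed onto fewer lines) and lists the reasons to block shipping; the function names `parse_assessment` and `release_gate` are hypothetical.

```python
import plistlib

# Sample input: the spctl output quoted in the post, condensed onto fewer lines.
SAMPLE = b"""InstallForMacOSX.app: rejected
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>assessment:authority</key><dict>
  <key>assessment:authority:source</key><string>obsolete resource envelope</string>
  <key>assessment:authority:weak</key><true/>
</dict>
<key>assessment:cserror</key><integer>-67002</integer>
<key>assessment:originator</key><string>Developer ID Application: My Company (390794875)</string>
<key>assessment:remote</key><true/><key>assessment:verdict</key><false/>
</dict></plist>
origin=Developer ID Application: My Company (390794875)
"""


def parse_assessment(output: bytes) -> dict:
    """Extract the plist that `spctl --raw` prints between its status lines."""
    start, end = output.find(b"<?xml"), output.find(b"</plist>")
    if start < 0 or end < start:
        raise ValueError("no assessment plist in spctl output")
    return plistlib.loads(output[start:end + len(b"</plist>")])


def release_gate(output: bytes) -> list:
    """Return reasons to block shipping; an empty list means accepted."""
    plist = parse_assessment(output)
    # Fail closed: only an explicit true verdict counts as accepted.
    if plist.get("assessment:verdict") is True:
        return []
    authority = plist.get("assessment:authority", {})
    source = authority.get("assessment:authority:source", "no authority given")
    reasons = [f"Gatekeeper rejected: {source}"]
    if "assessment:cserror" in plist:
        reasons.append(f"code signing error {plist['assessment:cserror']}")
    if authority.get("assessment:authority:weak"):
        reasons.append("authority marked weak")
    return reasons


if __name__ == "__main__":
    for reason in release_gate(SAMPLE):
        print(reason)
```

In a signing script, pass it the captured output of the spctl command shown in the post and stop the release when the returned list is not empty.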