Is signing of shell script wrapping applications broken in OS X 10.11?

Signing a .app that wraps a shell script using OS X 10.11 fails to verify on 10.10 or below. I can sign on 10.10 and 10.9 and it verifies on 10.9, 10.10 and 10.11.


I've put two example apps and a script on [GitHub][1] to show this. The two HelloWorld.apps vary only in the binary in Contents/MacOS/HelloWorld. One is a shell script, the other is compiled Objective-C.


Signing works and verifies on 10.11 for both versions:


Shell Script version:


```
codesign -s "${signing_identity}" -v shell-script/HelloWorld.app
signed bundle with generic [liamsharp.helloworld]

codesign -vv shell-script/HelloWorld.app
shell-script/HelloWorld.app: valid on disk
shell-script/HelloWorld.app: satisfies its Designated Requirement
```


Objective-C version:


```
codesign -s "${signing_identity}" -v objective-c/HelloWorld.app
signed bundle with Mach-O thin (x86_64) [liamsharp.helloworld]

codesign -vv objective-c/HelloWorld.app
objective-c/HelloWorld.app: valid on disk
objective-c/HelloWorld.app: satisfies its Designated Requirement
```


But the shell script version fails to verify on 10.10 and 10.9:


```
codesign -vv shell-script/HelloWorld.app
shell-script/HelloWorld.app: invalid signature (code or signature have been modified)
```


I've got access to another 10.11 machine and the same issue occurs when it signs .apps. I've got access to a 10.9 machine, and that also fails to verify.


There is a difference in the _CodeSignature directory produced for the shell script .app.


Here's how it is when signed on 10.10:


```
CodeDirectory
CodeRequirements
CodeResources
CodeSignature
```


But when signed on 10.11 we get some extra files:


```
CodeDirectory
CodeRequirements
CodeRequirements-1
CodeResources
CodeSignature
CodeTopDirectory
```


Is there a magic option I'm missing for codesign to allow this to work? Or is there a bug?


[1]: https://github.com/liamsharp/shellscriptsigning
