Cannot verify app with spctl after successfully codesigning

I'm trying to sign my app but after signing and running a few commands, I'm completely lost.

After signing, I check the result by running:
Code Block
spctl -a -vv ~/MyApp.app

Unfortunately, I only get

Code Block
/Users/rwardrup/Desktop/MyApp.app: rejected
origin=Apple Distribution: Robert Wardrup (##########)


Additionally, if I run
Code Block
codesign -vv --deep-verify

I get
Code Block
/Users/rwardrup/Desktop/MyApp.app: valid on disk
/Users/rwardrup/Desktop/MyApp.app: satisfies its Designated Requirement


The app runs as expected and everything; I just can't get spctl to give a satisfactory answer. I'm signing everything by running this in my script:

Code Block
find ~/Desktop/MyApp.app/Contents/Resources/* | xargs -I $ codesign -f --verify --sign "##########" $
find ~/Desktop/MyApp.app -name "*.dylib" | xargs -I $ codesign -f --verify --sign "##########" $
find ~/Desktop/MyApp.app -name "*.framework" | xargs -I $ codesign -f --verify --sign "##########" $
codesign -f --sign "##########" --options runtime --timestamp --verbose --entitlements MyApp-Entitlements.plist ~/Desktop/MyApp.app


Where could I be going wrong? Are there any other commands I can run that would give me more information to go on?

I also removed everything in the Frameworks, PlugIns, and Resources directories and signed it again. The only thing remaining is the binary in the MacOS directory and the Info.plist, and spctl still says rejected.

EDIT: Additionally, I started a new project in Xcode and tried signing the default blank window that is generated when you first start a project and that is still rejected.
Why are you doing this? What are you trying to do?

The "Apple Distribution" certificate is something that is only used to sign an app before distributing via the Mac App Store. Normally Xcode manages this and does all the signing for you. If you are building an app and feel the need to do something (other than git) on the command line, then, in most cases, you are doing something horribly wrong.

Whether or not you can run the app locally is irrelevant.

Since I don't know what you are trying to do, it is difficult to give you a straightforward answer. I can state with some certainty that you probably shouldn't be doing any of this.
I wrote the app in C++ and didn't use Xcode for this project otherwise I would have done it the simple way.

I did some more testing last night and everything did work correctly if I used the Developer ID certificate to sign, and then notarized using xcrun. The spctl didn't reject it in that case. So, if signed using the 3rd Party Mac Developer Application certificate, will spctl return rejected if the app wasn't installed from the App Store?

I was trying to run spctl because I read somewhere that I need to do so in order to check that everything was in order before submission. I may have misread though.

Pardon my questions. This is complicated and I really wish I had used Xcode.

So, if signed using the 3rd Party Mac Developer Application
certificate, will spctl return rejected if the app wasn't installed
from the App Store?

Development signing identities should only be used for local development. If you attempt to distribute a development-signed build, you will run into problems. To start, the notary service won’t accept them, so you won’t be able to notarise.

If you want to distribute independently:
  1. Sign with a Developer ID signing identity.

  2. Then notarise.

I was trying to run spctl because I read somewhere that I need to do
so in order to check that everything was in order before submission.

That doesn’t make a lot of sense. You can use spctl to check after you’ve notarised, and that might be helpful, but my recommendation is that you test your Gatekeeper compatibility using the technique described in Testing a Notarised Product. It’s a much more reliable check.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
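
The two steps listed above (Developer ID signing, then notarisation), followed by the spctl check, as an added shell example that is not part of any post in this thread. The use of `notarytool` with a stored keychain profile, the function names, and every identity, profile and path value are assumptions; it defaults to a dry run that only prints the commands in the order they would execute.

```shell
#!/bin/sh
# Added example, not from the thread. DRY_RUN=1 (the default) only prints each
# command; set DRY_RUN=0 on a Mac with the signing identity installed to run them.
: "${DRY_RUN:=1}"

run() {
    printf '%s\n' "$*"
    [ "$DRY_RUN" = 1 ] || "$@"
}

# Nested code, deepest first (-depth), so a dylib inside a framework is signed
# before the framework, and everything nested before the app that contains it.
# Paths containing newlines are not handled.
nested_code() {
    find "$1/Contents" -depth \( -name '*.dylib' -o -name '*.framework' \) -print
}

# Args: app bundle, Developer ID identity, notarytool keychain profile, entitlements.
sign_and_notarise() {
    app=$1 identity=$2 profile=$3 entitlements=$4
    zip="${app%.app}.zip"
    nested_code "$app" | while IFS= read -r item; do
        run codesign --force --timestamp --options runtime \
            --sign "$identity" "$item" || exit 1
    done || return 1
    run codesign --force --timestamp --options runtime \
        --entitlements "$entitlements" --sign "$identity" "$app" || return 1
    run codesign --verify --deep --strict -vv "$app" || return 1
    # The notary service takes an archive, not a bare .app directory.
    run ditto -c -k --keepParent "$app" "$zip" || return 1
    run xcrun notarytool submit "$zip" --keychain-profile "$profile" --wait || return 1
    run xcrun stapler staple "$app" || return 1
    # Gatekeeper assessment is only meaningful at this point, after notarisation.
    run spctl -a -vv "$app"
}

# Example invocation (all four values are placeholders):
#   DRY_RUN=0 sh sign.sh ~/Desktop/MyApp.app "Developer ID Application: NAME (TEAMID)" \
#       my-notary-profile MyApp-Entitlements.plist
if [ "$#" -ge 4 ]; then
    sign_and_notarise "$@"
fi
```
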

I wrote the app in C++ and didn't use Xcode for this project otherwise I would have done it the simple way.

Xcode can do C++. If you are trying to deploy via the Mac App Store, then you must have some sort of GUI. I'm guessing this is Yet Another Qt Question, amiright?

Technically speaking, I'm sure you could write a Qt app in Xcode and then make use of many of Xcode's built-in features. I don't know if that would be an easier path at this point, however.

I was trying to run spctl because I read somewhere that I need to do so in order to check that everything was in order before submission.

I can't provide too much help on this point because I would never attempt to deploy an App Store binary using a 3rd party environment. I can tell you that you are confusing yourself by mixing up Developer ID with Mac App Store issues. They are completely separate. You may need to do some kind of preflight step of checking the signature of your installer before you upload with ApplicationLoader? You just have to focus on doing that strictly for Mac App Store apps and keep Developer ID complications out of it. I'm not sure if spctl is ever going to give you a reasonable answer. When you submit to the Mac App Store, Apple re-signs everything. If you keep searching, you may be able to find some recent instructions on how to do this for 3rd-party Mac App Store submissions.

This is complicated and I really wish I had used Xcode. 

You can't do anything about the past. What's done is done and you'll never get those days back. How much time and effort from your future do you want to continue to sink into that hole?