Notarization of zip file results in inconsistent executable behavior

I have a custom bundle of command line executables and their dependent libraries. I packaged them in a zip. Codesigned all the "Mach-O" files; the notarization went fine. The notarized zip is intended to be distributed via the web, i.e. s3. When testing the zip downloaded from the web, I see the dialog box about '"xyz" cannot be opened because the developer cannot be verified' for a handful of the executables.

What is interesting is that some of the executables do not trigger the developer identity dialog box. It seems to be rather inconsistent. I double checked to ensure all these files are codesigned.

Does anybody have an idea what might be causing this issue?

The most common cause for this is that you’ve opted out of library validation. This causes Gatekeeper to be more stringent about checking the libraries imported by your tool.

So, do any of your executables have the com.apple.security.cs.disable-library-validation set?

IMPORTANT Don’t look at your .entitlements file for this, but rather dump the entitlements in the code signature using:

Code Block
% codesign -d --entitlements :- /path/to/your/tool


Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
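Because only some of the executables in the bundle show the dialog, the check from the reply above can be run over every Mach-O file in the unpacked zip. The script below is an added example, not code from the thread or from Apple: it calls the same `codesign -d --entitlements :-` command for each file and lists those whose signature sets `com.apple.security.cs.disable-library-validation`. The function names and the directory argument are assumptions for illustration, and the audit itself needs macOS with `codesign` on the PATH.

```python
import plistlib
import subprocess
import sys
from pathlib import Path

KEY = "com.apple.security.cs.disable-library-validation"
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # 32-bit thin
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # 64-bit thin
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",  # universal (fat)
}

def is_macho(path):
    """Cheap filter: does the file start with a Mach-O magic number?"""
    try:
        with open(path, "rb") as f:
            return f.read(4) in MACHO_MAGICS
    except OSError:
        return False

def opts_out_of_library_validation(entitlements_xml):
    """True if the signed entitlements plist sets KEY to true."""
    if not entitlements_xml.strip():
        return False  # the signature carries no entitlements at all
    return plistlib.loads(entitlements_xml).get(KEY) is True

def signed_entitlements(path):
    """Entitlements embedded in the code signature, as XML plist bytes."""
    result = subprocess.run(
        ["codesign", "-d", "--entitlements", ":-", str(path)],
        capture_output=True, check=False)
    return result.stdout  # codesign's status lines go to stderr

def audit(root):
    """Return the Mach-O files under root that opt out of library validation."""
    flagged = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and not p.is_symlink() and is_macho(p):
            if opts_out_of_library_validation(signed_entitlements(p)):
                flagged.append(p)
    return flagged

if __name__ == "__main__":
    # Hypothetical usage: python3 audit_entitlements.py /path/to/unzipped/bundle
    for p in audit(sys.argv[1]):
        print(f"{KEY} set in signature: {p}")
```

Comparing the flagged list with the executables that show the "developer cannot be verified" dialog tells you whether the opt-out lines up with the inconsistent behaviour.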