Gatekeeper rejecting my notarized app

I have a macOS bundle application which I've signed, packed into a dmg and notarized. When I upload and download the dmg and copy the app somewhere, it is rejected by Gatekeeper: “my” cannot be opened because the developer cannot be verified. or “check-signature” cannot be opened because it is from an unidentified developer. Tested on Monterey and High Sierra.

In the past it worked, but my HDD crashed so I had to install the OS and the whole development environment again. Now I'm trying with a different Xcode version (13.4.1) and some 3rd party C++ libraries are newer, but basically the layout of the application is the same, and so is the code signing post-build script which calls codesign inside out.

In the Contents/MacOS folder my application contains a nested bundle app. When I omit that nested bundle and notarize the app, Gatekeeper is happy, but I need that nested application.

When I verify the dmg or the extracted application, there is no problem:

spctl -a -t exec -vvv my.app 
my.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: my company (L….)
spctl -a -t exec -vvv my.app/Contents/MacOS/nested.app
my.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: my company (L….)
codesign --verify --deep --strict -v my.app
my.app: valid on disk
my.app: satisfies its Designated Requirement

I've also tried the check-signature tool (ironically, it is not notarized):

./check-signature my.app .my.dmg 
(c) 2014 Apple Inc. All rights reserved.
my.app: YES
my.dmg: YES

I've also checked the logs and found nothing suspicious. Mounting the DMG:

assessment granted for my.dmg by Notarized Developer ID
com.apple.message.domain: com.apple.security.assessment.outcome2
com.apple.message.signature2: bundle:UNBUNDLED
com.apple.message.signature3: my.dmg
com.apple.message.signature5: UNKNOWN
com.apple.message.signature4: 3
com.apple.message.signature: granted:Notarized Developer ID

Some log entries from Finder about opening the app, then this from syspolicyd:

assessment granted for .app by Developer ID
com.apple.message.domain: com.apple.security.assessment.outcome2
com.apple.message.signature2: bundle:com.my
com.apple.message.signature3: .app
com.apple.message.signature5: 1.0
com.apple.message.signature4: 1
com.apple.message.signature: granted:Developer ID

I've followed advice from other threads on this forum, but I cannot figure out anything. Any idea what else I can do to see what exactly the problem is? Thank you.

I have a hierarchy of posts, rooted at Resolving Trusted Execution Problems, that explains how to investigate issues like this. I recommend that you start with Resolving Gatekeeper Problems Caused by Dangling Load Command Paths. This is by far the most common cause of this problem. If that doesn’t resolve the issue, start at the top and let us know what you uncover.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thank you for the reply. I could not find logs from XprotectService; I'm not sure I've checked the right place, I was looking in the Console utility. I went through my dylibs and executables manually and found dangling LC_RPATH entries pointing to their build path on the developer machine in some dylibs, but I guess they were not used, since the app could run on the testing VM when Gatekeeper was overridden. But removing these LC_RPATH entries partially helped, because after notarization Gatekeeper is now happy on my developer machine with Monterey 12.3.1, but it still does not pass Gatekeeper on my VM (10.13.6).

Accepted Answer

but it still does not pass gatekeeper at my VM (10.13.6).

Well, there’s a bunch of other posts in the Resolving Trusted Execution Problems hierarchy that might help here. But let’s start with some basics.

I've found dangling LC_RPATH

The fact that you needed to do that suggests that you have library validation disabled. Why is that?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I've found that one of my binaries had library validation disabled, which is not necessary, so I removed it, and it still didn't help (also, an older version of my app had the same setting with no problem). Finally, I found the problem when I searched the logs using the command line instead of the Console utility. The Console utility does not show the XprotectService logs, which show there is a problem with libcrypto.dylib loading from libssl.dylib. Both libraries had LC_RPATH set to the value "@rpath". This seems to be no problem on Monterey, but High Sierra's Gatekeeper does not like it. It is strange, because I've just compiled OpenSSL from source and I don't remember setting the rpath like that. I've just removed the LC_RPATH and now it works, so thank you for your help.
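Both the dangling-load-command advice in the accepted answer and the final fix (an LC_RPATH of bare "@rpath" in libssl/libcrypto) come down to inspecting a Mach-O's load commands before notarizing. The example below is added here and is not code from this thread, from Apple, or from Apple's Resolving Trusted Execution Problems posts: it parses LC_RPATH and LC_LOAD_DYLIB-family commands straight from the Mach-O header the way `otool -l` would show them, then applies simple pre-submission heuristics. The heuristics (flag a bare "@rpath" search entry, absolute paths outside /usr/lib and /System, and @rpath dependencies with no bundle-relative LC_RPATH to resolve them) are my assumptions about what tends to trip Gatekeeper, not a statement of Gatekeeper's actual rules. It assumes a little-endian, single-architecture 64-bit image (a universal/fat binary must be thinned first), and the sample image it audits is constructed in the code.

```python
import struct
import sys

# Mach-O constants (from <mach-o/loader.h>)
MH_MAGIC_64 = 0xFEEDFACF
LC_REQ_DYLD = 0x80000000
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x18 | LC_REQ_DYLD
LC_REEXPORT_DYLIB = 0x1F | LC_REQ_DYLD
LC_RPATH = 0x1C | LC_REQ_DYLD
DEP_CMDS = {LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB}

# Absolute dependency locations that are always present on a clean install.
SYSTEM_PREFIXES = ("/usr/lib/", "/System/")
# Loader variables that resolve relative to the bundle itself.
BUNDLE_RELATIVE = ("@executable_path", "@loader_path")


def _lc_str(data, cmd_off, str_off, cmdsize):
    """Read an lc_str: a NUL-terminated string at str_off from the command start."""
    raw = data[cmd_off + str_off:cmd_off + cmdsize]
    return raw.split(b"\0", 1)[0].decode("utf-8")


def load_paths(data):
    """Return (rpaths, dependencies) from a single-arch 64-bit Mach-O image."""
    magic, _cputype, _cpusub, _ftype, ncmds, sizeofcmds = struct.unpack_from("<IiiIII", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O image (thin a fat binary first)")
    rpaths, deps = [], []
    off = 32  # sizeof(struct mach_header_64)
    end = off + sizeofcmds
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("truncated load commands")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize")
        if cmd == LC_RPATH:
            (str_off,) = struct.unpack_from("<I", data, off + 8)   # rpath_command.path
            rpaths.append(_lc_str(data, off, str_off, cmdsize))
        elif cmd in DEP_CMDS:
            (str_off,) = struct.unpack_from("<I", data, off + 8)   # dylib_command.dylib.name
            deps.append(_lc_str(data, off, str_off, cmdsize))
        off += cmdsize
    return rpaths, deps


def audit(rpaths, deps):
    """Heuristic checks (assumptions, not Gatekeeper's rules) on load-command paths."""
    findings = []
    has_bundle_relative_rpath = any(r.startswith(BUNDLE_RELATIVE) for r in rpaths)
    for r in rpaths:
        if r == "@rpath":
            findings.append(f"LC_RPATH {r!r}: bare @rpath search entry cannot resolve itself")
        elif r.startswith("/") and not r.startswith(SYSTEM_PREFIXES):
            findings.append(f"LC_RPATH {r!r}: absolute path outside system locations (build-machine path?)")
    for d in deps:
        if d.startswith("/") and not d.startswith(SYSTEM_PREFIXES):
            findings.append(f"LC_LOAD_DYLIB {d!r}: absolute dependency outside /usr/lib and /System")
        elif d.startswith("@rpath/") and not has_bundle_relative_rpath:
            findings.append(f"LC_LOAD_DYLIB {d!r}: @rpath dependency with no bundle-relative LC_RPATH")
    return findings


# --- constructed sample image: mimics the libssl.dylib situation in the thread ---
def _align(n, a=8):
    return (n + a - 1) // a * a


def _rpath_cmd(path):
    body = path.encode() + b"\0"
    size = _align(12 + len(body))
    return struct.pack("<III", LC_RPATH, size, 12) + body.ljust(size - 12, b"\0")


def _dylib_cmd(cmd, name):
    body = name.encode() + b"\0"
    size = _align(24 + len(body))
    # dylib_command: cmd, cmdsize, name.offset, timestamp, current_version, compatibility_version
    return struct.pack("<IIIIII", cmd, size, 24, 2, 0x10000, 0x10000) + body.ljust(size - 24, b"\0")


def build_sample():
    cmds = [
        _dylib_cmd(LC_LOAD_DYLIB, "/usr/lib/libSystem.B.dylib"),
        _dylib_cmd(LC_LOAD_DYLIB, "@rpath/libcrypto.dylib"),
        _rpath_cmd("@rpath"),                        # the self-referential entry from the thread
        _rpath_cmd("/Users/dev/build/openssl/lib"),  # constructed build-machine path
    ]
    payload = b"".join(cmds)
    # mach_header_64: magic, cputype (ARM64), cpusubtype, filetype (MH_DYLIB), ncmds, sizeofcmds, flags, reserved
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 6, len(cmds), len(payload), 0, 0)
    return header + payload


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    rp, dp = load_paths(data)
    for f in audit(rp, dp) or ["no findings"]:
        print(f)
```

Run it with no arguments to audit the constructed sample, or pass a thinned 64-bit dylib or executable from the bundle to audit a real file; on macOS, `otool -l` on the same file lets you confirm each LC_RPATH and LC_LOAD_DYLIB the parser reports. The same heuristics can be applied over every Mach-O under Contents/ (including the nested .app) as a pre-notarization check.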
