Application terminated by Gatekeeper on Apple silicon Mac

I have a .NET 6 application that runs in the background. The installer is a .pkg file built using a third-party tool called "Packages". All .dylib and executable files are codesigned before packaging. The resulting .pkg file is notarized.

The app uses these entitlements:

  • com.apple.security.cs.allow-jit
  • com.apple.security.cs.allow-unsigned-executable-memory
  • com.apple.security.cs.allow-dyld-environment-variables
  • com.apple.security.cs.disable-library-validation

The app is built on a MacBook Air 2015 running macOS 12.6 and it works without issues on that machine. On a MacBook Pro M3 running macOS 14.6.1 the app fails to run even though the installation itself is successful.

The only logs that I was able to find are related to syspolicyd (4 warnings):

  • Unable to apply protection to app: 45, PST: (vuid: A78FF6C2-08D5-4DCC-B946-8836251AA0E7), (objid: 1873967), (team: (null)), (id: (null)), (bundle_id: (null))
  • Failed to register app bundle for protection: 45, PST: (vuid: A78FF6C2-08D5-4DCC-B946-8836251AA0E7), (objid: 1873967), (team: (null)), (id: (null)), (bundle_id: (null))
  • scan failed, finishing evaluation : PST: (vuid: A78FF6C2-08D5-4DCC-B946-8836251AA0E7), (objid: 1873967), (team: (null)), (id: (null)), (bundle_id: (null))
  • Terminating process due to Gatekeeper rejection: 95158, <private>

Unfortunately, verification commands such as

  • sudo codesign --verify --deep --strict -vvv MyApplication.App
  • spctl -a -vvv -t install MyApplicationInstaller.pkg

do not indicate any issues.

Are there any additional steps that need to be performed in order for my app to work properly on newer machines?

Answered by GrzegorzXopero in 825780022

I was able to solve it. Turns out that my app's executable is a "Unix Executable File" but it's treated as an .App because its name is "MyApp.Test.App". Everything works fine after removing periods from the name.
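
A pre-packaging check for the cause named in the answer above, added here as an example and not part of the original thread: it lists regular files whose name ends in ".app" in any letter case, which is what made the executable look like a bundle. The function names and the sample payload tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-packaging check for files named like app bundles.

# Print every regular file under $1 whose name ends in ".app" (any case).
# Real bundles are directories, so -type f skips them; files inside a
# bundle are reported only if they carry the extension themselves.
list_app_named_files() {
    find "$1" -type f -iname '*.app' | sort
}

# Return 0 if the payload is clean, 1 (with a report on stderr) otherwise.
check_payload() {
    hits=$(list_app_named_files "$1")
    if [ -z "$hits" ]; then
        return 0
    fi
    printf 'Regular files with a bundle-style name:\n%s\n' "$hits" >&2
    return 1
}

# Constructed sample payload (hypothetical layout, not from the thread).
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/payload/Real.app/Contents/MacOS" "$tmp/payload/bin"
    : > "$tmp/payload/Real.app/Contents/MacOS/Real"   # inside a real bundle
    : > "$tmp/payload/bin/MyApp.Test.App"             # the case from the thread
    : > "$tmp/payload/bin/MyAppTest"                  # name without periods
    (cd "$tmp/payload" && list_app_named_files .)
    rm -rf "$tmp"
}

demo
```

Running `check_payload` on the payload directory before building the .pkg makes the build fail early instead of the process being killed on the target machine.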

What does syspolicy_check report?

PS I have a lot of info on how to track down weird trusted execution problems in Resolving Trusted Execution Problems. Nothing in your post rings any bells there, so it’s best to start with the basics.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Result of "syspolicy_check distribution":

App has failed one or more pre-distribution checks.

Codesign Error File: /Users/user/Documents/MyApp.pkg Severity: Fatal Full Error: File is not signed at all. Type: Notary Error

Notary Ticket Missing File: /Users/user/Documents/MyApp.pkg Severity: Fatal Full Error: A Notarization ticket is not stapled to this application. Type: Distribution Error

Seems odd as "pkgutil --check-signature" shows that the installer is both signed and notarized.

Written by GrzegorzXopero in 824911022
Seems odd as pkgutil --check-signature

Code signing and installer signing are very different things. That’s why there are separate Developer ID Application and Developer ID Installer signing identities.

syspolicy_check should fail with an error telling you this; I’ve filed a bug requesting that (r. 144773374).

In your case, you should install the package and then run syspolicy_check against the resulting app.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Written by DTS Engineer in 824927022
In your case, you should install the package and then run syspolicy_check against the resulting app.

App has failed one or more pre-distribution checks.

Notary Ticket Missing File: app/MyApp.App Severity: Fatal Full Error: A Notarization ticket is not stapled to this application. Type: Distribution Error

And that’s that? I was hoping for something more )-:

Note that that error is irrelevant in your case because you’ve notarised and stapled your installer package.

Earlier you wrote:

Written by GrzegorzXopero in 774247021
On … macOS 14.6.1 the app fails to run

What are the symptoms of that? Is the app blocked by Gatekeeper, resulting in the alert described by the Gatekeeper Basics section of Resolving Trusted Execution Problems? Or does the app start to run and then crash?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Unfortunately, that's the only info provided by syspolicy_check.

Written by DTS Engineer in 825015022
What are the symptoms of that? Is the app blocked by Gatekeeper, resulting in the alert described by the Gatekeeper Basics section of Resolving Trusted Execution Problems? Or does the app start to run and then crash?

It gets instantly killed. When trying to run it from the terminal, the only info I get is "killed".

There are no messages when double-clicking in Finder. It looks like something's happening in the Dock for about 0.1s (like it's starting to make space for a new icon), but that's it.
