Production OS X app won't run on some systems: "unidentified developer"

I was putting the final touches on my production build scripts when I discovered that the apps I'm producing won't run on some machines.


My final build target builds the products for distribution (DEPLOYMENT_POSTPROCESSING=YES, Target=Deployment). These are then packaged in a disk image.


I can open the disk image on my computer and run all of the apps. Note that some of the app bundles include privileged helper tools that must be correctly signed, and apparently they are because they get installed.


I then copy the disk image to three other test systems (OS X 10.7, 10.9, and 10.10) and try to run them there. None of the apps will launch. I get a message that they are from an "unidentified developer". (Note that all of these systems, including mine, only allow App Store and identified apps to be launched.)


If I perform a codesign --verify or codesign --display -r- and dump the signing information for the apps, everything looks like it's been signed. (If I do the same to an Apple app like Numbers, I get a very similar output.)


So I'm not sure what's going on, but it's put a big cramp in my testing. 😟

Update: I logged out of my developer accounts in Xcode, cleaned the project, restarted everything, logged back in, and rebuilt the projects.


Now the apps will run on my development system (10.10) and two test systems (10.7 and 10.8), but not on two other test systems (both 10.10). Same message: "app is from an unidentified developer."


codesign reports that both apps are signed.

This just keeps getting weirder and weirder.


I went back to the Code Signing Guide and found the spctl command. According to the docs, this command will tell you if a signed executable is suitable for a given purpose. I executed this command and got a "rejected" result:


$ spctl --assess --type execute "/Volumes/Distribution Disk Image/MyApp.app"
/Volumes/Distribution Disk Image/MyApp.app: rejected


This happens on all of my systems (all versions), yet on three systems the OS will still let me launch and install the app (which includes installing a privileged helper tool). While this seems inconsistent, I'm going to ignore that anomaly for now.


So clearly, there's something about my code signature that OS X doesn't like, but I can't find any tools that will tell me what the problem is or why it's being rejected. The only thing unusual about my Xcode project settings is that I had to add the --deep option to the signing tool phase because my app is bundled with embedded frameworks and a privileged helper tool. Note that two other apps, produced in the same build, do not have this option, they don't contain any embedded frameworks or executables, and they're failing too.


Any suggestions on where to look next or what to look for?

The "app is from unidentified developer" message is from the Gatekeeper/Developer ID subsystem, an administrator-level security feature added in OS X 10.8 and configurable in the Security and Privacy pane of System Preferences. Look in the General tab for "Allow apps downloaded from:" with three security levels: (1) App Store only, (2) App Store and identified developers (the default setting), and (3) anywhere. You could disable the security feature on your test Macs, but that's not an ideal solution. A better, but still temporary, solution is to right-click on the app in the Finder and choose "Open" from the context menu—you'll get the ability to override Gatekeeper just this once while maintaining protection. Of course, the ideal situation is to configure your code signature so that you're recognized as an "identified developer." Here's how to do this:

1. Archive your app.

2. In the Archives organizer, select your most recent build.

3. Click Export in the right-side sidebar.

4. Choose the second item: "Export a Developer ID-signed Application"

5. Follow the onscreen directions to sign and export your build.


You are in the Apple Developer Program, right? If not, then you won't be able to access the Developer ID signing resources and will be stuck with the workaround techniques.

bob133,


I know all of that. As I stated, all of my systems are set to allow apps from the App Store and identified developers.


> Of course, the ideal situation is to configure your code signature so that you're recognized as an "identified developer."


Yes, that's what I'm trying to do...

OK, I seemed to have made some headway.


After patiently going through the process of setting up code signing for all twenty of my targets, I found that Xcode—at some point in the recent past—decided to change the General > Identity > Signing settings for my application targets from "Developer ID" to "Mac App Store", so none of my app bundle targets were being signed for ad hoc distribution.


I fixed that, but now my bundled helper won't install because its credentials don't match the app signature any more. *sigh* But at least I'm on the right track....
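
Added example, not part of the original thread: codesign --verify only says a bundle is signed, not which kind of identity signed it, which is what hid the "Mac App Store" versus "Developer ID" mix-up described above. This sketch classifies the leaf Authority= line of `codesign -dvv` output and does a coarse TeamIdentifier comparison between app and helper. The function names and the sample outputs are hypothetical and constructed for illustration; the team comparison is an assumed sanity check, not the full helper requirement match.

```shell
#!/bin/sh
# signing_kind: reads `codesign -dvv` text on stdin and prints one of
# developer-id | mac-app-store | development | adhoc | unknown
signing_kind() {
    awk '
        /^Signature=adhoc/ { kind = "adhoc" }
        # The first Authority= line names the leaf (signing) certificate.
        /^Authority=/ && !seen {
            seen = 1
            leaf = substr($0, 11)
            if (leaf ~ /^Developer ID Application:/) kind = "developer-id"
            else if (leaf ~ /^3rd Party Mac Developer Application:/) kind = "mac-app-store"
            else if (leaf ~ /^(Mac Developer|Apple Development):/) kind = "development"
        }
        END { print (kind ? kind : "unknown") }
    '
}

# team_id: prints the TeamIdentifier value from the same text.
team_id() { sed -n 's/^TeamIdentifier=//p' | head -n 1; }

# same_signer APP_TEXT HELPER_TEXT: succeeds only when both are Developer ID
# signed and report the same, non-empty team (coarse check, see lead-in).
same_signer() {
    [ "$(printf '%s\n' "$1" | signing_kind)" = developer-id ] &&
    [ "$(printf '%s\n' "$2" | signing_kind)" = developer-id ] &&
    [ -n "$(printf '%s\n' "$1" | team_id)" ] &&
    [ "$(printf '%s\n' "$1" | team_id)" = "$(printf '%s\n' "$2" | team_id)" ]
}

# Constructed sample outputs (placeholder names and team ID).
SAMPLE_MAS='Identifier=com.example.MyApp
Authority=3rd Party Mac Developer Application: Example Corp (ABCDE12345)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345'
SAMPLE_DEVID='Identifier=com.example.MyApp
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345'

# On a Mac, pass a bundle path to classify it (codesign -d prints to stderr).
if [ -n "${1:-}" ] && command -v codesign >/dev/null 2>&1; then
    codesign -dvv "$1" 2>&1 | signing_kind
fi
```

A result of mac-app-store on a bundle meant for direct download matches the "rejected" assessment from spctl: the signature is valid, but it is not a Developer ID signature.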

Did my directions make sense? I'm sorry if they were unclear…


Wait a minute—didn't you say you've got a custom installer? There's a way to use Developer ID with those, but I haven't had to look into the more advanced stuff because my app is a self-contained package. Have you looked at the Apple documentation?
