Our app .dmg file was successfully code signed. We then revised the app and created a new .dmg.
Running codesign gave an "app is already signed" message. Then running codesign -dv said "code object is not signed at all".
Older solutions said to use -f to force signing, but that is no longer an option.
I’ve seen problems like this before. In one case it was because the developer was passing multiple subcommands to the codesign command. That is, they were passing in --sign (aka -s) and --verify (aka -v) to the same codesign invocation, and that caused weird issues. And the solution was to stop doing that (-:
However, the most common cause is that the app doesn’t follow the rules in Placing content in a bundle or you’re not following the steps to sign nested code in Creating distribution-signed code for macOS. Consider this example:
% mkdir -p MyTrue.app/Contents/MacOS
% cp /usr/bin/true MyTrue.app/Contents/MacOS/MyTrue
% cp /usr/bin/false MyTrue.app/Contents/MacOS/MyFalse
% codesign --remove-signature MyTrue.app/Contents/MacOS/MyFalse
% codesign --remove-signature MyTrue.app/Contents/MacOS/MyTrue
% codesign -s - MyTrue.app
MyTrue.app: code object is not signed at all
In subcomponent: /Users/quinn/Test/MyTrue.app/Contents/MacOS/MyFalse
This bundle structure is correct but signing fails because I’m signing code in the wrong order. When you sign nested code, you have to do that from the inside out.
As to what’s happening in your specific case, that’s hard to say. If the resources above don’t help, I’d be happy to dig into your situation. Just post some concrete steps to reproduce the problem and a link to where I can download the app you’re trying to sign.
IMPORTANT When posting links, consider tip 14 in Quinn’s Top Ten DevForums Tips.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
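The inside-out rule from the reply above, as an added example that is not part of the original thread or Apple's tooling: a shell helper that lists a bundle's nested code before the bundle itself, then signs in that order. The function names, the `DRY_RUN` variable, the list of bundle extensions, and the rule that the main executable is named after its bundle are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: sign a bundle's nested code from the inside out.
# Assumption: a bundle's main executable is named after the bundle
# (MyTrue.app -> Contents/MacOS/MyTrue); a real tool would read
# CFBundleExecutable from Info.plist instead.

# is_main_executable PATH: true if PATH is Contents/MacOS/<bundle name>.
is_main_executable() {
    macos_dir=$(dirname "$1")
    bundle_dir=$(dirname "$(dirname "$macos_dir")")
    bundle_name=$(basename "$bundle_dir")
    [ "$(basename "$1")" = "${bundle_name%.*}" ]
}

# signing_order BUNDLE: print nested code first, the outer bundle last.
signing_order() {
    # find -depth lists a directory's contents before the directory itself,
    # which gives the inside-out order directly.
    find "$1" -depth | while IFS= read -r path; do
        case "$path" in
            *.app|*.framework|*.xpc|*.appex|*.bundle)
                if [ -d "$path" ]; then printf '%s\n' "$path"; fi ;;
            *.dylib)
                if [ -f "$path" ]; then printf '%s\n' "$path"; fi ;;
            */Contents/MacOS/*)
                # Helper tools are signed on their own; the main executable
                # is signed when its enclosing bundle is signed.
                if [ -f "$path" ] && [ -x "$path" ] &&
                   ! is_main_executable "$path"; then
                    printf '%s\n' "$path"
                fi ;;
        esac
    done
}

# sign_inside_out BUNDLE IDENTITY: sign each item in that order.
# DRY_RUN=1 prints the codesign commands instead of running them.
sign_inside_out() {
    signing_order "$1" | while IFS= read -r item; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf 'codesign -s %s %s\n' "$2" "$item"
        else
            codesign -s "$2" "$item" || exit 1
        fi
    done
}
```

For the MyTrue.app layout above, `DRY_RUN=1 sign_inside_out MyTrue.app -` prints the command for MyFalse first and the one for MyTrue.app last.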