Validating macOS apps that pass codesign, spctl, and check-signature but fail to run "because the identity of the developer cannot be confirmed"

My macOS app is codesigned and runs on some computers but on another it fails to run since Gatekeeper pops up "{App} can't be opened because the identity of the developer cannot be confirmed."

I want to detect this issue on the build machine before distributing a faulty .dmg, so I looked into Apple's docs on Checking Gatekeeper Conformance and Examining a Code Signature, which discuss codesign, spctl, and check-signature. What's confusing is that all of these tools report that the .app is signed by my developer account.

$ codesign -v --strict --deep --verbose=2 App.app
App.app: valid on disk
App.app: satisfies its Designated Requirement

$ codesign -d --deep --verbose=2 -r- App.app
Executable=/Applications/App.app/Contents/MacOS/App
Identifier=com.example.app
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=196 flags=0x0(none) hashes=3+3 location=embedded
Signature size=8539
Authority=Developer ID Application: Company, Inc. (XXXXXXXXXX)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Sep 22, 2016, 7:32:19 PM
Info.plist entries=21
TeamIdentifier=XXXXXXXXXX
Sealed Resources version=2 rules=12 files=10708
Nested=Frameworks/Squirrel.framework
Nested=Frameworks/App Helper NP.app
Nested=Frameworks/App Helper.app
Nested=Frameworks/App Helper EH.app
Nested=Frameworks/Mantle.framework
Nested=Frameworks/ReactiveCocoa.framework
Nested=Frameworks/Electron Framework.framework
Internal requirements count=1 size=172
designated => identifier "com.example.app" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = XXXXXXXXXX

$ spctl --assess -vv App.app
App.app: accepted
source=Developer ID
origin=Developer ID Application: Company, Inc. (XXXXXXXXXX)

$ check-signature App.app
(c) 2014 Apple Inc.  All rights reserved.
YES

The Certificates, Identifiers & Profiles website shows unexpired "Developer ID Application" and "Developer ID Installer" certificates under my account. I've never revoked any Mac signing certificates. I've also checked that CFBundlePackageType in the app's Info.plist is set to APPL.

What is going on here?


Update: Upgrading the Mac from El Capitan to Sierra resolved the issue. I'd still be interested to learn what the issue could have been in case there are users out there encountering it.

Achondroplasia answered 30/9, 2016 at 2:45 Comment(3)
Rosenwald: Which setting is Gatekeeper set to?
Achondroplasia: It's set to accept apps from the Mac App Store and identified developers. Upgrading from El Capitan to Sierra magically fixed the issue; maybe it was a bug with OS X.
Coonan: I've seen this behaviour before and restarting the machine fixes it, so I would agree that it's a bug in OS X.

In my case this message came up when an embedded third-party framework had a bad run path setting: LD_RUNPATH_SEARCH_PATHS in the build settings referenced something it was not allowed to.

Apple documents this here https://developer.apple.com/library/content/technotes/tn2206/_index.html#//apple_ref/doc/uid/DTS40007919-CH1-TNTAG207

If an app uses @rpath or an absolute path to link to a dynamic library outside of the app, the app will be rejected by Gatekeeper.

And they even state:

Neither the codesign nor the spctl tool will show the error. The error will only appear in the system log.

The solution was to change the third-party framework's run path setting to something standard like this:

$(inherited) @executable_path/../Frameworks @loader_path/Frameworks

Smythe answered 8/6, 2017 at 15:0 Comment(1)
Smythe: and https://mcmap.net/q/1010902/-gatekeeper-quarantine-issue-with-certificate gives good background information.
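The question asks for a check that runs on the build machine, and the answer above points at the one class of problem that codesign and spctl do not report: run path and dylib load commands that reach outside the bundle. The script below is an added example, not code from the question, the answer, or Apple's tools. It parses `otool -l` output for every Mach-O file in a bundle and flags LC_RPATH entries not rooted at @executable_path or @loader_path, and dylib load commands that use an absolute path outside /usr/lib or /System/Library. Those two allow-lists are this script's own reading of the TN2206 sentence quoted above, not an Apple-published rule, and the embedded `otool -l` sample is constructed so the parser can be exercised on any machine; `audit_bundle` itself only works on macOS, where file(1) and otool exist.

```shell
#!/bin/sh
# Added example, not code from the question, the answer, or Apple's tools.
# Audits an .app bundle for the load-path problems that TN2206 says Gatekeeper
# rejects without codesign or spctl reporting anything. The allow-lists used
# below (@executable_path/@loader_path for rpaths; /usr/lib and /System/Library
# for absolute dylib paths) are this script's assumptions.

# Read `otool -l` output on stdin; print one line per offending load command:
#   RPATH <path>  LC_RPATH not starting with @executable_path/ or @loader_path/
#   DYLIB <path>  dylib referenced by an absolute path outside /usr/lib or /System/Library
# Prints nothing for a clean binary.
audit_load_commands() {
    awk '
        # otool prints "cmd LC_XXX" once per load command; remember which one we are in
        $1 == "cmd" { cmd = $2; next }
        cmd == "LC_RPATH" && $1 == "path" {
            p = $0
            sub(/^ *path /, "", p)
            sub(/ \(offset [0-9]+\)$/, "", p)
            if (p !~ /^@executable_path\// && p !~ /^@loader_path\//)
                print "RPATH " p
            next
        }
        (cmd == "LC_LOAD_DYLIB" || cmd == "LC_LOAD_WEAK_DYLIB" || cmd == "LC_REEXPORT_DYLIB") && $1 == "name" {
            p = $0
            sub(/^ *name /, "", p)
            sub(/ \(offset [0-9]+\)$/, "", p)
            # @rpath/... is only as good as the LC_RPATH entries checked above
            if (p ~ /^\// && p !~ /^\/usr\/lib\// && p !~ /^\/System\/Library\//)
                print "DYLIB " p
            next
        }
    '
}

# Walk a bundle and audit every Mach-O file in it (macOS only: needs file(1) and otool).
# Prints each offending file path followed by its findings; nothing for a clean bundle.
audit_bundle() {
    find "$1" -type f | while IFS= read -r f; do
        # skip resources, plists, scripts: only Mach-O files carry load commands
        file "$f" | grep -q 'Mach-O' || continue
        findings=$(otool -l "$f" | audit_load_commands)
        if [ -n "$findings" ]; then
            printf '%s\n%s\n' "$f" "$findings"
        fi
    done
}

# Constructed sample of `otool -l` output, cut down to the relevant load commands:
# an in-bundle @rpath reference, a system dylib, a dylib from /usr/local/lib,
# a good rpath, and an rpath pointing into a developer's home directory.
sample_otool_output() {
    cat <<'EOF'
Load command 12
          cmd LC_LOAD_DYLIB
      cmdsize 56
         name @rpath/Electron Framework.framework/Electron Framework (offset 24)
   time stamp 2 Thu Jan  1 01:00:02 1970
      current version 1.0.0
compatibility version 1.0.0
Load command 13
          cmd LC_LOAD_DYLIB
      cmdsize 56
         name /usr/lib/libSystem.B.dylib (offset 24)
   time stamp 2 Thu Jan  1 01:00:02 1970
      current version 1226.10.1
compatibility version 1.0.0
Load command 14
          cmd LC_LOAD_DYLIB
      cmdsize 64
         name /usr/local/lib/libthirdparty.1.dylib (offset 24)
   time stamp 2 Thu Jan  1 01:00:02 1970
      current version 1.0.0
compatibility version 1.0.0
Load command 15
          cmd LC_RPATH
      cmdsize 40
         path @executable_path/../Frameworks (offset 12)
Load command 16
          cmd LC_RPATH
      cmdsize 48
         path /Users/build/Library/Frameworks (offset 12)
EOF
}

# With a bundle path as the first argument, audit it; otherwise run the parser
# over the constructed sample, which yields the two offending entries.
if [ -n "${1:-}" ]; then
    audit_bundle "$1"
else
    sample_otool_output | audit_load_commands
fi
```

Run it on the Mac as `sh audit_bundle.sh App.app` (the file name is an assumption) before packaging the .dmg; empty output means no load command falls outside the allow-lists. It is a static pre-check that complements the codesign and spctl commands in the question rather than replacing them, and it cannot see the rejection itself, which, as the quoted technote says, only shows up in the system log on the machine that refuses to launch the app.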
