Codesign broken in 10.11.4
  • Subject: Codesign broken in 10.11.4
  • From: Trygve Inda <email@hidden>
  • Date: Thu, 07 Apr 2016 07:13:16 -0700
  • Thread-topic: Codesign broken in 10.11.4

My app is built on 10.11.3. It is a prefPane with one command line tool and
three app bundles (four helper tools) in its bundle. I am getting
Gatekeeper warnings on 10.11.4 systems, but not on anything else.

It is manually codesigned with my Developer ID... first the helper tool
frameworks, then the helper tools themselves and then the prefPane. So
everything is signed from the inside-out.

In terminal (on two different machines running 10.11.3) I get:

spctl -a -t exec -vv My.prefPane

   /Volumes/Path/To//My.prefPane: accepted
   source=Developer ID
   origin=Developer ID Application: My Company, Inc.

codesign --verbose=4 --deep --strict My.prefPane

   /Volumes/Path/To//My.prefPane: valid on disk
   /Volumes/Path/To//My.prefPane: satisfies its Designated Requirement


In terminal (on two different machines running 10.11.4) I get:

spctl -a -t exec -vv My.prefPane

   /Volumes/Path/To//My.prefPane: rejected
   source=obsolete resource envelope
   origin=Developer ID Application: My Company, Inc.

codesign --verbose=4 --deep --strict My.prefPane

   /Volumes/Path/To//My.prefPane: valid on disk
   /Volumes/Path/To//My.prefPane: satisfies its Designated Requirement


The codesign command is taken directly from what Xcode uses:

codesign --force --sign "Developer ID Application: My Company, Inc." \
  --requirements "=designated => anchor apple generic and identifier \"com.mycompany.myproduct.helper\" and ((cert leaf[field.1.2.840.113635.100.6.1.9] exists) or (certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists and certificate leaf[subject.OU] = \"MYAPPLE123\"))" \
  --timestamp=none \
  "$BASEPATH/My.prefPane/Contents/Resources/MyHelper.app"


When I run the above spctl terminal command on the helpers within the bundle
on 10.11.4, the three helper app bundles are accepted but the command line
tool is rejected with "obsolete resource envelope".

If I copy that command line tool to a 10.11.3 system and run spctl, it is
accepted.

I have spent more than a day on this and am at a loss as to what is
happening.

Any ideas?
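
The per-component check described in the post (running spctl on each helper inside the bundle), as an added shell example that is not part of the original message: it lists nested bundles and Mach-O files deepest-first, then runs codesign verification and the post's spctl assessment on each. The function names and the list of bundle extensions are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): find which nested item in a
# bundle fails assessment. The bundle extensions below are an assumed list.

# True if the file starts with a Mach-O or fat-binary magic number.
# (cafebabe is also the Java class magic, so expect rare false positives.)
is_macho() {
    case "$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')" in
        feedface|feedfacf|cefaedfe|cffaedfe|cafebabe) return 0 ;;
        *) return 1 ;;
    esac
}

# Print nested code deepest-first (find -depth lists a directory's contents
# before the directory), so inner items appear before their containers.
# A bundle's main executable is listed as well as the bundle itself.
nested_code() {
    find "$1" -depth \( -type f -o -type d \( -name '*.app' -o -name '*.framework' \
        -o -name '*.bundle' -o -name '*.xpc' -o -name '*.prefPane' \) \) -print |
    while IFS= read -r p; do
        if [ -d "$p" ] || is_macho "$p"; then printf '%s\n' "$p"; fi
    done
}

# Run both checks on every item; needs the macOS codesign and spctl tools.
assess_all() {
    command -v spctl >/dev/null 2>&1 || { echo "spctl not found (macOS only)" >&2; return 1; }
    nested_code "$1" | while IFS= read -r item; do
        printf '== %s\n' "$item"
        codesign --verify --strict --verbose=4 "$item" </dev/null 2>&1
        spctl -a -t exec -vv "$item" </dev/null 2>&1
    done
}

# Usage: sh assess.sh /path/to/My.prefPane
if [ "$#" -gt 0 ]; then assess_all "$1"; fi
```

Comparing the output on a 10.11.3 and a 10.11.4 machine shows exactly which nested item changes from accepted to rejected.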




Cocoa-dev mailing list (email@hidden)