Re: Codesign broken in 10.11.4
- Subject: Re: Codesign broken in 10.11.4
- From: John Pannell <email@hidden>
- Date: Thu, 07 Apr 2016 08:25:37 -0600
I've seen quite a bit on my newsfeed regarding this...
http://mjtsai.com/blog/2016/03/31/gatekeeper-bug-in-mac-os-x-10-11-4/
https://www.noodlesoft.com/blog/2016/04/05/hazel-3-3-8-getting-past-the-gates/
https://forums.developer.apple.com/message/81349#81349
Haven't seen any workarounds yet - hope this helps!
John
On Thu, Apr 7, 2016, at 08:13 AM, Trygve Inda wrote:
> My app is built on 10.11.3. It is a prefPane with one command line tool
> and three app bundles (four helper tools) in its bundle. I am getting
> Gatekeeper warnings on 10.11.4 systems, but not on anything else.
>
> It is manually codesigned with my Developer ID... first the helper tool
> frameworks, then the helper tools themselves and then the prefPane. So
> everything is signed from the inside-out.
>
> In terminal (on two different machines running 10.11.3) I get:
>
> spctl -a -t exec -vv My.prefPane
>
> /Volumes/Path/To//My.prefPane: accepted
> source=Developer ID
> origin=Developer ID Application: My Company, Inc.
>
> codesign --verbose=4 --deep --strict My.prefPane
>
> /Volumes/Path/To//My.prefPane: valid on disk
> /Volumes/Path/To//My.prefPane: satisfies its Designated Requirement
>
>
> In terminal (on two different machines running 10.11.4) I get:
>
> spctl -a -t exec -vv My.prefPane
>
> /Volumes/Path/To//My.prefPane: rejected
> source=obsolete resource envelope
> origin=Developer ID Application: My Company, Inc.
>
> codesign --verbose=4 --deep --strict My.prefPane
>
> /Volumes/Path/To//My.prefPane: valid on disk
> /Volumes/Path/To//My.prefPane: satisfies its Designated Requirement
>
>
> The codesign command is taken directly from what Xcode uses:
>
> codesign --force --sign "Developer ID Application: My Company, Inc." \
> --requirements "=designated => anchor apple generic and identifier
> \"com.mycompany.myproduct.helper\" and ((cert
> leaf[field.1.2.840.113635.100.6.1.9] exists) or (certificate
> 1[field.1.2.840.113635.100.6.2.6] exists and certificate
> leaf[field.1.2.840.113635.100.6.1.13] exists and certificate
> leaf[subject.OU] = \"MYAPPLE123\"))" --timestamp=none \
> "$BASEPATH/My.prefPane/Contents/Resources/MyHelper.app"
>
>
> When I run the above spctl terminal command on the helpers within the
> bundle on 10.11.4, the three helper app bundles are accepted but the
> command line tool is rejected with "obsolete resource envelope".
>
> If I copy that command line tool to a 10.11.3 system and run spctl, it is
> accepted.
>
> I have spent more than a day on this and am at a loss as to what is
> happening.
>
> Any ideas?
_______________________________________________
Cocoa-dev mailing list (email@hidden)
Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
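
The per-component check described in the quoted message (running `spctl -a -t exec -vv` on each helper until the rejected one turns up), as an added example that is not part of the original thread. The function names and the `find` patterns used to pick out nested code are assumptions; adjust them to the bundle's layout.

```shell
# Added example, not from the original thread. Assumes macOS spctl on PATH;
# the find patterns for "nested code" are an assumption, adjust per bundle.

# List nested bundles and executable files, deepest first (inside-out).
nested_code() {
    find "$1" -depth \( -type d \( -name '*.app' -o -name '*.framework' \
        -o -name '*.prefPane' \) -o -type f -perm -u+x \) -print
}

# Print "verdict<TAB>source<TAB>path" for each nested item.
assess_bundle() {
    nested_code "$1" | while IFS= read -r item; do
        # spctl exits non-zero on rejection; keep going and parse its report.
        out=$(spctl -a -t exec -vv "$item" 2>&1) || true
        case "$out" in
            *": accepted"*) verdict=accepted ;;
            *": rejected"*) verdict=rejected ;;
            *)              verdict=unknown ;;
        esac
        # The "source=" line carries the reason, e.g. "obsolete resource envelope".
        src=$(printf '%s\n' "$out" | sed -n 's/^source=//p' | head -n 1)
        printf '%s\t%s\t%s\n' "$verdict" "$src" "$item"
    done
}

# Print "path<TAB>source" for rejected items only.
rejected_items() {
    assess_bundle "$1" | awk -F '\t' '$1 == "rejected" { print $3 "\t" $2 }'
}
```

Running `rejected_items My.prefPane` on each OS version gives a list that can be diffed, which shows whether a rejection of the outer bundle traces back to one nested component.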