Wednesday, January 8, 2014

codesign Lies

Marcel Weiher:

Just had a case of codesign telling me my app was fine, just for the same app to be rejected by GateKeeper. The spctl tool fortunately was more truthful, but didn’t really say where the problem was.

To verify that my apps are signed properly before deployment, my Makefile includes these two lines:

spctl --status | grep "assessments enabled"
spctl --assess --type execute -v "${APP_PACKAGE}"
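A fuller version of this gate, as an added example that is not part of the original post: it runs codesign and spctl side by side and fails the build specifically when the two disagree. The function name `check_signing`, its exit codes, and the `codesign --verify --deep --strict` step are assumptions of the example; the two spctl calls are the ones from the Makefile above.

```shell
#!/bin/sh
# Added example: pre-deployment signing gate. check_signing and its
# exit codes are hypothetical names chosen for this illustration.

check_signing() {
    app="$1"
    [ -n "$app" ] || { echo "usage: check_signing <App.app>" >&2; return 2; }

    # 1. Fail early if Gatekeeper assessments are not enabled on the build host.
    if ! spctl --status 2>&1 | grep -q "assessments enabled"; then
        echo "FAIL: Gatekeeper assessments are not enabled" >&2
        return 3
    fi

    # 2. Signature check as codesign sees it (nested code included).
    cs_rc=0
    codesign --verify --deep --strict --verbose=2 "$app" >&2 || cs_rc=$?

    # 3. Policy assessment as Gatekeeper sees it.
    sp_rc=0
    spctl --assess --type execute -v "$app" >&2 || sp_rc=$?

    # The case from the post: codesign is satisfied, Gatekeeper is not.
    if [ "$cs_rc" -eq 0 ] && [ "$sp_rc" -ne 0 ]; then
        echo "FAIL: codesign accepted $app but spctl rejected it" >&2
        return 4
    fi
    if [ "$cs_rc" -ne 0 ]; then
        echo "FAIL: codesign rejected $app (exit $cs_rc)" >&2
        return 5
    fi
    echo "OK: codesign and spctl both accept $app"
    return 0
}

# Allow direct use from a Makefile recipe: sh check_signing.sh "${APP_PACKAGE}"
if [ "$#" -gt 0 ]; then
    check_signing "$1"
    exit $?
fi
```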

1 Comment

Internet at my current location is too unreliable for “codesign --deep” (and it’s also just painfully slow since upgrading to 10.9) so I switched to signing the individual frameworks and plug-ins but even with “spctl” reporting “accepted” there is a problem on first run when the app has the quarantine flag set (it will report that the app is broken).

I am now using “--deep” but with “--timestamp=none” (to avoid having it fail). My application bundle has a helper tool, so that might be what was causing the behavior.
