Starting with OS X 10.10 existing code signing method doesn’t work. If you have application signed for 10.9 and application works without problems, with 10.10 you will get following error:
How to verify application sign status from command line:
codesign -dvvv /Applications/APP.app Executable=/Applications/Skipper.app/Contents/MacOS/Skipper Identifier=com.skipper.Skipper Format=bundle with Mach-O thin (x86_64) CodeDirectory v=20100 size=239848 flags=0x0(none) hashes=11986+3 location=embedded Hash type=sha1 size=20 CDHash=98839e7aa72de4105ac5ad8a2612682ba3bca53f Signature size=4237 Authority=Developer ID Application: Inventic s.r.o. (6BYV46LH6T) Authority=Developer ID Certification Authority Authority=Apple Root CA Signed Time=03 Feb 2015 17:38:21 Info.plist entries=10 TeamIdentifier=not set Sealed Resources version=1 rules=4 files=44 Internal requirements count=1 size=300
As it’s seems from the verification output, application is correctly signed but OSX doesn’t accept it. Another way how to verify application sign status is via spctl command:
spctl --assess --type execute --verbose Skipper.app/ Skipper.app/: rejected source=obsolete resource envelope
We have some error at least. Now it’s necessary to find out what is wrong. We can try one more test:
codesign -v Skipper.app/ Skipper.app/: resource envelope is obsolete (version 1 signature)
where we dest little bit more details. All these errors we get only on 10.10 mac, not on 10.9 or older.
After another investigation I found following article. The most important part is:
“Important: For your apps to run on updated versions of OSX they must be signed on OS X version 10.9 or later and thus have a version 2 signature.”
Another post about this topic is in felix-schwarz.org blog.
So ,it’s bad. We need to update our build machine to 10.9 or at least create new “sign machine” and make sure that everything will work as expected.
Additional links
- http://stackoverflow.com/questions/25760651/why-application-with-version-2-envelope-working-on-os-x-10-9-not-accepted-by-gat
- http://stackoverflow.com/questions/25152451/are-mac-app-store-code-sign-resource-envelopes-always-version-1
- https://developer.apple.com/library/mac/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html
Leave a Reply