Starting with OS X 10.10 existing code signing method doesn’t work. If you have application signed for 10.9 and application works without problems, with 10.10 you will get following error:
How to verify application sign status from command line:
codesign -dvvv /Applications/APP.app Executable=/Applications/Skipper.app/Contents/MacOS/Skipper Identifier=com.skipper.Skipper Format=bundle with Mach-O thin (x86_64) CodeDirectory v=20100 size=239848 flags=0x0(none) hashes=11986+3 location=embedded Hash type=sha1 size=20 CDHash=98839e7aa72de4105ac5ad8a2612682ba3bca53f Signature size=4237 Authority=Developer ID Application: Inventic s.r.o. (6BYV46LH6T) Authority=Developer ID Certification Authority Authority=Apple Root CA Signed Time=03 Feb 2015 17:38:21 Info.plist entries=10 TeamIdentifier=not set Sealed Resources version=1 rules=4 files=44 Internal requirements count=1 size=300
As it’s seems from the verification output, application is correctly signed but OSX doesn’t accept it. Another way how to verify application sign status is via spctl command:
spctl --assess --type execute --verbose Skipper.app/ Skipper.app/: rejected source=obsolete resource envelope
We have some error at least. Now it’s necessary to find out what is wrong. We can try one more test:
codesign -v Skipper.app/ Skipper.app/: resource envelope is obsolete (version 1 signature)
where we dest little bit more details. All these errors we get only on 10.10 mac, not on 10.9 or older.
After another investigation I found following article. The most important part is:
“Important: For your apps to run on updated versions of OSX they must be signed on OS X version 10.9 or later and thus have a version 2 signature.”
Another post about this topic is in felix-schwarz.org blog.
So ,it’s bad. We need to update our build machine to 10.9 or at least create new “sign machine” and make sure that everything will work as expected.