Starting with OS X 10.10 existing code signing method doesn’t work. If you have application signed for 10.9 and application works without problems, with 10.10 you will get following error:
How to verify application sign status from command line:
codesign -dvvv /Applications/APP.app
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20100 size=239848 flags=0x0(none) hashes=11986+3 location=embedded
Hash type=sha1 size=20
Authority=Developer ID Application: Inventic s.r.o. (6BYV46LH6T)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Signed Time=03 Feb 2015 17:38:21
Sealed Resources version=1 rules=4 files=44
Internal requirements count=1 size=300
As it’s seems from the verification output, application is correctly signed but OSX doesn’t accept it. Another way how to verify application sign status is via spctl command:
spctl --assess --type execute --verbose Skipper.app/
source=obsolete resource envelope
We have some error at least. Now it’s necessary to find out what is wrong. We can try one more test:
codesign -v Skipper.app/
Skipper.app/: resource envelope is obsolete (version 1 signature)
where we dest little bit more details. All these errors we get only on 10.10 mac, not on 10.9 or older.
After another investigation I found following article. The most important part is:
“Important: For your apps to run on updated versions of OSX they must be signed on OS X version 10.9 or later and thus have a version 2 signature.”
Another post about this topic is in felix-schwarz.org blog.
So ,it’s bad. We need to update our build machine to 10.9 or at least create new “sign machine” and make sure that everything will work as expected.