Mac OS – app can’t be opened because the identity of the developer cannot be confirmed.

Starting with OS X 10.10 existing code signing method doesn’t work. If you have application signed for 10.9 and application works without problems, with 10.10 you will get following error:

2015-02-05_1003

How to verify application sign status from command line:

codesign -dvvv /Applications/APP.app

Executable=/Applications/Skipper.app/Contents/MacOS/Skipper
Identifier=com.skipper.Skipper
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20100 size=239848 flags=0x0(none) hashes=11986+3 location=embedded
Hash type=sha1 size=20
CDHash=98839e7aa72de4105ac5ad8a2612682ba3bca53f
Signature size=4237
Authority=Developer ID Application: Inventic s.r.o. (6BYV46LH6T)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Signed Time=03 Feb 2015 17:38:21
Info.plist entries=10
TeamIdentifier=not set
Sealed Resources version=1 rules=4 files=44
Internal requirements count=1 size=300

As it’s seems from the verification output, application is correctly signed but OSX doesn’t accept it. Another way how to verify application sign status is via spctl command:

spctl --assess --type execute --verbose Skipper.app/

Skipper.app/: rejected
source=obsolete resource envelope

We have some error at least. Now it’s necessary to find out what is wrong. We can try one more test:

codesign -v Skipper.app/
Skipper.app/: resource envelope is obsolete (version 1 signature)

where we dest little bit more details. All these errors we get only on 10.10 mac, not on 10.9 or older.

After another investigation I found following article. The most important part is:

“Important: For your apps to run on updated versions of OSX they must be signed on OS X version 10.9 or later and thus have a version 2 signature.”

Another post about this topic is in felix-schwarz.org blog.

So ,it’s bad. We need to update our build machine to 10.9 or at least create new “sign machine” and make sure that everything will work as expected.

Additional links

How to sign your Qt Mac OS X App for Gatekeeper

Starting from Mac os 10.8 apple applications requires certificate. Without that certificate (or without additional system tweaks described here on our product support page: http://support.orm-designer.com/5/macos-mountain-lion-10-8-unidentified-developer ) user will se following message:

"OrmDesigner2" can't be opened because it is from an unidentified developer.
MacOS unidentified developer in ORM Designer

Solution

To solve this error message it’s necessary to do following steps:

  1. Register in Apple developer program and pay $99 per year
  2. Download and install developer certificate
  3. Sign whole application
  4. Test it!

1) Register on Developer.apple.com

You need to create registration here: https://developer.apple.com/. It’s necessary to fill info about contact person and company. After that, your registration will be reviewed by apple team and if everything will be OK, your registration will be approved.

2) Use Apple site to generate certificates

Open https://developer.apple.com/account/overview.action ,choose Certificates,  Click Add. Than select certificate parameters suitable for your need. In my case it was Mac Development and  Developer ID.

Now you need to install this certificate to your developer machine. Simply double-click on certificate and let system to import it. You can check that certificate is imported in Go->Utilities->Keychain Access->login. Now search for “Developer ID Application: XXXX”

MacOS certificate

Note: In my case when I transfer certificate to several developer machines I need to migrate also other Apple certificates. Without that my certificate wasn’t a valid.

3) Sign your application

Now you need to sign your application including all plugins and frameworks inside app bundle. After you sing your app, you can’t do any changes in the bundle. So as first run your deploy as usual and as last step do app singing.

For ORM Designer sign script looks like this:

#go to deploy directory
cd $StarkDeploy.directory$/deploy

#sign app
codesign --force --verify --verbose --sign "Developer ID Application: Inventic s.r.o." ./OrmDesigner2.app

#sign all *.dylib files
find OrmDesigner2.app -name *.dylib | xargs -I $ codesign --force --verify --verbose --sign "Developer ID Application: Inventic s.r.o." $

#sign all Qt* frameworks
find OrmDesigner2.app -name Qt* -type f | xargs -I $ codesign --force --verify --verbose --sign "Developer ID Application: Inventic s.r.o." $

4) Test it!

As last step it’s necessary to test that sign process was successful. As first you can try following command line to validate  it:

codesign -vvv -d OrmDesigner2.app

#RESULT:
Executable=/OrmDesigner2/DeployFiles/macos64/deploy/OrmDesigner2.app/Contents/MacOS/OrmDesigner2
Identifier=com.orm-designer.OrmDesigner2
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20100 size=174478 flags=0x0(none) hashes=8717+3 location=embedded
Hash type=sha1 size=20
CDHash=5a491e16f7dcca15b44af4XXXX1a2d2dcc786518
Signature size=4237
Authority=Developer ID Application: Inventic s.r.o. (6BYV46LH6T)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Signed Time=6 Jun 2013 23:16:08
Info.plist entries=10
Sealed Resources rules=4 files=27
Internal requirements count=1 size=212

Now when you checked that App is correctly signed, it’s time to try it on clean computer where no security policy changes was made. Upload your app and execute it.

If you don’t see annoying screen “Can’t execute application from unidentified developer”, you win ;-).

External links

How to transfer certificate: 

How to import:

Apple links