Signing dmg issue

This time it’s me with a $%&/ signing problem. Didn’t change computer, didn’t change anything. The app signs fine but when checking the dmg I get the following:

spctl --verbose=4 --assess --type execute /Users/beatrixwillius/Documents/Development/Mail\ Archiver/code\ current/Builds\ -\ max.rbp/MailArchiverX41.dmg
/Users/beatrixwillius/Documents/Development/Mail Archiver/code current/Builds - max.rbp/MailArchiverX41.dmg: code object is not signed at all

When I try to do the signing manually again I get:

beatrixwillius$ /usr/bin/codesign -f -s 'Developer ID Application: Beatrix Willius (72695Z3887)' /Users/beatrixwillius/Documents/Development/Mail\ Archiver/code\ current/Builds\ -\ max.rbp/MailArchiverX41.dmg
/Users/beatrixwillius/Documents/Development/Mail Archiver/code current/Builds - max.rbp/MailArchiverX41.dmg: replacing existing signature

Is the dmg now signed or is it not signed???

I forgot: everything is done on El Capitan.

Do yourself a favor, and get DMGCanvas to sign it for you automatically.

My workflow is with DropDMG which I don’t want to change. Anyways, any code signing needs to be done “somehow” and so calls under the hood the codesign command. Which only works if you pray to the correct gods it seems.

But DropDMG can do signing, too. I’ll try that.

Indeed, DropDMG does sign as well. I simply do not use it.

At any rate, given the numerous idiosyncrasies around macOS signing recently, it is probably way more comfortable letting someone else handle the under the hood signing.

I know with DMGCanvas I never had to worry about a thing.

You could also sign the DMG with App Wrapper.

I use that.
They have been very responsive this year too…

As expected the error is the same when signing directly with DropDMG. Do I need to do the dmg check differently? I just checked my older dmgs that should be signed. And they have the same error.

Not sure if this is a bug or a feature of the spctl command. Checking with codesign

codesign -v /Users/beatrixwillius/Documents/Development/Mail\ Archiver/code\ current/Builds\ -\ max.rbp/MailArchiverX41.dmg || echo UNSIGNED!

works fine.

I’ll have to enter the church of the Cthulu (spelling?) after all. Or I’ll do Voodoo for the puppets. Can I do those anonymously?

https://en.wikipedia.org/wiki/Cthulhu

I personally prefer Saint Isidore Of Seville, Saint Patron of programmers :wink:

Gatekeeper checking of the signing can only be done on Sierra. App Wrapper can read the code signature from the DMG and whether it’s valid or not, but to check it against Gatekeeper requires Sierra.
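
The following script is an added example, not posted by anyone in this thread. It puts the two findings above together: `codesign` validates the disk image's signature on any release, and the Gatekeeper assessment is only attempted on Sierra (10.12) or later. The `spctl` options `--type open --context context:primary-signature` are not from the thread; they are assumed here as the assessment mode for disk images, in place of the `--type execute` used above, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify a signed .dmg with the check that fits the OS release.

# Return 0 if the macOS version in $1 (e.g. "10.11.6") is Sierra (10.12) or later.
gatekeeper_can_assess_dmg() {
    major=${1%%.*}
    rest=${1#*.}
    [ "$rest" = "$1" ] && rest=0          # version string had no dot
    minor=${rest%%.*}
    [ "$major" -gt 10 ] || { [ "$major" -eq 10 ] && [ "$minor" -ge 12 ]; }
}

# verify_dmg <path> [os-version]
# Step 1: the signature itself must validate (works on El Capitan too).
# Step 2: ask Gatekeeper only where it can assess a disk image.
verify_dmg() {
    dmg=$1
    os=${2:-$(sw_vers -productVersion)}

    if ! codesign --verify --verbose=2 "$dmg"; then
        echo "UNSIGNED or invalid signature: $dmg" >&2
        return 1
    fi

    if gatekeeper_can_assess_dmg "$os"; then
        # Assumed flags: assess the image as a document to be opened,
        # using its primary signature, rather than as an executable.
        spctl --assess --type open --context context:primary-signature \
              --verbose=4 "$dmg"
    else
        echo "macOS $os: signature is valid; Gatekeeper assessment of a DMG needs Sierra" >&2
    fi
}

# Run directly: ./verify_dmg.sh MailArchiverX41.dmg
if [ "$#" -gt 0 ]; then
    verify_dmg "$@"
fi
```
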