Codesigning weirdness on OS 10.8 and 10.9

Hi all,

I have a desktop app I have developed for a client who’s employees are all using either OS 10.8 or 10.9. My app is codesigned with our apple developer certificate, including two helper apps inside the bundle.

When the client downloads the app to run on either version, the app causes no problems with Gatekeeper. It recognizes the code signing.

When the app is downloaded to Mountain Lion (10.8) and put on a USB flash drive, and run on a second computer running 10.9, Gatekeeper says it is from an unidentified developer. But running code sign -dvvv gets the following:

Daves-MacBook-Pro:~ davepars$ codesign -dvvv /Volumes/FV2FDE/InstallFDE.app
Executable=/Volumes/FV2FDE/InstallFDE.app/Contents/MacOS/InstallFDE
Identifier=net.trex.installfde
Format=bundle with Mach-O thin (i386)
CodeDirectory v=20100 size=16191 flags=0x0(none) hashes=803+3 location=embedded
Hash type=sha1 size=20
CDHash=a86ab7a2fed45d493e7a2410e93c5db7840474c6
Signature size=8536
Authority=Developer ID Application: Fluency Learning Apps LLC
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Dec 11, 2013, 4:26:51 AM
Info.plist entries=14
Sealed Resources version=2 rules=12 files=41
Internal requirements count=1 size=184

It would seem to me that simply putting the app on a USB flash drive shouldn’t mess with the code signature. Does anyone have any insights into this? I would be forever in your debt!

did you sign all the dylibs in the frameworks folders?

Is it a Windows formatted USB drive? If so, try zipping it first and then expanding on the target machine.

Oh yes, we ran into CodeSigning-issues with that, too.
The reason are Ressource-Files (that get added by OS X on FAT-Volumes) such as “._image.png” - but since those files didn’t exist when code-signed… well, the CodeSigning-signature is still there, but the contents of the app is “modified” when being copied to a FAT-volume.

Here’s what we have filed as a “bugreport 14361139” to Apple back in July '12 - the case is still “open”…

Environment


  1. USB-Stick: Formatted with MS-DOS Filesystem (FAT)
  2. OS X 10.8.4: System Preferences -> Privacy: Allow software from App Store and certified Developers

Steps to reproduce


  1. Download TextWrangler_4.5.2.dmg from http://www.barebones.com/products/textwrangler/ (you need to download the file, it’s a code-signing issue!)
  2. the .dmg gets saved to the local ‘Downloads’ folder
  3. open the .dmg
  4. Drag ‘TextWrangler’ to the USB-Stick
  5. try to run TextWrangler by double-clicking the App on the USB-Stick

Expected Results:
TextWrangler will launch.

Actual Results:
OS X (GateKeeper) tells: ‘TextWrangler is damaged. Move to trash?’

Reason for the issue


In the App (copied to the USB-Stick), there are files such as:
/path-to/TextWrangler.app/Contents/Resources/._AboutTextWrangler.png

those “._”-files are not codesigned -> Gatekeeper will refuse to run the app (saying that it’s damaged).

Thanks everyone. Christian all the dylibs are in fact signed. Sam and Jürg I will check that… thank you for the possible lead!