Codesigning weirdness on OS 10.8 and 10.9

Hi all,

I have a desktop app I have developed for a client whose employees are all using either OS 10.8 or 10.9. My app is codesigned with our Apple developer certificate, including two helper apps inside the bundle.

When the client downloads the app to run on either version, the app causes no problems with Gatekeeper. It recognizes the code signing.

When the app is downloaded to Mountain Lion (10.8), put on a USB flash drive, and run on a second computer running 10.9, Gatekeeper says it is from an unidentified developer. But running codesign -dvvv gets the following:

Daves-MacBook-Pro:~ davepars$ codesign -dvvv /Volumes/FV2FDE/InstallFDE.app
Executable=/Volumes/FV2FDE/InstallFDE.app/Contents/MacOS/InstallFDE
Identifier=net.trex.installfde
Format=bundle with Mach-O thin (i386)
CodeDirectory v=20100 size=16191 flags=0x0(none) hashes=803+3 location=embedded
Hash type=sha1 size=20
CDHash=a86ab7a2fed45d493e7a2410e93c5db7840474c6
Signature size=8536
Authority=Developer ID Application: Fluency Learning Apps LLC
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Dec 11, 2013, 4:26:51 AM
Info.plist entries=14
Sealed Resources version=2 rules=12 files=41
Internal requirements count=1 size=184

It would seem to me that simply putting the app on a USB flash drive shouldn’t mess with the code signature. Does anyone have any insights into this? I would be forever in your debt!

Did you sign all the dylibs in the frameworks folders?

Is it a Windows formatted USB drive? If so, try zipping it first and then expanding on the target machine.

Oh yes, we ran into code-signing issues with that, too.
The reason is resource files (that get added by OS X on FAT volumes) such as “._image.png” - but since those files didn’t exist when the app was code-signed… well, the code signature is still there, but the contents of the app are “modified” when it is copied to a FAT volume.

Here’s what we have filed as a “bugreport 14361139” to Apple back in July '12 - the case is still “open”…

Environment


  1. USB-Stick: Formatted with MS-DOS Filesystem (FAT)
  2. OS X 10.8.4: System Preferences → Privacy: Allow software from App Store and certified Developers

Steps to reproduce


  1. Download TextWrangler_4.5.2.dmg from http://www.barebones.com/products/textwrangler/ (you need to download the file, it’s a code-signing issue!)
  2. the .dmg gets saved to the local ‘Downloads’ folder
  3. open the .dmg
  4. Drag ‘TextWrangler’ to the USB-Stick
  5. try to run TextWrangler by double-clicking the App on the USB-Stick

Expected Results:
TextWrangler will launch.

Actual Results:
OS X (Gatekeeper) says: ‘TextWrangler is damaged. Move to trash?’

Reason for the issue


In the App (copied to the USB-Stick), there are files such as:
/path-to/TextWrangler.app/Contents/Resources/._AboutTextWrangler.png

Those “._” files are not codesigned → Gatekeeper will refuse to run the app (saying that it’s damaged).
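
A check for the condition described in the post above, as an added example that is not part of the original thread: it lists the "._" files under a bundle that carry the AppleDouble header (magic bytes 00 05 16 07) and, where codesign is installed, re-verifies the signature. The function names are hypothetical and chosen for this example.

```shell
#!/bin/sh
# Added example: find AppleDouble ("._") sidecar files inside an app bundle.
# Function names are hypothetical; nothing here modifies the bundle.

# Succeeds if the file starts with the AppleDouble magic number 0x00051607.
is_appledouble() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    [ "$magic" = "00051607" ]
}

# Print every "._*" file under the bundle that really is an AppleDouble file.
find_sidecars() {
    find "$1" -type f -name '._*' | while IFS= read -r f; do
        if is_appledouble "$f"; then printf '%s\n' "$f"; fi
    done
}

# Number of AppleDouble sidecars under the bundle (wc padding stripped).
count_sidecars() {
    find_sidecars "$1" | wc -l | tr -d ' '
}

# Report sidecars and, on a Mac, ask codesign for its own verdict.
# Returns non-zero if sidecars were found or codesign rejects the bundle.
check_bundle() {
    bundle=$1
    rc=0
    n=$(count_sidecars "$bundle")
    if [ "$n" -gt 0 ]; then
        echo "$n AppleDouble file(s) that were not present at signing time:"
        find_sidecars "$bundle"
        rc=1
    else
        echo "no AppleDouble files found in $bundle"
    fi
    # codesign only exists on OS X; skip the step elsewhere.
    if command -v codesign >/dev/null 2>&1; then
        codesign --verify --deep --verbose=2 "$bundle" || rc=1
    fi
    return "$rc"
}

# Usage: sh check_sidecars.sh /Volumes/USBSTICK/Some.app
if [ "$#" -ge 1 ]; then check_bundle "$1"; fi
```

Checking the magic bytes rather than the name alone avoids flagging an ordinary file that merely happens to start with "._".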

Thanks everyone. Christian, all the dylibs are in fact signed. Sam and Jürg, I will check that… thank you for the possible lead!