I just got an alert from Apple about changes they’re making to Gatekeeper starting with Mavericks 10.9.5 that affect code signing, and I thought other users who are still maintaining older apps might want to know.
Here’s the relevant change:
“Mavericks signatures record nested code by its code signature and embed that information in the (outer) signature’s resource envelope, recursively. This means that when a code signature is created, all nested code must already be signed correctly or the signing attempt will fail.”
I have a Universal app (Intel & PowerPC) that is built using RealStudio 2011 R2, the last RS version that supports PowerPC (I’m working on a newer version with Xojo 2014r2, but it’s not ready yet).
I have been using AppWrapper to code sign the universal app, but AppWrapper doesn’t sign nested code resources. So to keep up with the 10.9.5 changes, I use the Terminal codesign command as usual but I add the --deep option. This signs all of the nested code resources within the application bundle, including the RS runtime and plugin library code.
Example: codesign -s "MyDeveloperID" --deep MyAppPathAndName
Without the --deep option, Yosemite rejects the app, and I expect Mavericks 10.9.5 will also. With it, Yosemite’s Gatekeeper is happy.
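An added example, not part of the original post: shell functions that make the order in Apple's note explicit by signing nested code deepest-first before the outer bundle, then checking the result with codesign and spctl. The function names and the CODESIGN override are this example's own, and it assumes the nested code consists of .dylib, .framework and .bundle items under Contents.

```shell
#!/bin/sh
# Added example (not from the original post): sign nested code before the
# outer bundle, then verify the finished app.

# List nested code inside an app bundle, deepest items first.
# find -depth prints a directory's contents before the directory itself,
# so a dylib inside a framework is listed before that framework.
# Symlinks (such as a framework's Versions/Current) are skipped.
nested_code() {
    find "$1/Contents" -depth ! -type l \
        \( -name '*.dylib' -o -name '*.framework' -o -name '*.bundle' \) -print
}

# Sign every nested item, then the app itself; stop at the first failure.
# CODESIGN is an override invented for this example (CODESIGN=echo gives a
# dry run that only prints the arguments); it defaults to the real tool.
sign_inside_out() {
    identity=$1
    app=$2
    nested_code "$app" | while IFS= read -r item; do
        "${CODESIGN:-codesign}" -s "$identity" "$item" || exit 1
    done || return 1
    "${CODESIGN:-codesign}" -s "$identity" "$app"
}

# Check the signed app: a strict, recursive signature verification followed
# by a Gatekeeper assessment. Runs on macOS only.
verify_app() {
    codesign --verify --deep --strict --verbose=2 "$1" &&
        spctl --assess --type execute --verbose "$1"
}

# Usage on a Mac, with the placeholders from the post:
#   sign_inside_out "MyDeveloperID" MyAppPathAndName && verify_app MyAppPathAndName
```

If verify_app fails after signing, the codesign output names the nested item whose signature is missing or invalid.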