Signing dmg issue

This time it’s me with a $%&/ signing problem. Didn’t change computer, didn’t change anything. The app signs fine but when checking the dmg I get the following:

spctl --verbose=4 --assess --type execute /Users/beatrixwillius/Documents/Development/Mail\ Archiver/code\ current/Builds\ -\ max.rbp/MailArchiverX41.dmg
/Users/beatrixwillius/Documents/Development/Mail Archiver/code current/Builds - max.rbp/MailArchiverX41.dmg: code object is not signed at all

When I try to do the signing manually again I get:

beatrixwillius$ /usr/bin/codesign -f -s ‘Developer ID Application: Beatrix Willius (72695Z3887)’ /Users/beatrixwillius/Documents/Development/Mail\ Archiver/code\ current/Builds\ -\ max.rbp/MailArchiverX41.dmg
/Users/beatrixwillius/Documents/Development/Mail Archiver/code current/Builds - max.rbp/MailArchiverX41.dmg: replacing existing signature

Is the dmg now signed or is it not signed???

I forgot: everything is done on El Capitan.

Do yourself a favor, and get DMGCanvas to sign it for you automatically.

My workflow is with DropDMG which I don’t want to change. Anyways, any code signing needs to be done “somehow” and so calls under the hood the codesign command. Which only works if you pray to the correct gods it seems.

But DropDMG can do signing, too. I’ll try that.

Indeed, DropDMG does sign as well. I simply do not use it.

At any rate, given the numerous idiosyncrasies around macOS signing recently, it is probably way more comfortable letting someone else handle the under the hood signing.

I know with DMGCanvas I never had to worry about a thing.

You could also sign the DMG with App Wrapper.

I use that.
They have been very responsive this year too…

As expected the error is the same when signing directly with DropDMG. Do I need to do the dmg check differently? I just checked my older dmgs that should be signed. And they have the same error.

Not sure if this is a bug or a feature of the spctl command. Checking with codesign

codesign -v /Users/beatrixwillius/Documents/Development/Mail\ Archiver/code\ current/Builds\ -\ max.rbp/MailArchiverX41.dmg || echo UNSIGNED!

works fine.

I’ll have to enter the church of the Cthulu (spelling?) after all. Or I’ll do Voodoo for the puppets. Can I do those anonymously?

I personally prefer Saint Isidore Of Seville, Saint Patron of programmers :wink:

Gate Keeper checking of the signing can only be done on Sierra. App Wrapper can read the code signature from the DMG and whether it’s valid or not, but to check it against Gate Keeper requires Sierra.