After the latest email detailing changes on the gatekeeper for 10.10 beta 5 and 10.9.5 , I went and immediately verified my app with the recommended method from TN2206 . To my surprise, since I used no resource rules and built it on Mavericks, it failed:
$ spctl -a -t exec -v /Applications/MyApp.app/
/Applications/MyApp.app/: rejected
source=obsolete resource envelope
Then, I went on to check the submitted binary inside the Xcode archive, which was promptly rejected, but without the "obsolete resource envelope" warning. I suppose that's because it's signed by the submission certificate.
$ spctl -a -t exec -v Products/Applications/MyApp.app/
Products/Applications/MyApp.app/: rejected
Later on, I checked the resource envelopes themselves:
$ codesign -d -v /Applications/MyApp.app/
Executable=/Applications/MyApp.app/Contents/MacOS/MyApp
Identifier=my.app.id
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20100 size=14108 flags=0x200(kill) hashes=697+5 location=embedded
Signature size=4169
Info.plist entries=34
TeamIdentifier=not set
Sealed Resources version=1 rules=5 files=82
Internal requirements count=1 size=220
Then the submitted app:
$ codesign -d -v Products/Applications/MyApp.app/
Executable=/Users/jorgepeixotovasquez/Library/Developer/Xcode/Archives/2014-07-09/myapp 09-07-14 00.34.xcarchive/Products/Applications/MyApp.app/Contents/MacOS/myApp
Identifier=my.app.id
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=14123 flags=0x0(none) hashes=697+5 location=embedded
Signature size=4393
Signed Time=09/07/2014 00:34:08
Info.plist entries=34
TeamIdentifier=F2XAAD6WWR
Sealed Resources version=2 rules=12 files=85
Internal requirements count=1 size=220
As you can see, the Mac App Store downloaded app has only a version 1 resource envelope, even with the submission of a version 2 one. To be sure, I checked my /Application folder and found out that every app I downloaded from the Mac App Store also had a version 1 envelope, even Apple's ones.
Does anyone know whether that's normal, i.e., if the Mac App Store, when re-signing the app, only adds version one envelopes?
Moreover, will that cause problems?
Will that be fixed by Apple?
After that fix, should I resubmit my app?
Code signing is a macOS security technology that you use to certify that an app was created by you. Once an app is signed, the system can detect any change to the app—whether the change is introduced accidentally or by malicious code.
The version designator (1 or 2) is more in relation to what version of OS X was used build and sign the code.
(Code signatures containing version 1 or version 2 resource envelopes are also known as version 1 signatures or version 2 signatures, respectively)
< OS X v10.9 (version 1)
--resource-rules
) to control which files in a bundle should be sealed by a code signature. (deprecated for 10.9+) OS X v10.9+ (version 2)
To determine which version of resource envelope a code signature has, use codesign -dv
:
$ codesign -dv My.app/
[...]
Sealed Resources version=2 rules=15 files=53
[...]
Changes in OS X 10.9.5 and Yosemite Developer Preview 5
OS X version 10.9.5+ changes
For OS X version 10.9 or later:
--resource-rules
flag or ResourceRules.plist
. (your app will be rejected)To ensure your current and upcoming releases work properly with Gatekeeper, test on OS X version 10.10 (Seed 5 or later) and OS X version 10.9.5.
spctl will only accept Developer ID-signed apps and apps downloaded from the Mac App Store by default. It will reject apps signed with Mac App Store development or distribution certificates.
Use spctl
on your app like this:
$ spctl -a -t exec -vv Foo.app
This is the output if your app's signature will be accepted:
Foo.app: accepted
source=Developer ID
➣ source may also be Mac App Store.
If your app's signature only has an obsolete version 1 resource envelope, you'll see this:
Foo.app: rejected
source=obsolete resource envelope
Note: It is necessary to sign code while running OS X Mavericks to get a version 2 signature. The actual code signing machinery is part of the operating system, not the codesign tool. It will not work to copy the codesign tool from Mavericks to an older OS X version.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With