Mac DMG oddity - signing and "damaged" applications

Question

My Gatekeeper settings are "App Store and Identified Developers"

I have a DMG with a signed app.

When I mount the DMG and run it locally, it works. when I upload the same DMG to our servers (via http), download it (via http), mount it, and try to run the app I get a popup saying my application is "damaged and can't be opened. You should move it to the Trash.

I have no idea what's going on. How can the same file run correctly locally, but when uploaded and downloaded it's corrupt? The server is fine, other parties in our company upload and download applications from it just fine.

Am I missing something?

Answer 1

I'm glad you found your problem. In case other people find this post searching about corrupted DMGs, I want to add another probable solution:

In addition to signing the .app bundle:

codesign -f -s "Developer ID Application: Your Dev ID Here" -v "Your App.app"

you should also sign the created DMG as well:

codesign -f -s "Developer ID Application: Your Dev ID Here" -v YourProgram.dmg

I didn't put quotation marks around the dmg file path because it's less likely that you have spaces in the dmg name. If you do, don't forget to escape them on the command line, or wrap your file path in quotes.

Answer 2

Open terminal and Run:

sudo xattr -rd com.apple.quarantine /Applications/xxx.app

and the "/Applications/xxx.app" MUST be the path of your app. For example, i wannt run PDF Expert and its path is "/Applications/PDF\ Expert.app". Then i should type this on my Terminal and ENTER:

sudo xattr -rd com.apple.quarantine /Applications/PDF\ Expert.app"