Question

I am trying to publish a signed application, but when downloading it through the internet, Gatekeeper complains:

Furthermore, the help page says that the app has been tampered with:

Which is actually not true, here is my signing/packaging procedure:

codesign --deep --force --verify -s "Developer ID Application: Nanolive SA (GMLD8K8WH3)" Steve/Steve.app
hdiutil create -volname Steve -srcfolder Steve -ov -format UDZO Steve.dmg
codesign -s "Developer ID Application: Nanolive SA (GMLD8K8WH3)" Steve.dmg

The whole procedure works without a problem, and as you can see, I don't change the package between the signature and the creation of the dmg.

I went through this whole document and I think everything is correct: https://developer.apple.com/library/archive/technotes/tn2206/_index.html

Furthermore, I went through everything in the Checking Gatekeeper Conformance section:

Checking the dmg:

$ spctl -a -t open --context context:primary-signature -v Steve.dmg
Steve.dmg: accepted
source=Developer ID

Using codesign:

$ codesign --verify --deep --strict --verbose=2 Steve.app
--prepared:/Volumes/Steve/Steve.app/Contents/MacOS/ffmpeg
--validated:/Volumes/Steve/Steve.app/Contents/MacOS/ffmpeg

<snip a lot of validated libs>

--prepared:/Volumes/Steve/Steve.app/Contents/Frameworks/libvtkRenderingAnnotation-7.1.1.dylib
--validated:/Volumes/Steve/Steve.app/Contents/Frameworks/libvtkRenderingAnnotation-7.1.1.dylib
Steve.app: valid on disk
Steve.app: satisfies its Designated Requirement

Using the check-signature tool:

$ /Volumes/Signature\ Check/check-signature Steve.app
(c) 2014 Apple Inc.  All rights reserved.
YES
$ /Volumes/Signature\ Check/check-signature Steve.app/Contents/Frameworks/*
(c) 2014 Apple Inc.  All rights reserved.
Steve.app/Contents/Frameworks/QtConcurrent.framework: YES

<snip a lot of YES>

Steve.app/Contents/Frameworks/qwt: YES

And lastly using spctl:

spctl -a -t exec -vv Steve.app
Steve.app: accepted
source=Developer ID
origin=Developer ID Application: Nanolive SA (GMLD8K8WH3)

The command line tells me everything is 100% correct, but I still can't launch the app from the user interface because I'm missing something, somewhere, that the command line won't tell me.

Please note that when I bypass the quarantine using the command line, the app launches properly, which implies that I don't have any missing library as far as I'm aware.

The build server runs OSX High Sierra 10.13.6

Thank you for your time and help!

Solution

An rpath Problem

I was able to solve the issue thanks to some external help.

When opening the Console application, I was seeing this message, which comes from the XProtectService, which is apparently the real reference in terms of Gatekeeper:

default    11:00:31.445713 +0200    XprotectService    File /Volumes/Steve 2/Steve.app/Contents/MacOS/Steve failed on rPathCmd /Users/example/tmp/buildSteve/QtConcurrent.framework/Versions/5/QtConcurrent

Which means that the issue was actually some bad rpath. The rpath is used to find and load frameworks needed by an application.

I wrote a Python script to recursively fix the rpath, and now it works.

The script changes the executable's rpath using Apple's install_name_tool. This is not something users should ever need to do and is exclusively something for an application's developer to fix before deployment.
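A pre-release check for the failure described in the answer, as an added example (not the answerer's script and not Apple's own logic): it parses `otool -l` output and lists rpath and dylib load commands that point outside the bundle, such as a leftover build-directory path. The allowed-prefix list, the function names and the sample text are assumptions constructed for illustration.

```python
import re
import subprocess
from pathlib import Path

# Assumption: only bundle-relative tokens and OS-provided library paths may ship.
ALLOWED = ("@executable_path", "@loader_path", "@rpath", "/usr/lib/", "/System/Library/")
# Load commands that carry a path, and the otool field that holds it.
PATH_FIELD = {"LC_RPATH": "path", "LC_LOAD_DYLIB": "name",
              "LC_LOAD_WEAK_DYLIB": "name", "LC_REEXPORT_DYLIB": "name"}

def bad_load_paths(otool_output):
    """Return [(cmd, path)] for load paths in `otool -l` text that leave the bundle."""
    findings, cmd = [], None
    for line in otool_output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "cmd":
            cmd = fields[1]
        elif cmd in PATH_FIELD and len(fields) >= 2 and fields[0] == PATH_FIELD[cmd]:
            # Line looks like: "name /some/path with spaces (offset 24)"
            path = re.sub(r"\s+\(offset \d+\)$", "", line.strip()[len(fields[0]):].strip())
            if not path.startswith(ALLOWED):
                findings.append((cmd, path))
            cmd = None
    return findings

def scan_bundle(app):
    """Run `otool -l` on every regular file in the bundle (needs macOS developer tools)."""
    report = {}
    for f in Path(app).rglob("*"):
        if f.is_file() and not f.is_symlink():
            out = subprocess.run(["otool", "-l", str(f)], capture_output=True, text=True).stdout
            if hits := bad_load_paths(out):
                report[str(f)] = hits
    return report

# Constructed sample of `otool -l` output; the first path is the one in the log line above.
SAMPLE = """\
Load command 12
          cmd LC_LOAD_DYLIB
      cmdsize 104
         name /Users/example/tmp/buildSteve/QtConcurrent.framework/Versions/5/QtConcurrent (offset 24)
Load command 13
          cmd LC_LOAD_DYLIB
         name @rpath/QtCore.framework/Versions/5/QtCore (offset 24)
Load command 20
          cmd LC_RPATH
         path @executable_path/../Frameworks (offset 12)
"""
```

Running `scan_bundle("Steve/Steve.app")` on the build machine before `codesign` gives the list of files whose load commands still need `install_name_tool`; any such change must happen before signing, since it modifies the binary.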

Licensed under: CC-BY-SA with attribution
Not affiliated with apple.stackexchange