Signing code for OS X application bundle

Question

I am porting a .NET application to OS X using the Mono Framework. The application works fine, and we have everything done except for packaging. I am packaging a standalone Mono build inside the bundle to avoid dependencies, and using this tool for the job: https://github.com/OutOfOrder/MonoKickstart

The bundle structure we are using is like this:

OurApp.app
  \-Contents
      +-Info.plist
      +-MacOS
      |   +-osx   - native libraries for osx
      |   +-mono  - mono config files
      |   \ ...  - the OS X kickstart binaries, the .exe file, C# .dlls
      \-Resources/
          \-icon.icns

The bundle runs fine when OS X's Gatekeeper functionality is set off, but when trying to sign it to get it run always, I run into problems...

$ codesign -s "3rd Party Mac Developer Application: Our Certificate" --force --deep --verbose OurApp.app
OurApp.app: bundle format unrecognized, invalid, or unsuitable
In subcomponent: OurApp.app/Contents/MacOS/mono/4.0

All right, I'll remove the mono directory temporarily just to see if it proceeds then:

$ codesign -s "3rd Party Mac Developer Application: Our Certificate" --force --deep --verbose OurApp.app
OurApp.app: signed bundle with Mach-O universal (i386) [org.ourcompany.ourapp]

Success! Or so do I think, but when I'll try to run the app, it still says it's still blocked by Gatekeeper. And when I run

spctl -a -v OurApp.app
OurApp.app/: rejected

So what gives? It says it signed the bundle, and using the --deep parameter, it should've signed all the libraries and such, if I understood right. What should I do to make this work?

Update:

Tried to sign the files one by one with this.

 codesign -s "3rd Party Mac Developer Application: Our Certificate" --force --verbose OurAppExecutable.bin

But it refused to do it, because of the "subcomponents" (Even if I'm not using --deep).

I finally got it to sign it by moving everything else but the actual binary file to Resources folder, and then signing the binary file, and then the app bundle.

But yet, it says:

spctl -a -v OurApp.app
OurApp.app/: rejected
source=No Matching Rule

Any further insights?

Answer 1

I got this to work afterwards. The trick was to keep just the one and only executable file in the MacOS dir, and have everything else in the Resources dir. This way we didn't need to sign all the other things.

Another blunder - not the source of this problem, but of an another one - was that we were trying to sign it with a wrong kind of certificate. "3rd Party Mac Developer Application" is apparently used for App Store submissions. The name is kind of misleading, so it's easy to mess that up. More info: Difference between “Mac Developer” and “3rd Party Mac Developer Application”

Answer 2

I'm not sure if --deep is supposed to work or not, but it's not what we use in Xamarin Studio when codesigning Xamarin.Mac projects. What we do is codesign each native library individually and then codesign the app bundle itself.

Hope that helps.

Update: This may be the problem:

OurApp.app: bundle format unrecognized, invalid, or unsuitable
In subcomponent: OurApp.app/Contents/MacOS/mono/4.0

The problem might be that MonoKickStart is not generating correct Mac executables?