
How to debug OSX code signing rejection?

I'm signing an install4j installer for OSX, however OSX is rejecting it. The system log only reports that it was rejected, and spctl only reports that it was rejected, with no explanation. How can I determine why it was rejected?

I presume you're talking about Gatekeeper not allowing your app to run after it's downloaded? Gatekeeper's rules aren't based on a list of rules to reject an app, they're based on a list of possible rules to accept an app, and if your app doesn't match any of those rules. This makes it hard to log e.g. why your app was rejected beyond "it didn't match any of the allow rules". Now, if you know which "allow" rule you expected to apply to it, you can try to debug it based on that, but Gatekeeper itself doesn't know this and hence isn't much help.

I'm assuming you want your app to be allowed under the "identified developer" rule? If so, there are a couple of tests to look for obvious problems: first, run codesign -vv --deep-verify /path/to/yourapp.app, and make sure it prints "valid on disk" and "satisfies its Designated Requirement" (and doesn't give any errors) -- if not, something's wrong with the signature or the contents of the app.

Second, run codesign -dvv /path/to/yourapp.app, and make sure the data it lists includes:

Authority=Developer ID Application: [Your name/company here]
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Sealed Resources version=2 rules=[something] files=[something]

If the Authority list is different from that, you used the wrong certificate to sign it. If the Sealed Resources version is 1 or not listed, you signed it with an old version of OS X, and recent versions will reject the signature format.
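
The second check in the answer above can be automated. The following is an added example, not part of the original answer: a shell function (the name check_developer_id is hypothetical) that reads a codesign -dvv report on stdin and reports which item of the checklist fails. The two sample reports are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original answer.
# On macOS: codesign -dvv /path/to/yourapp.app 2>&1 | check_developer_id
# (codesign writes the -d report to stderr, hence 2>&1).

check_developer_id() {
    report=$(cat)
    status=0
    # Authority lines are listed leaf first, root last.
    chain=$(printf '%s\n' "$report" | sed -n 's/^Authority=//p')
    leaf=$(printf '%s\n' "$chain" | sed -n 1p)
    mid=$(printf '%s\n' "$chain" | sed -n 2p)
    root=$(printf '%s\n' "$chain" | sed -n 3p)
    case $leaf in
        "Developer ID Application: "*) ;;
        "") echo "FAIL: no Authority lines in the report"; status=1 ;;
        *)  echo "FAIL: signed with '$leaf', not a Developer ID Application certificate"; status=1 ;;
    esac
    if [ -n "$leaf" ]; then
        [ "$mid" = "Developer ID Certification Authority" ] ||
            { echo "FAIL: unexpected intermediate '$mid'"; status=1; }
        [ "$root" = "Apple Root CA" ] ||
            { echo "FAIL: unexpected root '$root'"; status=1; }
    fi
    # Sealed Resources version: 1 or missing means an old signature format.
    version=$(printf '%s\n' "$report" |
        sed -n 's/^Sealed Resources version=\([0-9][0-9]*\).*/\1/p')
    case $version in
        "") echo "FAIL: Sealed Resources version not listed"; status=1 ;;
        1)  echo "FAIL: Sealed Resources version=1 (old signature format)"; status=1 ;;
    esac
    [ "$status" -eq 0 ] && echo "OK: matches the Developer ID checklist"
    return "$status"
}

# Constructed sample reports (not real codesign output from any app).
GOOD_REPORT='Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Sealed Resources version=2 rules=12 files=34'
OLD_REPORT='Authority=Mac Developer: Jane Example (ABCDE12345)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Sealed Resources rules=4 files=34'

printf '%s\n' "$GOOD_REPORT" | check_developer_id
printf '%s\n' "$OLD_REPORT" | check_developer_id || true
```

The function exits non-zero when any item fails, so it can gate a release script before the installer is uploaded.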
