Our app is weakly linked to a framework from a third-party vendor:
/Library/KeyAccess/KeyAccess.app/Contents/SharedFrameworks/KeyAccess.framework/KeyAccess
Our app is signed using our developer ID certificate with:
--options runtime
--timestamp
--entitlements ourApp.entitlements
Since the 3rd-party framework is signed with a different Developer ID, the entitlements file includes the entitlement that disables library validation:
https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_security_cs_disable-library-validation?language=objc
We have verified the code signature using the following commands:
codesign --verify --strict --verbose ourApp.app
codesign -dvv ourApp.app
spctl -vvv --assess --type exec --ignore-cache --no-cache ourApp.app
No issues are reported.
We generate a dmg, code sign that too, then successfully notarize the dmg and staple the report.
When viewing the log provided during notarization, no issues are shown; all binary content has been properly signed.
Unfortunately, if the dmg is downloaded from an online source we get a Gatekeeper warning indicating the developer cannot be verified. If we omit the entitlement (which will result in not being able to use the 3rd party framework, but the application will otherwise run) the Gatekeeper dialog disappears.
Since this issue appeared only after we upgraded from Qt 5 to Qt 6, we created a small test app that just shows a "Hello World" message. In this case inclusion of the entitlement is not a problem until we attempt to pull in a trivially simple framework that we ship within the application bundle (QNtp.framework). We cannot find any code within this tiny library that e.g. uses a private API or anything else suspicious. If we bake the QNtp code into the test application directly instead no Gatekeeper warning is shown.
Is there some way to get a report on WHY Gatekeeper is rejecting the code signature and notarization of the sample or our full app? Unfortunately tools like Max Inspect and Taccy have not yet revealed the cause of the issue.
let myEmail = "w" + "stokes" + "@snapgene.com"
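As an added example (not code from the original post or from Apple), the following Python script turns the manual checks above into a repeatable triage of a bundle and its nested frameworks: it parses the key=value lines that `codesign -dvv` prints, reads the entitlements plist, and reports whether the main executable has the hardened runtime and a secure timestamp, whether each nested framework is signed by the same Team ID, and whether a Team ID mismatch is permitted by `com.apple.security.cs.disable-library-validation`. The `codesign` output, Team IDs (`TEAMIDAAAA`, `TEAMIDBBBB`), bundle identifiers and entitlements plist embedded below are constructed samples; `inspect_bundle` is an assumed helper that only runs when `codesign` is on the PATH (macOS), and it assumes `codesign -d --entitlements :-` still emits an XML plist on the host.

```python
"""Triage helper for codesign -dvv output and entitlements (added example)."""
import glob
import os
import plistlib
import re
import shutil
import subprocess
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Set, Tuple

DISABLE_LIBVAL = "com.apple.security.cs.disable-library-validation"


@dataclass
class SigInfo:
    identifier: str = ""
    team_id: Optional[str] = None                   # None when codesign prints "not set"
    flags: Set[str] = field(default_factory=set)    # CodeDirectory flags, e.g. {"runtime"}
    timestamped: bool = False                       # True when a "Timestamp=" line is present
    entitlements: Dict[str, object] = field(default_factory=dict)


def parse_codesign_dvv(text: str) -> SigInfo:
    """Parse the key=value lines that `codesign -dvv` writes to stderr."""
    info = SigInfo()
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key == "Identifier":
            info.identifier = value
        elif key == "TeamIdentifier":
            info.team_id = None if value == "not set" else value
        elif key.startswith("CodeDirectory"):
            # e.g. "CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=..."
            m = re.search(r"flags=0x[0-9a-fA-F]+\(([^)]*)\)", line)
            if m:
                info.flags = {f.strip() for f in m.group(1).split(",") if f.strip()}
        elif key == "Timestamp":
            info.timestamped = True
    return info


def parse_entitlements(plist_text: str) -> Dict[str, object]:
    """Parse the XML plist printed by `codesign -d --entitlements :-`.
    Older releases prefix the plist with a binary blob header, so skip to <?xml."""
    start = plist_text.find("<?xml")
    return plistlib.loads(plist_text[start:].encode()) if start >= 0 else {}


def diagnose(app: SigInfo, nested: List[Tuple[str, SigInfo]]) -> List[str]:
    """Return finding codes for the main executable and each nested framework."""
    findings: List[str] = []
    if "runtime" not in app.flags:
        findings.append("APP_NO_HARDENED_RUNTIME")
    if not app.timestamped:
        findings.append("APP_NO_TIMESTAMP")
    if app.team_id is None:
        findings.append("APP_NO_TEAM_ID")
    # Library validation is a hardened-runtime feature; the entitlement switches it off.
    libval_on = "runtime" in app.flags and not bool(app.entitlements.get(DISABLE_LIBVAL))
    for path, n in nested:
        if n.team_id is None:
            findings.append(f"NESTED_NO_TEAM_ID:{path}")
        if not n.timestamped:
            findings.append(f"NESTED_NO_TIMESTAMP:{path}")
        if n.team_id != app.team_id:
            state = "BLOCKED_BY_LIBVAL" if libval_on else "ALLOWED_BY_ENTITLEMENT"
            findings.append(f"NESTED_TEAM_MISMATCH_{state}:{path}")
    return findings


def inspect_bundle(app_path: str) -> List[str]:
    """On macOS, gather the same data live (assumed helper; needs codesign on PATH)."""
    if shutil.which("codesign") is None:
        raise RuntimeError("codesign not available on this host")

    def dvv(path: str) -> SigInfo:
        r = subprocess.run(["codesign", "-dvv", path], capture_output=True, text=True)
        return parse_codesign_dvv(r.stderr)

    ents = subprocess.run(["codesign", "-d", "--entitlements", ":-", app_path],
                          capture_output=True, text=True).stdout
    app = replace(dvv(app_path), entitlements=parse_entitlements(ents))
    fws = sorted(glob.glob(os.path.join(app_path, "Contents", "Frameworks", "*.framework")))
    return diagnose(app, [(os.path.basename(f), dvv(f)) for f in fws])


# Constructed sample output in the layout codesign -dvv uses (not captured from a real app).
SAMPLE_APP_DVV = """\
Executable=/tmp/ourApp.app/Contents/MacOS/ourApp
Identifier=com.example.ourapp
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Authority=Developer ID Application: Example Inc (TEAMIDAAAA)
Timestamp=1 Jan 2024 at 00:00:00
TeamIdentifier=TEAMIDAAAA
"""
SAMPLE_FW_DVV = """\
Identifier=com.vendor.KeyAccess
CodeDirectory v=20400 size=800 flags=0x0(none) hashes=20+3 location=embedded
Authority=Developer ID Application: Vendor Ltd (TEAMIDBBBB)
Timestamp=1 Jan 2024 at 00:00:00
TeamIdentifier=TEAMIDBBBB
"""
SAMPLE_ENTITLEMENTS = """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.security.cs.disable-library-validation</key><true/>
</dict></plist>"""


def run_sample(with_entitlement: bool = True) -> List[str]:
    """Diagnose the constructed sample, with or without the entitlement."""
    app = parse_codesign_dvv(SAMPLE_APP_DVV)
    if with_entitlement:
        app = replace(app, entitlements=parse_entitlements(SAMPLE_ENTITLEMENTS))
    return diagnose(app, [("KeyAccess.framework", parse_codesign_dvv(SAMPLE_FW_DVV))])


if __name__ == "__main__":
    for f in run_sample():
        print(f)
```

Running the sample reports only `NESTED_TEAM_MISMATCH_ALLOWED_BY_ENTITLEMENT:KeyAccess.framework`; dropping the entitlement turns that into `..._BLOCKED_BY_LIBVAL`, which is the runtime-load consequence, not a Gatekeeper verdict. The finding codes are deliberately limited to facts that `codesign` itself prints (Team ID, runtime flag, timestamp, entitlement), so the script narrows the search without guessing at Gatekeeper's reasoning; for the verdict itself, the `spctl` assessment and the `syspolicyd` entries in the unified log remain the sources to read.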