<app name> cannot be opened because the developer cannot be verified

Code Signing General
AndreasHtw2 OP
Created Mar ’20
Replies 8
Boosts 0
Views 2.3k
Participants 3

Hi Apple experts! I could need some help please 🙂


We build our C++ app with Xccode 10.3 on macOS 10.15.1. We let Xcode sign it with Developer ID Application, hardened runtime is set. We build a DMG with "DropDMG" which also signs the DMG file for us. Then we upload it to notarization, staple the DMG, copy it to our web server, download it with Safari, open the DMG, move the app to /Applications, double click and get the error message:


"<app name> cannot be opened because the developer cannot be verified.

macOS cannot verify that this app is free from malware."


Any idea where I could find more information about why Gatekeeper does not like our app?


Here are some details about the app:


$ spctl --assess --verbose=4 --type execute "/Applications/<app name>.app"

/Applications/<app name>.app: accepted

source=Notarized Developer ID


$ spctl -a -t exec -vv "/Applications/<app name>.app"

/Applications/<app name>.app: accepted

source=Notarized Developer ID

origin=Developer ID Application: <company name> (<ID>)


$ codesign -d --entitlements :- "/Applications/<app name>.app"

Executable=/Applications/<app name>.app/Contents/MacOS/<app name>

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>com.apple.security.cs.allow-dyld-environment-variables</key>

<true/>

<key>com.apple.security.cs.disable-library-validation</key>

<true/>

</dict>

</plist>


$ codesign -vv --deep-verify "/Applications/<app name>.app"

/Applications/<app name>.app: valid on disk

/Applications/<app name>.app: satisfies its Designated Requirement


$ codesign --verify -vvvv -R='anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.1] exists and (certificate leaf[field.1.2.840.113635.100.6.1.2] exists or certificate leaf[field.1.2.840.113635.100.6.1.4] exists)' "/Applications/<app name>.app"

/Applications/<app name>.app: valid on disk

/Applications/<app name>.app: satisfies its Designated Requirement

test-requirement: code failed to satisfy specified code requirement(s)


The app bundle contains a folder /Contents which contains:

files:

Info.plist

PkgInfo

CodeResources

folders:

MacOS

Resources

_CodeSignature

data

default_data

data and default_data are sub-folders which contain 2 GB of app data


Any help will be much appreciated. Thanks!

Answered by AndreasHtw2 in 411375022

With the help of the Apple tech support, we found the simple reason of the problems: testing on the dev machine gave me wrong results 😟


I'm using a VM now for testing. I download the game from our server to the VM. Gatekeeper accepts the bundle, I install the app and start it, and Gatekeeper accepts the app, too.

Testing same download again on my dev Mac: Gatekeeper warns "macOS cannot verify that this app is free from malware."

Solution: test on a clean system.
Many thanks to the Apple tech support!

Replies  8
Boosts  0
Views  2.3k
Participants  3
AndreasHtw2 OP
Mar ’20

I just rebuild the whole project with data and default_data folders moved to /Resources - still the same problem 😟


otool -L "/Applications/<app name>.app"


/usr/lib/libiconv.2.dylib (compatibility version 7.0.0, current version 7.0.0)

/System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration (compatibility version 1.0.0, current version 963.255.3)

/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation (compatibility version 300.0.0, current version 1575.17.0)

/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa (compatibility version 1.0.0, current version 23.0.0)

/System/Library/Frameworks/IOKit.framework/Versions/A/IOKit (compatibility version 1.0.0, current version 275.0.0)

/System/Library/Frameworks/Security.framework/Versions/A/Security (compatibility version 1.0.0, current version 58286.255.3)

/System/Library/Frameworks/AGL.framework/Versions/A/AGL (compatibility version 1.0.0, current version 1.0.0)

/System/Library/Frameworks/OpenAL.framework/Versions/A/OpenAL (compatibility version 1.0.0, current version 1.0.0)

/System/Library/Frameworks/AudioToolbox.framework/Versions/A/AudioToolbox (compatibility version 1.0.0, current version 492.0.0)

/System/Library/Frameworks/GLUT.framework/Versions/A/GLUT (compatibility version 1.0.0, current version 1.0.0)

/System/Library/Frameworks/OpenGL.framework/Versions/A/OpenGL (compatibility version 1.0.0, current version 1.0.0)

/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices (compatibility version 1.0.0, current version 946.0.0)

/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices (compatibility version 1.0.0, current version 50.1.0)

/usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)

/usr/lib/libc++.1.dylib (compatibility version 1.0.0, current version 400.9.4)

/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.250.1)

/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit (compatibility version 45.0.0, current version 1671.60.107)

/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation (compatibility version 150.0.0, current version 1575.17.0)

/System/Library/Frameworks/CoreGraphics.framework/Versions/A/CoreGraphics (compatibility version 64.0.0, current version 1265.9.0)

0
john daniel OP
Mar ’20

Having data in resources usually isn't the problem. The problem is having code in resources.

Review console messages when you try to run your app for the first time inside a VM.

0
DTS Engineer OP
Apple
Mar ’20

Any idea where I could find more information about why Gatekeeper does not like our app?

I have some suggestions on this thread.

Also, why are you disabling library validation? Library validation actually makes it harder to pass Gatekeeper. If you can re-enable library validation, you should do that, then test on the current 10.15.4 beta to see how things go there.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
0
AndreasHtw2 OP
Mar ’20

I tried it with and without "Library validation", that did not change it. But I found that I had the entitlement file and the plist file copied in the "Copy Resource Files" build phase. I removed these two files, and also enabled library validation. Now it worked!
IMHO it's bad design that there is no validation tool for developers to simulate the GateKeeper.

0
DTS Engineer OP
Apple
Mar ’20

I’m glad you got this resolved.

IMHO it's bad design that there is no validation tool for developers to simulate the GateKeeper.

That would make a fine enhancement request.

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
0
AndreasHtw2 OP
Mar ’20

Unfortunately, today's build was "malicious content" again 😟

I changed only two things:

- the build number

- activated "strip all symbols"

0
AndreasHtw2 OP
Mar ’20

I gave my feedback here: FB7631918

0
AndreasHtw2 OP
Mar ’20
Accepted Answer

With the help of the Apple tech support, we found the simple reason of the problems: testing on the dev machine gave me wrong results 😟


I'm using a VM now for testing. I download the game from our server to the VM. Gatekeeper accepts the bundle, I install the app and start it, and Gatekeeper accepts the app, too.

Testing same download again on my dev Mac: Gatekeeper warns "macOS cannot verify that this app is free from malware."

Solution: test on a clean system.
Many thanks to the Apple tech support!

0
&lt;app name&gt; cannot be opened because the developer cannot be verified
First post date Last post date
 
 
Q