How to test and debug gatekeeper spctl check? codesign passed

I need step by step instructions to debug why spctl command rejects -- I am on 10.15.7. Appreciate if anyone can shed some light on this with pointer/documentation?

Forcing me to do something on Xcode is not what I am looking for, please.

I am sure with Catalina -- new rules have formed around Gatekeeper spctl command to assess the security posture of the apps installed or developed.

Now coming to our app, it gets rejected by spctl -- unknown, but codesign passes the app. Need a systematic troubleshooting guide or instruction set. Thanks in advance,

sh-3.2
spctl -a -t exec --ignore-cache  -vv /Applications/MyApp.app
====
/Applications/MyApp.app: rejected
origin=3rd Party Mac Developer Application: MyOrg (MYORGDEVID)
=====

sh-3.2
codesign -dvv --strict /Applications/MyApp.app

=====
Executable=/Applications/MyApp.app/Contents/MacOS/MyApp
Identifier=com.MyApp.SubID
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=1285 flags=0x10000(runtime) hashes=31+5 location=embedded
Signature size=9134
Authority=3rd Party Mac Developer Application: MyOrg (MYORGDEVID)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Timestamp=Nov 2, 2020 at .... PM
Info.plist entries=15
TeamIdentifier=MYORGDEVID
Runtime Version=10.14.0
Sealed Resources version=2 rules=13 files=309
Internal requirements count=1 size=212
====


sh-3.2
codesign -vv --strict  /Applications/MyApp.app
===
/Applications/MyApp.app: valid on disk
/Applications/MyApp.app: satisfies its Designated Requirement 
===

spctl --raw -a -t exec -vv /Applications/MyApp.app
=====
/Applications/MyApp.app: rejected
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" ".../>
<plist version="1.0">
<dict>
            <key>assessment:authority</key>
            <dict>
                        <key>assessment:authority:flags</key>
                        <integer>0</integer>
            </dict>
            <key>assessment:originator</key>
            <string>3rd Party Mac Developer Application: MyOrg  (MYORGDEVID)</string>
            <key>assessment:remote</key>
            <true/>
            <key>assessment:verdict</key>
            <false/>
</dict>
</plist>
origin=3rd Party Mac Developer Application: MyOrg  (MYORGDEVID)
===========
Up vote post of soft_tech Down vote post of soft_tech
1.4k views
Posted by
soft_tech
Reply
Add a Comment

Replies

What happens if you use a Developer ID certificate?
Posted by
Etresoft
Up vote reply of Etresoft Down vote reply of Etresoft
Add a Comment
Thanks for replying back...

===================

What happens if you use a Developer ID certificate?
===============

As per apple developer portal on appstore we need to use specific certificates (below) depending on whether this app is distributed outside appstore or not. See below, I quoted from apple store connect.

This app shall be distributed via appstore (not outside) of apple channel -- As such we chose and created certs
starting with the word "Mac" below (certs categories).

Wow, this made me thinking, wouldn't it be that, until the app is in the appstore officially, the gatekeeper thinks this is
outside app? Meaning, until we install it via appstore, the gatekeeper would think this is coming from external --Internet, or via USB.

Am I thinking correctly?

If the above is true, then, when we test for spctl on the app bundle which is now at pre-publish stage (not yet in appstore, but going thru review), it always requires "Developer ID Application" based signing-->
This certificate (Developer ID Application) is used to code sign your app for distribution outside of the Mac App Store.

But we used Mac Dev cert for signing the code as it is intended for distribution via appstore.

Does this make sense? If this is case, I will bring appstore review team to make a note of this thread.

Thanks in anticipation.

========Description of various certs and sign purpose from Appstore Connect ==========

Developer ID Application
This certificate is used to code sign your app for distribution outside of the Mac App Store.

Developer ID Installer
This certificate is used to sign your app's Installer Package for distribution outside of the Mac App Store.

Mac Development
Sign development versions of your Mac app.

Mac App Distribution
This certificate is used to code sign your app and configure a Distribution Provisioning Profile for submission to the Mac App Store.

Mac Installer Distribution
This certificate is used to sign your app's Installer Package for submission to the Mac App Store

===========
Posted by
soft_tech
Up vote reply of soft_tech Down vote reply of soft_tech
Add a Comment 
Code Block  
sh-3.2
spctl -a -t exec --ignore-cache  -vv /Applications/MyApp.app
====
/Applications/MyApp.app: rejected
origin=3rd Party Mac Developer Application: MyOrg (MYORGDEVID)
=====


I’m not sure what the problem is here. This app is signed with a Mac App Store distribution signing identity (3rd Party Mac Developer Application: TTT, where TTT identifies your team). You can’t run such an app on your Mac, which is why Gatekeeper is rejecting it. The only thing you can do with a distribution-signed app is upload it to the App Store.

If you want to run the app locally you have two options:

  • Sign it with a Developer ID signing identity (Developer ID Application: TTT).

  • Sign it with an Apple Development signing identity (Apple Development: TTT or the older Mac Developer: TTT) along with a provisioning profile that authorises it to run on your Mac.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment
Thanks Eskimo. We are on the same page and validated our understanding on the right cert usage. Good day.
Posted by
soft_tech
Up vote reply of soft_tech Down vote reply of soft_tech
Add a Comment

Am I thinking correctly? 

I doubt it.

Developer ID is for distribution outside of the Mac App Store. There is no such thing as "interim" distribution or anything. It is Mac App Store, using Apple's download and licensing ecosystem, or Developer ID, using your own download and licensing system.

If you are targeting the Mac App Store, then don't worry about Developer ID at all.

However, if you do intend to distribute the software yourself using Developer ID, then don't spend too much time with codesign and spctl. Those may be useful debugging tools, but, in most cases, you shouldn't bother. Just build your app in Xcode, archive, and update. Wait 5 minutes. You'll get a notification that your app is notarized. Then, you can "export" your notarized app from the organizer. Zip up that app and post it on your web site. Then download it and try to run. That is the one and only way to test notarization.
Posted by
Etresoft
Up vote reply of Etresoft Down vote reply of Etresoft
Add a Comment

If you are targeting the Mac App Store, then don't worry about Developer ID at all. 

Yes, that's what it boils down to; ignore Dev ID and spctl. As we are indeed targeting Mac AppStore only. All the deduction has now converged to this above fact. Thanks and Good day.
Posted by
soft_tech
Up vote reply of soft_tech Down vote reply of soft_tech
Add a Comment

If you are targeting the Mac App Store, then don't worry about
Developer ID at all.

It’s not uncommon for folks targeting the Mac App Store to use Developer ID for their beta test programme. Given the lack of TestFlight on the Mac, that’s an important option (although one not without its drawbacks).

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment
Thanks Eskimo. Our app has been on beta testing for over a year (yes!) before we decided to make it official via Mac Appstore.
I surely see the value of Testflight, for next app :). It depends. Good day.
Posted by
soft_tech
Up vote reply of soft_tech Down vote reply of soft_tech
Add a Comment