Launching our code-signed application after downloading its .dmg over the web (HTTPS) using Chrome or Firefox shows that the app "can't be opened because it is from an unidentified developer".
This is surprising because the app is correctly code-signed and is working fine on multiple Macs already. When opening the exact same image and launching the application directly from my local file system (i.e. not downloaded via the web) everything is fine, as expected - no warnings or errors.
Does the .dmg or .app inside get modified or treated diferently by the OS if it is downloaded over the web? If so, how can we deliver a code-signed app over the internet?