Problem:
I have a command line tool that is codesigned with a valid Developer ID Application certificate/identity (which expires in 2018).
When this command line tool is checked in its build folder with codesign -vvvvvvvvv, everything is OK:
mytool: valid on disk
mytool: satisfies its Designated Requirement
When this command line tool is checked in its installed location with codesign -vvvvvvvvv, there is a problem:
mytool: invalid signature (code or signature have been modified)
In architecture: x86_64
Now, the weird part:
- the md5 of the 2 instances is the same
- the sha-1 of the 2 instances is the same
- if I rename the instance in the installed location like this:
mv mytool mytool2
and then check with codesign -vvvvvvvv, everything is OK.
If I put back the old name and check it with codesign -vvvvvvvv, same problem about the invalid signature.
Note:
If the running process mytool (in the installed location) is checked with SecCodeCheckValidityWithErrors, an error is returned: -67061.
Of course, this error code is not documented.
Questions:
- What is the error code -67061 supposed to mean? The CFError returned by the function does not explain anything.
- How can an executable be OK with one name and not with another one from a codesigning perspective? I'm beginning to wonder if the tool is not incorrectly blacklisted by one of the hidden OS lists (but I can't remember right now the locations of these 2 files). At least, it's not by XProtect.
Environment:
Mac OS X 10.8.5