Thank you for your reply, @eskimo.
Please find the answers to the questions below.
> Are you seeing this on 10.14.6? What about 10.15 beta?
Yes, this issue is only seen with macOS Catalina (10.15 - all beta versions)
> How are you launching your “terminal application”?
There are three ways by which I tried to run the application:
- Double-clicking on the application. This will throw out the error pop-up mentioned in the initial message - "<my_app_name> can't be opened because the identity of the developer cannot be confirmed".
- Right click on the application, then select "Open" from the pop-up which will be shown. This will actually open the terminal and run the application, and will actually work as expected.
- From a terminal window, by using "./diagnose". This will produce a similar result as #1, with the exception that the pop-up shown will have the option to "Move to Trash".
The use for this application in itself is more based on option #3. Our customers will embed this application in their product, and when there is a need to run a diagnostic on the device, will simply run this app automatically.
> How is it packaged? And how does it reference these libraries?
It is not packaged in any way. The tool is provided as a zip archive, that contains the command line tool (diagnose), as well as 5 dylibs.
The diagnose tool will explicitly link to one of the 5 dylibs and, then, this dylib will explicitly link to the other 4. The loading structure would look similar to the following:
diagnose (dlopen libapi.dylib, using an absolute path)
|
-- libapi.dylib (dlopen lib1.dylib, lib2.dylib, etc., using an absolute path)
   |
   -- lib1.dylib
   -- lib2.dylib
   -- lib3.dylib
   -- lib4.dylib
All binaries (diagnose + libs) are signed using the same Apple certificate, and then sent to notarization (which is successful), in a zip package that contains all of them.
One other thing to mention, because I don't want to create any confusion regarding the type of the application: the diagnose is a simple C++ command line app, created and compiled with Xcode 9.x, then signed with Xcode 10, in order to enable runtime hardening. Xcode 9.x is required for compiling because it still offers the option to bundle the 32-bit version of the app, which is required by some of the customers.