notarized, identity cannot be confirmed

Hi, I'm trying to distribute an app..

With my Dev ID app cert I've succesfully signed and notarized the .app, then packed to dmg and signed and notarized it.

both stepled.


checking app with

spctl -a -v myApp.app


result:

myApp.app: accepted 
source=Notarized Developer ID


then checked the dmg

spctl -a -t open --context context:primary-signature -v my.dmg


result:

my.dmg: accepted
source=Notarized Developer ID


seems like everything is ok.


Now, according to this https://help.apple.com/xcode/mac/current/#/dev1cc22a95c I'm testing the launch behavior:

- uploaded dmg file to google drive, then downloaded.

- opened dmg and copied app to Applications folder.

- trying to run it and see the message "'myApp' can't be opened because the identity of developer cannot be confirmed."


Checking downloaded app from apps folder with spctl still says Notarized Developer ID.


Even checked it with check-signature tool, result:

(c) 2014 Apple Inc.  All rights reserved.
YES


also used advice from this forum(after gatekeeper message appeared):

log show --info --predicate "process =='XprotectService' and composedMessage contains 'rPathCommand'" --last 10m

result:

Filtering the log data using "process == "XprotectService" AND composedMessage CONTAINS "rPathCommand""
Skipping debug messages, pass --debug to include.
Timestamp                       Thread     Type        Activity             PID    TTL 
--------------------------------------------------------------------------------------------------------------------
Log      - Default:          0, Info:                0, Debug:             0, Error:          0, Fault:          0
Activity - Create:           0, Transition:          0, Actions:           0



What's wrong with it?


macOS Mojave 10.14.6

Replies

Hi


We had the exact same issue


Eport your notarized app from XCode and then


xcrun stapler staple pathtomynotarized.app


this should have been done by default by Apple

We have the same problem, with slight variation in our workflow:


Xcode signs the app for us, then dmg creation and notarization/stapling is run via scripts/commandline. We do not sign the dmg, only the app inside it is signed - which should be fine; we can still notarize and staple the dmg with success ("accepted", "Notarized Developer ID", "Ready for distribution", etc). Upload to a website and download via browser (Safari/Firefox), install from dmg, spctl then still says "accepted" and "Notarized Developer ID" for the app, but Gatekeeper apparently rejects it with dialog on app startup:


<app> cannot be opened because the developer cannot be verified.


Still no solution, reported to Apple.

We're running it all on macOS 10.15.2.

I should also clarify that the notarization result is success without any warnings/issues.

I responded over on your other thread.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"