When signing our application DMG for distribution with the Developer ID Application certificate, the signature is not accepted on Mac machines other than the signing machine.
When using codesign as follows, the machine on which I sign our installer DMG returns the spctl check that the signature is accepted. When copying the DMG file onto another machine and running the spctl command, "Rejected; No Usable Signature" is returned. The Developer ID Certification Authority is in the System Roots on both machines' Keychains.
STEPS TO REPRODUCE
The command I run on the Yosemite build machine is:
codesign --force --verbose --verify --sign "Developer ID Application" "OurAppNamePlaceholder.dmg"
The output to this is:
“signed generic”
The signature check command is:
spctl --assess --verbose OurAppNamePlaceholder.dmg
which outputs:
“accepted
Source=Developer ID”
I then copy the DMG to the High Sierra test machine and run:
spctl --assess --verbose OurAppNamePlaceholder.dmg
which outputs:
"rejected"
"no usable signature"
PLATFORM AND VERSION
OS X
Our build machine on which the signing occurs is:
OS X Yosemite (10.10.5)
The machine on which I am testing that Gatekeeper does not pop up as unidentified developer is:
macOS High Sierra (10.13.6)
The Developer ID Certification Authority is in the System Roots on both machines' Keychains.