Successfully notarized app rejected by gatekeeper

Codesigning app with hardened runtime (no exceptions), packing it into a dmg (unsigned) and notarizing/stapling the dmg. Xcode 11.2, macOS 10.15.2.

All steps of codesigning and notarization/stapling are successful, without any warnings or issues.

Upload of dmg to website, download through browser and installing the app from dmg.

Still after this, spctl says:

my.app/: accepted
source=Notarized Developer ID
origin=Developer ID Application: Qlucore AB (3HJ98U983V)


But when I try to start the same app, I get a dialog saying:

<app> cannot be opened because the developer cannot be verified.


Any suggestions on how to move the investigation forward would be much appreciated.

Accepted Reply

Notarising your app is necessary to pass Gatekeeper, but it’s not sufficient. Gatekeeper has its own array of checks, and it’s easy to trip over one of those checks even though your notarisation is copacetic.

Unfortunately it’s not always easy to work out what Gatekeeper is grumpy about. I’ve posted some hints on this thread.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Replies

Thank you for the linked tips! This is really useful info, and I think hints of this dimension should be much more visible in the official pages, like maybe one of these:

https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution

https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution/resolving_common_notarization_issues


Our problem turned out to be the XProtect service, which logged "Error" about useless/misleading embedded LC_RPATH settings in a couple of our .dylibs bundled in the app. This never showed as a problem in any other way, since the correct search paths are there too, so our app could execute fine anyway (in developer build).


The bundled dylib is 3rd party, so we ended up having to fix it before bundling with


install_name_tool -delete_rpath ...


(That makes me wonder, is it ever a good idea to have LC_RPATH settings at all on dylibs? Shouldn't that always be set on executables only?)


Also, the error message in the GUI dialog from Gatekeeper is really, really bad - misleading.


BR,

Martin
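
An added example, not part of the thread or of Apple's tooling: a small script that lists the LC_RPATH entries in every Mach-O file of a bundle by parsing `otool -l` output, so stray entries in third-party dylibs can be found before signing. The function names, the constructed sample output, and the choice to treat absolute (non-`@`) entries as the first ones to review are assumptions of this example; the post does not say which entries were at fault.

```shell
#!/bin/sh
# Added example: audit LC_RPATH load commands inside an app bundle.

# Read `otool -l` output on stdin; print one rpath entry per line.
rpaths_from_otool() {
    awk '
        $1 == "cmd" { in_rpath = ($2 == "LC_RPATH") }
        in_rpath && $1 == "path" {
            sub(/^[ \t]*path /, "")          # drop the field label
            sub(/ \(offset [0-9]+\)$/, "")   # drop the trailing offset
            print
        }'
}

# Keep entries that are not @executable_path/@loader_path/@rpath relative.
# Assumption of this example: absolute entries are the ones to review first.
absolute_rpaths() {
    grep -v '^@' || true
}

# macOS only: print "file<TAB>rpath" for every entry found under a bundle.
scan_bundle() {
    command -v otool >/dev/null 2>&1 || { echo "otool not found" >&2; return 2; }
    find "$1" -type f | while IFS= read -r f; do
        otool -l "$f" 2>/dev/null | rpaths_from_otool | while IFS= read -r p; do
            printf '%s\t%s\n' "$f" "$p"
        done
    done
}

# Constructed sample of `otool -l` output (not taken from the thread).
sample_otool_output() {
    cat <<'EOF'
Load command 12
          cmd LC_LOAD_DYLIB
      cmdsize 56
         name @rpath/libfoo.dylib (offset 24)
Load command 13
          cmd LC_RPATH
      cmdsize 48
         path @loader_path/../Frameworks (offset 12)
Load command 14
          cmd LC_RPATH
      cmdsize 40
         path /Users/build/third party/lib (offset 12)
EOF
}

if [ "$#" -gt 0 ]; then scan_bundle "$1"; fi
```

On macOS, pass the bundle path as the first argument; an entry that should not be there can then be removed from the dylib with `install_name_tool -delete_rpath`, as in the post above, before the bundle is signed.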

I’m glad to hear you got this sorted out.

Also, the error message in the GUI dialog from Gatekeeper is really, really bad - misleading.

I don’t think you’ll see much movement on that front. From an end user’s perspective, the message is pretty reasonable. It doesn’t help developers much, but that’s not its purpose.

You could certainly file an enhancement request for Gatekeeper to log more actionable errors when it rejects an app.

And speaking of enhancement requests:

I think hints of this dimension should be much more visible in the official pages

That’d make a fine ER as well.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

rpath was exactly the problem I was having! Thanks!

Hi !
I've been stuck on the same issue for one week now.
My app and dmg are notarized and signed, spctl returns the "accepted" message, but my clients still cannot open the app without forcing it.
I've already tried updating all the RPATH without success (not sure if I'm doing it correctly though).
How could I get an error log telling me what's wrong ? I'm sure it's just a small correction to do but I have no clues!

Really hope there is a solution to this!

Given that you’ve ruled out the root cause of the issue that started this thread (a rogue rpath entry), I recommend that you start a new thread about this (make sure to tag it with Gatekeeper so that I see it).

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"