<app name> cannot be opened because the developer cannot be verified

Hi Apple experts! I could need some help please 🙂


We build our C++ app with Xccode 10.3 on macOS 10.15.1. We let Xcode sign it with Developer ID Application, hardened runtime is set. We build a DMG with "DropDMG" which also signs the DMG file for us. Then we upload it to notarization, staple the DMG, copy it to our web server, download it with Safari, open the DMG, move the app to /Applications, double click and get the error message:


"<app name> cannot be opened because the developer cannot be verified.

macOS cannot verify that this app is free from malware."


Any idea where I could find more information about why Gatekeeper does not like our app?


Here are some details about the app:


$ spctl --assess --verbose=4 --type execute "/Applications/<app name>.app"

/Applications/<app name>.app: accepted

source=Notarized Developer ID


$ spctl -a -t exec -vv "/Applications/<app name>.app"

/Applications/<app name>.app: accepted

source=Notarized Developer ID

origin=Developer ID Application: <company name> (<ID>)


$ codesign -d --entitlements :- "/Applications/<app name>.app"

Executable=/Applications/<app name>.app/Contents/MacOS/<app name>

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>com.apple.security.cs.allow-dyld-environment-variables</key>

<true/>

<key>com.apple.security.cs.disable-library-validation</key>

<true/>

</dict>

</plist>


$ codesign -vv --deep-verify "/Applications/<app name>.app"

/Applications/<app name>.app: valid on disk

/Applications/<app name>.app: satisfies its Designated Requirement


$ codesign --verify -vvvv -R='anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.1] exists and (certificate leaf[field.1.2.840.113635.100.6.1.2] exists or certificate leaf[field.1.2.840.113635.100.6.1.4] exists)' "/Applications/<app name>.app"

/Applications/<app name>.app: valid on disk

/Applications/<app name>.app: satisfies its Designated Requirement

test-requirement: code failed to satisfy specified code requirement(s)


The app bundle contains a folder /Contents which contains:

files:

Info.plist

PkgInfo

CodeResources

folders:

MacOS

Resources

_CodeSignature

data

default_data

data and default_data are sub-folders which contain 2 GB of app data


Any help will be much appreciated. Thanks!

Up vote post of AndreasHtw2 Down vote post of AndreasHtw2
2k views
Posted by
AndreasHtw2
Reply
Add a Comment

Accepted Reply

With the help of the Apple tech support, we found the simple reason of the problems: testing on the dev machine gave me wrong results 😟


I'm using a VM now for testing. I download the game from our server to the VM. Gatekeeper accepts the bundle, I install the app and start it, and Gatekeeper accepts the app, too.

Testing same download again on my dev Mac: Gatekeeper warns "macOS cannot verify that this app is free from malware."

Solution: test on a clean system.
Many thanks to the Apple tech support!

Posted by
AndreasHtw2
Up vote reply of AndreasHtw2 Down vote reply of AndreasHtw2
Post marked as solved
Add a Comment

Replies

I just rebuild the whole project with data and default_data folders moved to /Resources - still the same problem 😟


otool -L "/Applications/<app name>.app"


/usr/lib/libiconv.2.dylib (compatibility version 7.0.0, current version 7.0.0)

/System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration (compatibility version 1.0.0, current version 963.255.3)

/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation (compatibility version 300.0.0, current version 1575.17.0)

/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa (compatibility version 1.0.0, current version 23.0.0)

/System/Library/Frameworks/IOKit.framework/Versions/A/IOKit (compatibility version 1.0.0, current version 275.0.0)

/System/Library/Frameworks/Security.framework/Versions/A/Security (compatibility version 1.0.0, current version 58286.255.3)

/System/Library/Frameworks/AGL.framework/Versions/A/AGL (compatibility version 1.0.0, current version 1.0.0)

/System/Library/Frameworks/OpenAL.framework/Versions/A/OpenAL (compatibility version 1.0.0, current version 1.0.0)

/System/Library/Frameworks/AudioToolbox.framework/Versions/A/AudioToolbox (compatibility version 1.0.0, current version 492.0.0)

/System/Library/Frameworks/GLUT.framework/Versions/A/GLUT (compatibility version 1.0.0, current version 1.0.0)

/System/Library/Frameworks/OpenGL.framework/Versions/A/OpenGL (compatibility version 1.0.0, current version 1.0.0)

/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices (compatibility version 1.0.0, current version 946.0.0)

/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices (compatibility version 1.0.0, current version 50.1.0)

/usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)

/usr/lib/libc++.1.dylib (compatibility version 1.0.0, current version 400.9.4)

/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.250.1)

/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit (compatibility version 45.0.0, current version 1671.60.107)

/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation (compatibility version 150.0.0, current version 1575.17.0)

/System/Library/Frameworks/CoreGraphics.framework/Versions/A/CoreGraphics (compatibility version 64.0.0, current version 1265.9.0)

Posted by
AndreasHtw2
Up vote reply of AndreasHtw2 Down vote reply of AndreasHtw2
Add a Comment

Having data in resources usually isn't the problem. The problem is having code in resources.

Review console messages when you try to run your app for the first time inside a VM.

Posted by
john daniel
Up vote reply of john daniel Down vote reply of john daniel
Add a Comment

Any idea where I could find more information about why Gatekeeper does not like our app?

I have some suggestions on this thread.

Also, why are you disabling library validation? Library validation actually makes it harder to pass Gatekeeper. If you can re-enable library validation, you should do that, then test on the current 10.15.4 beta to see how things go there.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment

I tried it with and without "Library validation", that did not change it. But I found that I had the entitlement file and the plist file copied in the "Copy Resource Files" build phase. I removed these two files, and also enabled library validation. Now it worked!
IMHO it's bad design that there is no validation tool for developers to simulate the GateKeeper.

Posted by
AndreasHtw2
Up vote reply of AndreasHtw2 Down vote reply of AndreasHtw2
Add a Comment

I’m glad you got this resolved.

IMHO it's bad design that there is no validation tool for developers to simulate the GateKeeper.

That would make a fine enhancement request.

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment

Unfortunately, today's build was "malicious content" again 😟

I changed only two things:

- the build number

- activated "strip all symbols"

Posted by
AndreasHtw2
Up vote reply of AndreasHtw2 Down vote reply of AndreasHtw2
Add a Comment

I gave my feedback here: FB7631918

Posted by
AndreasHtw2
Up vote reply of AndreasHtw2 Down vote reply of AndreasHtw2
Add a Comment

With the help of the Apple tech support, we found the simple reason of the problems: testing on the dev machine gave me wrong results 😟


I'm using a VM now for testing. I download the game from our server to the VM. Gatekeeper accepts the bundle, I install the app and start it, and Gatekeeper accepts the app, too.

Testing same download again on my dev Mac: Gatekeeper warns "macOS cannot verify that this app is free from malware."

Solution: test on a clean system.
Many thanks to the Apple tech support!

Posted by
AndreasHtw2
Up vote reply of AndreasHtw2 Down vote reply of AndreasHtw2
Post marked as solved
Add a Comment