signing mac app with Developer ID certificate that includes timestamp

Recent changes to Xcode seem to have all builds including an Archive disabling the timestamp (--timestamp=none) when signing an application. It is expected that one use the Organizer and Export the application from there choosing "Export a Developer ID-signed Application". Problem is that when I do so spctl (and Gatekeeper) reject the application:


# spctl -a -t exec -vv <hidden>.app
<hidden>.app: rejected
origin=Developer ID Application: <hidden> INC


It gives no reason. And codesign seems to believe there is no problem:


# codesign --verify --strict --verbose <hidden>.app
<hidden>.app: valid on disk
<hidden>.app: satisfies its Designated Requirement


My application is rather complex; however, previous to Xcode 8 (?), when this all changed, my application was being signed correctly during the Archive step. I can find no information about why spctl rejected the app.


Is there any way to get additional information why it is failing?

Is there a way to force the Archive step to once again sign my app and include a timestamp?

Replies

Did you ever find a solution to this? I'm running into the same problem (codesign saying "valid on disk", spctl rejecting my app). Used to work fine on El Capitan with Xcode 7, not anymore on macOS Sierra and Xcode 8 (I made no changes to the project).

I just noticed that spctl is only rejecting my Developer ID-signed app on my development machine. On a fresh install of macOS Sierra it is accepted. Same for El Capitan. Maybe it's an issue with another certificate on my dev machine? Did you try to verify your build on a fresh install of macOS?