App can not be opened because it is from an unidentified developer

Tags: code-signing, Security

Question:

Please note before reading this that "Tell them to go to System Preferences > Security & Privacy and allow 3rd party applications to run." is not an acceptable solution for this issue.

I have created an .app that has been signed with a valid Mac Developer certificate. Yet downloading it from the internet and running it still throws the security prompt:

App can't be opened because it is from an unidentified developer

This is the codesign -vvv terminal dump for the .app:

Executable=/Users/me/Desktop/ADRA.app/Contents/MacOS/ADRA
Identifier=unity.Company.ADRA NSW 2016
Format=app bundle with Mach-O thin (i386)
CodeDirectory v=20200 size=178145 flags=0x0(none) hashes=5561+3 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha1=79ecf88721d6387749c1f6b10355c3683ef20eb2
CandidateCDHash sha256=0799e968a18a663a0c08d26d3fb7826017ce5a3a
Hash choices=sha1,sha256
CDHash=0799e968a18a663a0c08d26d3fb7826017ce5a3a
Signature size=4739
Authority=3rd Party Mac Developer Application: Company Pty Ltd (NH73TNDB28)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=20 Apr 2017, 2:46:12 PM
Info.plist entries=14
TeamIdentifier=NH73TNDB28
Sealed Resources version=2 rules=12 files=138
Internal requirements count=1 size=224

I don't understand why this does not pass Gatekeeper. Is there something missing? Does Apple require something further?


Update 1:

@TheDarkKnight has suggested that I am using the incorrect certificate to sign the .app. It looks as though they are correct, so I went to create a new Developer ID Application certificate, but apparently, because I am not an 'Agent' in the group account, I now have to wait until the 'Agent' creates one for me. This seems backwards; is there no other way around waiting for the 'Agent' to make this for me?

(in Xcode) If the "Developer ID" radio button is greyed out you probably have a group account. These types of accounts only allow for the "Agent" role to create Developer IDs. Contact the person who created your group Apple Developer Account if you get stuck here.

https://developer.mozilla.org/en-US/docs/Mozilla/Signing_Mozilla_apps_for_Mac_OS_X


Update 2:

So I finally got my new cert today, re-signed the .app, downloaded it from the server, ran it, and STILL GOT THE ERROR MESSAGE. The authority seems to be correct now:

Executable=/Users/me/Downloads/ADRA.app/Contents/MacOS/ADRA
Identifier=com.company.adra
Format=app bundle with Mach-O thin (i386)
CodeDirectory v=20200 size=178133 flags=0x0(none) hashes=5561+3 location=embedded
Library validation warning=OS X SDK version before 10.9 does not support Library Validation
OSPlatform=36
OSSDKVersion=657408
OSVersionMin=656896
Hash type=sha256 size=32
CandidateCDHash sha1=90d2a54162d6d018bf4f7602d7707c8e8e522fc6
CandidateCDHash sha256=dadfe5203d1367ea776f9501025dbd4ce751ee30
Hash choices=sha1,sha256
Page size=4096
CDHash=dadfe5203d1367ea776f9501025dbd4ce751ee30
Signature size=8930
Authority=Developer ID Application: Company Pty Ltd (NH73TNDB28)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=10 May 2017, 3:36:51 pm
Info.plist entries=14
TeamIdentifier=NH73TNDB28
Sealed Resources version=2 rules=12 files=138
Internal requirements count=1 size=184

I am only signing the .app; is there anything else that I have to do to make this work? Is there a time period I have to wait before this will work?


Update 3:

Now almost 1 month on from Update 2, this issue is still apparent, and so I have placed a bounty.

Best Answer

Broadly speaking, when distributing apps outside the Mac App Store you need to:

  1. Set the signing identity to Developer ID
  2. Create your Developer ID certificates
  3. Create your app Archive
  4. Validate your app
  5. Export a Developer ID signed app
  6. Sign the installer package (not applicable in your case)
  7. Test the app's behaviour with Gatekeeper enabled and again with Gatekeeper disabled

Troubleshooting issues such as this can be tricky because it's easy to make assumptions about how much the OP (in this case you) knows, etc. From reading your question I'm going to assume the first three steps are taken care of.

So, let's start by double-checking how you're validating your app.

Validate your app

To validate a Developer ID-signed app, follow these steps:

  1. In Xcode go to Product > Archive
  2. The Archives organizer window will appear
  3. Select the archive for the app in question
  4. Click on the Validate button
  5. A dialogue box appears asking you to select a method for validation
  6. Select the Validate a Developer ID-signed Application option
  7. Click on Next
  8. In the next window select a team from the pop-up menu
  9. Click on Choose
  10. Click the Validate button

This will identify any validation issues. If any are found, this will be your problem (or at least part of it), so you will need to resolve this.

If no issues are found, then proceed below.

Export a Developer ID-signed app

  1. Still within the Archives organizer window, select the archive for the app in question
  2. Click on the Export button
  3. A dialogue box appears asking you to select a method for export
  4. Select the Export a Developer ID-signed Application option
  5. Click on Next
  6. In the next window select a team from the pop-up menu
  7. Click on Choose
  8. Click the Export button

Once your app is exported you should test with Gatekeeper enabled and again with Gatekeeper disabled.
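As an added example (not part of the answer above, and not the questioner's code), a POSIX shell helper that reads `codesign -dvvv` output and reports whether the leaf certificate is a Developer ID Application certificate, which is the only kind Gatekeeper accepts for apps distributed outside the Mac App Store, plus a wrapper that runs the same assessment Gatekeeper performs. The two sample dumps are constructed from the Authority chains shown in the question; `gatekeeper_check` assumes it is run on macOS where `codesign` and `spctl` exist.

```shell
#!/bin/sh
# Added example: classify the leaf signing authority from `codesign -dvvv` output
# read on stdin. Exit status: 0 = Developer ID (Gatekeeper-eligible),
# 1 = Mac App Store distribution cert (Gatekeeper will reject a direct download),
# 2 = no Authority line (ad-hoc/unsigned) or an unrecognised issuer.
check_signing_authority() {
    leaf=$(grep -m1 '^Authority=' | sed 's/^Authority=//')
    case "$leaf" in
        "Developer ID Application: "*)
            echo "OK: leaf cert is $leaf"; return 0 ;;
        "3rd Party Mac Developer Application: "*)
            echo "WRONG CERT: $leaf is for Mac App Store submission only"; return 1 ;;
        *)
            echo "UNKNOWN/UNSIGNED: ${leaf:-no Authority line found}"; return 2 ;;
    esac
}

# macOS-only wrapper (assumed tooling): verify the seal, check the leaf cert,
# then ask the system policy daemon exactly what Gatekeeper would decide for a
# quarantined download. Any failing step returns non-zero.
gatekeeper_check() {
    app="$1"
    codesign --verify --deep --strict --verbose=2 "$app" || return 1
    codesign -dvvv "$app" 2>&1 | check_signing_authority || return 1
    spctl --assess --type execute --verbose=4 "$app"
}

# Constructed samples reproducing the question's first (rejected) and second
# (Developer ID) Authority chains; not real codesign runs.
SAMPLE_APPSTORE_CERT='Identifier=unity.Company.ADRA NSW 2016
Authority=3rd Party Mac Developer Application: Company Pty Ltd (NH73TNDB28)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA'
SAMPLE_DEVID_CERT='Identifier=com.company.adra
Authority=Developer ID Application: Company Pty Ltd (NH73TNDB28)
Authority=Developer ID Certification Authority
Authority=Apple Root CA'
SAMPLE_UNSIGNED='Identifier=com.company.adra
Signature=adhoc'
```

On a real machine, `gatekeeper_check /path/to/ADRA.app` run against the freshly downloaded copy (so the quarantine attribute is still set) gives the same verdict the user will see.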