A colleague of mine signed an application we're working on. Trying to open it from finder, I get an error message
“‹Name›” can’t be opened because it is from an unidentified developer
(or the local translation of this). On console I read
CoreServicesUIAgent[‹pid›]: Error -60005 creating authorization
But if I run codesign on the code, it seems to check out just fine:
$ codesign -vv .
.: valid on disk
.: satisfies its Designated Requirement
So it seems the bundle got signed correctly. To get more details:
$ codesign -dvv .
Executable=…
Identifier=…
Format=app bundle with Mach-O universal (i386 x86_64)
CodeDirectory v=20200 size=440 flags=0x0(none) hashes=8+3 location=embedded
Signature size=4731
Authority=3rd Party Mac Developer Application: ‹Name› (‹TeamID›)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=21.07.2016, ‹Time›
Info.plist entries=25
TeamIdentifier=‹TeamID›
Sealed Resources version=2 rules=12 files=1164
Internal requirements count=1 size=208
So from the Authority=
lines I'd conclude that the certificate chain could be verified as well, and it does lead back to Apple. How is that “unidentified”?
From this post I learned about spctl
, but it doesn't provide much information either:
$ spctl --assess -vvvv .
.: rejected
origin=3rd Party Mac Developer Application: ‹Name› (‹TeamID›)
How can I get more information as to why exactly the app fails to load?
Best Answer
While formulating the question, I tried various combinations of keywords and eventually found Difference between “Mac Developer” and “3rd Party Mac Developer Application” on Stack Overflow, which led to developer documentation on Maintaining Certificates which in turn writes this:
So apparently this form of code signing is suitable only for submission for the App Store, but not for stand-alone distribution. That took quite a while to work out, so I hope this Q&A will help others avoid that time.