We have a Mono Mac app which is distributed outside of the App Store, signed with a Developer ID certificate. Gatekeeper accepts the app on OS X 10.9 (tested on 10.9.4), but fails to accept it on 10.10 DP 7.

The output of some troubleshooting commands on 10.10 DP 7:

```
mactesters-Mac-mini:myapp 1 mactester$ spctl --assess -v ./myapp.app
./myapp.app: rejected
source=obsolete resource envelope

mactesters-Mac-mini:myapp 1 mactester$ codesign -v myapp.app
myapp.app: resource envelope is obsolete (custom omit rules)

mactesters-Mac-mini:myapp 1 mactester$ codesign -dv myapp.app/
Executable=/Volumes/myapp 1/myapp.app/Contents/MacOS/myapp.sh
Identifier=com.Company.myapp
Format=bundle with generic
CodeDirectory v=20100 size=145 flags=0x0(none) hashes=1+3 location=embedded
Signature size=8531
Timestamp=03 Sep 2014 16:55:21
Info.plist entries=32
TeamIdentifier=not set
Sealed Resources version=2 rules=5 files=813
Internal requirements count=2 size=224
```

The output for the same application on 10.9:

```
macadmins-iMac:myapp mactester$ spctl --assess -v ./myapp.app
./myapp.app: accepted
source=Developer ID

macadmins-iMac:myapp mactester$ codesign --verify --deep --verbose=4 ./myapp.app
./myapp.app: valid on disk
./myapp.app: satisfies its Designated Requirement

macadmins-iMac:myapp mactester$ codesign -dv myapp.app
Executable=/Volumes/myapp/myapp.app/Contents/MacOS/myapp.sh
Identifier=com.Company.myapp
Format=bundle with generic
CodeDirectory v=20100 size=145 flags=0x0(none) hashes=1+3 location=embedded
Signature size=8531
Timestamp=03 Sep 2014 16:54:50
Info.plist entries=32
TeamIdentifier=not set
Sealed Resources version=2 rules=5 files=813
Internal requirements count=2 size=224
```

The code signing commands used do not contain the --resource-rules flag:

```
codesign -v --force --sign 'dev id...' /Volumes/myapp/myapp.app/Contents/MonoBundle/libMonoPosixHelper.dylib
codesign -v --force --sign 'dev id...' /Volumes/myapp/myapp.app
```

What does "custom omit rules" mean? How can this problem be resolved?

phantasm
  • Did you get this problem fixed? I just stumbled upon it today and am having trouble finding resources on this – A O Sep 12 '14 at 18:12
  • Just a guess: The problem might be the dylib in a nonstandard location. [Tech Note 2206](https://developer.apple.com/library/mac/technotes/tn2206/_index.html) lists the standard places for nested code. – JWWalker Sep 13 '14 at 15:38
  • @JWWalker Thanks for the hint. I'll update the post once we have investigated this. – phantasm Sep 15 '14 at 13:45

1 Answer

The "custom omit rules" error is due to using the `--resource-rules` flag during signing. This flag has been deprecated for some time and it's no longer accepted by Gatekeeper as of OSX 10.9.5. You can safely remove it, though; version 2 signatures are backwards compatible and can even work with OSX 10.6 (I have tested that).

Iraklis
  • This does not provide an answer to the question. To critique or request clarification from an author, leave a comment below their post - you can always comment on your own posts, and once you have sufficient [reputation](http://stackoverflow.com/help/whats-reputation) you will be able to [comment on any post](http://stackoverflow.com/help/privileges/comment). – evanwong Sep 11 '14 at 15:34
  • I can't add a comment to their post due to my low reputation. – Iraklis Sep 11 '14 at 15:44
  • @lrakis Thanks for the contribution but this is SO policy, and that's why there is a Comment privilege. – evanwong Sep 11 '14 at 16:08
  • @evanwong Thanks for the heads-up, I turned this into an actual answer and provided some more info, I hope it's ok now. – Iraklis Sep 11 '14 at 16:18
  • @evanwong: In my opinion, the original version of this answer was OK as an answer. The fact that it contained a question mark indicated that it involved a bit of guesswork, not that it was primarily a question. – JWWalker Sep 11 '14 at 17:09
  • I have added the code signing commands to the post. --resource-rules was not used – phantasm Sep 12 '14 at 16:07
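
One way to check a signed bundle for what `codesign` reports as "custom omit rules", as an added example that is not part of the original thread: it reads the bundle's `Contents/_CodeSignature/CodeResources` plist and lists rules flagged `omit` that fall outside an allow-list. The allow-list contents, the function name and the sample seal are assumptions constructed for this illustration, as is the reading that the message refers to `omit` entries in the sealed resource rules.

```python
import plistlib
import sys

# Assumption: omit patterns that a signature made without --resource-rules
# may carry. Compare against a freshly signed bundle and adjust if needed.
DEFAULT_OMITS = frozenset({
    r"^(.*/)?\.DS_Store$",
    r"^Info\.plist$",
    r"^PkgInfo$",
    r"^.*\.lproj/locversion.plist$",
    r"^Resources/.*\.lproj/locversion.plist$",
})

def custom_omit_rules(code_resources, allowed=DEFAULT_OMITS):
    """Return {section: [patterns]} for omit rules outside the allow-list."""
    seal = plistlib.loads(code_resources)
    found = {}
    for section in ("rules", "rules2"):
        for pattern, rule in sorted(seal.get(section, {}).items()):
            # A rule is a bare boolean or a dict of flags (omit, optional, weight, nested).
            if isinstance(rule, dict) and rule.get("omit") and pattern not in allowed:
                found.setdefault(section, []).append(pattern)
    return found

# Constructed sample: a version 2 seal with one extra omit rule of the kind
# a custom resource-rules plist would add. Not taken from the asker's app.
SAMPLE = plistlib.dumps({
    "files": {}, "files2": {},
    "rules": {
        "^Resources/": True,
        r"^Resources/.*\.lproj/": {"optional": True, "weight": 1000.0},
        r"^Resources/.*\.lproj/locversion.plist$": {"omit": True, "weight": 1100.0},
        "^version.plist$": True,
    },
    "rules2": {
        "^.*": True,
        r"^(.*/)?\.DS_Store$": {"omit": True, "weight": 2000.0},
        r"^Info\.plist$": {"omit": True, "weight": 20.0},
        "^Resources/cache/": {"omit": True, "weight": 100.0},  # the custom rule
    },
})

if __name__ == "__main__":
    # Usage (hypothetical file name): python3 check_omits.py myapp.app/Contents/_CodeSignature/CodeResources
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for section, patterns in custom_omit_rules(data).items():
        for pattern in patterns:
            print(f"{section}: custom omit rule {pattern}")
```

An empty result means every `omit` rule in the seal is on the allow-list; any pattern it prints is a candidate for the rule that 10.9.5 and later reject.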