Signed abc.pkg passes spctl control and fails check-signature control. Consequences of the check-signature tool failure?

Question

We have created an abc.pkg installer which contains two different packages; a def.mpkg(bundle style) and a ghi.pkg(flat package). The installer supports OS version 10.5 and above. We have digitally signed the abc.pkg installer and based on Apple's documentation we simulated Gatekeeper's behavior.

The signed abc.pkg passes the spctl control:

spctl -a -v --type install abc.pkg

returns:

abc.pkg:accepted
source: Developer ID

which based on the documentation mentioned previously means that Gatekeeper will accept our package's signature, but fails the check-signature control:

./check-signature ~/path_to_the_installer/abc.pkg

returns:

(c) 2014 Apple Inc. All rights reserved.
/path_to_the_installer/abc.pkg: code object is not signed at all
NO

which means that the signature doesn't meet Gatekeeper requirements.

We have tested abc.pkg installer on a Mac OS X 10.6 and on a Mac OS X 10.10 and the installation was successful both times.

What exactly means that abc.pkg doesn't meet Gatekeeper's requirements and which are the consequences of the check-signature tool failure?

Shouldn't we see Apple's warning:

"abc.pkg" is from an unidentified developer. Are you sure you want to open it?

Answer 1

You can use the verbose option of check-signature to get more information; it should tell you what bit of the signature is unacceptable. I was having an issue where both spctl and check-signature would pass, but the app would still fail to launch. Using OSX's console, you can see a system message posted when the app/package fails to launch to determine the exact cause of the failure.

In my case the issue was that the app trying to load a library that was unsigned, outside of its resources, and therefore rejected. I used the terminal otool command to check dependencies, and the install_name_tool to redirect any libraries that were referencing an external library. I had a signed version of the library in the app's resources, and once I redirected the reference to it, the app opened without a hitch.