I'm working on distributing a Mac Application outside of the Mac App Store using Developer ID signing. Things have been working previously, but in our last build, something has apparently changed which is causing Gatekeeper to reject the application when it is opened after a download from our servers.
We're using a production "Developer ID Application" certificate. As far as I can tell we've followed the instructions in Distributing Applications Outside the Mac App Store to the letter.
The confusing part is that the following commands which are recommended for testing Gatekeeper conformance all execute fine and indicate that nothing is wrong. The validation in the Xcode organizer also passes without complaint.
$ spctl -a -t exec -vv MyApp.app/
MyApp.app/: accepted
source=Developer ID
origin=Developer ID Application: Company Name (248C748VF9)
$ codesign --verify --deep --verbose MyApp.app/
MyApp.app/: valid on disk
MyApp.app/: satisfies its Designated Requirement
$ /Volumes/Signature\ Check/check-signature MyApp.app/
(c) 2014 Apple Inc. All rights reserved.
YES
One thing that has changed since our last build is that pieces of our code were refactored out into a new framework.
Update:
Through a binary search of the commit history and a healthy dose of trial and error I isolated the problem to a single commit where a new "Copy Files" phase was added to our main application to move an XPC service into the proper location. The XPC service was already being copied into a login item helper application. Removing the build phase in the main application fixes the problem, but unfortunately the main application does need the XPC service in order to function properly, so simply removing this phase isn't a viable solution.
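A diagnostic that complements the three checks in the question, added here as an example and not taken from the question or from Apple's tools: it walks a .app, lists every nested code bundle (frameworks, helper apps, XPC services), runs `codesign --verify` on each where codesign is present, and flags items that sit outside the directories where Apple's code-signing guidance expects nested code. The bundle it inspects is a constructed layout of empty files; `MyApp.app`, `Helper.app`, `Worker.xpc`, `Shared.framework` and the directory lists are assumptions for the example.

```python
import os
import shutil
import subprocess
import tempfile
from pathlib import Path

# Assumed for this example: suffixes marking nested code, and the directories (below Contents/ or a framework's Versions/X/) where nested code is expected.
CODE_SUFFIXES = {".app", ".framework", ".xpc", ".bundle", ".plugin", ".appex", ".dylib"}
STANDARD_DIRS = {"MacOS", "Frameworks", "PlugIns", "XPCServices", "Helpers", "Library"}

def in_standard_location(item, top):
    """True if `item` sits where Gatekeeper expects nested code in its enclosing bundle."""
    enclosing = next(p for p in item.parents if p == top or p.suffix in CODE_SUFFIXES)
    parts = list(item.relative_to(enclosing).parts[:-1])
    # Strip the layout prefix: Contents/ for apps and XPC services, Versions/X/ for frameworks.
    parts = parts[2:] if parts[:1] == ["Versions"] else parts[1:]
    return bool(parts) and parts[0] in STANDARD_DIRS

def codesign_status(path):
    """Result of `codesign --verify` for one item, or a note when codesign is absent."""
    if not shutil.which("codesign"):
        return "not checked (no codesign on this host)"
    proc = subprocess.run(["codesign", "--verify", "--verbose=2", str(path)],
                          capture_output=True, text=True)
    return "valid" if proc.returncode == 0 else proc.stderr.strip()

def audit_nested_code(app):
    """Sorted (relative path, in standard location?, codesign status) for each nested item."""
    app = Path(app)
    report = []
    for root, dirs, files in os.walk(app):
        for name in dirs + files:
            item = Path(root) / name
            if item.suffix in CODE_SUFFIXES:
                report.append((str(item.relative_to(app)),
                               in_standard_location(item, app), codesign_status(item)))
    return sorted(report)

def build_constructed_bundle(base=None):
    """Create a constructed MyApp.app layout (empty files, not a real build) and return it."""
    app = Path(base or tempfile.mkdtemp()) / "MyApp.app"
    for rel in ("Contents/MacOS/MyApp",
                "Contents/Frameworks/Shared.framework/Versions/A/Shared",
                "Contents/Library/LoginItems/Helper.app/Contents/XPCServices/Worker.xpc/Contents/MacOS/Worker",
                "Contents/Resources/Worker.xpc/Contents/MacOS/Worker"):  # XPC copied outside XPCServices
        (app / rel).parent.mkdir(parents=True, exist_ok=True)
        (app / rel).write_bytes(b"")
    return app

if __name__ == "__main__":
    for rel, standard, status in audit_nested_code(build_constructed_bundle()):
        print(f"{rel}\t{'standard' if standard else 'NON-STANDARD location'}\t{status}")
```

Run it against the real built product (`python3 audit.py`, then call `audit_nested_code("MyApp.app")`) to see which nested item a new Copy Files phase placed, and where.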