Search code examples
macososx-maverickscode-signingmac-app-storeosx-yosemite

Are Mac App Store code sign resource envelopes always version 1?

After the latest email detailing changes on the gatekeeper for 10.10 beta 5 and 10.9.5 , I went and immediately verified my app with the recommended method from TN2206 . To my surprise, since I used no resource rules and built it on Mavericks, it failed:

$ spctl -a -t exec -v /Applications/MyApp.app/
/Applications/MyApp.app/: rejected
source=obsolete resource envelope

Then, I went on to check the submitted binary inside the Xcode archive, which was promptly rejected, but without the "obsolete resource envelope" warning. I suppose that's because it's signed by the submission certificate.

$ spctl -a -t exec -v Products/Applications/MyApp.app/
Products/Applications/MyApp.app/: rejected

Later on, I checked the resource envelopes themselves:

$ codesign -d -v  /Applications/MyApp.app/
Executable=/Applications/MyApp.app/Contents/MacOS/MyApp
Identifier=my.app.id
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20100 size=14108 flags=0x200(kill) hashes=697+5 location=embedded
Signature size=4169
Info.plist entries=34
TeamIdentifier=not set
Sealed Resources version=1 rules=5 files=82
Internal requirements count=1 size=220

Then the submitted app:

$ codesign -d -v  Products/Applications/MyApp.app/
Executable=/Users/jorgepeixotovasquez/Library/Developer/Xcode/Archives/2014-07-09/myapp 09-07-14 00.34.xcarchive/Products/Applications/MyApp.app/Contents/MacOS/myApp
Identifier=my.app.id
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=14123 flags=0x0(none) hashes=697+5 location=embedded
Signature size=4393
Signed Time=09/07/2014 00:34:08
Info.plist entries=34
TeamIdentifier=F2XAAD6WWR
Sealed Resources version=2 rules=12 files=85
Internal requirements count=1 size=220

As you can see, the Mac App Store downloaded app has only a version 1 resource envelope, even with the submission of a version 2 one. To be sure, I checked my /Application folder and found out that every app I downloaded from the Mac App Store also had a version 1 envelope, even Apple's ones.

Does anyone know whether that's normal, i.e., if the Mac App Store, when re-signing the app, only adds version one envelopes?
Moreover, will that cause problems?
Will that be fixed by Apple?
After that fix, should I resubmit my app?

Solution

  • This is indeed a bug. A opened a radar it was closed as a duplicate, which is open.