macos code-signing node-webkit

OSX signed app and installer, after installing signature is removed


I came across a strange behavior when signing an OSX application for distribution outside the Apple store.

  1. After the application was built, the app package was signed with Developer ID Application certificate.

  2. Running spctl -a -vvvv $app returned successfully (accepted).

  3. Built the pkg installer for the signed application with WhiteBox Packages http://s.sudre.free.fr/Software/Packages/about.html

  4. Product signed the .pkg with Developer ID Installer certificate

  5. Checked .pkg with spctl -a -vvvv --type install $installer, again it accepts it.

  6. Installed the application from pkg, and checked the .app with spctl -a -vvvv $app; which was then rejected.

Could it be that using WhiteBox Packages somehow modifies the .app package during the installation?

FYI, here's how I'm signing the application:

# First parameter is app location
function sign_app(){
    # Sign the nested code first, then the outer bundle
    codesign --force --verify --verbose --sign "$identity" "${1}/Contents/Frameworks/crash_inspector";
    codesign --force --verify --verbose --sign "$identity" "${1}/Contents/Frameworks/nwjs Framework.framework";
    codesign --force --verify --verbose --sign "$identity" "${1}/Contents/Frameworks/nwjs Helper EH.app";
    codesign --force --verify --verbose --sign "$identity" "${1}/Contents/Frameworks/nwjs Helper NP.app";
    codesign --force --verify --verbose --sign "$identity" "${1}/Contents/Frameworks/nwjs Helper.app";
    codesign --force --verify --verbose --sign "$identity" "${1}/Contents/Icon";

    codesign --force --verify --verbose --sign "$identity" "$1";
    # Display the signature and run the Gatekeeper assessment (paths quoted so spaces survive)
    codesign -vvv -d "$1";
    spctl -a -vvvv "$1";
}

# First parameter package location, second parameter - signed package output location
function sign_installer(){
    productsign --sign "$installerID" "$1" "$2";
    spctl -a -vvvv --type install "$2";
}

Solution

  • For some strange reason, it seems that when you add an icon (folder format) to the Content root, sign it, build a package and install it, the signature is removed. Not including the icon folder in the content root solved my problem.
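
One way to answer the question's "does the installer modify the .app?" directly is to compare the signed build with the installed copy file by file. This is an added example, not part of the original post; the function name `bundle_diff` and the paths in the usage comment are assumptions.

```sh
#!/bin/sh
# Added example: list every file that differs between the signed build and the
# copy the installer wrote. Any line of output means the installed bundle no
# longer matches what was signed.
# Usage (paths are placeholders): bundle_diff build/MyApp.app /Applications/MyApp.app
# Assumes file names contain no newline characters.
bundle_diff() {
    signed=$1
    installed=$2
    report=$(
        # Every file or symlink in the signed build must exist, unchanged, after install.
        (cd "$signed" && find . \( -type f -o -type l \)) | while IFS= read -r rel; do
            if [ ! -e "$installed/$rel" ] && [ ! -L "$installed/$rel" ]; then
                printf 'MISSING  %s\n' "$rel"
            elif [ -f "$signed/$rel" ] && ! cmp -s "$signed/$rel" "$installed/$rel"; then
                printf 'CHANGED  %s\n' "$rel"
            fi
        done
        # Anything present only in the installed copy was added during installation.
        (cd "$installed" && find . \( -type f -o -type l \)) | while IFS= read -r rel; do
            if [ ! -e "$signed/$rel" ] && [ ! -L "$signed/$rel" ]; then
                printf 'ADDED    %s\n' "$rel"
            fi
        done
    )
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1   # bundles differ
    fi
    return 0       # bundles are identical
}
```

On the Mac, running `codesign --verify --deep --strict --verbose=4` on the installed copy afterwards reports why verification fails there.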