the identity of the developer cannot be confirmed

Open alex-zhang opened this issue 9 years ago • 9 comments
Hi, all

I need to codesign an app with a 'Developer ID Application' certificate. First I set the certificate's Trust to 'Use System Defaults'; codesign passes fine, and verifying it with 'spctl -a -vvvv' is also fine, but when I download the app from my local test web server, the OS's Gatekeeper prompts the error 'the identity of the developer cannot be confirmed'.

Later I set the certificate's Trust item 'Code Signing' to 'Always Trust', and then in the CLI it fails with 'nested code is modified or invalid'.

Can anyone help me? Thanks.

alex-zhang avatar Jul 01 '16 06:07 alex-zhang

Hi @alex-zhang, would you mind having a go with the following command?

$ spctl --assess --type execute --verbose <app>

I can't come up with any causes so far but spctl should tell verbosely how the issue might be caused.

sethlu avatar Jul 01 '16 16:07 sethlu

This may be a duplicate of https://github.com/electron-userland/electron-builder/issues/559 addressing the issue "nested code is modified or invalid".

sethlu avatar Jul 03 '16 05:07 sethlu

@sethlu Hi there,

Thanks a lot for the great tool.

I have the same problem, I tried your verifying command:

$ spctl --assess --type execute --verbose <app>

The result:

spctl --assess --type execute --verbose ./dist/CocosCreator.app
./dist/CocosCreator.app: accepted
source=Developer ID

But if I download my app from a test web server it's still rejected by Gatekeeper, saying the identity of the developer cannot be confirmed.

nantas avatar Feb 28 '17 12:02 nantas

I found that the signed app file is alright, but as soon as I create a dmg file to contain the app file and download the dmg file from the web server, Gatekeeper will reject the app file copied from the disk image. Does anyone know how to deal with this?

nantas avatar Mar 01 '17 02:03 nantas

@nantas thanks for using electron-osx-sign. I think this question may be similar to https://github.com/electron-userland/electron-osx-sign/issues/119; however, I believe here the app packaging is completed without issues. I am not very sure where the issue with dmg validation comes from if the app bundle is signed correctly. @develar do you have any advice?

sethlu avatar Mar 01 '17 09:03 sethlu

I can verify that electron-osx-sign did its job perfectly.

If I zip the app file, upload it to the web server and download it, Gatekeeper will have no complaint.

If I create a dmg file containing the app, once it is downloaded from the web server, Gatekeeper says it cannot confirm the developer identity.

According to this blog post: http://macinstallers.blogspot.tw/2016/09/codesign-guide-changes-for-macos-sierra.html

It's recommended to codesign the dmg as well, but I tried without luck; the problem stays.

Sorry to post this issue here since it's not electron-osx-sign's fault. Just wondering if anyone has encountered this before?

nantas avatar Mar 01 '17 09:03 nantas

@nantas thanks for the information on the changes introduced in macOS Sierra. 😸 I will read through the article tomorrow and propose some changes for electron-osx-sign to, for example, allow signing dmg files for distribution.

sethlu avatar Mar 01 '17 09:03 sethlu

@nantas do you use electron-builder? If not, could you please try to use it? It signs and creates the DMG for you in one step.

@sethlu yes, since Sierra the DMG should be signed, but I forgot to implement it (since it is not required).

develar avatar Mar 01 '17 18:03 develar

@nantas I have just read the technical doc from Apple Developer (https://developer.apple.com/library/prerelease/content/technotes/tn2206/_index.html) and I think that adding a feature to allow passing a dmg file for signing in electron-osx-sign will be quite useful for macOS ^10.11.5.

sethlu avatar Mar 02 '17 08:03 sethlu