![]() The -strict option currently checks the validity of symlinks. That’s completely reasonable: those symlinks could just as easily point to something a lot more damaging than a non-existent directory. The framework has symlinks to paths on a Mac that I doubt Andy Matuschak uses anymore. Gatekeeper rejected the app because I’m using Sparkle 1.5b6. $ ls -ls amework/Versions/Current/Resources/fr.lproj/fr.lprojĨ 1 craig staff 84 Jul 22 12:31 amework/Versions/Current/Resources/fr.lproj/fr.lproj > /Users/andym/Development/Build Products/Release/amework/Resources/fr.lproj $ ls -ls amework/Versions/Current/Resources/fr_CA.lprojĨ 1 craig staff 84 Jul 22 12:31 amework/Versions/Current/Resources/fr_CA.lproj I dug around in the application package contents and saw the following: This seemed unlikely since the frameworks are code signed during the copy build phase and our automated build process creates a ZIP archive just after the app bundle is created. Gatekeeper is rejecting xScope because it thinks some files in Sparkle have been modified after the code signature was generated. In subcomponent: /Users/craig/Downloads/xScope.app/Contents/Frameworks/ameworkįile modified: …/amework/Versions/Current/Resources/fr.lproj/fr.lprojįile modified: …/amework/Versions/Current/Resources/fr_CA.lproj XScope.app: unknown error -67003=fffffffffffefa45 prepared:/Users/craig/Downloads/xScope.app/Contents/Frameworks/amework/Versions/Current/. $ codesign -verbose=4 -deep -strict xScope.app The -deep option checks any embedded code (such as the Sparkle framework.) Note that -strict is a new option in El Capitan (so new, that it’s not documented yet): The functional equivalent to spctl -a is the following codesign command. According to the man page, “This is useful … to access newly invented assessment aspects that spctl does not yet know about.”) In El Capitan, the cause is more stringent code signature checks. In the past, this has been caused by a change to the signature version number (from 1 to 2). This is a sign that there’s a problem with the code signature. When I ran the spctl tool on El Capitan, I saw an “obsolete resource envelope” error: (If you’re one of those people that claims that “Radar never works”, then that last paragraph just proved you wrong.) The change in El Capitan has the potential to affect a lot of developers ( including the big guys), so it’s time to share what I learned. ![]() This led to feedback from Apple that helped me understand why Gatekeeper rejected my app. I quickly filed a Radar about the problem. As the author of a tool used by so many early adopters, I often get the job of figuring out what’s new with code signing. Users/craig/Downloads/xScope.app: acceptedĬlearly there is something new with Gatekeeper in El Capitan. ![]() I had tested the build on Yosemite, and it passed without any problems: After releasing a update for xScope with fixes for El Capitan, I launched the app on a fresh install of the OS and was greeted by this dialog:
0 Comments
Leave a Reply. |