Signed application still throws "unknown developer" alert on OSX #740

Closed
PierBover opened this issue Sep 9, 2016 · 13 comments
@PierBover

  • 6.4.1
  • OSX 64

I'm packaging the app and signing it. As proof, in the Terminal I get the message:

Signing app (identity: Mac Developer: XXXXXXX)

But when opening the app on a different machine I still get the Gatekeeper alert that the app is from an unknown developer.

@develar
Member

develar commented Sep 9, 2016

@PierBover
Author

PierBover commented Sep 9, 2016

This is what I get. I have obfuscated the data.

Evaluating the application “XXXXXXX.app”.

The application was signed by “Apple Root CA”, “Mac Developer: XXXXXXX (XXXXXXXXX)”.
    The (unverified) signing-time is: Sep 9, 2016, 12:35:43 AM.
    The object code format is “app bundle with Mach-O thin (x86_64)”.
    The signature contains the Team ID XXXXXXXX”.
    Both bundle and signing identifiers are “XXXXXXXX”.
    The signature specifies implicit requirements. 
    The signature specifies resource rules (v1). 
    The signature specifies resource rules (v2). 
    Requirements and resources validate correctly.

The code signature has the UUID “XXXXXXXXX”.
    Executable code for x86_64 has the UUID “XXXXXXXXXXX”.

A signing-time snapshot of the application’s Info.plist was found. 
    Version 1.1.0 (1.1.0) XXXXXXXXX

The signature contains 3 certificates. 
    Certificate “Apple Root CA”: 
        Your keychain contains this trusted root certificate.
        Will expire on Feb 9, 2035.
    Certificate “Apple Worldwide Developer Relations Certification Authority”: 
        Will expire on Feb 7, 2023.
    Certificate “Mac Developer: XXXXXXX (XXXXXXXXX)”: 
        Will expire on Sep 7, 2017.
        SHA1 fingerprint: “XXXXXXX”.
        Team ID or Organizational Unit: XXXXXXXX”.
            This matches the Team ID contained in the signature.

The application is not sandboxed.

There are 4 embedded frameworks. 

11 auxiliary executables have been found. 
    11 executables are signed by  “Apple Root CA”, “Mac Developer: XXXXXXX (XXXXXXXXX)”. 
    One executable file has no executable permissions, but should.  

@develar
Member

develar commented Sep 9, 2016

Please see https://github.com/electron-userland/electron-builder/wiki/Code-Signing#how-to-export-certificate-on-macos

macOS app must not be signed using a Mac Developer: cert. Only Developer ID Application: is valid.

@develar
Member

develar commented Sep 9, 2016

Do you use auto-discovery or CSC_LINK?

@PierBover
Author

I'm using auto discover.

I tried with CSC_LINK but I could never get it to work.

Where can I get the Developer ID Application? In Xcode the button is greyed out.


@PierBover
Author

@develar can you point me to a tutorial or article on how to get that Developer ID Application?

I've tried everything but in Xcode the button is greyed out and in the member center there is no option to get a Developer ID Application.

@PierBover
Author

I found the solution here:
https://developer.mozilla.org/en-US/docs/Mozilla/Signing_Mozilla_apps_for_Mac_OS_X

If the "Developer ID" radio button is greyed out you probably have a group account. These types of accounts only allow for the "Agent" role to create Developer IDs.

@PierBover
Author

Now the terminal shows (I hope) the correct message:

Signing app (identity: Developer ID Application: XXXXX (XXXXX))

@develar
Member

develar commented Sep 9, 2016

electron-builder should detect this situation and report a clear error.
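
A sketch of the kind of pre-flight check discussed in this thread, as an added example that is not part of the original comments and is not electron-builder's code: it reads the `Authority=` lines that `codesign -dvv` reports and rejects any leaf certificate other than `Developer ID Application:`. The function names and sample inputs are hypothetical and constructed for illustration.

```javascript
// Added example; function and sample names are hypothetical, not electron-builder APIs.
// Samples are constructed to mirror `codesign -dvv` output, with placeholder names/IDs.
const SAMPLE_MAC_DEVELOPER = [
  "Identifier=com.example.app",
  "Authority=Mac Developer: Jane Doe (AAAAAAAAAA)",
  "Authority=Apple Worldwide Developer Relations Certification Authority",
  "Authority=Apple Root CA",
  "TeamIdentifier=BBBBBBBBBB",
].join("\n");
const SAMPLE_DEVELOPER_ID = [
  "Identifier=com.example.app",
  "Authority=Developer ID Application: Example Corp (BBBBBBBBBB)",
  "Authority=Developer ID Certification Authority",
  "Authority=Apple Root CA",
  "TeamIdentifier=BBBBBBBBBB",
].join("\n");

function classifySignature(codesignOutput) {
  const lines = codesignOutput.split(/\r?\n/).map((l) => l.trim());
  if (lines.includes("Signature=adhoc")) {
    return { kind: "adhoc", identityOk: false, leaf: null,
             reason: "ad-hoc signature: no certificate identifies the developer" };
  }
  // codesign prints the chain leaf-first, so the first Authority= line is the signer.
  const chain = lines.filter((l) => l.startsWith("Authority="))
                     .map((l) => l.slice("Authority=".length));
  if (chain.length === 0) {
    return { kind: "unsigned", identityOk: false, leaf: null,
             reason: "no Authority= lines: not signed with a certificate" };
  }
  const leaf = chain[0];
  if (leaf.startsWith("Developer ID Application:")) {
    return { kind: "developer-id", identityOk: true, leaf, reason: "Developer ID leaf" };
  }
  if (leaf.startsWith("Mac Developer:")) {
    return { kind: "development", identityOk: false, leaf,
             reason: "Mac Developer: is a development certificate; " +
                     "re-sign with a Developer ID Application: identity" };
  }
  return { kind: "other", identityOk: false, leaf,
           reason: "leaf is not a Developer ID Application: certificate" };
}

// Fail a packaging step early instead of shipping a build Gatekeeper will flag.
function assertDistributable(codesignOutput) {
  const result = classifySignature(codesignOutput);
  if (!result.identityOk) throw new Error(`Signing check failed: ${result.reason}`);
  return result.leaf;
}
```

`codesign` writes this report to stderr, so capture that stream when feeding real output to the function. On a Mac, `spctl --assess --type execute -vv` run against the .app gives Gatekeeper's own verdict.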

@TimNZ

TimNZ commented Apr 4, 2017

@develar Mate, thanks for the serious effort in creating electron-builder.
People may not say it but we appreciate it.

The documentation is very challenging.
Can you please look at co-ordinating the creation of a set of how-to guides and example projects?

I can help with planning out what is needed and create them.
They can be super simple bullet point ordered lists!

I'm spending a LOT of time looking for answers and finding tidbits in issues and maybe someone did an article somewhere.

For example above you make it clear you can't use Developer Id for OS X signing but need
Developer Id. Which means I need to have a paid Apple Developer account, which is ok.

Even just starting with electron-builder and figuring out Config is the entry point for "build" in package.json was difficult.

Again, thanks for your time. Please let me know how to help.
Having good guides will solve a lot of support pain.
You are presuming devs have all the required base knowledge, and going by the # of support issues, this is not correct.

The maker of electron-simple-updater and electron-simple-publisher has done a pretty good job of simplifying auto updates for me.

@develar
Member

develar commented Apr 4, 2017

@TimNZ thanks for the feedback. No need to replace "shit" with a politically correct word :) I understand you. We have one guide — quick setup. If it is not enough — feel free to send your version/suggestion. You don't have to prepare a ready-to-merge version — a draft is enough. I am blind here and only you, the user, can help me. Just draft some guide idea and I will finish it.

@TimNZ

TimNZ commented Apr 4, 2017

Thanks. I'll do this in the next couple of weeks.
What I'll do is a newbie step-by-step guide incorporating what I've learnt, and we go from there.

@jtoy

jtoy commented May 24, 2018

@TimNZ where is it?
