Tuesday 27 September 2016

Codesign guide: Changes for MacOS Sierra (10.12)

If you are facing problems with code signing on MacOS Sierra (10.12), it is probably one of the cases listed below. Each entry gives the problem and the fix needed to stay fully compliant with MacOS Sierra.

Problem: Application launched from dmg is not working properly after downloading dmg from web.

Solution: Starting with MacOS Sierra, launching a newly downloaded app directly from a disk image, an archive, or the Downloads folder makes Gatekeeper run it from a randomized, read-only location in the filesystem (Apple calls this Gatekeeper Path Randomization, or app translocation). The running app can therefore no longer reach other code or content from the original location using relative paths, for example a helper tool or resource shipped next to the .app in the dmg.
Sign your disk image so that Gatekeeper can verify it when it is mounted for the first time; apps launched from a signed disk image are not translocated. A user who drags the app out of the dmg into /Applications with Finder also avoids the problem.

----------------------------------------------------------------------------------------------------------------------

Problem: How can I sign a dmg file?

Solution: Disk images can be signed using the codesign tool on MacOS 10.11.5 and later. This allows the entire disk image to be validated by Gatekeeper the first time it is mounted.
Gatekeeper will validate the contents of the disk image as well.
Disk images should be signed only with your Developer ID Application identity, not a Mac App Store or development identity.

----------------------------------------------------------------------------------------------------------------------

Problem: How can I verify the signature of my dmg file?

Solution: On MacOS Sierra and later, spctl can be used to assess a disk image's signature, like this:

$ spctl -a -t open --context context:primary-signature -v MyImage.dmg
/Users/me/Downloads/MyImage.dmg: accepted
source=Developer ID

----------------------------------------------------------------------------------------------------------------------

Problem: Can I sign ISO images?

Solution: No, there is no provision for signing these. Preferably, do not ship apps using ISO images.

----------------------------------------------------------------------------------------------------------------------

Problem: Can I re-sign a dmg that is already signed?

Solution: A disk image that was signed on OS X 10.11.5 or 10.11.6 may not be re-signable. In that case codesign appears to succeed, but the resulting signature is invalid, so always verify the image after signing rather than trusting the exit status. If you hit this condition, build a new, unsigned copy of the image and sign that copy on MacOS Sierra or later.
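The following script is an added example, not code from the original post or from Apple's documentation. It ties together the three points above: signing a dmg only with a Developer ID Application identity, verifying the result with codesign and spctl, and refusing to re-sign an already-signed image because a silently invalid signature is possible. The identity string and the image path are placeholders supplied by the caller; the refusal-before-signing logic and the parsing of spctl's output are my additions.

```shell
#!/bin/sh
# Added example: sign a .dmg with a Developer ID Application identity and verify it.
# IDENTITY and IMAGE are supplied by the caller; nothing here is a fixed path.

# Disk images should be signed only with a "Developer ID Application" identity.
# Returns 0 if the identity string has that prefix, 1 otherwise.
check_identity() {
    case "$1" in
        "Developer ID Application: "*) return 0 ;;
        *) return 1 ;;
    esac
}

# codesign can sign .dmg images; there is no provision for signing .iso images.
check_image_path() {
    case "$1" in
        *.dmg) return 0 ;;
        *) return 1 ;;
    esac
}

# Interpret spctl's assessment text, which reads "<path>: accepted" (or
# "rejected") followed by "source=...". Returns 0 only for an accepted image
# whose source is a Developer ID. Takes the captured text as an argument so the
# parsing can be checked without running spctl.
spctl_accepted() {
    case "$1" in
        *": accepted"*"source="*"Developer ID"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Sign IMAGE with IDENTITY, then verify the signature.
# Returns 0 if signed and accepted, 2 if refused before signing,
# 3 if signing or verification failed.
sign_and_verify_dmg() {
    identity="$1"
    image="$2"
    check_identity "$identity" || {
        echo "refusing: use a Developer ID Application identity" >&2; return 2; }
    check_image_path "$image" || {
        echo "refusing: only .dmg images can be signed" >&2; return 2; }
    # codesign -d exits non-zero for an unsigned object. Re-signing an image
    # that is already signed can appear to succeed yet leave an invalid
    # signature, so insist on a fresh, unsigned image instead.
    if codesign -d "$image" >/dev/null 2>&1; then
        echo "refusing: $image is already signed; rebuild it unsigned and sign that copy" >&2
        return 2
    fi
    codesign -s "$identity" "$image" || return 3
    # codesign --verify checks the signature itself; spctl asks Gatekeeper
    # whether the image would be accepted when first mounted.
    codesign --verify --verbose "$image" || return 3
    assessment=$(spctl -a -t open --context context:primary-signature -v "$image" 2>&1)
    echo "$assessment"
    spctl_accepted "$assessment" || return 3
}

# Usage: sh sign_dmg.sh "Developer ID Application: Example Corp (TEAMID)" MyImage.dmg
if [ "$#" -eq 2 ]; then
    sign_and_verify_dmg "$1" "$2"
fi
```

Run it on a freshly built, unsigned dmg. A non-zero exit after the codesign step means the image should not be shipped, even though codesign itself reported success.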

----------------------------------------------------------------------------------------------------------------------

Problem: Does Gatekeeper verify my app every time it is launched?

Solution: On MacOS Sierra and later, Gatekeeper re-checks (and translocates) the app on every launch for as long as it runs from the location it was downloaded to, such as the mounted dmg, the archive, or the Downloads folder. Once the user moves it to another folder with Finder (for example /Applications), the checks are not repeated.

----------------------------------------------------------------------------------------------------------------------

References/Useful links:
https://developer.apple.com/library/prerelease/content/technotes/tn2206/_index.html
https://macinstallers.blogspot.in/2014/08/codesign-mavericks-yosemite-commands.html