spctl says rejected for signed flat package

Question

I have a flat package, signed by a Apple supplied Developer Id, and spctl rejects itThe TOC in the xar file is proper looking and has a valid XML signature in it (best I can tell).  Certificate chain is elided here, but matches the output from pkgutil.xar --dump-toc&#x3D;- -f foo.pkg&lt;?xml version&#x3D;"1.0" encoding&#x3D;"UTF-8"?&gt;&lt;xar&gt;&lt;toc&gt;  &lt;checksum style&#x3D;"sha1"&gt;   &lt;size&gt;20&lt;/size&gt;   &lt;offset&gt;0&lt;/offset&gt;  &lt;/checksum&gt;  &lt;creation-time&gt;2013-10-29T18:23:23&lt;/creation-time&gt;  &lt;signature style&#x3D;"RSA"&gt;   &lt;offset&gt;20&lt;/offset&gt;   &lt;size&gt;256&lt;/size&gt;   &lt;KeyInfo xmlns&#x3D;"http://www.w3.org/2000/09/xmldsig#"&gt;    &lt;X509Data&gt;     &lt;X509Certificate&gt;...&lt;/X509Certificate&gt;    &lt;/X509Data&gt;   &lt;/KeyInfo&gt;  &lt;/signature&gt;  &lt;x-signature style&#x3D;"CMS"&gt;   &lt;offset&gt;276&lt;/offset&gt;   &lt;size&gt;6144&lt;/size&gt;   &lt;KeyInfo xmlns&#x3D;"http://www.w3.org/2000/09/xmldsig#"&gt;    &lt;X509Data&gt;     &lt;X509Certificate&gt;...&lt;/X509Certificate&gt;    &lt;/X509Data&gt;   &lt;/KeyInfo&gt;  &lt;/x-signature&gt;  &lt;file id&#x3D;"1"&gt;   &lt;name&gt;Bom&lt;/name&gt;   &lt;type&gt;file&lt;/type&gt;   &lt;inode&gt;39991802&lt;/inode&gt;   &lt;deviceno&gt;16777218&lt;/deviceno&gt;   &lt;mode&gt;0644&lt;/mode&gt;   &lt;uid&gt;0&lt;/uid&gt;   &lt;user&gt;root&lt;/user&gt;   &lt;gid&gt;0&lt;/gid&gt;   &lt;group&gt;wheel&lt;/group&gt;   &lt;atime&gt;2013-10-29T18:01:47Z&lt;/atime&gt;   &lt;mtime&gt;2013-10-29T18:01:47Z&lt;/mtime&gt;   &lt;ctime&gt;2013-10-29T18:01:48Z&lt;/ctime&gt;   &lt;FinderCreateTime&gt;    &lt;time&gt;1970-01-01T00:00:00&lt;/time&gt;    &lt;nanoseconds&gt;0&lt;/nanoseconds&gt;   &lt;/FinderCreateTime&gt;   &lt;data&gt;    &lt;extracted-checksum style&#x3D;"sha1"&gt;afb0b9dc0fe87477290b8551c1cf038c6bf7d3eb&lt;/extracted-checksum&gt;    &lt;archived-checksum style&#x3D;"sha1"&gt;2aa56353d6d0e2c4eed9bc45f2541b19b17532e3&lt;/archived-checksum&gt;    &lt;encoding style&#x3D;"application/x-gzip"/&gt;    &lt;size&gt;37717&lt;/size&gt;    &lt;offset&gt;6420&lt;/offset&gt;    &lt;length&gt;1907&lt;/length&gt;   &lt;/data&gt;  &lt;/file&gt;  &lt;file id&#x3D;"2"&gt;   &lt;name&gt;PackageInfo&lt;/name&gt;   &lt;type&gt;file&lt;/type&gt;   &lt;inode&gt;39991816&lt;/inode&gt;   &lt;deviceno&gt;16777218&lt;/deviceno&gt;   &lt;mode&gt;0644&lt;/mode&gt;   &lt;uid&gt;0&lt;/uid&gt;   &lt;user&gt;root&lt;/user&gt;   &lt;gid&gt;0&lt;/gid&gt;   &lt;group&gt;wheel&lt;/group&gt;   &lt;atime&gt;2013-10-29T18:01:48Z&lt;/atime&gt;   &lt;mtime&gt;2013-10-29T18:01:48Z&lt;/mtime&gt;   &lt;ctime&gt;2013-10-29T18:01:48Z&lt;/ctime&gt;   &lt;FinderCreateTime&gt;    &lt;time&gt;1970-01-01T00:00:00&lt;/time&gt;    &lt;nanoseconds&gt;0&lt;/nanoseconds&gt;   &lt;/FinderCreateTime&gt;   &lt;ea id&#x3D;"0"&gt;    &lt;name&gt;com.apple.TextEncoding&lt;/name&gt;    &lt;extracted-checksum style&#x3D;"sha1"&gt;34bb265cb6732969f269ccc90fea5d662e9e0ea5&lt;/extracted-checksum&gt;    &lt;archived-checksum style&#x3D;"sha1"&gt;d433dacc26ca2c81f30c25e807dc170e6680aad9&lt;/archived-checksum&gt;    &lt;encoding style&#x3D;"application/x-gzip"/&gt;    &lt;size&gt;15&lt;/size&gt;    &lt;offset&gt;8625&lt;/offset&gt;    &lt;length&gt;23&lt;/length&gt;   &lt;/ea&gt;   &lt;data&gt;    &lt;extracted-checksum style&#x3D;"sha1"&gt;8ddffdeaf0c9d56f1ac7a545f9065b8c0a0c253b&lt;/extracted-checksum&gt;    &lt;archived-checksum style&#x3D;"sha1"&gt;a0e202b915ac2b741e8b4eb4b6c34ad2025e576e&lt;/archived-checksum&gt;    &lt;encoding style&#x3D;"application/x-gzip"/&gt;    &lt;size&gt;549&lt;/size&gt;    &lt;offset&gt;8327&lt;/offset&gt;    &lt;length&gt;298&lt;/length&gt;   &lt;/data&gt;  &lt;/file&gt;  &lt;file id&#x3D;"3"&gt;   &lt;name&gt;Payload&lt;/name&gt;   &lt;type&gt;file&lt;/type&gt;   &lt;inode&gt;39991803&lt;/inode&gt;   &lt;deviceno&gt;16777218&lt;/deviceno&gt;   &lt;mode&gt;0644&lt;/mode&gt;   &lt;uid&gt;0&lt;/uid&gt;   &lt;user&gt;root&lt;/user&gt;   &lt;gid&gt;0&lt;/gid&gt;   &lt;group&gt;wheel&lt;/group&gt;   &lt;atime&gt;2013-10-29T18:01:47Z&lt;/atime&gt;   &lt;mtime&gt;2013-10-29T18:01:48Z&lt;/mtime&gt;   &lt;ctime&gt;2013-10-29T18:01:48Z&lt;/ctime&gt;   &lt;FinderCreateTime&gt;    &lt;time&gt;1970-01-01T00:00:00&lt;/time&gt;    &lt;nanoseconds&gt;0&lt;/nanoseconds&gt;   &lt;/FinderCreateTime&gt;   &lt;data&gt;    &lt;extracted-checksum style&#x3D;"sha1"&gt;8c82d6335d52c388475c710b3da67dfc037aeb57&lt;/extracted-checksum&gt;    &lt;archived-checksum style&#x3D;"sha1"&gt;8c82d6335d52c388475c710b3da67dfc037aeb57&lt;/archived-checksum&gt;    &lt;size&gt;6074987&lt;/size&gt;    &lt;offset&gt;8648&lt;/offset&gt;    &lt;encoding style&#x3D;"application/octet-stream"/&gt;    &lt;length&gt;6074987&lt;/length&gt;   &lt;/data&gt;  &lt;/file&gt;  &lt;file id&#x3D;"4"&gt;   &lt;name&gt;Scripts&lt;/name&gt;   &lt;type&gt;file&lt;/type&gt;   &lt;inode&gt;39991814&lt;/inode&gt;   &lt;deviceno&gt;16777218&lt;/deviceno&gt;   &lt;mode&gt;0644&lt;/mode&gt;   &lt;uid&gt;0&lt;/uid&gt;   &lt;user&gt;root&lt;/user&gt;   &lt;gid&gt;0&lt;/gid&gt;   &lt;group&gt;wheel&lt;/group&gt;   &lt;atime&gt;2013-10-29T18:01:48Z&lt;/atime&gt;   &lt;mtime&gt;2013-10-29T18:01:48Z&lt;/mtime&gt;   &lt;ctime&gt;2013-10-29T18:01:48Z&lt;/ctime&gt;   &lt;FinderCreateTime&gt;    &lt;time&gt;1970-01-01T00:00:00&lt;/time&gt;    &lt;nanoseconds&gt;0&lt;/nanoseconds&gt;   &lt;/FinderCreateTime&gt;   &lt;data&gt;    &lt;extracted-checksum style&#x3D;"sha1"&gt;b2e862d97d79b2a78433f07b29685e0293e0239b&lt;/extracted-checksum&gt;    &lt;archived-checksum style&#x3D;"sha1"&gt;b2e862d97d79b2a78433f07b29685e0293e0239b&lt;/archived-checksum&gt;    &lt;size&gt;180&lt;/size&gt;    &lt;offset&gt;6083635&lt;/offset&gt;    &lt;encoding style&#x3D;"application/octet-stream"/&gt;    &lt;length&gt;180&lt;/length&gt;   &lt;/data&gt;  &lt;/file&gt;&lt;/toc&gt;&lt;/xar&gt;Looking at the contents, very simple flat package:$ xar -t  -f foo.pkgBomPackageInfoPayloadScriptsAnd lastly, pkgutil is happy, spctl (and the Installer of course) are not:$ sudo spctl --assess --type install -v foo.pkgfoo.pkg: rejected$ /usr/sbin/pkgutil --check-signature foo.pkgPackage "foo.pkg":   Status: signed by a developer certificate issued by Apple   Certificate Chain:    1. 3rd Party Mac Developer Installer: TiVo, Inc (4BLW75E6S3)       SHA1 fingerprint: 1C 22 36 8E 43 E6 6D 42 CE 9F 63 B2 74 C7 23 C6 16 CF AC 10       -----------------------------------------------------------------------------    2. Apple Worldwide Developer Relations Certification Authority       SHA1 fingerprint: 09 50 B6 CD 3D 2F 37 EA 24 6A 1A AA 20 DF AA DB D6 FE 1F 75       -----------------------------------------------------------------------------    3. Apple Root CA       SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60Nothing inside the package is signed.Any ideas where I look next?

gatpy · Answer

Hello, I have the same problem: I build, sign executables and installer with both Application and Installer certificates delivered by Apple, but my install is still rejected by Gatekeeper on other computers. I was first building and signing on Snow Leopard with Xcode 4.2, then updated to Mavericks with Xcode 4.6.3 and still have this problem.This guy seems to have the same problem too: http://www.copyquery.com/productsigned-mac-app-not-installing-in-computers-that- are-not-mine/Do you have any solution?

BananaSlug · Answer

I&#x27;m also having this problem. I signed a flat .pkg using my 3rd Party Mac Developer Installer certificate and the payload app with 3rd Party Mac Developer Application certificates apparently with success as confirmed by pkgutil --check-signature test (similar to output displayed by Gatby&#x27;s comment, above)Moreover, when I attempt to install my payload on my computer after logging into to another user account for testing it works with no warnings from Gatekeeper. Nevertheless assessing the package installer using:     "spctl --assess --verbose&#x3D;4" returns this message:      "Install Packages Test.pkg: rejected source&#x3D;no usable signature"I am hoping there is something wrong with the spctl assessment. Can anyone confirm this?

gatpy · Answer

I finally found what was the problem: I&#x27;m still testing my app, so it&#x27;s not on the AppStore yet. Therefore the "3rd Party XXX certificates" don&#x27;t work because they are production/distribution certificates, not development. I had to get the "Developer ID XXX certificates" instead. However I couldn&#x27;t manage to get them from the developer.apple.com portal, they&#x27;re (currently? maybe a bug...) not listed. The only way to get them is to use Xcode 5, go to Preferences &gt; Accounts.There is a confusion about Mac certificates, dixit here: http://lists.apple.com/archives/xcode-users/2012/Oct/msg00286.htmlIt&#x27;s well documented: https://developer.apple.com/library/mac/documentation/IDEs/Conceptual/AppDistrib utionGuide/DistributingApplicationsOutside/DistributingApplicationsOutside.htmlI admit it is, BUT it&#x27;s overcomplicated and confusing: Why "Developer ID", what does that mean? Why is there a "Mac Developer" certificate generated with the "Developer ID" ones but doesn&#x27;t seem to be used for anything? Why can&#x27;t we get these "Developer ID" certificates from the web portal?Well nevermind, I hope this will help you.

BananaSlug · Answer

Thanks gatby for quick feedback, although I am more confused then ever. If I understand correctly, my "third-party" certificates are only for production/testing purposes (whatever that means) and will not provide the Gatekeeper security clearance for apps—both those intended to be distributed through the App Store and those to be distributed outside the store (which is my scenario). Therefore I cannot use the command line to get Gatekeeper clearance on my application nor its delivery package until I attain those specific certificates ("Developer ID Installer", and "Developer ID Application"). Apparently Xcode 5 has access to these since it did sign my application archive successfully. Nevertheless, I may wish to use the command line to code sign my apps in the future, moreover, it&#x27;s imperative that I attain the "Developer ID Installer" certificate and install it in my keychain so I can secure my delivery package. You helpfully state that there is no way to download those certificates from the Mac Developer portal, so that I have to access them from the X code 5 developer application. I can see when I go into my account and select &#x27;view details&#x27; button, the five desired certificates listed. By selecting one of these (you can only select one) I can export, say the "Developer ID Installer" certificate to my desktop and then try to import this to my keychain. Unfortunately, I find that this fails without an error panel. Moreover, when I try to open certificate file from my desktop, it prompts me for my developer password and thereafter simply fails to open—as if exporting the certificate from X code creates a bogus certificate file. Perhaps you can help me on how to get those certificates into my keychain? I can&#x27;t tell you how angry I am at Apple for their apparent neglect of clear process when it comes to distribution outside the App Store context (for which I have no choice).

BananaSlug · Answer

OK. I was able to download the correct certificates from the Mac Development portal unlike gatby. Although I still was confused in how to import these into keychain. It turns out I probably already have them in there (although it&#x27;s impossible to know by the outword appearance of the downloaded certificate files on my desktop). That&#x27;s most likely why nothing showed or transpired when I tried to import them. There&#x27;s nothing worse than trying to look for something you already got, but don&#x27;t know it&#x27;s there. Arghhh!