Gatekeeper blocks command line tool after signing and notarization

Question

Created Jun ’24

Replies 3

Boosts 0

Participants 3

I have signed and notarized a single executable file command line tool developed outside Xcode, and distributed outside of the App store by way of a download from a website as follows below, but nevertheless gatekeeper blocks running the tool with the usual message, just like without signing or notarization.

If I remove the com.apple.quarantine xattr, the tool runs as it should without gatekeeper interference, as expected.

I have browsed countless posts here, with similar issues, but in the end I can't find what's wrong with the process.

From what I gather, as long as the target Mac is connected to the Internet, stapling should not be required (I do understand I can't staple a single file executable command line tool), although Gatekeeper would be expected to complain in the case of the first run being done without Internet connection.

The certificate is a "Developer Id Application" certificate, installed and valid on the machine doing the signing.

It is unclear to me what the distinction is between "Developer Id Application" and "Developer Id Installer" certificates, but it's confusing that using -t install with spctl will actually accept the app.

The app is open source and available on GitHub (although the full distribution packaging is done in a separate build environment with some additional logic). The app used below as the target for signing and notarization is available to download from https://www.axantum.com/ in a .tar.gz archive.

Here follows a log of commands and output:

XecretsCli.plist: (This was necessary to add to the signing to avoid corruption of the executable by the code signing)

<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.security.cs.allow-jit</key> <true/> <key>com.apple.security.cs.allow-unsigned-executable-memory</key> <true/> <key>com.apple.security.cs.disable-library-validation</key> <true/> <key>com.apple.security.cs.disable-executable-page-protection</key> <true/> </dict> </plist>

codesign -s GCXRMT5SQC -f --timestamp -s 0CF6800E595AA6DE9EBB905066619A9BFDD17A77 --entitlements XecretsCli.plist -o runtime XecretsCli

codesign -d -vvv --entitlements :- XecretsCli

Executable=/Users/svante/Downloads/XecretsCli-Osx-2.3.567 3/XecretsCli Identifier=XecretsCli Format=Mach-O thin (x86_64) CodeDirectory v=20500 size=271478 flags=0x10000(runtime) hashes=8473+7 location=embedded Hash type=sha256 size=32 CandidateCDHash sha256=d3a8216fcb22b4a4af7bd0157ecc3d2b6be9f9b2 CandidateCDHashFull sha256=d3a8216fcb22b4a4af7bd0157ecc3d2b6be9f9b20c9e3c17e107f08c7ae75c5a Hash choices=sha256 CMSDigest=d3a8216fcb22b4a4af7bd0157ecc3d2b6be9f9b20c9e3c17e107f08c7ae75c5a CMSDigestType=2 CDHash=d3a8216fcb22b4a4af7bd0157ecc3d2b6be9f9b2 Signature size=8987 Authority=Developer ID Application: Axantum Software AB (GCXRMT5SQC) Authority=Developer ID Certification Authority Authority=Apple Root CA Timestamp=Jun 20, 2024 at 13:26:05 Info.plist=not bound TeamIdentifier=GCXRMT5SQC Runtime Version=13.1.0 Sealed Resources=none Internal requirements count=1 size=172 Warning: Specifying ':' in the path is deprecated and will not work in a future release <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>com.apple.security.cs.allow-jit</key><true/><key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/><key>com.apple.security.cs.disable-executable-page-protection</key><true/><key>com.apple.security.cs.disable-library-validation</key><true/></dict></plist>

codesign -v -vvv --strict --deep XecretsCli

XecretsCli: valid on disk XecretsCli: satisfies its Designated Requirement

zip XecretsCli.zip XecretsCli adding: XecretsCli (deflated 63%)

xcrun notarytool submit "XecretsCli.zip" --keychain-profile "Notarize" --wait

Conducting pre-submission checks for XecretsCli.zip and initiating connection to the Apple notary service... Submission ID received id: e5990902-3101-42de-a1a6-b9ea40b944b8 Upload progress: 100.00% (12.4 MB of 12.4 MB)
Successfully uploaded file id: e5990902-3101-42de-a1a6-b9ea40b944b8 path: /Users/svante/Downloads/XecretsCli-Osx-2.3.567 3/XecretsCli.zip Waiting for processing to complete. Current status: Accepted........ Processing complete id: e5990902-3101-42de-a1a6-b9ea40b944b8 status: Accepted

spctl -a -vvv XecretsCli XecretsCli: rejected (the code is valid but does not seem to be an app) origin=Developer ID Application: Axantum Software AB (GCXRMT5SQC)

spctl -a -vvv -t install XecretsCli XecretsCli: accepted source=Notarized Developer ID origin=Developer ID Application: Axantum Software AB (GCXRMT5SQC)

Trying to run the executable:

"XecretsCli" can't be opened because the identity of the developer cannot be confirmed.

Your security preferences allow installation of only apps from the App Store and identified developers.

Chrome downloaded this file today at 10:37.

OK

Boost

Answer 1

Security Engineer OP

Apple

Jun ’24

Could you provide a copy of the app and a sysdiagnose from your Mac after reproducing the issue?

0

Answer 2

Xecrets OP

Jun ’24

Absolutely. How is this best done? It's an executable file (i.e. typically blocked as an attachment), and I don't really want to publish a sysdiagnose publically.

0

Answer 3

DTS Engineer OP

Apple

Jun ’24

How are you running this tool? From within Terminal? Or by double clicking it in the Finder?

If it’s the latter, you’re hitting the issue described in the Tool Blocked by Gatekeeper section of Resolving Gatekeeper Problems.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

1