问题
I have a Mac app which I have signed using the 'productsign' command from the terminal
productsign --sign "3rd Party Mac Developer Installer: My company (dasdfjkaj)" InstallerUnsigned.pkg InstallerSigned.pkg
productsign: signing product with identity "3rd Party Mac Developer Installer: My company (dasdfjkaj)" from keychain /Users/me/Library/Keychains/login.keychain
productsign: adding intermediate certificate "Apple Worldwide Developer Relations Certification Authority"
productsign: Wrote signed product archive to InstallerSigned.pkg
I then ran the assess command
spctl -a -v --type install InstallerSigned.pkg
InstallerSigned.pkg: accepted
I also checked the signature
pkgutil --check-signature InstallerSigned.pkg
Package "InstallerSigned.pkg":
Status: signed by a developer certificate issued by Apple
Certificate Chain:
1. 3rd Party Mac Developer Installer: My company (dasdfjkaj)
2. Apple Worldwide Developer Relations Certification Authority
3. Apple Root CA
When I run the installer from my machine (with Gatekeeper set to "Mac App store and identified developers") it runs fine. It also installed properly when I downloaded the same pkg after I deployed it to my website.
But... when I download the pkg in another machine it fails to install. It does not recognize my developer ID. When I run the spctl command on the failed machine, I get
spctl -a -v --type install InstallerSigned.pkg
InstallerSigned.pkg: rejected
Does anyone know why this it runs fine on my own machine but fails when the pkg runs on another machine? I am all out of ideas really :/
EDIT: This is what I get when
spctl --list --type execute
3[Apple System] P0 allow execute
anchor apple
4[Mac App Store] P0 allow execute
anchor apple generic and certificate leaf[field.<I removed this>] exists
5[Developer ID] P0 allow execute
anchor apple generic and certificate 1[field.<I removed this>] exists and certificate leaf[field.<I removed this>] exists
7[GKE] P0 allow execute [(gke)]
cdhash H"<I removed this>"
10[GKE] P0 allow execute [(gke)]
cdhash H"<I removed this>"
14[GKE] P0 allow execute [(gke)]
cdhash H"<I removed this>"
15[GKE] P0 allow execute [(gke)]
cdhash H"<I removed this>"
18[GKE] P0 allow execute [(gke)]
回答1:
Certificates Matter
These are the certificates you will need to use together for codesigning:
- Developer ID Installer
Developer ID Application
- 3rd Party Mac Developer Installer (usually only used for the AppStore apps).
The "Developer ID Installer" certificate is what you would use if not submitting to the AppStore. For codesigning portions specifically, you need to use the "Developer ID Application" certificate.
Apple Developer Codesigning Workflow Guide
来源:https://stackoverflow.com/questions/21295255/productsigned-mac-app-not-installing-in-computers-that-are-not-mine