The Shape of Everything
A website mostly about Mac stuff, written by Gus Mueller
January 16, 2017

I spent more time this morning than I care to admit trying to suss out a code signing issue for Acorn when launching for the first time on 10.10. Here's my little story, and maybe you'll figure things out faster than I did.

Direct builds of Acorn were failing to pass through Gatekeeper on 10.10, but the exact same build worked fine on 10.12.

Running /usr/bin/codesign --verify was telling me something was wrong, but not what. However, if I re-signed my "bad" copy of Acorn using codesign on 10.10, then it passed through Gatekeeper without a hitch.

I was confused. So I went back through previous builds of Acorn (I keep copies of every in-progress beta build) to find where exactly the problem started showing up, and it occurred when I upgraded my build script from Xcode 7.3.1 to 8.2. I still didn't understand why codesign would be failing though, since that is run via a script against the final build, outside of Xcode's usual build process.

I pinged some friends for ideas and Daniel Jalkut suggested I try codesign --verify, but this time with the --deep option included. The extra argument pointed out the exact bundle in Acorn which was causing things to fail on 10.10. It was an Automator bundle.

I opened up that Automator project in Xcode and noticed right away that its deployment target was empty, which means it'll get whatever that version of Xcode thinks is right. In Xcode 8.2 that probably means 10.12, not 10.10.

Whoops.

There are a handful of Automator projects for Acorn, and I'm lazy and didn't want to check them all. Instead I chose to add the option MACOSX_DEPLOYMENT_TARGET=10.10 to xcodebuild when compiling those projects, and all was good.

Here's what I think was going on.

When codesign on 10.12 was run against the Automator actions, it checked to see what the deployment target was and signed the bundles in a way that wasn't compatible with 10.10. However, if I explicitly set the deployment target to 10.10, then codesign (running on 10.12) would then sign the bundles in a different way which was compatible with 10.10.

I think. I could be wrong. Maybe I should be substituting 10.11 in there for 10.12 or 10.10. But it's all working now.

Anyway, thanks Daniel. And future Gus should remember the --deep option. (P.S.: The full command Daniel gave me was:
codesign --verify --deep --strict --verbose=2 Acorn.app)
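
A complementary check to the story above, as an added example that is not from the original post: this Python sketch reads the minimum macOS version recorded in each Mach-O binary inside an app bundle and lists the ones built for something newer than the intended deployment target, which is how an unset deployment target in a nested bundle shows up in the build output. It assumes thin (non-universal) little-endian binaries, and the function names are illustrative.

```python
import os
import struct

HEADER_SIZE = {0xFEEDFACF: 32, 0xFEEDFACE: 28}  # thin little-endian Mach-O, 64/32-bit
LC_VERSION_MIN_MACOSX = 0x24  # written by older toolchains
LC_BUILD_VERSION = 0x32       # written by newer toolchains
PLATFORM_MACOS = 1


def decode(packed):
    """Unpack the xxxx.yy.zz version encoding into (major, minor)."""
    return (packed >> 16, (packed >> 8) & 0xFF)


def min_os_version(data):
    """Return the (major, minor) minimum macOS version of a Mach-O image, or None."""
    if len(data) < 28:
        return None
    offset = HEADER_SIZE.get(struct.unpack_from("<I", data, 0)[0])
    if offset is None:
        return None  # universal (fat) binary or not Mach-O: not handled here
    ncmds = struct.unpack_from("<I", data, 16)[0]
    for _ in range(ncmds):
        if offset + 16 > len(data):
            break
        cmd, size, word1, word2 = struct.unpack_from("<IIII", data, offset)
        if cmd == LC_VERSION_MIN_MACOSX:
            return decode(word1)  # layout: cmd, cmdsize, version, sdk
        if cmd == LC_BUILD_VERSION and word1 == PLATFORM_MACOS:
            return decode(word2)  # layout: cmd, cmdsize, platform, minos, ...
        if size < 8:
            break  # malformed load command
        offset += size
    return None


def too_new(bundle_path, target):
    """List (relative path, version) for every Mach-O file needing macOS newer than target."""
    hits = []
    for root, _dirs, files in os.walk(bundle_path):
        for name in files:
            path = os.path.join(root, name)
            if os.path.islink(path):
                continue  # framework bundles are full of symlinks
            with open(path, "rb") as fh:
                version = min_os_version(fh.read(1 << 16))
            if version and version > target:
                hits.append((os.path.relpath(path, bundle_path), version))
    return sorted(hits)
```

Calling too_new("Acorn.app", (10, 10)) on a finished build returns the nested binaries that would need rebuilding with an explicit MACOSX_DEPLOYMENT_TARGET.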