Installer pkg built with Xcode 12.2 won't open in macOS 10.10 and 10.11


Jon Gotow
 

I've had similar problems when code-signing and notarizing an app using Xcode 12.2 on Big Sur.

On my DTK (Apple Silicon) machine running macOS 11.1 beta and Xcode 12.2, if I go through a standard build and notarization using the Xcode GUI, everything appears to be fine. The codesign and spctl commands report everything is fine when I run them on macOS 11 or 10.15 and the app launches as expected. However, on macOS 10.10, I get the error "the sealed resource directory is invalid" when I run spctl and the system refuses to launch the app, saying it's damaged.

However, if I build on my MacBook Pro running macOS 11.1 beta and Xcode 12 beta, the resulting app doesn't have any problems. I'll boot back into Big Sur and find out which Xcode 12 beta I'm running. In any case, I'm hesitant to update to Xcode 12.2 for fear my builds will no longer work on 10.10.

- Jon


Alex Zavatone
 

Out of curiosity, do you have an older copy of the installer that works on those platforms?

You may be able to open it up and view the entitlements/config files and see the differences.

One option is to create a VM with one of those operating systems on it and install a version of Xcode that works on 10.10 and 10.11, then deliver these special case installers or create installers that work on that OS and see what the difference is.

I keep around old 50 GB VMware images and old Xcode installers just in case.

Alex Zavatone
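
Added example, not part of the original thread: one way to do the old-versus-new comparison suggested above. A flat .pkg is a xar archive, so this sketch reads the xar header and zlib-compressed table of contents and reports which checksum and signature elements differ between two packages. The helper names and the sample bytes are constructed for illustration; the thread does not establish which field, if any, is responsible.

```python
import struct
import zlib
import xml.etree.ElementTree as ET

XAR_MAGIC = 0x78617221  # b"xar!"
# Header checksum ids above 2 differ between xar versions, so report them numerically.
CKSUM_ALGS = {0: "none", 1: "sha1", 2: "md5"}

def read_toc(data: bytes):
    """Return (header checksum algorithm, parsed TOC root) for xar/flat-package bytes."""
    if len(data) < 28:
        raise ValueError("too short for a xar header")
    magic, hdr_size, _ver, clen, ulen, alg = struct.unpack(">IHHQQI", data[:28])
    if magic != XAR_MAGIC:
        raise ValueError("not a xar archive")
    toc = zlib.decompress(data[hdr_size:hdr_size + clen])
    if len(toc) != ulen:
        raise ValueError("TOC length does not match header")
    return CKSUM_ALGS.get(alg, f"id {alg}"), ET.fromstring(toc)

def signing_summary(data: bytes) -> dict:
    """Collect the fields a verifier needs: checksum style and signature elements."""
    alg, root = read_toc(data)
    toc = root.find("toc")
    checksum = toc.find("checksum")
    sigs = {}
    for tag in ("signature", "x-signature"):
        el = toc.find(tag)
        if el is not None:
            certs = [e for e in el.iter() if e.tag.endswith("X509Certificate")]
            sigs[tag] = (el.get("style"), int(el.findtext("size")), len(certs))
    return {"header_cksum": alg,
            "toc_checksum": checksum.get("style") if checksum is not None else None,
            "signatures": sigs}

def diff_summaries(old: bytes, new: bytes) -> dict:
    """Map each differing field to its (old, new) values."""
    a, b = signing_summary(old), signing_summary(new)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}

def make_sample(alg_id: int, style: str, digest_len: int) -> bytes:
    """Constructed stand-in for a signed .pkg: header and TOC only, no payload."""
    toc = (f'<xar><toc><checksum style="{style}"><offset>0</offset>'
           f'<size>{digest_len}</size></checksum>'
           f'<signature style="RSA"><offset>{digest_len}</offset><size>256</size>'
           '<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>'
           '<X509Certificate>PLACEHOLDER</X509Certificate>'
           '</X509Data></KeyInfo></signature></toc></xar>').encode()
    z = zlib.compress(toc)
    return struct.pack(">IHHQQI", XAR_MAGIC, 28, 1, len(z), len(toc), alg_id) + z
```

For real packages, pass the bytes of the known-good installer and the failing one to `diff_summaries`, for example `diff_summaries(open(old_path, "rb").read(), open(new_path, "rb").read())`.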

Jack Brindle
 

Which OS are you building on? There are reports of Big Sur builds having issues on early versions of the OS (pre Mojave, I believe).

Jack

Mark Allan
 

Hey Ben,

Thanks for the suggestion. No, I hadn't checked that tool... but I have now, and it says "YES", i.e. it's signed correctly, so unfortunately I'm no further forward.

Mark

Ben Kennedy
 

Hey Mark,

I can't speak to what might be the problem, but I've been reading about code signing and notarization recently in an effort to better understand how it all works at a lower level, so I'm interested in what you find out.

TN2206 (https://developer.apple.com/library/archive/technotes/tn2206/_index.html) makes reference to using the `check-signature` tool (https://developer.apple.com/download/more/?=SignatureCheck) to validate package signatures. Have you tried that? Does it report anything useful?

-ben

Mark Allan
 

Hi all,

I have a script which Xcode runs as a post-action during the archive phase which takes my compiled app, and generates a signed .pkg installer file along with all the other elements of the app.

For the last few years this has worked fine, but for some reason I'm now unable to open the resulting pkg file on macOS 10.10 and 10.11. When I try to open the installer on the older OSes, I'm presented with the following error message:

Installer_signed.pkg can't be installed because its digital signature is invalid.
The package may have been corrupted or tampered with. Get a new copy of the package and try again.

The signature is valid and I can see this in macOS 11 and 10.15 when clicking the certificate icon in the upper right corner of the window, so I'm not sure what's going on.

Is anyone aware of any changes to pkgbuild and productbuild which might have caused this? The man pages don't reference anything new that might be relevant, so I'm stuck.

Thanks
Mark