How to code sign mac app on osx

Question

I have created an app on osx 10.9 using python 2.7 so not using xcode. I code signed it with certificate but when checked with spctl command, it is showing rejected.

Commands are:

codesign -s "3rd Party Mac Developer Application: Cloud Inc" -v -f /Applications/Cloud/logout.app/Contents/Frameworks/Python.framework/Versions/2.7
codesign -s "3rd Party Mac Developer Application: Cloud Inc" -v -f --entitlements /Users/Cloud/Desktop/app.entitlements /Applications/Cloud/logout.app/Contents/MacOS/python
codesign -s "3rd Party Mac Developer Application: Cloud Inc" -v -f --entitlements /Users/Cloud/Desktop/app.entitlements /Applications/Cloud/logout.app/Contents/MacOS/logout 
codesign -s "3rd Party Mac Developer Application: Cloud Inc" -v -f --entitlements /Users/Cloud/Desktop/app.entitlements /Applications/Cloud/logout.app
spctl --assess --type execute /Applications/Cloud/logout.app
/Applications/Cloud/logout.app: rejected

My info.plist file is:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleDevelopmentRegion</key>
    <string>English</string>
    <key>CFBundleDisplayName</key>
    <string>logout</string>
    <key>CFBundleExecutable</key>
    <string>logout</string>
    <key>CFBundleIconFile</key>
    <string>cc.icns</string>
    <key>CFBundleIdentifier</key>
    <string>com.cloud.macapp.logout</string>
    <key>CFBundleInfoDictionaryVersion</key>
    <string>6.0</string>
    <key>CFBundleName</key>
    <string>logout</string>
    <key>CFBundlePackageType</key>
    <string>APPL</string>
    <key>CFBundleShortVersionString</key>
    <string>4.4</string>
    <key>CFBundleSignature</key>
    <string>CC4B</string>
    <key>LSApplicationCategoryType</key>
    <string>public.app-category.reference</string>
    <key>CFBundleVersion</key>
    <string>4.4</string>
    <key>LSHasLocalizedDisplayName</key>
    <false/>
    <key>NSAppleScriptEnabled</key>
    <false/>
    <key>NSHumanReadableCopyright</key>
    <string>Copyright © 2014 Cloud, Inc.</string>
    <key>NSMainNibFile</key>
    <string>MainMenu</string>
    <key>NSPrincipalClass</key>
    <string>NSApplication</string>
    <key>PyMainFileNames</key>
    <array>
        <string>__boot__</string>
    </array>
    <key>PyOptions</key>
    <dict>
        <key>alias</key>
        <false/>
        <key>argv_emulation</key>
        <false/>
        <key>emulate_shell_environment</key>
        <false/>
        <key>no_chdir</key>
        <false/>
        <key>prefer_ppc</key>
        <false/>
        <key>site_packages</key>
        <false/>
        <key>use_faulthandler</key>
        <false/>
        <key>use_pythonpath</key>
        <false/>
        <key>verbose</key>
        <false/>
    </dict>
    <key>PyResourcePackages</key>
    <array>
    </array>
    <key>PyRuntimeLocations</key>
    <array>
        <string>@executable_path/../Frameworks/Python.framework/Versions/2.7/Python</string>
    </array>
    <key>PythonInfoDict</key>
    <dict>
        <key>PythonExecutable</key>
        <string>/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python</string>
        <key>PythonLongVersion</key>
        <string>2.7.8 (default, Jul  7 2014, 20:30:57) 
[GCC 4.2.1 (Apple Inc. build 5664)]</string>
        <key>PythonShortVersion</key>
        <string>2.7</string>
        <key>py2app</key>
        <dict>
            <key>alias</key>
            <false/>
            <key>template</key>
            <string>app</string>
            <key>version</key>
            <string>0.8</string>
        </dict>
    </dict>
</dict>
</plist>

And app.entitlements file is :

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
</dict>
</plist>

Please check info.plist and app.entitlements and command, suggest some remedies to resolve this rejected thing which checking with spctl.

Answer 1

I think Apple documentation is a little lacking in this area.

From what I understand, the "3rd Party Mac Application Developer" certificate is mentioned in Apple's docs as allowing access to certain services, although they don't state specifically what those services are in that document, but expect its these - iCloud Storage, In-App Purchase, Game Center, Push Notifications.

The "3rd Party..." certificates are for submitting applications and installers to Apple's App Store, where Apple will add their own certificate once it has been accepted.

In contrast, the "Developer ID..." certificates are for deployment outside of the app store.

The spctl tool is a command line tool for controlling the security assessment policy subsystem and ties in with Gatekeeper.

As signing with a "3rd Party..." certificate is meant for sending to Apple for the Store and they will strip the certificate and re-sign with their own, I've have concluded from my research that spctl will only return accepted with either an Apple Store, or a Developer ID certificate.

Reading this post, seems to confirm this too.

Note that a Developer ID certificate can only be obtained by the Team Agent.