Konrad Rudolph

Reputation: 545618

My code-signed DMG is rejected by GateKeeper

I am trying to distribute an application (itself code-signed) inside a code-signed DMG volume, signed by a self-signed code certificate (generated using the Keychain Certificate Assistant).

I’m on macOS Mojave and I am creating the DMG using the following procedure:

  1. Create a new empty folder testsrc
  2. Copy code-signed app bundle into the new folder
  3. Run

    hdiutil create -volname test -srcfolder testsrc -ov -format UDBZ test.dmg
    
  4. Code-sign the DMG:

    codesign -s keyid test.dmg
    

This succeeds (no error message, return code 0). Furthermore, trying to execute codesign again leads to the message “test.dmg: is already signed”. I can verify the signature:

codesign -vvvv -d test.dmg
Executable=/path/to/test.dmg
Identifier=test
Format=disk image
CodeDirectory v=20100 size=291 flags=0x0(none) hashes=1+6 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=73…
Hash choices=sha256
Page size=none
CDHash=73… (same as above)
Signature size=1760
Authority=keyid
Signed Time=12 Dec 2018 at 18:26:31
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=1 size=96

However, when I try to open the quarantined (downloaded from localhost) DMG, I get the usual Gatekeeper error message:

Gatekeeper: “test.dmg” can’t be opened because it is from an unidentified developer.

Furthermore, spctl -v -a -t open --context context:primary-signature test.dmg tells me: “test.dmg: rejected”.

Is this purely because my certificate is self-signed rather than being an Apple Developer ID Application certificate? Is there a way around it?


I’ve seen the answers in How to add codesigning to dmg file in mac but they assume that the above procedure should work.

Upvotes: 2

Views: 1490

Answers (1)

Konrad Rudolph

Reputation: 545618

Is this purely because my certificate is self-signed rather than being an Apple Developer ID Application certificate?

In a nutshell: yes.

After using the key from an Apple signed developer certificate, the error went away and the application now passes validation by Gatekeeper.

Upvotes: 4
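The following script is an added example, not the poster's own, that reproduces the build/sign/assess procedure from the question and makes the point of the answer explicit in code: `codesign -vvvv` only proves the signature is intact, while `spctl` applies Gatekeeper's policy, which trusts only chains ending in Apple's Developer ID CA. It assumes macOS with `hdiutil`, `codesign` and `spctl` on PATH; the folder, volume and identity names (`testsrc`, `test`, `keyid`) are placeholders taken from the question, and the sample `spctl` output used in the test is constructed. On macOS 10.15 and later the same assessment additionally expects the image to be notarized, which this page predates.

```shell
#!/bin/sh
# Added example (not the poster's script): rebuild the question's DMG pipeline
# and make the Gatekeeper check explicit. Assumes macOS with hdiutil, codesign
# and spctl on PATH; paths and the identity name are placeholders.
set -eu

SRC_DIR="${SRC_DIR:-testsrc}"      # folder containing the code-signed .app
VOLNAME="${VOLNAME:-test}"
DMG="${DMG:-test.dmg}"
IDENTITY="${IDENTITY:-keyid}"     # "keyid" (self-signed) or a Developer ID name

# Gatekeeper only trusts chains ending in Apple's Developer ID CA. The quickest
# tell is the certificate's common name, which
#   security find-identity -v -p codesigning
# prints as "Developer ID Application: <Name> (<TEAMID>)".
identity_is_developer_id() {
    case "$1" in
        "Developer ID Application: "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Steps 1-3 of the question: build a compressed read-only image.
build_dmg() {
    hdiutil create -volname "$VOLNAME" -srcfolder "$SRC_DIR" -ov -format UDBZ "$DMG"
}

# Step 4: sign, then verify the signature itself. codesign -v checks that the
# signature is intact and matches the identity; it does not apply Gatekeeper policy.
sign_dmg() {
    codesign -s "$IDENTITY" "$DMG"
    codesign -vvvv -d "$DMG"
}

# The check that matters for distribution: spctl applies the system policy.
# With -vv it prints "<file>: accepted|rejected" followed by "source=<rule>".
# Exit status is non-zero on rejection, so the output is captured either way.
assess_dmg() {
    spctl -a -vv -t open --context context:primary-signature "$DMG" 2>&1 || true
}

# Reduce spctl's output (on stdin) to "verdict:rule" so a script can branch on it.
classify_verdict() {
    out=$(cat)
    verdict=$(printf '%s\n' "$out" | sed -n 's/^.*: \(accepted\)$/\1/p' | head -n 1)
    if [ -z "$verdict" ]; then
        verdict=$(printf '%s\n' "$out" | sed -n 's/^.*: \(rejected\)$/\1/p' | head -n 1)
    fi
    rule=$(printf '%s\n' "$out" | sed -n 's/^source=//p' | head -n 1)
    printf '%s:%s\n' "${verdict:-unknown}" "${rule:-none}"
}

main() {
    if ! identity_is_developer_id "$IDENTITY"; then
        echo "warning: '$IDENTITY' is not a Developer ID identity; Gatekeeper will reject the image" >&2
    fi
    build_dmg
    sign_dmg
    result=$(assess_dmg | classify_verdict)
    echo "gatekeeper: $result"
    case "$result" in
        accepted:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run the pipeline only when invoked as "sh build-dmg.sh run", so the helper
# functions can be sourced and exercised without touching hdiutil.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it as `IDENTITY="Developer ID Application: Example Corp (ABCDE12345)" sh build-dmg.sh run` once the Developer ID identity is in the keychain; with the self-signed `keyid` from the question the script warns up front and `spctl` reports `rejected`, exactly the outcome described in the question, even though `codesign -vvvv` is happy with the signature.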
