Let me start by saying I know there are myriad questions like this, but I believe I have checked all the causes in previous questions and still have a problem.
My application is using Qt so my submission process doesn't go through Xcode. In the past I have not had much trouble submitting my application.
Here is my codesign command:
codesign --deep -f -s '3rd Party Mac Developer Application: Me' -v --entitlements Entitlements.plist MyApp.app
This appears to work, and if I use codesign to verify I get:
MyApp.app: valid on disk
MyApp.app: satisfies its Designated Requirement
Next up, I use productbuild to generate my .pkg file for submission via Application Loader.
productbuild --component MyApp.app /Applications --sign '3rd Party Mac Developer Installer: Me' MyApp.pkg
Note that I'm using 3rd Party Mac Developer type certificates with both commands and I'm using the Application certificate for codesign and the Installer certificate for productbuild.
When I submit MyApp.pkg to iTunesConnect via ApplicationLoader 3.1 I get:
ERROR ITMS-90239: "Invalid Signature. Code object is not signed at all. The binary at path [MyApp.app/Contents/MacOS/MyApp] contains an invalid signature. Make sure you have signed your application with a distribution certificate, not an ad hoc certificate or a development certificate.
Evidently my code object is signed, so the problem must be that it thinks I'm using an ad hoc or development certificate, but as you can see from the commands I used, that isn't the case.
Any ideas?
The solution, at least in my case was not to include Entitlements.plist in the application bundle. It should still be specified when invoking codesign, but it need not be present in the bundle.
The error message made that abundantly clear!