Tags: macos, dmg, osx-gatekeeper

Mac DMG oddity - signing and "damaged" applications


My Gatekeeper settings are "App Store and Identified Developers"

I have a DMG with a signed app.

When I mount the DMG and run it locally, it works. When I upload the same DMG to our servers (via HTTP), download it (via HTTP), mount it, and try to run the app, I get a popup saying my application is "damaged and can't be opened. You should move it to the Trash."

I have no idea what's going on. How can the same file run correctly locally, but be corrupt after it is uploaded and downloaded? The server is fine; other parties in our company upload and download applications from it just fine.

Am I missing something?


Solution

  • Figured out the problem after a lot of tries.

    In my case the pop-up message about a damaged application came up because libraries were missing. I had created the .app file using Qt. To generate the dmg I was using the macdeployqt command-line tool. The macdeployqt tool creates dynamic libraries inside the .app, so if we codesign before creating the dmg, this alteration will break the code signature. So the proper fix is:

    # Create the dmg using
        macdeployqt <yourapp.app> -dmg

    # Open the resulting dmg file and copy <yourapp.app> to a different folder (let's say /Documents/<yourapp.app>)

    # Codesign /Documents/<yourapp.app> using
        codesign --deep --force --verify --verbose --sign "Developer ID Application: <developerid>" <yourapp.app>

    # Verify using
        codesign --verify --verbose=4 <yourapp.app>
     * You should see something like this:
        <yourapp.app>: valid on disk
        <yourapp.app>: satisfies its Designated Requirement

    # Now create the dmg file again using the [dropdmg](https://c-command.com/dropdmg/) application: download and install DropDMG, then set the configuration preferences with your Developer ID certificate in the signing option.

    # Drag and drop <yourapp.app> onto the DropDMG app and wait for the dmg creation to complete. Voilà, you have now successfully created a dmg signed with your Developer ID certificate.

    # Verify the resulting dmg again using
         codesign --verify --verbose=4 <yourapp.dmg>
    # You can also verify with Gatekeeper
         spctl -a -t exec -vv <yourapp.dmg>
         # Apple's documented form for assessing a disk image (rather than an executable) is:
         # spctl -a -t open --context context:primary-signature -v <yourapp.dmg>

    Once you are done with these steps, you will no longer see the pop-up message saying the app is damaged, broken or from an unidentified developer.
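As an added example, not part of the original answer: the same procedure done entirely with Apple's and Qt's command-line tools (macdeployqt, codesign, hdiutil, spctl) instead of DropDMG, in the order that keeps the signature valid, plus a check for the com.apple.quarantine attribute, which is what makes Gatekeeper assess the downloaded copy but not the locally built one. The app path, the DMG name and the signing identity in DEVELOPER_ID are placeholders I assumed; they are not from the page.

```shell
#!/bin/sh
# Added example (not the original answer's code): bundle a Qt app with
# macdeployqt, sign it AFTER bundling, package it with hdiutil, sign the
# DMG, and verify both the way Gatekeeper will.
# Assumed placeholders: ./MyApp.app, ./MyApp.dmg and the identity below.
set -u

DEVELOPER_ID="${DEVELOPER_ID:-Developer ID Application: Example Corp (TEAMID1234)}"

# Return 0 only if codesign's verification transcript (read from stdin)
# contains both lines Gatekeeper needs: the bundle is intact on disk and
# it satisfies its own Designated Requirement.
signature_ok() {
  _out=$(cat)
  printf '%s\n' "$_out" | grep -q "valid on disk" &&
    printf '%s\n' "$_out" | grep -q "satisfies its Designated Requirement"
}

# Gatekeeper only assesses files carrying com.apple.quarantine, which a
# browser adds on download and a local build never has. That is why the
# same DMG "works" locally and is "damaged" after a round trip.
is_quarantined() {
  xattr -p com.apple.quarantine "$1" >/dev/null 2>&1
}

build_signed_dmg() {
  app="$1"   # e.g. ./MyApp.app
  dmg="$2"   # e.g. ./MyApp.dmg
  name=$(basename "$app" .app)

  # 1. Let macdeployqt copy the Qt frameworks and plugins into the bundle
  #    first. Signing before this step is what breaks the signature,
  #    because macdeployqt rewrites the bundle contents afterwards.
  macdeployqt "$app"

  # 2. Sign the finished bundle. --deep also signs the frameworks and
  #    plugins just added; --options runtime enables the hardened runtime
  #    (required for notarization); --timestamp adds a secure timestamp.
  codesign --force --deep --options runtime --timestamp \
    --sign "$DEVELOPER_ID" "$app"

  # 3. Verify the app before packaging (codesign reports on stderr).
  codesign --verify --deep --strict --verbose=4 "$app" 2>&1 | signature_ok \
    || { echo "app signature invalid" >&2; return 1; }
  spctl -a -t exec -vv "$app" || return 1

  # 4. Build a compressed, read-only disk image with Apple's own tool.
  rm -f "$dmg"
  hdiutil create -volname "$name" -srcfolder "$app" -ov -format UDZO "$dmg"

  # 5. Sign the DMG itself so the disk image carries a Developer ID signature.
  codesign --force --timestamp --sign "$DEVELOPER_ID" "$dmg"
  codesign --verify --verbose=4 "$dmg" 2>&1 | signature_ok \
    || { echo "dmg signature invalid" >&2; return 1; }

  # 6. Assess the DMG as Gatekeeper assesses a downloaded disk image.
  spctl -a -t open --context context:primary-signature -v "$dmg"
}

# Only run the macOS-specific pipeline when invoked with arguments on a
# machine that has the Xcode command-line tools.
if [ $# -ge 2 ] && command -v codesign >/dev/null 2>&1; then
  build_signed_dmg "$1" "$2"
fi
```

Run it on a Mac with the Xcode command-line tools and Qt on PATH as `sh build_dmg.sh ./MyApp.app ./MyApp.dmg`. To reproduce the reporter's symptom without a server round trip, download the DMG with a browser (or check `is_quarantined` on the file) and then run the same `spctl` assessment: a locally created DMG that was never quarantined is never assessed, so "works locally" proves nothing about the signature.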