macoscodesigndmg

Why is my code signed dmg is blocked by Chrome and Gatekeeper in Mac?


I code signed a dmg file and had it uploaded to google cloud storage. The file is not deemed as threatening in my Mac but in other Macs chrome browser blocks the download of the file regarding it as a malware. Upon trying to install the dmg in any Mac other than the one used to code sign it, Gatekeeper blocks the installation. Unsigned version of the dmg works just fine and is not regarded as malware neither by chrome or Gatekeeper. I'm pretty noob in this regard. I could not find out any reason behind it.

I followed this SO question to code sign the dmg. When I inspected it with the following command -

spctl -a -t open --context context:primary-signature -v path/to/dmg

Ouput of the above command is -

path/to/dmg: accepted
source=Developer ID

Solution

  • Assuming you have a valid Developer ID certificate issued by Apple, check out Notarizing Your App Before Distribution.

    Beginning in macOS 10.14.5, all new or updated kernel extensions and all software from developers new to distributing with Developer ID must be notarized in order to run. Beginning in macOS 10.15, notarization is required by default for all software.

    Before you deploy your software, you must now also send it to Apple for notarization. If you made your Developer ID very recently, Gatekeeper will not run your code signed software without an attached notarization ticket.

    Apple has good instructions on how to do so from the command-line at Customizing the Notarization Workflow (be sure the use the --timestamp and -o runtime options with the codesign command).

    If you do not have an Apple Developer account (and are using, say, a self-signed certificate), you'll have get one before code signing, notarizing and distributing your software. Once you have your account, see Maintain Signing Assets for instructions on how to get the Apple-issued certificates on your Keychain.