How to debug OSX code signing rejection?

Problem description

I'm signing an install4j installer for OSX, however OSX is rejecting it. The system log only reports that it was rejected, and spctl only reports that it was rejected, with no explanation. How can I determine why it was rejected?

Recommended answer

I presume you're talking about Gatekeeper not allowing your app to run after it's downloaded? Gatekeeper's rules aren't based on a list of rules to reject an app, they're based on a list of possible rules to accept an app, and if your app doesn't match any of those rules. This makes it hard to log e.g. why your app was rejected beyond "it didn't match any of the allow rules". Now, if you know which "allow" rule you expected to apply to it, you can try to debug it based on that, but Gatekeeper itself doesn't know this and hence isn't much help.

I'm assuming you want your app to be allowed under the "identified developer" rule? If so, there are a couple of tests to look for obvious problems: first, run codesign -vv --deep-verify /path/to/yourapp.app, and make sure it prints "valid on disk" and "satisfies its Designated Requirement" (and doesn't give any errors) -- if not, something's wrong with the signature or the contents of the app.

Second, run codesign -dvv /path/to/yourapp.app, and make sure the data it lists includes:

Authority=Developer ID Application: [Your name/company here]
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Sealed Resources version=2 rules=[something] files=[something]

If the Authority list is different from that, you used the wrong certificate to sign it. If the Sealed Resources version is 1 or not listed, you signed it with an old version of OS X, and recent versions will reject the signature format.
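
The two checks described in the answer above, as an added shell example that is not part of the original answer. The function name check_codesign_details and both sample outputs are constructed for illustration; the only commands assumed are the two codesign invocations quoted in the answer.

```shell
#!/bin/sh
# Added example: apply the answer's checklist to `codesign -dvv` output.
# Reads that output on stdin, prints one line per problem, returns 0 if none.
check_codesign_details() {
    awk '
        /^Authority=/ { auth[++n] = substr($0, 11) }   # text after "Authority="
        /^Sealed Resources/ && match($0, /version=[0-9]+/) {
            version = substr($0, RSTART + 8, RLENGTH - 8)
        }
        END {
            bad = 0
            if (n != 3 || auth[1] !~ /^Developer ID Application: / ||
                auth[2] != "Developer ID Certification Authority" ||
                auth[3] != "Apple Root CA") {
                print "Authority chain is not the Developer ID chain: wrong signing certificate"
                bad = 1
            }
            if (version == "" || version + 0 < 2) {
                print "Sealed Resources version is 1 or not listed: signed with an old OS X"
                bad = 1
            }
            exit bad
        }'
}

# Constructed sample output (not from a real app): the chain the answer expects.
sample_good() {
cat <<'EOF'
Identifier=com.example.app
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Sealed Resources version=2 rules=12 files=34
EOF
}

# Constructed sample output: a different certificate and the old seal format.
sample_bad() {
cat <<'EOF'
Identifier=com.example.app
Authority=Example Corp Self-Signed
Sealed Resources version=1 rules=4 files=34
EOF
}

# On a Mac: sh check.sh /path/to/yourapp.app   (codesign -d writes to stderr)
if [ -n "${1:-}" ]; then
    codesign -vv --deep-verify "$1" && codesign -dvv "$1" 2>&1 | check_codesign_details
fi
```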
