产品Mac应用程序不安装在不是我的计算机 [英] Productsigned Mac app not installing in computers that are not mine

问题描述

我有一个Mac应用程序，我已经使用终端上的'productsign'命令签名

  productsign  - 第三方Mac开发商安装程序：我的公司（dasdfjkaj）InstallerUnsigned.pkg InstallerSigned.pkg 
 
 productsign：使用第三方Mac开发人员安装程序：我的公司（dasdfjkaj）从keychain / me / Library / Keychains / login.keychain 
 productsign：添加中间证书Apple Worldwide开发人员关系认证中心
 productsign：已签署的产品归档文件InstallerSigned.pkg 
  
 
 
 
然后我运行了命令
  spctl -a -v-install install InstallerSigned.pkg 
 InstallerSigned.pkg：accepted 
  
也检查签名
  pkgutil --check-signature InstallerSigned.pkg 
软件包InstallerSigned.pkg：
状态：由苹果颁发的开发人员证书签署
证书链：
 1.第三方Mac开发人员安装程序：我的公司（dasdfjkaj）
 2. Apple全球开发人员关系认证中心
 3. Apple Root CA 
  
当我从我的机器运行安装程序（Gatekeeper设置为 Mac应用商店和识别开发人员）它运行正常。它也安装正确，当我下载了相同的pkg后，我部署到我的网站。 
 
 
 
但是...当我在另一台机器上下载pkg时，它无法安装。它无法识别我的开发者ID。当我在失败的机器上运行spctl命令时，我得到
  spctl -a -v --type install InstallerSigned.pkg 
 InstallerSigned.pkg：rejected 
  
有人知道为什么它在我自己的机器上运行良好，当pkg在另一台机器上运行时失败？我真的很想出来：/ 
 
 
 
编辑：
这是我在
  spctl --list --type execute 
 3 [Apple系统] P0允许执行
锚点苹果
 4 [Mac App Store] P0允许执行
 anchor apple generic and certificate leaf [field。< I removed this>] exists 
 5 [开发者ID] P0允许执行
锚点苹果通用和证书1 [字段< I removed this> ;]存在并且证书叶[字段。< I removed this>]存在
 7 [GKE] P0 allow execute [（gke）] 
 cdhash H< I removed this> 
 10 [GKE] P0 allow execute [（gke）] 
 cdhash H< I removed this> 
 14 [GKE] P0 allow execute [（gke）] 
 cdhash H< I removed this> 
 15 [GKE] P0 allow execute [（gke）] 
 cdhash H< I removed this> 
 18 [GKE] P0 allow execute [（gke）] 
  
 
 
解决方案
 
证书重要
 
 
 
这些是您需要一起使用以进行代码签名的证书：
 
 
 
 
 
 开发者ID安装程序 
 
 
 
 开发者ID应用 
 
 
 
 
 
 第三方Mac开发人员安装程序（通常只用于AppStore应用程式）。
 
 
 
 
 
 
 
 
开发人员ID安装程序证书是您在未提交到AppStore时将使用的证书。对于具体指定部分的代码，您需要使用开发人员ID应用证书。 
 
 
 
   Apple开发人员编号工作流程指南  
 
I have a Mac app which I have signed using the 'productsign' command from the terminal 
productsign --sign "3rd Party Mac Developer Installer: My company (dasdfjkaj)" InstallerUnsigned.pkg InstallerSigned.pkg

productsign: signing product with identity "3rd Party Mac Developer Installer: My company (dasdfjkaj)" from keychain /Users/me/Library/Keychains/login.keychain
productsign: adding intermediate certificate "Apple Worldwide Developer Relations Certification Authority"
productsign: Wrote signed product archive to InstallerSigned.pkg
I then ran the assess command 
spctl -a -v --type install  InstallerSigned.pkg
InstallerSigned.pkg: accepted
I also checked the signature
pkgutil --check-signature InstallerSigned.pkg 
Package "InstallerSigned.pkg":
Status: signed by a developer certificate issued by Apple
   Certificate Chain:
    1. 3rd Party Mac Developer Installer: My company (dasdfjkaj)
    2. Apple Worldwide Developer Relations Certification Authority
    3. Apple Root CA
When I run the installer from my machine (with Gatekeeper set to "Mac App store and identified developers") it runs fine. It also installed properly when I downloaded the same pkg after I deployed it to my website. 

But... when I download the pkg in another machine it fails to install. It does not recognize my developer ID. When I run the spctl command on the failed machine, I get
spctl -a -v --type install  InstallerSigned.pkg
InstallerSigned.pkg: rejected
Does anyone know why this it runs fine on my own machine but fails when the pkg runs on another machine? I am all out of ideas really :/

EDIT:
This is what I get when
spctl --list --type execute
3[Apple System] P0 allow execute
    anchor apple
4[Mac App Store] P0 allow execute
    anchor apple generic and certificate leaf[field.<I removed this>] exists
5[Developer ID] P0 allow execute
    anchor apple generic and certificate 1[field.<I removed this>] exists and certificate leaf[field.<I removed this>] exists
7[GKE] P0 allow execute [(gke)]
    cdhash H"<I removed this>"
10[GKE] P0 allow execute [(gke)]
    cdhash H"<I removed this>"
14[GKE] P0 allow execute [(gke)]
    cdhash H"<I removed this>"
15[GKE] P0 allow execute [(gke)]
    cdhash H"<I removed this>"
18[GKE] P0 allow execute [(gke)]

解决方案
Certificates Matter

These are the certificates you will need to use together for codesigning:


Developer ID Installer 
Developer ID Application


3rd Party Mac Developer Installer (usually only used for the AppStore apps).



The "Developer ID Installer" certificate is what you would use if not submitting to the AppStore. For codesigning portions specifically, you need to use the "Developer ID Application" certificate. 

Apple Developer Codesigning Workflow Guide

                        
这篇关于产品Mac应用程序不安装在不是我的计算机的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！