I've successfully signed Unix apps manually in the past. Today (after signing the new agreement) I can get it to replace the existing signature but it says "rejected" when I check it.
Here are the commands I'm using:
michaelleahy@Michaels-Mini ~ % sudo codesign --force --deep --options runtime --sign "Developer ID Application: Bookup Corp. (6J8PUT****)" /Users/michaelleahy/Documents/theapp
/Users/michaelleahy/Documents/theapp: replacing existing signature
michaelleahy@Michaels-Mini ~ % spctl -a -vvvv -t install /Users/michaelleahy/Documents/theapp
/Users/michaelleahy/Documents/theapp: rejected
source=Unnotarized Developer ID
origin=Developer ID Application: Bookup Corp. (6J8PUT****)
Here is a command (issued right after the one above) showing an older signed app is accepted:
michaelleahy@Michaels-Mini ~ % spctl -a -vvvv -t install /Users/michaelleahy/Documents/olderapp
/Users/michaelleahy/Documents/olderapp: accepted
source=Notarized Developer ID
origin=Developer ID Application: Bookup Corp. (6J8PUT****)
What might I be missing? Something changed since the last time I signed an app.
spctl is not a great way to check whether a program will run. Rather, I recommend that you do an end-to-end test, as explained in Testing a Notarised Product.
Oh, and two minor things. First, when you run an assessment with spctl you have to pass in the correct assessment type via the -t option. install is not correct for command-line tools. You want to use exec.
Second, I noticed you're signing code with sudo. That's something we specifically recommend against. See Creating distribution-signed code for macOS. In many cases it'll work, but it also sends you off into the errSecInternalComponent weeds.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
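Putting the two points above together in a small script, as an added example that is not from this thread and not Apple's code: it signs a command-line tool as the logged-in user (no sudo), assesses it with the assessment type that matches the artifact (exec for a tool, install only for an installer package), and reads the spctl verdict lines, using the same "source=Notarized Developer ID" / "source=Unnotarized Developer ID" wording shown in the question, to say which case applies. The signing identity and paths are placeholders, and the real codesign/spctl steps only run where those tools exist.

```shell
#!/bin/sh
# Added example (not from the original thread). Signs a command-line tool
# without sudo, assesses it with the correct spctl type, and explains the
# verdict. IDENTITY is a placeholder, not a real certificate name.
IDENTITY="${IDENTITY:-Developer ID Application: Example Corp (TEAMID0000)}"

# Pick the spctl assessment type for the kind of artifact being checked:
# 'install' for installer packages, 'exec' for apps and command-line tools.
spctl_type_for() {
    case "$1" in
        *.pkg|*.mpkg) echo "install" ;;
        *)            echo "exec" ;;
    esac
}

# Classify the text spctl printed (all of its output lines in one string).
# Prints one word; exit status is 0 only for a notarized, accepted binary.
classify_verdict() {
    case "$1" in
        *": accepted"*"source=Notarized Developer ID"*)   echo "notarized";   return 0 ;;
        *": rejected"*"source=Unnotarized Developer ID"*) echo "unnotarized"; return 1 ;;
        *": rejected"*)                                   echo "rejected";    return 2 ;;
        *)                                                echo "unknown";     return 3 ;;
    esac
}

# Sign (as the current user, not via sudo) and assess one tool.
# Returns the classify_verdict status, or 3 if the Apple tools are absent.
sign_and_assess() {
    tool="$1"
    if ! command -v codesign >/dev/null 2>&1 || ! command -v spctl >/dev/null 2>&1; then
        echo "codesign/spctl not available on this host; skipping $tool" >&2
        return 3
    fi
    codesign --force --options runtime --sign "$IDENTITY" "$tool" || return 2
    # -t must match the artifact: exec for a command-line tool, not install.
    verdict=$(spctl -a -vvvv -t "$(spctl_type_for "$tool")" "$tool" 2>&1)
    classify_verdict "$verdict"
}

# Constructed sample output, copied from the verdicts quoted in the question,
# so the classifier can be exercised on a machine without spctl.
SAMPLE_REJECTED='/Users/michaelleahy/Documents/theapp: rejected
source=Unnotarized Developer ID
origin=Developer ID Application: Bookup Corp. (6J8PUT****)'
SAMPLE_ACCEPTED='/Users/michaelleahy/Documents/olderapp: accepted
source=Notarized Developer ID
origin=Developer ID Application: Bookup Corp. (6J8PUT****)'

# Usage: sh check_tool.sh /path/to/tool   (with no argument, only the samples run)
if [ -n "${1:-}" ]; then
    sign_and_assess "$1"
else
    echo "sample 1: $(classify_verdict "$SAMPLE_REJECTED")"   # unnotarized
    echo "sample 2: $(classify_verdict "$SAMPLE_ACCEPTED")"   # notarized
fi
```

The "unnotarized" outcome is the one in the question: the signature itself is fine, but Developer ID code that has not been notarized is rejected by this assessment, so the next step is notarization and stapling rather than re-signing.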