Apple's changes to app signing could leave some apps blocked by Gatekeeper (Updated)

Heads up for developers: you'll want to take a close look at the changes that have been introduced in the latest Mavericks and Yosemite developer previews. According to prerelease notes for OS X 10.9.5 and Yosemite Developer Preview 5, changes are coming to signed apps. Some developers will have to re-sign their apps and submit an update to the Mac App Store to keep them from being tagged by Gatekeeper as having an invalid signature. Gatekeeper blocks apps with invalid signatures from running.

Beginning with OS X version 10.9.5, there will be changes in how OS X recognizes signed apps. Version 1 signatures created with OS X versions prior to Mavericks will no longer be recognized by Gatekeeper and are considered obsolete.

If your team is using an older version of OS X to build your code, re-sign your app using OS X version 10.9 or later using the codesign tool to create version 2 signatures. Apps signed with version 2 signatures will work on older versions of OS X.

If your app is on the Mac App Store, submit your re-signed app as an update.

This could cause issues for users as Mac apps they've come to rely on suddenly get flagged by Gatekeeper, though this will mostly affect third-party apps downloaded from outside the Mac App Store. If you're a developer still working in OS X 10.8 or older, your apps will fail to launch in 10.9.5 or Yosemite until you update and re-sign the app. Otherwise, users will have to change their security settings or right-click on your app and then select "Open" from the context menu to have your app work on their machine.

The good news is that apps developed with Mavericks will still run on older versions of OS X. This change will only affect developers who are still working in older versions of OS X and their users who have updated.

Update: 6:31PM ET

Apple has sent the following message to developers explaining what they need to do to avoid being caught by the app signing changes.

With the release of OS X Mavericks 10.9.5, the way that OS X recognizes signed apps will change. Signatures created with OS X Mountain Lion 10.8.5 or earlier (v1 signatures) will be obsoleted and Gatekeeper will no longer recognize them. Users may receive a Gatekeeper warning and will need to exempt your app to continue using it. To ensure your apps will run without warning on updated versions of OS X, they must be signed on OS X Mavericks 10.9 or later (v2 signatures).

If you build code with an older version of OS X, use OS X Mavericks 10.9 or later to sign your app and create v2 signatures using the codesign tool. Structure your bundle according to the signature evaluation requirements for OS X Mavericks 10.9 or later. Considerations include:

- Signed code should only be placed in directories where the system expects to find signed code.
- Resources should not be located in directories where the system expects to find signed code.
- The --resource-rules flag and ResourceRules.plist are not supported.

Make sure your current and upcoming releases work properly with Gatekeeper by testing on OS X Mavericks 10.9.5 and OS X Yosemite 10.10 Developer Preview 5 or later. Apps signed with v2 signatures will work on older versions of OS X.
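To find which installed or shipped bundles still carry a v1 signature before re-signing, the script below classifies the output of `codesign -dv` (an added example, not from Apple's message or the original article). It assumes v2 signatures show `version=2` on the `Sealed Resources` line while v1 signatures omit the version field; the function names and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Constructed samples of `codesign -dv` output (not captured from real apps).
SAMPLE_V1='Executable=/Applications/Old.app/Contents/MacOS/Old
Identifier=com.example.old
CodeDirectory v=20100 size=812 flags=0x0(none) hashes=33+3 location=embedded
Sealed Resources rules=4 files=3'
SAMPLE_V2='Executable=/Applications/New.app/Contents/MacOS/New
Identifier=com.example.new
CodeDirectory v=20100 size=1234 flags=0x0(none) hashes=55+3 location=embedded
Sealed Resources version=2 rules=12 files=40'

# classify_signature TEXT
# TEXT is what `codesign -dv <path> 2>&1` printed. Prints one of:
# v2, v1, other-version, no-resources, unsigned, unknown.
classify_signature() {
    line=$(printf '%s\n' "$1" | grep '^Sealed Resources' | head -n 1)
    case "$line" in
        'Sealed Resources version=2 '*) echo v2 ;;            # recognized from 10.9.5 on
        'Sealed Resources version='*)   echo other-version ;;
        'Sealed Resources=none'*)       echo no-resources ;;  # nothing sealed, e.g. a bare binary
        'Sealed Resources '*)           echo v1 ;;            # obsolete: needs re-signing
        *) case "$1" in
               *'not signed'*) echo unsigned ;;
               *)              echo unknown ;;
           esac ;;
    esac
}

# audit_app PATH: print "<class><TAB><path>" for one bundle (needs macOS codesign).
audit_app() {
    out=$(codesign -dv "$1" 2>&1) || true   # unsigned code exits non-zero; still classify it
    printf '%s\t%s\n' "$(classify_signature "$out")" "$1"
}

# resign_app IDENTITY PATH: replace the signature, then verify it.
# Run this on OS X 10.9 or later so the new signature is v2.
resign_app() {
    codesign --force --sign "$1" "$2" && codesign --verify --verbose "$2"
}

# When bundle paths are passed on the command line, audit each of them.
if command -v codesign >/dev/null 2>&1 && [ "$#" -gt 0 ]; then
    for app in "$@"; do audit_app "$app"; done
fi
```

Any bundle reported as `v1` is one that Gatekeeper on 10.9.5 or Yosemite would no longer recognize as signed.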