Downloaded Script application can't be opened as it's damaged


I notarized my Enhanced Applet successfully with “SD Notary 1.2.1”. Then I created a zip file with “Create Sparkle Appcast File 1.0.1”. Everything seems to be fine until I upload the zip to my server. After downloading and extracting the Applet I can’t run it anymore. macOS says it is damaged and I should move it the bin. Codesign give’s me this output:

% codesign -dv --verbose=4 /Users/***/Downloads/***.app 
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=3954 flags=0x10000(runtime) hashes=114+5 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha1=9c364ccc92333018bb335866644b315c1ab0ec2d
CandidateCDHashFull sha1=9c364ccc92333018bb335866644b315c1ab0ec2d
CandidateCDHash sha256=3a8d45f16cadb80ab9c867f8742db4918271a214
CandidateCDHashFull sha256=3a8d45f16cadb80ab9c867f8742db4918271a21423596a816f18de49f0e09272
Hash choices=sha1,sha256
Page size=4096
Signature size=9032
Authority=Developer ID Application: ***
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=21. Oct 2019 at 13:04:31
Info.plist entries=44
Runtime Version=10.15.0
Sealed Resources version=2 rules=13 files=24
Internal requirements count=1 size=200

What do you see with spctl --assess --type exec -vv ? Before and after?

It says in both cases: a sealed resource is missing or invalid

I’m seeing something similar here, and I’m wondering if the servers are having a hiccup.

I can see that all the binaries are being signed, but the LogFileURL is full of warnings that the signatures are invalid, do not include a secure timestamp, or don’t have the hardened runtime enabled. Regardless, it’s saying Package Approved and The staple and validate action worked!. It doesn’t make a lot of sense.

I’m going to try again tomorrow.

@Tekl it looks like there’s an issue with the enhanced drop in the current version. I’ll post more when I know more.

So this issue should be fixed in 7.0.10.

Thanks, I’ll try it later this week. Cheers