I just discovered this wonderful bug. Apparently “hdiutil makehybrid” is stripping code signatures in some cases.
I first verify the code signature on an App (a build of Emacs, in this case)—there are no errors:
$ codesign --verify _dmg-build/Emacs.app/ $
I then use “hdiutil makehybrid” to create a disk image out of the directory.
$ hdiutil makehybrid -hfs -hfs-volume-name "Emacs Test" -hfs-openfolder _dmg-build _dmg-build -o /tmp/tmp.dmg
I then mount the created image and run try to verify the signature again—but this time it fails!
$ open /tmp/tmp.dmg $ codesign --verify /Volumes/Emacs\ Test/Emacs.app/ /Volumes/Emacs Test/Emacs.app/: code object is not signed at all In subcomponent: /Volumes/Emacs Test/Emacs.app/Contents/MacOS/bin-i386-10_5/grep-changelog
Investigating further, I use “xattr” to list the extended attributes on the “grep-changelog” file. First, the good file:
$ xattr _dmg-build/Emacs.app/Contents/MacOS/bin-i386-10_5/grep-changelog com.apple.cs.CodeDirectory com.apple.cs.CodeRequirements com.apple.cs.CodeSignature
And now the bad file:
$ xattr /Volumes/Test\ Emacs/Emacs.app/Contents/MacOS/bin-i386-10_5/grep-changelog com.apple.FinderInfo
Yup, all the code signature stuff is completely gone! (The “FinderInfo” stuff is OK, it’s just there as a side effect of mounting the disk image).
I’m not exactly sure how to fix this. Apple recently changed code signing requirements so that 10.9.5 now requires deep signatures (way to change something fundamental in a point release, guys). Also the only thing that correctly makes the deep signatures is Xcode 6 which was released only about 1 week before 10.9.5 was released (way to give advanced warning, guys).
2014-10-03 Update:
I filed a bug with Apple and they suggested I use “hdiutil create -srcfolder” instead of “makehybrid“. This does copy the extended attributes correctly. I had originally not used “create” for two reasons: It didn’t have the “-hfs-openfolder” option and the man page claims that only “makehybrid” makes optimally small filesystems. Turns out that “create -srcfolder” automatically does the same thing as “makehybrid -hfs-openfolder” (though it is not documented in the man page) and in practice the resulting .dmgs are just as small or smaller. Problem solved!