Permanent Eraser 2.6.2 and Gatekeeper

4th January 2014 | Permanent Eraser

Permanent Eraser 2.6.2 came out at the end of December 2013, fixing some issues related to Gatekeeper and the latest version of OS X — Mavericks. 2013 almost became the first year since the inception of Permanent Eraser that the app was not updated at least once. Since 2003, Permanent Eraser has received at least one or two yearly updates, sometimes even more, depending upon the development schedule. Looking forward to 2014, work on Permanent Eraser 2.7 will begin.

What's new in Permanent Eraser 2.6.2

One of the biggest fixes in Permanent Eraser 2.6.2 was to properly code sign the app so it would be identified by Gatekeeper as an app by a trusted source. The article Code Signing and Mavericks by Craig Hockenberry helped reveal some trouble areas to resolve. Even though Permanent Eraser 2.6.1 had been code signed, it was not validating properly with Gatekeeper. If I verified the code signature of the app, I saw the following results:

codesign --verify --verbose=4 Permanent\ Eraser\ 2.6.1.app
Permanent Eraser 2.6.1.app: valid on disk
Permanent Eraser 2.6.1.app: satisfies its Designated Requirement

Looks good so far. For the interest of it, I then tried verifying an earlier version of Permanent Eraser which had not been code signed.

codesign --verify --verbose=4 Permanent\ Eraser\ 2.6.0.app
Permanent Eraser 2.6.0.app: code object is not signed at all

Once again, this is returning the expected results. However, if I used the new spctl utility to verify Permanent Eraser in OS X 10.8+, I encountered a problem.

spctl --verbose=4 --assess --type execute Permanent\ Eraser\ 2.6.1.app
Permanent Eraser 2.6.1.app: rejected

spctl, which manages the system security policy, is a command-line utility that first appeared in Mac OS X 10.7.3, but the security system known as Gatekeeper came to prominence with OS X 10.8 "Mountain Lion".

The solution was not to use the Mac Developer signing identity to sign the app (which is used for signing an app for the Mac App Store), but to use the Developer ID Application one, instead. Now when I perform the appropriate checks in OS X Mavericks, everything is looking good.

codesign --verify --verbose=4 Permanent\ Eraser.app/
Permanent Eraser.app/: valid on disk
Permanent Eraser.app/: satisfies its Designated Requirement

spctl --verbose=4 --assess --type execute Permanent\ Eraser.app
../Permanent Eraser.app: accepted
source=Developer ID

Oddly enough, after signing this way in Snow Leopard, trying to verify the app returned this result:

codesign --verify --verbose=4 Permanent\ Eraser.app
Permanent Eraser.app: valid on disk
Permanent Eraser.app: does not satisfy its designated Requirement

However, since the other checks appear to work correctly on post-Snow Leopard systems, this looks to be the proper route to code sign the app and let it verify with Gatekeeper.
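
The two checks above combined into one release gate, as an added example that is not part of the original post; `classify` and `check_app` are hypothetical names and the verdict words are labels chosen here. It treats a build as releasable only when spctl reports "accepted" with "source=Developer ID", because `codesign --verify` alone also passed for the 2.6.1 build that Gatekeeper rejected.

```shell
#!/bin/sh
# Added example, not the author's script. Function names and verdict
# words are hypothetical; the matched strings are the tool output
# lines quoted in the post.

# classify CODESIGN_OUTPUT SPCTL_OUTPUT -> prints one verdict word
classify() {
    cs_out=$1
    sp_out=$2
    case $cs_out in
        *"not signed at all"*)     echo unsigned; return ;;
        *"does not satisfy its "*) echo dr-not-satisfied; return ;;
        *"valid on disk"*)         ;;   # signature intact, keep checking
        *)                         echo invalid-signature; return ;;
    esac
    # A valid signature is not enough: Gatekeeper must also accept it.
    case $sp_out in
        *": accepted"*)
            case $sp_out in
                *"source=Developer ID"*) echo developer-id ;;
                *)                       echo accepted-other-source ;;
            esac ;;
        *)  echo signed-but-rejected ;;
    esac
}

# check_app PATH: run both tools (OS X 10.8+ only) and return success
# only when Gatekeeper accepts the bundle as Developer ID signed.
# Both tools are captured with 2>&1 so their messages are not lost.
check_app() {
    app=$1
    cs_out=$(codesign --verify --verbose=4 "$app" 2>&1) || true
    sp_out=$(spctl --verbose=4 --assess --type execute "$app" 2>&1) || true
    verdict=$(classify "$cs_out" "$sp_out")
    echo "$app: $verdict"
    [ "$verdict" = developer-id ]
}

# Usage on a Mac, e.g. as the last step of a release build:
#   check_app "Permanent Eraser.app" || exit 1
```

A `signed-but-rejected` verdict corresponds to the 2.6.1 situation described above: the signature is intact, but it was made with an identity Gatekeeper does not accept for apps distributed outside the Mac App Store.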
