Good news, we were able to sign the DMG package along with all the executables, libraries and frameworks. (thanks to my colleague Chuck A.). Basically the process is:
- Extract the eula from the DMG
- Mount the DMG
- Fix up broken embedded frameworks
- Sign the app bundle with --deep
- Unmount the dmg
- Re-insert the eula
- Sign the DMG
That said, when starting the application, the verification process was still failing complaining that the identity of the developer cannot be confirmed which was surprising because command like
spctl -a -t exec -vv ./Slicer.app returned that the application was accepted.
It turns out that the libraries and executables bundled in the package still contain references to rpath referencing the build directories. This is causing the verification process to fail. Until now, this was not an issue because the library loader tries all paths until it finds a good one.
Inspecting the system log revealed error like this one:
Oct 24 23:50:08 factory-south CoreServicesUIAgent: Error -60005 creating authorization
Oct 24 23:50:24 factory-south CoreServicesUIAgent: File /Users/kitware/Desktop/Slicer.app/Contents/lib/Slicer-4.10/cli-modules/libACPCTransformLib.dylib failed on rPathCmd /Volumes/Dashboards/Stable/Slicer-4100-build/CTK-build/CMakeExternals/Install/lib/lib/Slicer-4.10/libMRMLCore.dylib
Oct 24 23:50:24 factory-south CoreServicesUIAgent: Fails dylib check
An internet search then revealed a similar error within Qt (that is now fixed), see https://bugreports.qt.io/browse/QTBUG-61413.
Later tomorrow, we will patch all libraries removing references to the build tree and re-sign.
Thanks for your patience,