Improved detection if signature was missing

@scriptingosx: Wandering if we should just detect if Team IDs match anyway, and continue the installation no matter the gatekeeper setting for allowing App Store apps only.
Update CHANGELOG.md
2026-03-08 05:31:53 +00:00 · 2022-04-11 09:02:00 +02:00 · 2022-04-07 20:16:11 +02:00 · 2022-04-07 20:06:17 +02:00
2 changed files with 16 additions and 0 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,5 @@
+- if `spctl`-check is `rejected` then we now show an error that it can be due to Gatekeepr only allowing apps from App Store only. Installomator requires that all identified developers are accepted as well.
+
 ## v9.1

 **Note**: Both Google and Mozilla recommend using the pkg installers instead of the dmg downloads for managed deployments. So far, Installomator has provided labels for both. (`googlechrome` and `googlechromepkg` or `firefox` and `firefoxpkg`, respectively) Since there are problems with the dmg downloads, a future release of Installomator will _disable_ the `firefox` and `googlechrome` dmg labels. You should switch to using the respective pkg labels instead.
--- a/fragments/functions.sh
+++ b/fragments/functions.sh
@@ -425,6 +425,13 @@ installAppWithPath() { # $1: path to app to install in $targetDir

    if [[ $appVerifyStatus -ne 0 ]] ; then
    #if ! teamID=$(spctl -a -vv "$appPath" 2>&1 | awk '/origin=/ {print $NF }' | tr -d '()' ); then
+        if [[ "$(echo $appVerify | head -1 | grep -oi rejected)" = "rejected" ]]; then
+            if [[ "$(echo $appVerify | tail -1)" = "source=no usable signature" ]]; then
+                printlog "Gatekeeper check rejected. No usable signature." ERROR
+            else
+                printlog "Gatekeeper check rejected. Could be that gatekeeper settings only accept App Store apps." ERROR
+            fi
+        fi
        cleanupAndExit 4 "Error verifying $appPath error:\n$logoutput" ERROR
    fi
    printlog "Debugging enabled, App Verification output was:\n$logoutput" DEBUG
@@ -578,6 +585,13 @@ installFromPKG() {

    if [[ $spctlStatus -ne 0 ]] ; then
    #if ! spctlout=$(spctl -a -vv -t install "$archiveName" 2>&1 ); then
+        if [[ "$(echo $spctlOut | head -1 | grep -oi rejected)" = "rejected" ]]; then
+            if [[ "$(echo $spctlOut | tail -1)" = "source=no usable signature" ]]; then
+                printlog "Gatekeeper check rejected. No usable signature." ERROR
+            else
+                printlog "Gatekeeper check rejected. Could be that gatekeeper settings only accept App Store apps." ERROR
+            fi
+        fi
        cleanupAndExit 4 "Error verifying $archiveName error:\n$logoutput" ERROR
    fi
Author	SHA1	Message	Date
Søren Theilgaard	07efbb394f	Improved detection if signature was missing @scriptingosx: Wandering if we should just detect if Team IDs match anyway, and continue the installation no matter the gatekeeper setting for allowing App Store apps only.	2022-04-11 09:02:00 +02:00
Søren Theilgaard	93844fdad9	Update CHANGELOG.md	2022-04-07 20:16:11 +02:00
Søren Theilgaard	27aa86b279	Extra log for spctl rejected	2022-04-07 20:06:17 +02:00