A .app that wraps a shell script, signed on OS X 10.11, does not verify on 10.10 or lower. I can sign on 10.10 and 10.9 and it verifies on 10.9, 10.10 and 10.11.
I put two sample applications and a script on GitHub to show this. The two HelloWorld.apps differ only in the binary format of the contents of /MacOS/HelloWorld. One is a shell script, the other is compiled from Objective-C.
Signing works and verifies on 10.11 for both versions:
Shell script version:
    codesign -s "${signing_identity}" -v shell-script/HelloWorld.app
    signed bundle with generic [liamsharp.helloworld]
    codesign -vv shell-script/HelloWorld.app
    shell-script/HelloWorld.app: valid on disk
    shell-script/HelloWorld.app: satisfies its Designated Requirement
Objective-C version:
    codesign -s "${signing_identity}" -v objective-c/HelloWorld.app
    signed bundle with Mach-O thin (x86_64) [liamsharp.helloworld]
    codesign -vv objective-c/HelloWorld.app
    objective-c/HelloWorld.app: valid on disk
    objective-c/HelloWorld.app: satisfies its Designated Requirement
But the shell script version does not verify on 10.10 and 10.9:
    codesign -vv shell-script/HelloWorld.app
    shell-script/HelloWorld.app: invalid signature (code or signature have been modified)
I have access to another 10.11 machine, and the same problem occurs when it signs the .app. I have access to a 10.9 machine, and this also fails to verify.
There is a difference in the _CodeSignature directory created for the shell script .app.
Here's how it looks when signing on 10.10:
    CodeDirectory CodeRequirements CodeResources CodeSignature
But when signing on 10.11 we get a few additional files:
    CodeDirectory CodeRequirements CodeRequirements-1 CodeResources CodeSignature CodeTopDirectory
Is there a magical option that I'm missing for the code to make this work? Or is there a mistake?