Downloaded DMG created with DropDMG cannot be opened on some 10.14.5 Macs

Hi,

We are encountering the following problem.

We have created a code signed DMG with layout and license. The DMG contains a notarized app.
On some computers the customers, mainly with 10.14.5, have the problem that the DMG cannot be opened. A message something like this:
The DMG could not be opened because Apple could not scan it for malicious code.
I have only the German message here, so the above could not be exactly the English one, but is similar.

Is this a specific problem with 10.14.5, or is this because we've added a license to the DMG and this is maybe preventing the scan for malicious code?

The DMG can of course be opened by right clicking and selecting Open, but we would prefer that the users do not have to do it that way.

Any ideas?

Regards,
Matthias

macOS 10.14.5 added an undocumented requirement that if the disk image is code signed, it is not enough for it to contain a notarized app. You need to notarize the .dmg itself using altool. This is explained more in the DropDMG manual. If macOS finds that it’s not notarized, it will show that error message about being unable to check for malware—even though you’ve already uploaded your app to Apple’s notarization server.

Dear Michael,

Thanks for your explanation. I was not clear enough, please excuse. The dmg was already notarized. I did not mention it, because I thought notarizing a DMG will just notarize the app inside of it. But anyway.

These are the steps we did to create and notarize:

  1. code sign the app
  2. create and code sign DMG from the app using
  3. notarized the DMG using altool
  4. ran stapler to staple the DMG and app inside
  5. all went through w/o problems

checking the dmg using
xcrun stapler validate <path_to_dmg> returns “The validate action worked!”

checking the app on the dmg also returns “The validate action worked!”

But as already written, some Macs do not want to open/mount the DMG with the described warning message.

I will now set up some test VMs. But if you have another idea, that is more than welcome.

Regards,
Matthias
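The local checks from the post above, extended with Gatekeeper's own assessment of the disk image, as an added example that is not part of the original thread or of DropDMG; the DMG path is a placeholder. stapler validate only confirms the stapled ticket, while the spctl call asks the Gatekeeper policy of the Mac it runs on, so the result can differ between macOS versions.

```shell
#!/bin/sh
# Added example: run three local checks on a signed, notarized disk image.
# Usage: sh check_dmg.sh /path/to/Your.dmg   (path is a placeholder)

# Run one check, print PASS/FAIL (with the tool's output on failure),
# and return the tool's success or failure.
run_check() {
    label=$1; shift
    if out=$("$@" 2>&1); then
        printf 'PASS  %s\n' "$label"
        return 0
    fi
    printf 'FAIL  %s\n%s\n' "$label" "$out"
    return 1
}

# Returns the number of failed checks (0 means all three agree).
check_dmg() {
    dmg=$1
    failures=0
    # 1. The disk image's own code signature is intact.
    run_check "code signature" \
        codesign --verify --verbose=2 "$dmg" || failures=$((failures + 1))
    # 2. A notarization ticket is stapled to the image (the check used in the thread).
    run_check "stapled ticket" \
        xcrun stapler validate "$dmg" || failures=$((failures + 1))
    # 3. Gatekeeper's assessment of the image as a document being opened.
    run_check "Gatekeeper assessment" \
        spctl -a -t open --context context:primary-signature -v "$dmg" \
        || failures=$((failures + 1))
    return "$failures"
}

# Only run when a DMG path is given on the command line.
if [ "$#" -eq 1 ]; then
    echo "macOS $(sw_vers -productVersion)"
    check_dmg "$1"
    rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "All checks passed on this Mac."
    else
        echo "$rc check(s) failed on this Mac."
    fi
    exit "$rc"
fi
```

A PASS on the first two checks with a FAIL on the third, on one macOS version only, matches the behaviour described in this thread and is worth attaching to a report to Apple.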

It does (just not the reverse).

If stapler validates the dmg, but other Macs don’t like it, that sounds like something to report to Apple. I’ve seen that happen a few times with macOS 10.15 betas, though not 10.14.5.

I was able to replicate this problem on 2 test machines (1x physical, 1x VM) with 10.14.5. I've updated both to 10.14.6 and the problem has gone.

Maybe this is really just 10.14.5 related.

Thanks.

Regards,
Matthias