Hi,
On macOS, after self-update, .sublime-package files lose their code signature related extended attributes, i.e.: com.apple.cs.Code(Directory|Requirements|Requirements-1|Signature)
As a consequence, the .app code signature is no longer valid.
This doesn’t block Sublime Merge launch since the quarantine extended attributes are gone too, so LaunchServices will not apply Developer ID restrictions.
The issue appeared during the last two minor updates.
Changing .app bundle owner and group to root:admin before self-update may be required to trigger the issue.
This is most certainly the case for Sublime Text too.
Steps to reproduce:
- download and install outdated Sublime Merge application bundle;
- check Security Assessment:
    $ spctl --assess --verbose Sublime\ Merge.app
    Sublime Merge.app: accepted
    source=Developer ID
- self update to current Sublime Merge version;
- check Security Assessment:
    $ spctl --assess --verbose Sublime\ Merge.app
    Sublime Merge.app: rejected
    source=no usable signature
Kindly please consider improving self-update process to keep extended attributes.
Thanks!
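
A way to see which files lost the attributes named in the report, as an added example that is not part of the original post or of any Sublime HQ tooling. It assumes the macOS `xattr` command-line tool; the function names `missing_cs_attrs` and `audit_bundle` are hypothetical.

```shell
#!/bin/sh
# Added example: audits .sublime-package files in an app bundle for the
# code-signature extended attributes listed in the report above.
CS_ATTRS="com.apple.cs.CodeDirectory com.apple.cs.CodeRequirements com.apple.cs.CodeRequirements-1 com.apple.cs.CodeSignature"

# Reads attribute names (one per line) on stdin and prints every
# expected signature attribute that is absent from that listing.
missing_cs_attrs() {
    present=$(cat)
    for want in $CS_ATTRS; do
        # -F literal, -x whole line: "CodeRequirements-1" must not
        # satisfy the check for "CodeRequirements".
        printf '%s\n' "$present" | grep -Fqx -- "$want" || printf '%s\n' "$want"
    done
}

# audit_bundle <path/to/App.app>
# Prints one line per .sublime-package file that lacks signature
# attributes; returns 1 if any file is affected, 0 otherwise.
audit_bundle() {
    bundle=$1
    report=$(find "$bundle" -type f -name '*.sublime-package' |
        while IFS= read -r f; do
            # `xattr <file>` prints the attribute names of a single file.
            missing=$(xattr "$f" 2>/dev/null | missing_cs_attrs | tr '\n' ' ')
            if [ -n "$missing" ]; then
                printf '%s: missing %s\n' "$f" "$missing"
            fi
        done)
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Stand-alone use: sh audit.sh "/Applications/Sublime Merge.app"
if [ "$#" -gt 0 ]; then
    audit_bundle "$1"
fi
```

Running it before and after a self-update shows whether the updater preserved the attributes on each package file, independently of the overall `spctl` verdict.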