Applications that are distributed on on unsigned disk images or .zip archives are subject to App Translocation (Gatekeeper Path Randomization), which can prevent the application from working because it is effectively running from a read-only location. This mechanism is enforced even when the application itself is signed, depending on the distribution mechanism.
In order to bypass App Translocation, you must distribute your application on a Signed DMG.
Signing a DMG requires a Developer ID signing certificate from the Apple Developer Program ($99/year). Once the signing certiciate is obtained, the process is very simple.
- Create a DMG containing the application
- Use codesign from a terminal to sign the DMG:
codesign --force --sign "Developer ID Application: YourCertificateID" /path/to/my.dmg
- Verify the signature from the Terminal using spctl:
spctl -a -t open --context context:primary-signature -v /path/to/my.dmg
- Distribute the Signed DMG