In macOS, is it possible to be an "identified developer" if I sign my app with a self-signed cert and have that cert installed on the target machine? - macos

I have developed an app on Mac OS X.
The app runs properly locally.
Now I'm trying to distribute the app internally to other peers (without having to go through the App Store).
I created a self-signed cert.
I installed the cert and added it as trusted (it is a ROOT cert).
I then signed the app with my self-signed certificate.
All is good; the app still runs properly locally after being signed (I verified that it is indeed signed).
My next step was to upload the signed app to S3. After downloading the app, the OS security settings prevented the launch of the downloaded app ("unidentified developer"). This is the same machine that has the cert installed.
So I'm not sure why I still receive the unidentified developer error. My assumption is that if the cert is present (and trusted) on the target machine, the OS should allow the app to go through.
Is this assumption incorrect? If so, what value does the self-signed cert add (I guess nothing)? If it is not incorrect, maybe I have the wrong cert?

You receive the error after downloading your .app because whatever you used to download it (your web browser?) has set the quarantine attribute, which forces Gatekeeper to kick in. You can read more here.
Gatekeeper is looking for a "developer" certificate, one that is issued by Apple (and has the Apple Root CA as its root certificate). It's not just checking that the root CA is trusted.
e.g. codesign -dvvvv /Applications/Google\ Chrome.app/ shows:
    Authority=Developer ID Application: Google, Inc. (EQHXZ8M8AV)
    Authority=Developer ID Certification Authority
    Authority=Apple Root CA
Your self-signed certificate is not an Apple-issued developer certificate, so Gatekeeper won't recognize it.
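The two things this answer points at, the quarantine attribute and the shape of the Authority chain, can both be checked from a shell. The script below is an added example and not part of the answer or of any Apple tool: it parses the `com.apple.quarantine` value and classifies the `Authority=` lines of a `codesign -dvvvv` report, using constructed sample reports so the parsers run on any POSIX shell; the live `xattr`/`codesign` calls only run where those tools exist (macOS). Bundle paths, team id and identity names in the samples are made up.

```shell
#!/bin/sh
# Added example, not part of the original answer. Two checks that match what the
# answer describes: whether a downloaded bundle carries the com.apple.quarantine
# attribute that triggers Gatekeeper, and whether the Authority= chain printed by
# `codesign -dvvvv` is Apple's Developer ID chain rather than a self-signed one.

# quarantine_agent VALUE: the attribute is "flags;hex-timestamp;agent;uuid"
# (later fields optional); prints the agent that quarantined the file.
quarantine_agent() {
    printf '%s\n' "$1" | cut -d ';' -f 3
}

# signing_kind CODESIGN_OUTPUT: classify the Authority= chain.
#   developer-id : leaf "Developer ID Application: ...", anchored at Apple Root CA
#   apple-other  : anchored at Apple Root CA but a different leaf type
#                  (e.g. a development certificate); Gatekeeper rejects it
#   unanchored   : chain ends elsewhere (self-signed, corporate, third-party CA)
#   unsigned     : no Authority= lines at all
signing_kind() {
    leaf=$(printf '%s\n' "$1" | grep '^Authority=' | head -n 1 | sed 's/^Authority=//')
    root=$(printf '%s\n' "$1" | grep '^Authority=' | tail -n 1 | sed 's/^Authority=//')
    if [ -z "$leaf" ]; then
        echo unsigned
    elif [ "$root" != "Apple Root CA" ]; then
        echo unanchored
    else
        case "$leaf" in
            "Developer ID Application: "*) echo developer-id ;;
            *) echo apple-other ;;
        esac
    fi
}

# assess_bundle APP_PATH: run the real tools on a bundle (macOS only).
assess_bundle() {
    if ! command -v codesign >/dev/null 2>&1; then
        echo "codesign not found; live check skipped (not macOS?)" >&2
        return 2
    fi
    q=$(xattr -p com.apple.quarantine "$1" 2>/dev/null)
    if [ -n "$q" ]; then
        echo "quarantined by: $(quarantine_agent "$q")"
    else
        echo "no quarantine attribute (Gatekeeper is not triggered by the launch)"
    fi
    # codesign -d writes its report to stderr
    echo "signature chain: $(signing_kind "$(codesign -dvvvv "$1" 2>&1)")"
}

# Constructed sample reports (same shape as the Chrome output quoted above).
SAMPLE_DEVID='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Authority=Developer ID Application: Example Corp (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA'
SAMPLE_SELF='Executable=/Users/me/MyApp.app/Contents/MacOS/MyApp
Identifier=com.example.myapp
Authority=My Internal Root Cert'
SAMPLE_DEV='Authority=Apple Development: Jane Doe (TEAMID0000)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA'
SAMPLE_QUARANTINE='0083;5f4d3c2b;Chrome;2B5A7C11-1234-4ABC-9DEF-0123456789AB'

echo "Developer ID sample -> $(signing_kind "$SAMPLE_DEVID")"          # developer-id
echo "self-signed sample  -> $(signing_kind "$SAMPLE_SELF")"           # unanchored
echo "development sample  -> $(signing_kind "$SAMPLE_DEV")"            # apple-other
echo "quarantine agent    -> $(quarantine_agent "$SAMPLE_QUARANTINE")" # Chrome
if [ "$#" -gt 0 ]; then assess_bundle "$1"; fi
```

Run it with a bundle path as the first argument on a Mac to see both checks against a real download; the self-signed case from the question comes out as `unanchored`, which is exactly why trusting the root in Keychain Access changes nothing for Gatekeeper.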

Related

Sign an electron app on macos using pfx certificate

I have created an Electron app. Now I want to code-sign it for both the Windows and Mac platforms. But I only have a GoDaddy PFX certificate. I successfully signed code using the PFX certificate from GoDaddy on the Windows platform. So, can I sign an Electron app on the macOS platform using the GoDaddy certificate?
You can sign a macOS app with a GoDaddy code-signing certificate, but it probably won't do what you want. Here's what Apple's developer documentation says (with my emphasis added):
Note: Apple uses the industry-standard form and format of code signing certificates. Therefore, if your company already has a third-party signing identity that you use to sign code on other systems, you can use it with the macOS codesign command. Similarly, if your company is a certificate issuing authority, contact your IT department to find out how to get a signing certificate issued by your company. However, while these valid certificates allow you to sign your code, you can only distribute through the App Store or through the Developer ID program when you sign with a certificate issued by Apple.
So, the question is: how is your application going to be distributed to users' computers?
If it's sold through Apple's App Store, you need to become an Apple Developer, get a Mac App Distribution certificate from Apple, and sign the app with that before submitting it to Apple.
If it's distributed outside Apple's App Store (e.g. via web download), then you also need to become an Apple developer, get a Developer ID certificate, and use that to sign it. If you don't sign it with the right kind of certificate, Gatekeeper will prevent users from opening the app unless they go through a special procedure to trust the app.
Either way, you need to join the Apple Developer program, and use an Apple-issued code signing certificate to sign the macOS version of your app.

Chrome on MacOS stopped trusting cert issued by self-signed CA

I am running a local development website. The certificate securing it is issued by my own internal certificate authority. I have added the certificate authority to the MacOS keychain and marked it as trusted.
This used to work. Over the weekend, it stopped working. I would love to say that I've changed nothing, but obviously something has changed. Nothing specific comes to mind (perhaps a Chrome auto-update after a restart?)
I am on Chrome Version 59.0.3071.115 (Official Build) (64-bit)
I have checked the local site with Opera and Firefox and it loads securely as intended. (I have added the CA cert to the respective trusted roots for each browser). Safari works well too. Only Chrome is giving me grief.
If I look at the developer tools, the security panel is sending mixed messages. It says the cert is valid, but complains that the page is not secure. It is not possible to view the cert:
#dorian is right. The issue is explained in https://bugs.chromium.org/p/chromium/issues/detail?id=715969 . It was not the TeleText string bug that is described in the beginning. Rather, it was that I had generated a version 1 SSL cert, while it should have been a version 3 cert.
Instructions for creating version 3 certs with OpenSSL:
Creating an x509 v3 user certificate by signing CSR
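An added example, not taken from the answer or the linked instructions, of what "a version 3 cert" means in practice: an internal CA signs a CSR with an extension file, which is what gives the issued certificate its v3 extensions (extensions such as subjectAltName exist only in X.509 v3, and a SAN is what current Chrome checks), and a small parser confirms the version and the SAN from the `openssl x509 -text` dump. The host name, paths and sample dumps are made up; `-addext` assumes OpenSSL 1.1.1 or later, and the live issuance only runs if `openssl` is installed.

```shell
#!/bin/sh
# Added example, not part of the original answer: issue an X.509 v3 server
# certificate for a local dev site from an internal CA and check the result.

# cert_version TEXT: "1" or "3" from `openssl x509 -noout -text` output.
cert_version() {
    printf '%s\n' "$1" | sed -n 's/^ *Version: \([0-9]\).*/\1/p' | head -n 1
}

# has_san TEXT: succeeds when the dump shows a Subject Alternative Name extension.
has_san() {
    printf '%s\n' "$1" | grep -q 'X509v3 Subject Alternative Name'
}

# issue_v3_cert DIR HOST: internal CA plus a server cert signed from a CSR with
# extensions; prints the server certificate's text dump.
issue_v3_cert() {
    dir=$1; host=$2
    cat > "$dir/server.ext" <<EOF
subjectAltName = DNS:$host
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # internal CA: v3, marked as a CA so browsers accept it as an issuer
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example Dev CA" \
        -addext "basicConstraints = critical,CA:TRUE" -addext "keyUsage = keyCertSign,cRLSign" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem"
    # server key and CSR
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/server.key" -out "$dir/server.csr"
    # -extfile is what makes the issued cert v3 with a SAN; signing a CSR with
    # no extensions at all yields the bare v1 certificate the answer ran into.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -extfile "$dir/server.ext" -out "$dir/server.pem"
    openssl x509 -in "$dir/server.pem" -noout -text
}

# Constructed sample dumps: a v1 certificate and a v3 one with a SAN.
SAMPLE_V1='Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 4660 (0x1234)
        Subject: CN=dev.example.test'
SAMPLE_V3='Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4661 (0x1235)
        Subject: CN=dev.example.test
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:dev.example.test'

echo "sample v1 -> version $(cert_version "$SAMPLE_V1")"   # 1
echo "sample v3 -> version $(cert_version "$SAMPLE_V3")"   # 3
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    if text=$(issue_v3_cert "$work" dev.example.test 2>/dev/null); then
        echo "issued cert -> version $(cert_version "$text")"
        if has_san "$text"; then echo "issued cert carries a SAN"; fi
    else
        echo "openssl run failed (older release?)" >&2
    fi
    rm -rf "$work"
fi
```

The check is worth keeping in a dev-CA script: a certificate that verifies fine against your own root can still be rejected by the browser if it was issued without extensions, and `cert_version` plus `has_san` catch that before the certificate is installed.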

What are the implications of codesigning an OS X application with a self-signed certificate?

Apple seems to restrict some OS X APIs (e.g. sandboxing) to applications that are codesigned by a trusted certificate, e.g. one issued to members of the paid Mac Developer program.
How does OS X treat applications that are codesigned with a self-signed (or a development) certificate?
Will those features/APIs be available, and the only difference be that users with the default Gatekeeper settings cannot (easily) launch such an application?
Will they be treated just like unsigned apps in every way (entitlements and sandboxing disabled, warning for Gatekeeper users)?
Or will a self-signed certificate be considered an error, and the app will not launch at all regardless of the user's Gatekeeper settings?
AFAIK, apps that aren't code-signed with a certificate that Gatekeeper accepts would be treated as unsigned. I don't know about access to specific features and APIs.
But you can make your self-signed cert acceptable to Gatekeeper. If you sign your code using certificates that weren't issued by Apple, every machine on which you want that code to run as signed would have to (a) have your certificate installed, and (b) have policies set via the spctl command that tell Gatekeeper to allow executing and/or installing code signed by that cert. This part has been tested and verified on Mavericks.
It is more difficult with kernel extensions. I'm still working on that. :-)
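As an added example (not from this answer and not Apple's own tooling), the script below shows what step (b) looks like from the command line: it interprets the verdict `spctl --assess` prints for a bundle, and it adds a Gatekeeper rule scoped to one certificate rather than disabling Gatekeeper. The `--add`, `--anchor` and `--enable --label` options are taken from the spctl man page; the answer reports this approach on Mavericks, and later macOS releases have tightened Gatekeeper, so verify the policy step on the release you actually run. The rule-adding commands are only printed unless `DRY_RUN=0` is set (they need root), and the sample assessment outputs and fingerprint are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original answer: read a spctl assessment and
# add a Gatekeeper rule for code signed under one specific certificate.

# run CMD...: print the command (default) or execute it when DRY_RUN=0.
run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# spctl_verdict OUTPUT: "accepted:<source>" or "rejected:<source>" from the text
# of `spctl --assess --type execute --verbose APP 2>&1`.
spctl_verdict() {
    first=$(printf '%s\n' "$1" | head -n 1)
    case "$first" in
        *": accepted"*) verdict=accepted ;;
        *": rejected"*) verdict=rejected ;;
        *) verdict=unknown ;;
    esac
    src=$(printf '%s\n' "$1" | sed -n 's/^source=//p' | head -n 1)
    echo "${verdict}:${src:-none}"
}

# assess_app APP: live assessment (macOS only); exit status 0 means accepted.
assess_app() {
    command -v spctl >/dev/null 2>&1 || { echo "spctl not found" >&2; return 2; }
    v=$(spctl_verdict "$(spctl --assess --type execute --verbose "$1" 2>&1)")
    echo "$1 -> $v"
    case "$v" in accepted:*) return 0 ;; *) return 1 ;; esac
}

# allow_anchor LABEL SHA1: add a Gatekeeper rule accepting code whose signature
# chain ends in the certificate with this SHA-1 fingerprint, then enable it.
# The fingerprint of an installed certificate can be read with
#   security find-certificate -c "My Internal Root Cert" -Z | awk '/SHA-1 hash/ {print $3}'
# Scoping the rule to one anchor keeps the rest of Gatekeeper's policy intact.
allow_anchor() {
    run spctl --add --type execute --label "$1" --anchor "$2"
    run spctl --enable --label "$1"
}

# Constructed sample outputs of spctl --assess on two bundles.
SAMPLE_ACCEPTED='/Applications/Example.app: accepted
source=Developer ID'
SAMPLE_REJECTED='/Users/me/Downloads/MyApp.app: rejected
source=no usable signature'

spctl_verdict "$SAMPLE_ACCEPTED"   # accepted:Developer ID
spctl_verdict "$SAMPLE_REJECTED"   # rejected:no usable signature
# placeholder fingerprint, replace with the output of the security command above
allow_anchor "Internal Dev Cert" "0000000000000000000000000000000000000000"
if [ "$#" -gt 0 ]; then assess_app "$1"; fi
```

A useful habit is to run `assess_app` before and after `allow_anchor` on the target machine: the `source=` line tells you which rule accepted the code, so you can confirm it was your labelled rule and not a broader policy change.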

mac os x codesign verify failed code object is not signed

I have my executable binary signed using the codesign command, and it verifies successfully on my development machine, where my private key and signing certificate are in the keychain. However, when I copy my executable to my testing machine and try to do "codesign -dvvv", it returns "code object is not signed". My signing certificate is issued by the VeriSign root CA. The CA is installed on my testing machine, but I am not able to verify the executable. Am I missing something?
Yes, you are missing something.
The "Gatekeeper" code signing in Mac OS X only honors signatures which chain back to Apple's CA through developer certificates issued by Apple as part of the Mac OS X developer program. A Verisign code signing certificate is not an acceptable substitute.

Code Signing Identity does not match in my keychain, for mac app store developing?

1. I already downloaded the "Apple Worldwide Developer Relations Certification Authority" and added it to my keychain.
2. My team leader had already created two certs for Mac App Store development; I downloaded them and added them to my keychain.
3. I used two methods to sign my app, but both failed.
First, adding a code sign section in my .xcodeproj (3.2.5).
Second, I used a script:
productbuild --component ./bin/MAS_Release/MyApp.app /Applications --sign "3rd Party Mac Developer Application: My Company Co., Ltd." --product ./src/MyApp/MyApp-Info.plist MyApp.pkg
But it failed with this information:
Code Signing Identity '3rd Party Mac Developer Application: My Company Co., Ltd.' does not match any valid, non-expired, code-signing certificate in your keychain.
I observed that my certificates in the keychain don't have the small triangle.
How do I fix the small triangle being absent? (When I import the certs from my agent, the triangle is absent.)
If you are trying to code-sign the app on a machine that is not the one that generated the CSR request, you need to export the private key from the original Mac's keychain and import it into the current Mac as well.
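An added example, not part of the answer and not Apple's tooling, of how to confirm that diagnosis before moving keys around: `security find-identity -p codesigning` lists every certificate-plus-private-key pair the keychain can build, so an identity that is absent from the report while its certificate is visible in Keychain Access is the "no disclosure triangle" case (certificate without private key), and one that is listed under "Matching identities" but not "Valid identities only" is a different problem (expired, or the chain cannot be built because the WWDR intermediate is missing). The identity name is the one from the question; the reports and hash column are constructed placeholders, and the live check only runs where the `security` tool exists.

```shell
#!/bin/sh
# Added example, not part of the original answer: classify a code-signing
# identity from the report printed by `security find-identity -p codesigning`.

# identity_status NAME REPORT -> valid | present-but-invalid | missing
# The report lists every matching identity first and repeats the valid ones
# under "Valid identities only".
identity_status() {
    name=$1
    all_part=$(printf '%s\n' "$2" | sed -n '1,/Valid identities only/p')
    valid_part=$(printf '%s\n' "$2" | sed -n '/Valid identities only/,$p')
    if printf '%s\n' "$valid_part" | grep -qF "\"$name"; then
        echo valid
    elif printf '%s\n' "$all_part" | grep -qF "\"$name"; then
        echo present-but-invalid
    else
        echo missing
    fi
}

# check_identity NAME: live check on macOS; prints the status and the next step.
check_identity() {
    command -v security >/dev/null 2>&1 || { echo "security tool not found" >&2; return 2; }
    status=$(identity_status "$1" "$(security find-identity -p codesigning 2>&1)")
    echo "$1 -> $status"
    case "$status" in
        missing)
            echo "export the identity (certificate + private key) as a .p12 from the Mac that generated the CSR, then import it here:"
            # keychain file is login.keychain on releases before 10.12
            echo "  security import identity.p12 -k ~/Library/Keychains/login.keychain-db -T /usr/bin/codesign" ;;
        present-but-invalid)
            echo "check the expiry date and that the Apple WWDR intermediate certificate is installed" ;;
    esac
}

IDENTITY='3rd Party Mac Developer Application: My Company Co., Ltd.'

# Constructed reports; the hash column is a placeholder, not a real identity.
REPORT_VALID='Policy: Code Signing
  Matching identities
  1) 0000000000000000000000000000000000000000 "3rd Party Mac Developer Application: My Company Co., Ltd. (TEAMID0000)"
     1 identities found

  Valid identities only
  1) 0000000000000000000000000000000000000000 "3rd Party Mac Developer Application: My Company Co., Ltd. (TEAMID0000)"
     1 valid identities found'
REPORT_INVALID='Policy: Code Signing
  Matching identities
  1) 0000000000000000000000000000000000000000 "3rd Party Mac Developer Application: My Company Co., Ltd. (TEAMID0000)"
     1 identities found

  Valid identities only
     0 valid identities found'
REPORT_MISSING='Policy: Code Signing
  Matching identities
     0 identities found

  Valid identities only
     0 valid identities found'

echo "valid report   -> $(identity_status "$IDENTITY" "$REPORT_VALID")"     # valid
echo "invalid report -> $(identity_status "$IDENTITY" "$REPORT_INVALID")"   # present-but-invalid
echo "missing report -> $(identity_status "$IDENTITY" "$REPORT_MISSING")"   # missing
if [ "$#" -gt 0 ]; then check_identity "$1"; fi
```

Run `check_identity` with the exact identity string you pass to `--sign`; productbuild and codesign match on that string, so a trailing team id or a stray space is enough to turn a valid identity into "does not match".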
