I have built my java application as .app bundle for mac os with simple script to run my jar file.
I have sign code with command codesign -s "My company" my-app
Verify with codesign --verbose=4 my-app and get
myapp: valid on disk
myapp: satisfies its Designated Requirement
Verify with spctl -a -t exec myapp
myapp.app: rejected
But i still can run myapp on mac machine without error message.
How can I make gatekeeper reject my app and show message as unidentified developer or something like that?. I have set gatekeeper only allow app from App Store, but gatekeeper not work
Related
A cross-platform QT application is built for macOS. This app works if I test this on the same machine. When I create a .dmg file, this also works on my machine. When I test this on another machine, I get the error:
You do not have permission to open the application "MYAPP".
How can I debug this to see what the problem is?
Steps I do to create the .dmg file:
Run qmake and make until I have MYAPP.app (release build)
binarycreator -c config/config.xml -p packages/ setup_MYAPP
This creates setup_MYAPP.app
codesign -s "Full common name of my Apple Distribution profile" setup_MYAPP.app
When I provide a meaningless name between quotes it throws an error, so I assume this went fine.
hdiutil create -format UDZO -srcfolder setup_MYAPP.app MYAPP.dmg
This creates MYAPP.dmg, and the installer refuses to run on another macbook.
Alternatively:
Run qmake and make until I have MYAPP.app (release build)
codesign -s "Full common name of my Apple Distribution profile" MYAPP.app
macdeployqt MYAPP.app/ -dmg -codesign="Full common name of my Apple Distribution profile" -appstore-compliant
This creates MYAPP.dmg, and the app refuses to run on another macbook.
OK, it seems the correct answer is "it's complicated".
I have not succeeded in creating an installer that I can share outside the MAC App Store. Apple has restricted this to the point at which I just give in to bureaucracy and to good looking but really extremely bad documentation.
Distribution outside the Mac App Store requires notarization since macOS 10.15.5: see https://developer.apple.com/news/?id=04102019a.
Notarization means signing the code and uploading it to Apple. Apple will perform some magic checks and list it in some internal database.
Notarization requires a Developer ID certificate: see https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721 This is different from a certificate you need for app development and App Store distribution (Why, Apple, why?)
To obtain a developer ID certificate you need to fill in the form at https://developer.apple.com/contact/kext, which is the same form used to be able to write kernel extensions. Kernel extensions. (Why, Apple, why?)
When Apple does not respond to your form submission, you need to poke them a few times. And after they denied your request, you can poke all you want, they likely have set up a vertical classification rule immediately thereafter.
But, should you have been able to get your hands on a precious developer ID certificate, these seem to be the steps to follow to successfully notarize your app:
> security unlock-keychain -p PASSWORD !/Library/Keychains/login.keychain-db
> codesign --timestamp="http://timestamp.apple.com/ts01" --options runtime --verbose=3 --force --deep --sign "NAME OF CERTIFICATE" PATH/TO/APP.app
> xcrun altool -u USER_EMAIL -p APP_SPECIFIC_PASSWORD -notarize-app -t osx --primary-bundle-id INVENT_YOUR_OWN_UNIQUE_ID -f PATH/TO/APP.app
The last run will return another ID, of the form abcdef01-2345-6789-abcd-ef0123456789 and you can use that ID to follow up on your notarization request:
> xcrun altool -u USER_EMAIL -p APP_SPECIFIC_PASSWORD --notarization-info abcdef01-2345-6789-abcd-ef0123456789
You will also get a mail with a link to the notarization results.
I didn't succeed in getting a go, and I'm giving in. I gave up. The next brave soul to run into this may be saved some time after reading this. Good luck, may you succeed where I failed!
There is a professor at the university I work at that has developed a MacOS application he needs to get signed so that it doesn't get blocked by MacOS when users try to run it. I've gotten his CSR and gotten an Apple Developer cert created for him (using the 'ad hoc' distribution option, which created a cert file named 'distribution.cer').
I've searched the Apple Developer site for information on how to sign the application using XCode, but I can't quite grasp the instructions, not being an XCode user or Apple dev.
From what I can gather, you can also sign an app from a terminal, is that correct? If so, does it only work with .pkg installers, or also pre-compiled applications (.app files)?
Code signing
Apple Certificates
Developer ID Application Certificate - sign a macOS application for distribution outside of the Mac App Store.
Developer ID Installer Certificate - sign an application's Installer Package (if any) for distribution outside of the Mac App Store.
Signing an app
On the command line in a Terminal:
codesign -f -o runtime --timestamp -s "Developer ID Application: YOUR NAME (TEAM_ID)" /path/to/bundle.app
Notarization
Be aware that since macOS 10.14.5 (Mojave), software signed with a new Apple developer certificate must be notarized. Code signing is no longer sufficient to bypass Gatekeeper.
Apple's notary service requires you to:
Enable code-signing for all of the executables you distribute.
Enable the Hardened Runtime capability for your application and command line targets (include -o runtime option when running the codesign tool).
Use a “Developer ID” application, kernel extension, or installer certificate for your code-signing signature.
Include a secure timestamp with your code-signing signature (include the --timestamp option when running the codesign tool).
Don’t include the com.apple.security.get-task-allow entitlement with the value set to any variation of true.
Link against the macOS 10.9 or later SDK.
Step 1 - Create a disk image
Create a disk image of the app by opening a Terminal and running the following command:
hdiutil create -volname MyApp -srcfolder /path/to/MyApp.app -ov -format UDBZ MyApp.dmg
Step 2 - Code sign the disk image
Code sign the disk image by opening a Terminal and running the following command:
codesign -s "Developer ID Application: YOUR NAME (TEAM ID)" --timestamp MyApp.dmg
Step 3 - Generate an app-specific password
Generate an app-specific password, refer to this Apple Support article. Note: this is a password that will be specific to the notarization application (xcrun altool) and not to the application being notarized. You therefore only need to do this once, but make sure you copy the generated password and save it somewhere.
Step 4 - Upload disk image to notary service
Note: When you notarize the container disk image, altool also notarizes the application inside, so you can skip the step of notarizing the application itself.
Upload the disk image file to the Apple notary service by opening a Terminal and running the following command:
xcrun altool --notarize-app --primary-bundle-id "<your identifier>" -u "<your email>" -p "<app-specific pwd>" -t osx -f /path/to/MyApp.dmg
The primary-bundle-id helps you keep track of automated correspondence from the notarization service. The value you give doesn’t need to match the bundle identifier of the submitted app or have any particular value. It only needs to make sense to you. The notarization service includes the value whenever it emails you regarding the given altool submission.
If the upload is successful you should receive output similar to the following:
No errors uploading 'MyApp.dmg'.
RequestUUID = 3af4e56f-162b-75bc-827f-7233f92bf20c
Step 5 - Check the notarization process
The notarization process generally takes less than 15 minutes, so you may want to check its progress from time to time by opening a Terminal and running the following command:
xcrun altool --notarization-history 0 -u "<your email>" -p "<app-specific pwd>"
When the notarization process completes successfully the above command will return information similar to the following:
Notarization History - page 0
Date RequestUUID Status Status Code Status Message
------------------------- ------------------------------------ ------- ----------- ----------------
2019-12-08 06:24:03 +0000 3af4e56f-162b-75bc-827f-7233f92bf20c success 0 Package Approved
You should also receive an email from Apple similar to the following for a successful notarization:
Dear <First_Name>,
Your Mac software has been notarized. You can now export this software and distribute it directly to users.
Bundle Identifier: com.example.MyApp.001
Request Identifier: 3af4e56f-162b-75bc-827f-7233f92bf20c
For details on exporting a notarized app, visit Xcode Help or the notarization guide.
Best Regards,
Apple Developer Relations
Step 6 - Staple the ticket to the disk image
The notarization process produces a ticket that tells Gatekeeper that your application is notarized. After notarization completes successfully, the next time any user attempts to run your application on macOS 10.14 or later, Gatekeeper will find the ticket online. This includes users who downloaded your application before notarization.
After step 5 receives the "Package Approved" status message, you should also attach the ticket to the disk image file using the stapler tool, so that future distributions include the ticket. This ensures that Gatekeeper can find the ticket even when a network connection is not available.
To staple the ticket to the disk image file, open a Terminal and run the following command:
xcrun stapler staple /path/to/MyApp.dmg
If the command completes successfully, the output should be similar to:
Processing: /Path/to/MyApp.dmg
Processing: /Path/to/MyApp.dmg
The staple and validate action worked!
Step 7 - Verify notarization of the disk image
To verify the notarization of the disk image, open a Terminal and run the following command:
spctl -a -vv -t install MyApp.dmg
A successful verification of the notarization process should produce output similar to the following:
MyApp.dmg: accepted
source=Notarized Developer ID
origin=Developer ID Application: <Developer Name> (<TEAM_ID>)
Step 8 - Verify notarization of the application
To verify the notarization of the application, install the application, open a Terminal and run the following command:
spctl -a -vv /Applications/MyApp.app
A successful verification of the notarization process should produce output similar to the following:
/Applications/MyApp.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: <Developer Name> (<TEAM_ID>)
Important: test the application by putting it in the Applications directory. It's treated differently by the Gatekeeper when in the "installed" location.
Alternatively, the Apple-recommended way to verify the notarization of an application is to open a Terminal and run the following command:
xcrun stapler validate MyApp.app
A successful verification of the notarization process should produce output similar to the following:
Processing: MyApp.app
The validate action worked!
I have created an apple developer account
Created a Certificate request from Keychain tool,Uploaded it and generated a certificate for Macos distribution
Downloaded the certificate,double clicked and installed it.
Build the .app package and used the codesign tool codesign --force --sign "Apple Development:Cool Developer(27HS88RR)" "mysupercoolapp.app"
Used the following command for verification codesign --verify --deep --strict --verbose=2 "mysupercoolapp.app" the ouput is Valid on Disk,Satisfies some requirement
Using the spctl tool for Gatekeeper verification spctl -a -t exec --vv "mysupercoolapp.app" --> Rejected
Is there some magic trick for gatekeeper to accept the app? I'm fed up of this,apple does not have proper documentation on codesigning a macOs app from xcode directly.
Please advice
I am porting a .NET application to OS X using the Mono Framework. The application works fine, and we have everything done except for packaging. I am packaging a standalone Mono build inside the bundle to avoid dependencies, and using this tool for the job: https://github.com/OutOfOrder/MonoKickstart
The bundle structure we are using is like this:
OurApp.app
\-Contents
+-Info.plist
+-MacOS
| +-osx - native libraries for osx
| +-mono - mono config files
| \ ... - the OS X kickstart binaries, the .exe file, C# .dlls
\-Resources/
\-icon.icns
The bundle runs fine when OS X's Gatekeeper functionality is set off, but when trying to sign it to get it run always, I run into problems...
$ codesign -s "3rd Party Mac Developer Application: Our Certificate" --force --deep --verbose OurApp.app
OurApp.app: bundle format unrecognized, invalid, or unsuitable
In subcomponent: OurApp.app/Contents/MacOS/mono/4.0
All right, I'll remove the mono directory temporarily just to see if it proceeds then:
$ codesign -s "3rd Party Mac Developer Application: Our Certificate" --force --deep --verbose OurApp.app
OurApp.app: signed bundle with Mach-O universal (i386) [org.ourcompany.ourapp]
Success! Or so do I think, but when I'll try to run the app, it still says it's still blocked by Gatekeeper. And when I run
spctl -a -v OurApp.app
OurApp.app/: rejected
So what gives? It says it signed the bundle, and using the --deep parameter, it should've signed all the libraries and such, if I understood right. What should I do to make this work?
Update:
Tried to sign the files one by one with this.
codesign -s "3rd Party Mac Developer Application: Our Certificate" --force --verbose OurAppExecutable.bin
But it refused to do it, because of the "subcomponents" (Even if I'm not using --deep).
I finally got it to sign it by moving everything else but the actual binary file to Resources folder, and then signing the binary file, and then the app bundle.
But yet, it says:
spctl -a -v OurApp.app
OurApp.app/: rejected
source=No Matching Rule
Any further insights?
I'm not sure if --deep is supposed to work or not, but it's not what we use in Xamarin Studio when codesigning Xamarin.Mac projects. What we do is codesign each native library individually and then codesign the app bundle itself.
Hope that helps.
Update: This may be the problem:
OurApp.app: bundle format unrecognized, invalid, or unsuitable
In subcomponent: OurApp.app/Contents/MacOS/mono/4.0
The problem might be that MonoKickStart is not generating correct Mac executables?
I got this to work afterwards. The trick was to keep just the one and only executable file in the MacOS dir, and have everything else in the Resources dir. This way we didn't need to sign all the other things.
Another blunder - not the source of this problem, but of an another one - was that we were trying to sign it with a wrong kind of certificate. "3rd Party Mac Developer Application" is apparently used for App Store submissions. The name is kind of misleading, so it's easy to mess that up. More info: Difference between “Mac Developer” and “3rd Party Mac Developer Application”
I am trying to submit the Mac app outside the app store. I take the build from Xcode 4.5 and use the following code for code-signing. But neither of them are working.
codesign --force -s "3rd Party Mac Developer Application: My Company" -v <path to my .app file>
//signed bundle with Mach-O thin (x86_64) [com.CompanyNama.AppName]
It gives rejected when verifying.
codesign --force --sign "Developer ID Application: My Company" <path to my .app file>
It gives rejected, source=No Matching Rule/source=Developer ID when verifying.
I use the following command for verifying,
sudo spctl -a -v
What I am doing wrong? Which one we should use when code-signing .app file?
You need to replace "Developer ID Application: My Company" with an actual certificate name. Find the production certificate you want to use in Apple's developer portal. Make sure that it's also in your OS X keychain including the private key. Copy the name and replace "Developer ID Application: My Company"
I am not sure about the source=No Matching Rule part, but I was getting rejected, because my Gatekeeper was switched to accept "Mac App store" apps only. After changing it to "Mac App store and identified developers" the check passed.