How to codesign dmg and App inside it? - macos

I have a dmg with an application inside it. I have purchased an Apple developer license and I have succeeded in signing the dmg using the developer certificate. I checked the dmg: it is signed and accepted successfully by Gatekeeper. I have used Sierra 10.12.5 for coding.
I then copied and ran the installer and app.
But running the app throws "can't be opened because it is from an unidentified developer".
codesign --verify --deep --verbose=2 MyQt.app
MyQt.app: code object is not signed at all
In architecture: x86_64
Is it possible to codesign dmg and recursively all content inside including the App?

You should sign the .app with a Developer ID certificate.
You can generate it at developer.apple.com if you are a Team
codesign --force --deep -s DeveloperIDCertificate --keychain pathToKeychain YourApp.app
--force will replace your previous signature
--deep will recursively sign your content
-s DeveloperIDCertificate will sign the app by identity. It should be like this: -s 123C3FF2VA
--keychain is the argument for the keychain database folder; for Sierra it's usually /Users/username/Library/Keychains/login.keychain-db
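
Signing the disk image does not sign the app inside it, so the app and any nested libraries have to be signed before the image is built. The dry-run script below is an added example, not part of the original answer; it signs nested code explicitly rather than with --deep, and the identity, bundle layout and file names are constructed placeholders.

```sh
#!/bin/sh
# Added example: dry-run plan for signing an app and the DMG that carries it.
# IDENTITY is a placeholder; use your own Developer ID Application identity.
IDENTITY="${IDENTITY:-Developer ID Application: Example Corp (TEAMID)}"

# Nested dylibs and frameworks, deepest path first, so inner code is signed
# before the container whose signature seals it.
nested_code() {
    find "$1/Contents" \( -name '*.dylib' -o -name '*.framework' \) 2>/dev/null |
        awk '{ print gsub("/", "/") "\t" $0 }' | sort -rn | cut -f2-
}

# Print the commands in the order they must run; nothing is executed.
release_plan() {
    app=$1 dmg=$2
    nested_code "$app" | while IFS= read -r item; do
        printf 'codesign --force -s "%s" "%s"\n' "$IDENTITY" "$item"
    done
    printf 'codesign --force -s "%s" "%s"\n' "$IDENTITY" "$app"
    printf 'codesign --verify --deep --verbose=2 "%s"\n' "$app"
    printf 'hdiutil create -srcfolder "%s" -format UDZO "%s"\n' "$app" "$dmg"
    printf 'codesign --force -s "%s" "%s"\n' "$IDENTITY" "$dmg"
    printf 'codesign --verify --verbose=2 "%s"\n' "$dmg"
}

# Constructed sample bundle so the plan can be inspected on any machine.
demo_bundle() {
    root=$(mktemp -d)
    fw="$root/MyQt.app/Contents/Frameworks"
    mkdir -p "$root/MyQt.app/Contents/MacOS" "$fw/Demo.framework/Versions/A"
    : > "$root/MyQt.app/Contents/MacOS/MyQt"
    : > "$fw/Demo.framework/Versions/A/libinner.dylib"
    : > "$fw/libhelper.dylib"
    printf '%s\n' "$root/MyQt.app"
}

release_plan "$(demo_bundle)" MyQt.dmg
```

Review the printed plan, then run the commands on the Mac that holds the signing identity.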

Related

After uploading to apple Error: ITMS-90284: Invalid Code Signing

After uploading our app for shipping to the Mac App Store, we always receive a message from Apple with this issue, but I can't find a good answer on how to solve it: "ITMS-90284: Invalid Code Signing - The executable 'com.xy.xy.pkg/Payload/xy.app/Contents/MacOS/xy' must be signed with the certificate that is contained in the provisioning profile."
I changed and renewed the certs but no chance to solve it.
I'm using the latest macOS Catalina. I'm not using Xcode for code signing but the terminal, as this is an Unreal game:
codesign -f -v -s "3rd Party Mac Developer Application:" --entitlements entitlements.plist xy.app/
and for packaging:
productbuild --component xy.app/ /Applications --sign "3rd Party Mac Developer Installer:" xy.pkg
Thank you for ideas.
The explanation for this error: my embedded.provisionprofile cert file was not for "3rd Party Mac Developer".
For all those with a similar problem or error message, it's quite simple: just preview the embedded.provisionprofile to see if "3rd Party Mac Developer" is listed below; if not, it will throw this error.
You need to go to "profiles" + (new Profile) and select "Distribution/Mac App Store". Here the right "3rd Party Mac Dev" Cert with your Bundle id for the app will be generated.

Expected File format for altool upload-app for Mac OS App Store app?

I'm packaging my application for the Mac App Store, using the following command
xcrun altool --upload-app --file MyApp.??? --type osx <credentials>
I see on some examples they are using MyApp.zip as the file, and some it is MyApp.pkg.
altool does not seem happy with simply MyApp.app as a zip file, keeps throwing a lot of errors about the Info.plist which are not accurate.
The most success I've had so far is using productbuild to create a pkg, but now it is demanding that I sign it with my "3rd Party Mac Developer Installer" certificate.
Is it required that you create a signed PKG to deploy to the Mac App Store with altool, or are there any alternatives?
The answer seems to be, Yes, a PKG is required.
It's not well documented, but it would appear that the Mac App Store uses the PKG to install your application upon delivery.
You must create the following:
PKG for delivery
signing certificate for the Mac App
signing certificate for the Mac Installer.
Here's an example of a script that's working for me.
codesign -vfs "3rd Party Mac Developer Application: MyGreatCompany (XXXXXXXX)" MyApp.app
xcrun productbuild --component MyApp.app /Applications/ myapp.unsigned.pkg
xcrun productsign --sign "3rd Party Mac Developer Installer: MyGreatCompany (XXXXXXXX)" myapp.unsigned.pkg myapp.pkg
xcrun altool --upload-app --file myapp.pkg --type osx

OSX codesign Manually

I am trying to codesign an OSX application, and I succeeded in that. I am able to sandbox my application using --entitlements. But my issue is that I have a distribution application certificate and a distribution installer certificate. I signed using both of these. But I am not able to install it on my local machine because it's for the App Store. I need to set my provisioning profile to None so that I can install it manually and check the app. Is there any way to change this? My command is
codesign --entitlements "${ENTITLEMENTS_PATH}" --sign "$APP_SIGN_ID" --deep --force --verbose=2 "${DIST_APP_WITH_PATH}"
Use a Developer ID Application cert to sign items for use outside the app store.

Mac OSX, Apple rejected Unity app. Codesign issue?

We've made a game with Unity 5, which runs without any problems on Mac OSX. But for the Mac OSX App Store from Apple, the game must be codesigned.
I've done that a lot of times in the past and didn't have problems then. But I made a clean install of OSX on the Mac a few weeks ago. I installed all the certificates and they seem to work. But I can't check in the terminal which codesign commands I used in the past, and there may be the problem...
In Unity I build the app with the Mac Appstore Validation.
Then I edit the info.plist, add the icons, create the entitlements-file (do all which was listed in several documents) and go to the terminal.
There I type in the directory of the app:
chmod -R a+xr "APPNAME.app"
codesign -f -v -s "3rd Party Mac Developer Application: COMPANY-NAME" "APPNAME.app/Contents/Frameworks/MonoEmbedRuntime/osx/libmono.0.dylib"
codesign -f --deep -s '3rd Party Mac Developer Application: COMPANY-NAME' --entitlements "APPNAME.entitlements" "APPNAME.app"
productbuild --component "APPNAME.app" /Applications --sign "3rd Party Mac Developer Installer: COMPANY-NAME" "APPNAME.pkg"
Everything works fine, even with the libmono.0.dylib. There I get the result that the existing code signature will be replaced. I am not sure, but I had in mind that we codesigned 3 lines in the past, but we haven't used any more frameworks or plugins now.
Then I test the pkg. I install it and am asked for the login details, and I log in with an iTunesConnect test user account. The app is installed, and when I try to run it, it closes after a few seconds. Then something curious happens: I must log in again with the test user, and after that the game starts without a problem (without trying to start it again!).
I upload the pkg with the ApplicationLoader 3.1 (3.6 didn't work, because it tells me that I can't submit an IPA file, even though it is a pkg; a lot of people have that problem and use an old version of the loader) and that worked too. But I got the result from Apple with the rejection: "...launched app and immediately stopped from launching." So they can't start it.
When I check the codesigned app with spctl -a -t exec -vv <APPNAME> I got the result:
<APPNAME>: rejected
...
But I don't know where I made the mistake?!
Does anyone have an idea of what I am doing wrong?
You mean, for safety's sake, to recreate the certificates? I am sure that I did that when setting up the Mac anew, but if nothing can go wrong by it, I can do it again to be sure...
Edit: I've created new certificates for that Mac and tried to codesign again. When I make the check with spctl -a -t exec -vv <APPNAME> I get the rejected result again.
For the Mac OSX App Store I only need the certificates
3rd Party Mac Developer Application
3rd Party Mac Developer Installer
Mac OS Developer
And in the certificates (dev area at developer.apple.com) I have additional:
Mac App Distribution
Mac Installer Distribution

Mountain Lion PKG signing

I have a plug-in which, according to the guidelines, need not be signed, but I also have a pkg installer (which installs the plug-in) which has to be signed. So I signed both my plug-in and pkg file, to be on the safer side. Since there is no check for plug-ins I haven't seen any issues. But I have issues with my pkg installer. I signed my pkg installer on 10.6.8 so that I can reuse it on 10.5, 10.6, 10.7 and 10.8. I used the following command
productsign --sign "Developer ID Installer: My Company" /Volumes/code/MyInstaller.pkg "/Volumes/code/My Installer.pkg"
The logs displayed by productsign were encouraging
productsign: signing product with identity "Developer ID Installer: My Company" from keychain /Users/vishveshk/Library/Keychains/login.keychain
productsign: adding intermediate certificate "Developer ID Certification Authority"
productsign: Wrote signed product archive to /Volumes/code/My Installer.pkg
When I checked it on 10.8 using
sudo spctl -a -v "My Installer.pkg"
The result was bad
My Installer.pkg: rejected
source=no usable signature
I signed my plug-in on the same machine and it seems to be working fine. Am I doing anything wrong? Any insights on this will be useful.
I ran into the same problem. The issue is that your spctl command line is wrong. According to Apple's documentation here, you need to specify the type, like so:
spctl -a -v --type install MyPackageName.pkg
Chances are that your signed package works fine under Mountain Lion. It was just the problematic command line that misled you into thinking that there was a signature problem.
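
The answer above turns on matching the assessment type to the artifact. The wrapper below is an added example, not from the original post: it picks the --type from the file extension and reduces spctl's output to a verdict and source. The SPCTL override and the function names are assumptions of this example.

```sh
#!/bin/sh
# Added example: run the Gatekeeper assessment that matches the artifact kind
# and reduce spctl's output to "<verdict>|<source>".

# Summarise spctl output read from stdin; exit status 0 only when accepted.
verdict() {
    awk '
        /: accepted/ { v = "accepted" }
        /: rejected/ { v = "rejected" }
        /^source=/   { s = substr($0, 8) }
        END { if (v == "") v = "unknown"
              print v "|" s
              exit (v == "accepted" ? 0 : 1) }
    '
}

# Without --type, spctl assesses the item as executable code, which is the
# wrong question for an installer package or a disk image.
# SPCTL may name a stand-in command for testing (an assumption of this
# example, not an spctl feature).
gatekeeper_check() {
    case "$1" in
        *.pkg|*.mpkg) set -- --type install "$1" ;;
        *.dmg) set -- --type open --context context:primary-signature "$1" ;;
        *.app|*.app/) set -- --type execute "$1" ;;
        *) echo "unknown|unsupported artifact"; return 2 ;;
    esac
    "${SPCTL:-spctl}" -a -vv "$@" 2>&1 | verdict
}

# Usage: sh gatekeeper_check.sh "My Installer.pkg"
if [ $# -gt 0 ]; then gatekeeper_check "$1"; fi
```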
