Do I Codesign with Two Certs on OSX? - macos

On OSX Cocoa application development, do I codesign with two certs or one? (Note, I'm not planning on distributing my app in the Apple AppStore, but from a website.) See, Apple says I need an organizational developer ID to sign my OSX app. Okay, fine, but Chrome and IE browsers like those expensive Symantec EV codesigning certs, at least for Windows apps, more so than other less-expensive EV codesigning certs. (Our tests have shown we get approved by Chrome and IE only with the expensive Symantec EV certs, not the cheaper ones, if wanting to distribute our applications from a website.
So, if indeed I need to code sign with two certs, can you explain the command line process for installing these? Also, note that my application is a little odd and I need to know which items I must codesign. See, in my application, I have:
The setup app is a compiled, custom .app with a binary inside that loads the GUI. I assume I have to codesign both?
The application it installs is a GUI-based .app (Cocoa app) that also contains a couple console executables inside the Resources folder. I assume that I have to codesign the .app and the console executables too?

The certs that Symantec is offering for your web site are probably quite helpful if you were distributing a Windows app, but Apple has developed a solution of its own in Gatekeeper which I strongly recommend using.
As long as you code sign the app with Gatekeeper when you build it with Xcode, you can distribute it on the web and just about any Mac will be able to open it without issue, regardless of browser they're using.

Related

Can Apple Silicon apps be signed with a self-signed certificate when distributing them outside the App Store?

I'm distributing my macOS app outside the App Store and so far I've never code-signed it. My app targets advanced users who know how to configure macOS to allow the app to run.
With the arrival of the Apple M1 computers, however, things have changed as code-signing seems to be mandatory now for native Apple Silicon apps. That's why I'd like to ask: Is it sufficient to sign my app using a self-signed certificate when distributing it outside the App Store? Will it be possible for users who download an app that was signed using a self-signed certificate to run that app?
I'd expect that Gatekeeper will probably block such an app first because it was signed using a self-signed certificate but will users be able to override Gatekeeper's veto in the security settings (as it was previously the case with non-signed apps)?
Or do all apps built for Apple Silicon have to be signed with an official Apple certificate? I'd like to avoid that because last time I checked this was $99 per year.
You can codesign with ad-hoc feature. codesign -s - -f /path/to/filename. This doesn't need certificate.

Distributing Mac app outside App Store. How should I sign it?

I have a Mac app which can't be sandboxed due to using Apple Events and therefore it can't be released through the Mac App Store.
I've made a website, added a payment gateway and everything seems to be ok but I keep getting feedback from testers who can't open the app even with the right mouse button method.
First it was the raw app from Xcode without any kind of signing, after that I tried exporting after archiving using my developer certificate, the I even notarized the app with Apple but still there are people who can't open the app (even though they was able to use it before signing).
Currently I'm using the Mac App Distribution certificate (no provisioning profile). Is this correct? Should I use "Mac Installer", "Mac developer", "Apple developer", "Apple distribution"… why is this so confusing?
You should use the Developer ID Application certificate to distribute a Mac app outside the Mac App Store that does not use an installer. Most Mac apps do not use an installer.
Apple provides a decent explanation of the different certificates when you create a new certificate from Apple's Certificates, Identifiers, and Profiles page. To keep people reading this from having to go there, I'll explain them now.
The Developer ID Installer certificate is for distributing Mac apps outside the App Store that use an installer to install the app.
The Mac Development certificate is for signing development versions of a Mac app.
The Mac App Distribution certificate is for distributing a Mac app on the App Store that does not use an installer. The Mac Installer Distribution certificate is for distributing a Mac app on the App Store that uses an installer.
In Xcode 11, Apple added the Apple Development and Apple Distribution certificates so people could sign their apps for all Apple platforms with one certificate. These certificates are for apps that will end up on the App Store.

Distribute App Outside the Mac App Store

I'm a newbie in OSX Development. I built an application in which will be distributed outside the Mac App Store. I have all the other certificates and keys working except for the Developer ID (App and Installer) for production.
I know that this may sound stupid, but for what it's worth, I just wanna make sure.
Will my app still be considered Developer ID - signed if I exported it as a Mac Installer Package instead of selecting Export Developer ID-signed Application, when I install it to its destination devices? Will it be successfully installed or be rejected with GateKeeper-enabled devices?
I have been scratching my head for this since for some weird reason, I cannot add a new Distribution Developer-ID from the Dev Center. I was able to add a Developer ID earlier this week however, I ran into some issues with my private keys. As per suggested by Apple and many other developers, I revoked all the Developer IDs and private keys to start fresh. The problem now is that I can't add any new Developer ID (Distribution). I cannot add in both Dev Center and by requesting through Xcode 5.0.1. I'm stuck.
I have submitted a Bug Report to Apple, but who knows when they'll be able to resolve it.
So now, temporarily, since I don't have any choice (I guess), I'll use the Mac Installer Package, but the question is, will it work?
Any help would be very, very much appreciated.
I've done this recently and have created a third Xcode project configuration to Debug and Release called Archive, which is a copy of Release except the app is signed using the Mac App Distribution / Third Party Mac App Developer and, confusingly there is a third name used for this same certificate.
I then changed the Archive scheme to use the Archive configuration to build.
Before doing this I had errors on some Macs when signing with my Developer ID, in some cases they claimed the app was corrupted, and in other cases I got gatekeeper blocking the app, forcing me to override it in System Preferences > Security & Privacy.
I personally use xcodebuild (from Jenkins) to build the app for distribution to testers, which I package in a .dmg so they only need to drag it to /Applications or ~/Applications and I do all that using a script within the Jenkins configuration. Your experience may differ to mine if you are using the Xcode app instead.

Testing a Mac App on Registered Devices

I have a Cocoa Mac App that I don't know if it will on the Mac AppStore.
The application is still in development, and I want few persons to be able to launch it on their devices while the app gets new features.
The situation is the following :
I have a Mac Developer Certificate
Devices are registered in the Mac Member Center.
Every time they launch the app, GateKeeper complain the app doesn't come from the Mac AppStore, nor is provided by a identified developer, no matter if I sign the app or not.
So I tried to sign it and a provisioning profile is embedded into the app. If I don't sign it nothing embedded.
I should mention that the app has a Spotlight importer and QuickLook generator bundled into it.
I didn't find any clear explanation on how to resolve this issue in the Apple documentation, and most (if not all) blog posts, or articles on the Internet are about iPhone apps, not Mac ones (the process/requirements seems to be different on the two platforms).
The documentation is unclear on if all testers should be team members (which seems crazy because some of them aren't developers and don't have Xcode installed).
Can someone provide a clear step-by-step explanation on how to do that ?
Or maybe a article/blog post link or tips ?
Edit :
Here are screenshots of the app bundle structure and plug-in structure :
Everything seems to be right.
The way I obtained that is : I didn't set "Code Signing Identity" build setting, but rather archived the app, and exported it specifying code signing identity at that time.
Edit :
More and more curious, when I run codesign command in the terminal, codesign -vvv MyApp.app, the output tends to suggests that all is rightly done :
MyApp.app: valid on disk
MyApp.app: satisfies its Designated Requirement
Interpreting this question as essentially:
"how do I beta test Mac App Store apps" ?
Apple hasn't yet published an official workflow in the App Distribution Guide, but the following process works:
Tester sends "System Information utility > Hardware tab > Hardware UUID" to developer
Developer updates dev provisioning profile to include the hardware UUID
Developer uses Xcode Organizer Archives tab, Distribute > "Save as Mac Application", then select the updated development signing identity.
Developer sends newly built app to the tester
Note: The development identities have yellow caution ! icons during the re-signing process but they can still be used.
Not only does this avoid the GateKeeper prompt, but the development provisioning profile is also needed for any store technologies you might be using to work during testing, e.g. iCloud, GameCenter, etc.

Bypass Gatekeeper in Mac OS X Apps without a Mac Developer Membership

Scenario
I want to release an app for Mac OS X, but not on the AppStore. The app runs on 10.6 - 10.8 and up.
Problem
Apple requires all apps for Mac OS X 10.8+ to be signed by the developer to get past Gatekeeper. And unless I tell each user to temporarily disable and re-enable gatekeeper just for my app, according to this document and the Mountain Lion change log... my app won't be allowed to run.
From the wording on Apple's website, it sounds like I'll have to pay the $99.00 a year for the certificate. However, I do not want to pay the $99 - I'm not publishing to the AppStore!
Question
Is there any way I can get around paying the $99 for distribution on 10.8+? I know my app will work on 10.6 and 10.7, but according to Apple it won't be allowed to run on 10.8 without the certificate. Is that true? How can I distribute on 10.8+ (preferably a DMG) without a $99 distribution certificate? Thanks in advance!
Edit #1
DMG files are not authenticated by Gatekepper, only the app itself is.
OS X Lion 10.7.5+ also has Gatekeeper * angry face *
Apple currently provides no way to get around Gatekeeper without paying the $99 / year membership fee. To me, this seems unfair because it squishes out the smaller developers (but that's a discussion for elsewhere).
For a rather cumbersome workaround, one can include a ReadMe or note on the download page for their software to explain to users that they need to right click your app and then click 'Open' and then click confirm to run it. I have also found through experimenting that Gatekeeper does not run security checks on DMG files or the installation of files, only the execution / running of Apps. So one could include some kind of note in their DMG installer that told the user exactly how to install and run the app.
Hopefully Apple will provide a workaround for developers (possibly a cheaper solution for a limited membership) that distribute freeware and open source software.
You don't need to purchase membership. Just get a code signing certificate from any agency and sign your app with it. Then it will bypass the Gatekeeper check. Gatekeeper only checks whether the app is from identified developer or not.

Resources