Mac App signed with Developer ID fails to start, I get com.apple.developer.networking.vpn.api entitlement is not allowed (error code -67050) - macos

I am developing an application that runs on OS X and uses the NEVPNManager for IKEv2 connections introduced in El Capitan. In order to set up/activate a VPN connection it requires the "Personal VPN" entitlement.
If I sign my application with a Development certificate it works as expected on my machine, or on others if they bypass Gatekeeper. However, if I sign it with a Developer ID certificate the app fails to start. codesign -vvv and spctl -a say that there's nothing wrong with its signature, but in the system.log file I see this when I try to run the app:
Nov 19 11:00:01 taskgated[562]: no application identifier provided, can't use provisioning profiles [pid=22401]
Nov 19 11:00:01 taskgated[562]: killed com.myorg.myapp[pid 22401] because its use of the com.apple.developer.networking.vpn.api entitlement is not allowed (error code -67050)
Could the Personal VPN capability be forbidden for use outside the Mac App Store? If so it makes no sense as it does not use any Apple service.
UPDATE:
After talking to someone at Apple, it has become clear that the Personal VPN feature is not allowed to be used outside the App Store, thus it cannot be used along with a Developer ID certificate. Here is the list of which feature is allowed for which kind of code signing [the list here]

I know this question is old, but I wanted to provide an update. As of macOS 10.12 and Xcode 8, Mac apps signed with a Developer ID are allowed outside the Mac App Store. Apps signed in this way will run on both 10.11 and 10.12 without issue. This was a change I requested at WWDC 2016, which was implemented. You will see that the list OP linked to has been updated.
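An added, offline check that mirrors the two complaints taskgated logged above (no application identifier, and a restricted entitlement requested) and parses the spctl verdict lines quoted in the related answers below. This is hypothetical example code, not from the question or any answer; the entitlements plist, spctl output, certificate name and Team ID are constructed placeholders.

```python
"""Offline audit of a macOS app's signing data from captured tool output.
Hypothetical example: reads the plist that `codesign -d --entitlements :- App.app`
prints and the lines from `spctl -a -vv App.app`, so no macOS tools are needed."""
import plistlib
import re

# The thread names only the Personal VPN entitlement as one taskgated refused
# for Developer ID-signed apps before macOS 10.12; extend the set as needed.
RESTRICTED_ENTITLEMENTS = {"com.apple.developer.networking.vpn.api"}

# Constructed sample: a build that requests the VPN entitlement but carries
# no application identifier, the situation shown in the system.log lines.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.developer.networking.vpn.api</key>
  <array><string>allow-vpn</string></array>
</dict></plist>"""

# Constructed sample spctl output (placeholder org name and Team ID).
SAMPLE_SPCTL = """./SomeApp.app: accepted
source=Developer ID
origin=Developer ID Application: Example Org (TEAMID12345)"""

def audit_entitlements(plist_bytes):
    """Return findings matching the two taskgated complaints in the log."""
    ent = plistlib.loads(plist_bytes)
    findings = []
    if not ent.get("com.apple.application-identifier"):
        findings.append("no application identifier, provisioning profile cannot apply")
    for key in sorted(RESTRICTED_ENTITLEMENTS & set(ent)):
        if ent[key]:  # present and non-empty (true, or a non-empty array)
            findings.append(f"restricted entitlement requested: {key}")
    return findings

def parse_spctl(text):
    """Map `spctl -a -vv` output to {'path', 'verdict', 'source', 'origin', ...}."""
    lines = text.strip().splitlines()
    path, _, verdict = lines[0].rpartition(": ")
    info = {"path": path, "verdict": verdict}
    for line in lines[1:]:
        key, _, value = line.partition("=")
        info[key.strip()] = value.strip()
    return info

def signing_team(info):
    """Extract the Team ID in parentheses at the end of the origin line, if any."""
    match = re.search(r"\(([A-Z0-9]+)\)$", info.get("origin", ""))
    return match.group(1) if match else None
```

Comparing `signing_team()` against your own Team ID before handing a build to testers catches an accidental ad-hoc or wrong-identity signature early.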

Related

Can Apple Silicon apps be signed with a self-signed certificate when distributing them outside the App Store?

I'm distributing my macOS app outside the App Store and so far I've never code-signed it. My app targets advanced users who know how to configure macOS to allow the app to run.
With the arrival of the Apple M1 computers, however, things have changed as code-signing seems to be mandatory now for native Apple Silicon apps. That's why I'd like to ask: Is it sufficient to sign my app using a self-signed certificate when distributing it outside the App Store? Will it be possible for users who download an app that was signed using a self-signed certificate to run that app?
I'd expect that Gatekeeper will probably block such an app first because it was signed using a self-signed certificate but will users be able to override Gatekeeper's veto in the security settings (as it was previously the case with non-signed apps)?
Or do all apps built for Apple Silicon have to be signed with an official Apple certificate? I'd like to avoid that because last time I checked this was $99 per year.
You can codesign with the ad-hoc feature: codesign -s - -f /path/to/filename. This doesn't need a certificate.

Is notarization necessary for Mac App store release?

Is it necessary to notarize an app before uploading it to the Apple App Store? I came across an article that says notarization is needed for non-App Store distribution, while Apple will run notarization before approving an App Store version.
Can anyone confirm?
The reason I ask this question is that I notarized the app for distribution outside the Mac App Store and it works fine. For the Mac App Store build, I can upload and distribute it and it works fine on Mac; I only have an issue on Catalina (beta) when the user tries to open it, see attached pic. I wonder if it's related to notarization.
Update: the issue was not due to notarization, but due to code signing. One of the node binaries was not signed before uploading to MAS; maybe Catalina has a stricter rule checking it.
No, it's not required. Apps downloaded from the app store are not notarized. You can verify it using spctl command.
spctl -a -v /Applications/Pages.app
/Applications/Pages.app: accepted
source=Mac App Store
Gatekeeper will check notarization only if the app is downloaded from outside the App Store.
From Safely open apps on your Mac
When you install Mac apps, plug-ins, and installer packages from
outside the App Store, macOS checks the Developer ID signature and
notarization status to verify that the software is from an identified
developer and that it has not been altered.
Notarization is only required for distribution outside the Mac App Store. See Distribute outside the Mac App Store (macOS), which says:
In some cases, you may want to distribute an app outside of the Mac App Store [...] Users gain additional assurance if your Developer ID-signed app is also notarized by Apple.
The macOS User Guide has this to say:
App Store: [...] All the developers of apps in the Mac App Store are identified by Apple, and each app is reviewed before it’s accepted
App Store and identified developers: [...] Identified developers are registered with Apple and can optionally upload their apps to Apple for a security check. If problems occur with an app, Apple can revoke its authorization.

Share Mac App without Mac App store

How do I share a Mac desktop application on Mountain Lion with a limited set of users without using the Mac App Store?
Can anyone tell me the procedure?
Thanks in advance!
Compress your application in finder.
Upload to the cloud (Dropbox, SugarSync, IDrive, CrashPlan) and share.
The correct way to do this is:
1) In the Apple Developer Portal, under "Certificates and Identifiers", ensure that your developers (and their Mac UUIDs) are all added to the portal
2) Download their corresponding profiles and make sure that they're installed on their development Macs (the ones which you registered under devices)
3) In Xcode, when you build an app for development testing, make sure that you're code-signing as "Mac Developer"
Once this is done, check that it's code-signed properly by dropping to terminal and testing it (this example I'll check the Apple Mail app):
04:31 $ spctl -vvvv -a /Applications/Mail.app
/Applications/Mail.app: accepted
source=Apple System
origin=Software Signing
If that passed, then it's free to distribute to your development team. In this case, it's not a developer app, but in the case of a developer app it'll appear as:
04:34 $ spctl -vvvv -a ./SomeApp.app
./SomeApp.app: accepted
source=Mac Developer
origin=Mac Developer: Your Details (TEAMID12345)
From here you can zip it up and email it to your development team to run on their machines.

Using existing CA-issued cert to sign OS X application and keep Gatekeeper happy

I build an OSX app which is distributed as a DMG outside of the Mac App Store, and I'd like to continue to have it be that way once Gatekeeper enforcement begins.
From studying code signing documentation, it looks like the recommended approach is to get a "Developer ID" certificate and use that to codesign. However, you must be a registered OSX developer and pay Apple $99 each year. I already have a certificate from a recognized CA, and I would like to use it with codesign. I found documentation on how to do this, but I cannot tell whether Gatekeeper will allow applications signed using certs issued by other CAs, not Apple.
Does anyone know?
Gatekeeper only recognizes apps signed with Developer ID, not just any signature. See this which also explains how to test Gatekeeper functionality under Lion.
The point is that if Apple owns the certificate authority, they can revoke the certificate if your app turns out to be a trojan or something.

Why can't I code sign this Mac app?

Some days ago I started a small Mac app for Mac OS X Lion. I've never uploaded a Mac app before, so this is the very first time.
This is what I've already done:
Created App ID
Created Certificate
Installed Certificate
Created a Production Provisioning Profile
Changed the App ID to my generated one
Created a new Configuration based on "Release"
Changed its Code Signing to 3rd Party Mac Developer Application
Selected the "Production"-Configuration which I created for the Archive-Scheme
Archived the Application
Now I wanted to "Share" the Application. Xcode (4.1 btw) said to me there were no valid signing identities. Do I need to add an Entitlements.plist like in iOS? Have I forgotten something?
Update:
I just figured out, that I have to sign my app twice. I've still selected "3rd Party Mac Developer Application" but I can't select the Installer cert while submitting my app.
Have you installed the WWDR intermediate certificate? I just had the exact same problems and my issue was that the intermediate certificate was not installed on my machine. Granted, nowhere does Apple explicitly say you need it installed, more like suggestions. But, you do need it. You can find it here, or by going to Developer Certificate Utility under the Mac Developer Center.
I got it to work. I deleted my App and created it anew.
I didn't create a new Configuration, and I only changed the Code Signing Identity of the Target to 3rd Party Mac Developer Application. After this, I archived the app and then I was able to select the installer cert.