OSX Gatekeeper stopping my application - macos

My application was working good before I added one library and a sub-project(both created by me). All are code signed with same value.
If I create a local DMG (using build-script) then it is getting installed on my system, also in other system. But the build taken from Anthill pro fails to pass the OSX Gatekeeper and shows "Un-Identified developer" issue.
What could be the issue that makes the same DMG to behave differently?

I recently dealt with an issue with using a build server to sign an application. It signed fine, but then when we distributed it through our website, our users were asked to "Move to Trash" by OSX. My scenario was a little different, as I was using Jenkins, but perhaps the problem is the same.
I solved the issue by elevating our jenkins user up to an admin, and then running codesign with sudo.
I think this has something to do with signing as a developer vs. signing for distribution. If you download a signed package and your application was signed without distribution privileges, the extended attribute "com.apple.quarantine" gets places on the app package (check it by opening terminal and typing 'xattr [path-to-package]')

Related

Jenkins script to sign Mac OS app requires entering admin user/password in GUI

We recently had to get a new signing certificate for building our Mac OS application and installer.
I was able to update our scripts to use the new certificate - but now the Mac is prompting us IN THE GUI to enter the admin user/password for every use of the certificate (I think - 4 times with our current setup).
The prompt dialog says:
macOS wants to make changes. Enter an administrator's name and password to allow this.
macOS wants to use the "System" keychain.
This is run as a Jenkins job, and before we updated the certificate, this didn't happen. The scripts just ran and the app was signed.
This is running on Mac OS 10.15.7
What do I have to do to allow Jenkins to do the signing without asking for the admin userid/password every time? (especially since it's asking in the Mac GUI, which, normally, nobody is using.)
Finally found the answer. The 2nd answer to this question worked for me:
security / codesign in Sierra: Keychain ignores access control settings and UI-prompts for permission

MacOS Notarize - Gatekeeper does not recognize notarized app

I have a MacOS app and want to distribute to beta users as DMG file outside AppStore.
I have read some articles about how to notarize an app and follow the steps to successfully notarize the DMG file without any problem.
My development machine runs on MacOS 10.14, and XCode version is 10.1.
However when I try to check the notarized DMG file on another testing machine which runs on MacOS 10.14.5 (by sending the file via AirDrop, or download from my website), I still see the popup from GateKeeper with message "'myApp.dmg' can’t be opened because Apple cannot check it for malicious software." on that machine.
It seems Gatekeeper does not work properly to check notarized DMG file. Is there anybody having the same problem and how to fix that?
Short answer
It could be due to an RPATH referencing a path outside the App bundle. Removing this RPATH would resolve the issue.
Inspecting log files
You can find extra information about the rejection (after trying to launch the blocked app) in the Console.app. Note that you should open the Console.app, before trying to open your blocked app, otherwise not all messages may be logged. You should look for process XprotectService in the logs of your device (i.e. choose your device in the left side bar of the Console.app). If the RPATH is indeed the problem, you should find a record like this:
XprotectService: [com.apple.xprotect:xprotect] File /path/to/your/executable/or/library failed on rPathCmd /rpath/causing/the/problem (rpath resolved to: (path not found), bundleURL: /path/to/your/bundle.app)
Inspecting these log files may give you a key to solve other issues too.
Note that I received the following information from an Apple engineer:
Gatekeeper does not inform users via UI about the specifics of the
error, though it is in the logs for developers to look at. The
notarization process is purely about a detecting malicious software
and does not replicate Gatekeeper enforcement. You still need to get
software notarized and test with Gatekeeper.
We are looking to provide better tooling for developers in the future
to pre-flight some of these common errors.
Contact Apple
If you are not able to solve your issue with the above information, you may want to contact Apple itself using the Feedback Assistant. They do not respond very quickly (~1-2 weeks), but the answers are rather to the point.

Failed to run Mac app after being installed by PackageMaker-based installer, Only fails on multiple user accounts machine

I have prepared mono app bundle. Then I used Apple's PackageMaker for making an installer.
The installer has post script which fixes some relative symbolic links inside the bundle folder after being installed in /Applications.
I've tested the installer on a fresh Mac machine with single admin user account. The installer succeeds and the installed application runs perfectly.
The problem is :
When I created another admin account on that machine. The installation succeeded, but the installed bundle's icon has an overly (stop or Blocked) icon!
And when I run my applications, it refuses and the flowing message pops up :
You can't open the application XYZ because it is not supported on this
type of Mac.
I knew it SHOULD be supported, as it was working on "this type of mac" !
tried to modify user/group and permissions for the bundle in PackageMaker window, but not luck.
Can you please clarify my confusion regarding this message and the suggested solution ?

How do I make Install4j sign everything?

How do I change what files are signed by install4j's codesigning on Mac OS X?
Specifically, none of my application's files (including its jar file) are signed. This defeats the purpose of code signing entirely. So, I would like to fix this.
I would also like to do the same on Windows, but it's possible that this is already handled correctly (I have not yet checked).
The purpose of signing not that everything that can be signed in any way is actually signed.
Windows reduces UAC dialogs and shows them with a different warning level if executables are signed. Each launcher that requests elevated privileges has to be signed so that includes the installer, the uninstaller and possibly your launchers.
Mac OS X has a "gatekeeper" that checks if an application bundle that was downloaded from the internet is signed. If not, it will not allow you to run it directly. That's why the installer application bundle has to be signed. Gatekeeper is not concerned with any application bundles that are installed by the installer, so they are not signed by default. This is mostly a good thing, since otherwise you would not be able to modify the Info.plist files of your launchers after the installation.
If you use entitlements for gaining access to specific features on Mac OS X your launchers need to be signed as well. You can specify an entitlements file on the "Executable info->Mac OS X options" step of the launcher wizard, and select "Sign installed launchers" on the "Installer options" step of the Mac OS X media file wizard.
install4j is not concerned with signing JAR files. If you need this feature for some reason, you have to do this in your build process.
#Ingo, it is also true that launcher signing is required for certain restricted functions an application may need (e.g. opening a network socket). I also think I should mention the "Sign installed launchers" on the "Installer options" step is not available on the "Mac OS X single bundle" media type, so users will need to choose another media type if they require launching signing.
This wasn't clear in the documentation, so hopefully this comment can save someone some time.

Can't validate and submit an App to the Mac App Store

I've done codesigning and submitting for iOS apps countless times. This time it struck me with the Mac App Store. I'm repeatedly getting the same error message:
"My Name" is a valid identity. However,
you do not have the associated package identity.
I've recognized this 2 topics here on stack overflow:
mas-code-signing-identity-private-key and mac-app-package-identity-not-installed
Nothing inside there solved the problem for me.
Thats how I (most reliably) reproduce this message:
I clean up all my certificates and private keys starting with "Mac Developer" or "3rd Party Mac Developer". Of course also the expired ones.
Revoking all the stuff inside the Mac certification portal.
Create App-ID (did it only once)
Create new certificate for Mac Development. I can only assume that this is comparable to the debugging certificates for iOS development.
Create new certificate for Mac App. Once again I can only assume that this could be something similar to a distribution certificate in iOS-development.
For completion reasons create a new certificate/profile for my system.
Create a production provisioning profile. I can only assume that this might be equivalent to an iOS distribution profile.
I then download all the certificate mess and install it properly. Some go into the Keychain, others got into the Preferences and XCode.
For making sure I restart XCode or even the whole Mac (doesn't change the frustrating outcome anyway).
I go to the project build settings and select the production provisioning profile, because I assume "production" is equivalent to "distribution". Changing the codesigning identity in the target build settings doesn't work either. While Apple claims in it's documentation that for App Store submission the signing identity has to be changed in the project build settings.
I run an archive build.
I select the archive in the organizer and click validate.
This error message appears:
"My Name" is a valid identity. However,
you do not have the associated package identity.
I can't find any pointer to what the term "package identity" actually means. What is most frustrating to me is that this terminology mess in Apples documentation concerning the code signing and submission process appears not very clear and precise to me. At least not as clear and precise as the documentation for the same process concerning iOS App submission (which is using completely different terminology).
Probably I understood something wrong? Thanx for any help or pointer in advance.
OK, I have some important pointers (additional to Apples documentation) for people stumbling over similar issues.
The error message is totally misleading.
Don't take every word in Apples documentation too seriously.
For solving the issue, 2 points have been most significant:
Additional to all the other profile-mess you need 2 certificates for submission to the Mac App Store (contrary to the same process for iOS App Store submission). Both have to be installed together with their corresponding public and private key pairs.
Mac App
Mac Installer
The codesigning needs to be set on the build target, not the project. I don't remember where but this was described wrong side around in one of Apples documentations.
Eventually my submission worked by keeping to those 2 points.
There is an additional issue with Keychain & XCode.
When Xcode uses a certificate, they want one and only one certificate in your keychain. If you have an expired one, as well as a valid one, Xcode often fails the operation.
So you look at your keychain using Keychain Access, and do not see an expired certificate. It is still there! The default setting for Keychain Access hides expired certificates. Goto the View menu and select Show Expired Certificates. Delete all the expired ones, they are not good for anything.
Quit Keychain Acces and Relaunch Xcode. Xcode often requires a relaunch when adding/deleting certificates.
At that point, the Archive Validate process worked for me.
This is what it was for me as well.
Just want to clarify, you absolutely need both Mac App Distribution and Mac Installer Distribution certificates. Thanks Jacque for your explanation above. It should look like this:
Yes the problem is Mac Installer Distribution certificate.
The easiest way to have everything fixed and loose all the troubles just go to Xcode->Window->Organizer->Devices and then on the lower right corner press on Refresh and log in with your account... xcode will generate and download all the certificates and provisioning profiles needed.

Resources