Revoke / invalidate Mac app signed with Developer ID - macos

I used to distribute a Mac app signed with Developer ID internally. Now I sell this app through the Mac App Store. Is there any way to invalidate the old Developer ID signature, or prevent the old app from running? I'd like to stop the old version from being used, or at least stop it from being redistributed.

If your internal app has no way to update itself then you really can't do much.
What you can do is revoke your certificate and release a new version of your app on the Mac App Store. This still won't prevent the already installed app from running. Just that newer installs can be prohibited.
In your Mac app store version of the app make sure you have some upgrade logic. I.e., if the user has the older app and the newer one then the newer one should delete the older app.
I hope it helps.

Related

Is notarization necessary for Mac App store release?

Is it necessary to notarize an app before uploading to the Apple App Store? I came across some articles saying that notarization is needed for non-App Store distribution, while Apple will run notarization before approving an App Store version.
Anyone can confirm?
The reason I ask this question is because I notarized the app for outside Mac App Store distribution and it works fine. For the Mac App Store build, I can upload and distribute it and it works fine on Mac; I only have an issue on Catalina (beta) when the user tries to open it, see attached pic. Wondering if it's related to notarization.
Update: the issue was not due to notarization, but due to code signing. One of the node binaries was not signed before uploading to MAS; maybe Catalina has a stricter rule checking this.
No, it's not required. Apps downloaded from the app store are not notarized. You can verify it using spctl command.
spctl -a -v /Applications/Pages.app
/Applications/Pages.app: accepted
source=Mac App Store
Gatekeeper will check notarization only if the app is downloaded from outside the App Store.
From Safely open apps on your Mac
When you install Mac apps, plug-ins, and installer packages from
outside the App Store, macOS checks the Developer ID signature and
notarization status to verify that the software is from an identified
developer and that it has not been altered.
Notarization is only required for distribution outside the Mac App Store. See Distribute outside the Mac App Store (macOS), which says:
In some cases, you may want to distribute an app outside of the Mac App Store [...] Users gain additional assurance if your Developer ID-signed app is also notarized by Apple.
The macOS User Guide has this to say:
App Store: [...] All the developers of apps in the Mac App Store are identified by Apple, and each app is reviewed before it’s accepted
App Store and identified developers: [...] Identified developers are registered with Apple and can optionally upload their apps to Apple for a security check. If problems occur with an app, Apple can revoke its authorization.
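The asker's update above (launch failure on Catalina traced to an unsigned node binary inside the bundle) is the common case of a helper executable that the Xcode signing step never touched: codesign treats Contents/Resources as data, so a binary dropped there gets no signature of its own. The script below is an added example, not code from the asker or any answerer. It inventories every Mach-O file inside an .app bundle by magic number (skipping symlinks so framework aliases are not double-counted), and, when run on a Mac, verifies each one with codesign. The bundle layout in demo() is constructed for the example; MyApp.app and the Contents/Resources/node path are hypothetical.

```python
import os
import shutil
import subprocess
import tempfile
from pathlib import Path

# First four bytes of a Mach-O image in either byte order. On-disk little-endian
# 64-bit (x86_64/arm64) images start with cf fa ed fe; the others are kept so
# old PowerPC or 32-bit binaries in a legacy bundle are not missed.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC / MH_CIGAM (32-bit)
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64 / MH_CIGAM_64
}
FAT_MAGIC = b"\xca\xfe\xba\xbe"  # universal (fat) container, big-endian on disk


def is_macho(path):
    """True if the file starts with a Mach-O or fat header.
    Java .class files share the 0xCAFEBABE magic; in a fat header the next word is
    nfat_arch (a small count), whereas a class file stores minor/major version
    there and the major version is always >= 45, so a large count is not Mach-O."""
    try:
        with open(path, "rb") as f:
            head = f.read(8)
    except OSError:
        return False
    magic = head[:4]
    if magic in MACHO_MAGICS:
        return True
    if magic == FAT_MAGIC and len(head) == 8:
        nfat = int.from_bytes(head[4:8], "big")
        return 0 < nfat < 45
    return False


def find_machos(bundle):
    """Walk an .app bundle and return every Mach-O file path relative to it, sorted.
    Symlinks are skipped so Frameworks/X.framework/Versions/Current aliases are not
    reported twice. This is the inventory of what must carry a valid signature."""
    root = Path(bundle)
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if not p.is_symlink() and is_macho(p):
                found.append(p.relative_to(root).as_posix())
    return sorted(found)


def check_signatures(bundle):
    """Run `codesign --verify --strict` on each Mach-O found.
    Returns {path: True/False}, or {path: None} when codesign is not on this host
    (for example when the inventory is run on a Linux build box)."""
    codesign = shutil.which("codesign")
    results = {}
    for rel in find_machos(bundle):
        if codesign is None:
            results[rel] = None
            continue
        proc = subprocess.run([codesign, "--verify", "--strict", str(Path(bundle) / rel)],
                              capture_output=True)
        results[rel] = proc.returncode == 0
    return results


def demo():
    """Build a constructed bundle layout (not a real app) and return its Mach-O inventory."""
    tmp = tempfile.mkdtemp()
    app = Path(tmp) / "MyApp.app"  # hypothetical bundle name
    samples = {
        "Contents/MacOS/MyApp": b"\xcf\xfa\xed\xfe" + b"\0" * 28,                        # main executable
        "Contents/Resources/node": b"\xca\xfe\xba\xbe\x00\x00\x00\x02" + b"\0" * 24,     # fat helper, easy to forget
        "Contents/Resources/Main.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + b"\0" * 24,  # Java class, not Mach-O
        "Contents/Resources/readme.txt": b"plain text\n",
    }
    for rel, data in samples.items():
        dest = app / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes(data)
    try:
        return find_machos(app)  # ['Contents/MacOS/MyApp', 'Contents/Resources/node']
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    print(demo())
```

Run it against the archived .app before uploading and sign anything it reports that codesign rejects; signing nested binaries inside-out, rather than relying on --deep, is what Apple's signing guidance expects.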

Distribute App Outside the Mac App Store

I'm a newbie in OSX Development. I built an application which will be distributed outside the Mac App Store. I have all the other certificates and keys working except for the Developer ID (App and Installer) for production.
I know that this may sound stupid, but for what it's worth, I just wanna make sure.
Will my app still be considered Developer ID-signed if I exported it as a Mac Installer Package instead of selecting Export Developer ID-signed Application, when I install it on its destination devices? Will it be successfully installed or be rejected on Gatekeeper-enabled devices?
I have been scratching my head for this since for some weird reason, I cannot add a new Distribution Developer-ID from the Dev Center. I was able to add a Developer ID earlier this week however, I ran into some issues with my private keys. As per suggested by Apple and many other developers, I revoked all the Developer IDs and private keys to start fresh. The problem now is that I can't add any new Developer ID (Distribution). I cannot add in both Dev Center and by requesting through Xcode 5.0.1. I'm stuck.
I have submitted a Bug Report to Apple, but who knows when they'll be able to resolve it.
So now, temporarily, since I don't have any choice (I guess), I'll use the Mac Installer Package, but the question is, will it work?
Any help would be very, very much appreciated.
I've done this recently and have created a third Xcode project configuration alongside Debug and Release called Archive, which is a copy of Release except that the app is signed using the Mac App Distribution / Third Party Mac App Developer certificate and, confusingly, there is a third name used for this same certificate.
I then changed the Archive scheme to use the Archive configuration to build.
Before doing this I had errors on some Macs when signing with my Developer ID, in some cases they claimed the app was corrupted, and in other cases I got gatekeeper blocking the app, forcing me to override it in System Preferences > Security & Privacy.
I personally use xcodebuild (from Jenkins) to build the app for distribution to testers, which I package in a .dmg so they only need to drag it to /Applications or ~/Applications, and I do all that using a script within the Jenkins configuration. Your experience may differ from mine if you are using the Xcode app instead.

Unlocking Developer ID version of app if Mac App Store version is present on system

I'm currently working on sandboxing some of my applications and it looks like I'll have to get rid of a few features just to satisfy the Mac App Store sandboxing (and other) rules.
Obviously users won't be happy about losing features and I fear they won't blame Apple for making stupid rules and we developers will have to bear the brunt of the anger.
In this vein, I'm thinking about building a system that means that if a user buys the Mac App Store version, s/he'll get the "normal" distribution version for free.
Since I have no idea what the email of the people buying my apps on the Mac App Store is and I don't want to have to handle such cases "by hand", I'd like to find a way of doing so automatically.
I've been thinking about just looking on the hard disk, finding an installed version of the program from the Mac App Store and then unlock the "distribution" version as well.
I'm just not certain whether this breaks Mac App Store rules.
Is looking for the MAS receipt okay in terms of the MAS rules?
Can I verify the MAS receipt using the same mechanism as is embedded in the MAS version of my program?
Is anybody else thinking along these lines?
Best regards,
Frank
I do something like this to enable Mac App Store customers to easily beta test new versions of my app downloaded from my website while still enforcing licensing. Upon startup of the MAS version of my app, I copy its receipt into /Library/Application Support/MyAppName/. Beta versions of the non-MAS version of my app include the same receipt validation code as the MAS version. They look for a receipt in the App Support folder, and validate it, running in licensed-mode if the receipt is valid.
I've been doing this since shortly after the launch of the Mac App Store, as have other developers with no problem. What you describe should be just fine.

Must I used my developer account when downloading Xcode from the App Store?

Regular distributions of Xcode are now available exclusively from the OS X App Store, but (like many, I expect) my App Store account and developer accounts use different Apple IDs. All my previous installations of Xcode have used my developer account, and I also wonder if there are critical parts of the Xcode configuration (e.g. provisioning profiles, etc.) that rely on Xcode having been installed using the developer Apple ID.
Are there any undesirable consequences to simply installing Xcode from the App Store using my personal account? Or, should I (can I, must I) log in to the App Store using my developer Apple ID instead?
You can use whatever Apple ID you want to download Xcode from the Mac App Store. There's nothing special about what it downloads. You'll need to log in to the developer portal though to download beta versions.
You can download Xcode (and lots of other stuff) from Apple's developer downloads website.
I very much doubt, therefore, that it matters whether you got it from the Mac App Store or not.

Update Mac App Store App outside the MAS and check receipt

I am wondering how to build the following scenario:
- I have one app which can be bought in the Mac App Store
- Because this app cannot use sandboxing, which will soon be mandatory, I won't be able to update it in the Mac App Store.
- I want to continue to provide updates to these users but it will be outside MAS updates
- How can I check if the application has been legally acquired?
Thanks for your help
I do something like this to enable Mac App Store customers to easily beta test new versions of my app downloaded from my website while still enforcing licensing. Upon startup of the MAS version of my app, I copy its receipt into /Library/Application Support/MyAppName/. Beta versions of the non-MAS version of my app include the same receipt validation code as the MAS version. They look for a receipt in the App Support folder, and validate it, running in licensed-mode if the receipt is valid.
I believe that MAS receipts are tied to the machine used to buy/download the app, so your users won't be able to transfer receipts between computers. The way to attack this problem might be to issue regular licenses to users who successfully validate a MAS receipt on at least one machine. There's an opportunity for cheating here, but I don't think it's any different than the weaknesses inherent in whatever licensing scheme you use.
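Both threads above (Frank's question about unlocking the Developer ID build, and this one about validating a copied receipt outside the MAS) rest on the same mechanism: the non-MAS build reads the receipt the MAS build dropped into Application Support and runs the same validation on it. The example below is added here and is not the answerer's code. It assumes the receipt's PKCS#7 envelope has already been checked against the Apple Root CA and the signed payload extracted; what is shown is the step that makes receipts machine-bound, as the answer says: parsing the DER payload (a SET of {type, version, value} attributes, per Apple's Receipt Validation Programming Guide) and recomputing SHA-1(GUID || opaque value || bundle-identifier attribute bytes) against attribute 5. On macOS the GUID is the primary network interface's MAC address; here it is a constructed 6-byte value, and the bundle identifier, opaque value and receipt itself are all constructed for the example, built by build_sample_payload rather than issued by Apple.

```python
import hashlib
import hmac

# Receipt attribute types from Apple's Receipt Validation Programming Guide.
ATTR_BUNDLE_ID = 2      # value: DER UTF8String
ATTR_APP_VERSION = 3    # value: DER UTF8String
ATTR_OPAQUE = 4         # value: raw bytes
ATTR_SHA1 = 5           # value: 20 raw bytes = SHA-1(GUID || opaque || bundle-id attribute)
ATTR_ORIG_VERSION = 19  # value: DER UTF8String

TAG_INTEGER, TAG_OCTET_STRING, TAG_UTF8STRING, TAG_SEQUENCE, TAG_SET = 0x02, 0x04, 0x0C, 0x30, 0x31


def der_read(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, content, next_pos).
    Only definite-length encodings are accepted, which is all a receipt uses."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV content")
    return tag, buf[pos:pos + length], pos + length


def parse_payload(payload):
    """Parse Payload ::= SET OF ReceiptAttribute {type INTEGER, version INTEGER, value OCTET STRING}.
    Returns {type: [value, ...]}; a list because in-app purchase attributes repeat."""
    tag, content, end = der_read(payload, 0)
    if tag != TAG_SET or end != len(payload):
        raise ValueError("payload is not a single SET")
    attrs, pos = {}, 0
    while pos < len(content):
        seq_tag, seq, pos = der_read(content, pos)
        if seq_tag != TAG_SEQUENCE:
            raise ValueError("attribute is not a SEQUENCE")
        t_tag, t_val, p = der_read(seq, 0)
        v_tag, _version, p = der_read(seq, p)
        o_tag, value, p = der_read(seq, p)
        if (t_tag, v_tag, o_tag) != (TAG_INTEGER, TAG_INTEGER, TAG_OCTET_STRING) or p != len(seq):
            raise ValueError("malformed ReceiptAttribute")
        attrs.setdefault(int.from_bytes(t_val, "big"), []).append(value)
    return attrs


def utf8_attr(attrs, attr_type):
    """Decode a UTF8String-valued attribute, or return None if it is absent."""
    if attr_type not in attrs:
        return None
    tag, s, _ = der_read(attrs[attr_type][0], 0)
    if tag != TAG_UTF8STRING:
        raise ValueError("attribute %d is not a UTF8String" % attr_type)
    return s.decode("utf-8")


def verify_receipt(payload, expected_bundle_id, guid):
    """True only if the payload names expected_bundle_id and attribute 5 equals
    SHA-1(guid || opaque || bundle-id attribute). The hash covers the DER-encoded
    UTF8String (tag and length included), not the bare string, as in Apple's
    published sample; hashing the bare string is a classic validation bug."""
    try:
        attrs = parse_payload(payload)
        bundle_id_der = attrs[ATTR_BUNDLE_ID][0]
        opaque, expected = attrs[ATTR_OPAQUE][0], attrs[ATTR_SHA1][0]
        if utf8_attr(attrs, ATTR_BUNDLE_ID) != expected_bundle_id:
            return False
    except (ValueError, KeyError, IndexError, UnicodeDecodeError):
        return False
    digest = hashlib.sha1(guid + opaque + bundle_id_der).digest()
    return hmac.compare_digest(digest, expected)


# --- constructed sample receipt payload (not issued by Apple) -----------------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def der_int(v):
    return der(TAG_INTEGER, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def build_sample_payload(bundle_id, version, opaque, guid):
    """Assemble a payload whose SHA-1 attribute is bound to `guid`, the way a
    receipt issued to one machine is."""
    bid_der = der(TAG_UTF8STRING, bundle_id.encode())
    sha = hashlib.sha1(guid + opaque + bid_der).digest()

    def attr(t, value):
        return der(TAG_SEQUENCE, der_int(t) + der_int(1) + der(TAG_OCTET_STRING, value))

    return der(TAG_SET, attr(ATTR_BUNDLE_ID, bid_der)
               + attr(ATTR_APP_VERSION, der(TAG_UTF8STRING, version.encode()))
               + attr(ATTR_OPAQUE, opaque) + attr(ATTR_SHA1, sha)
               + attr(ATTR_ORIG_VERSION, der(TAG_UTF8STRING, b"1.0")))


SAMPLE_BUNDLE_ID = "com.example.MyApp"                                # hypothetical
SAMPLE_GUID = bytes.fromhex("001122aabbcc")                            # constructed; MAC address on macOS
SAMPLE_OPAQUE = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")     # constructed

if __name__ == "__main__":
    payload = build_sample_payload(SAMPLE_BUNDLE_ID, "2.1", SAMPLE_OPAQUE, SAMPLE_GUID)
    print(verify_receipt(payload, SAMPLE_BUNDLE_ID, SAMPLE_GUID))                   # True
    print(verify_receipt(payload, SAMPLE_BUNDLE_ID, bytes.fromhex("665544332211")))  # False: other machine
```

The second call is the case the answer warns about: the same receipt file copied to a different Mac fails the hash check, which is why issuing a regular licence after one successful validation is the practical route.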
