How can I get an app signed with a third-party certificate to pass Gatekeeper?
I have signed mine with the one I bought for the Windows version, and if I have checked the "Mac App Store and identified developers" option in System Preferences it can't be executed.
This is the command I executed for signing:
codesign --force --verify --verbose --sign "My cert" My.app
This is the command for verifying the signing:
codesign --verify --verbose=4 My.app
And this is the output:
My.app/: valid on disk
My.app/: satisfies its Designated Requirement
What am I doing wrong?
Thanks.
Gatekeeper does not accept third-party certificates, only Mac App Store and Apple Developer ID certs. The reason for this is that if Apple finds signed malware being distributed, they want to be able to revoke the certificate that was used to sign it; that's only possible if Apple owns the certificate authority that issued the signing cert. As a result, third-party certs are not considered trustworthy for Gatekeeper purposes.
BTW, the check you're doing with codesign --verify only checks whether the signature matches the contents of the app, not whether it's considered a Gatekeeper-valid signature. For that, you want spctl -va My.app (although note that this checks it against your current Gatekeeper policy, so if you have Gatekeeper set to Mac App Store only, it'll report Developer ID-signed apps as "rejected").
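Added example, not part of the original answer: a small Python pre-check that applies the rule above to the chain codesign reports. It parses the Key=Value lines of `codesign -d --verbose=2` (written to stderr), labels the chain by its leaf and issuers, and predicts the spctl verdict, so a build machine can catch a third-party or Apple Development chain before shipping. The classification labels, the "Apple Mac OS Application Signing" leaf name and the sample output are my assumptions, constructed in the shape of the output quoted on this page.

```python
"""Predict the Gatekeeper verdict from the certificate chain printed (on stderr) by
`codesign -d --verbose=2 App.app`. Constructed helper, not Apple's tooling; it mirrors
the spctl policy quoted on this page: only Developer ID and Mac App Store chains pass."""
import sys
DEVELOPER_ID_CA = "Developer ID Certification Authority"
APPLE_ROOT = "Apple Root CA"
GATEKEEPER_ACCEPTS = {"developer-id", "mac-app-store"}

def parse_codesign_details(text):
    """Parse Key=Value lines; repeated keys (Authority, Nested) become lists."""
    details = {"Authority": [], "Nested": []}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep or " " in key or value.startswith(">"):  # skip 'CodeDirectory v=', 'designated =>'
            continue
        if isinstance(details.get(key), list):
            details[key].append(value.strip())
        else:
            details[key] = value.strip()
    return details

def classify_chain(authorities):
    """Classify by the leaf (first Authority line) and the issuers above it."""
    if not authorities:
        return "unsigned-or-adhoc"
    leaf, issuers = authorities[0], authorities[1:]
    if APPLE_ROOT not in issuers:
        return "third-party"           # Apple cannot revoke it, so Gatekeeper rejects
    if leaf.startswith("Developer ID Application:") and DEVELOPER_ID_CA in issuers:
        return "developer-id"
    if leaf.startswith("Apple Mac OS Application Signing"):
        return "mac-app-store"         # leaf Apple uses when it re-signs store builds (assumed name)
    if leaf.startswith(("Apple Development:", "Mac Developer:")):
        return "apple-development"     # development cert: local runs only
    if leaf.startswith("3rd Party Mac Developer Application:"):
        return "app-store-submission"  # for upload to Apple, not direct distribution
    return "other-apple-issued"

def gatekeeper_verdict(codesign_output):
    kind = classify_chain(parse_codesign_details(codesign_output)["Authority"])
    return kind, ("accepted" if kind in GATEKEEPER_ACCEPTS else "rejected")

# Constructed sample shaped like the Developer ID output quoted on this page.
SAMPLE = """Authority=Developer ID Application: Company, Inc. (XXXXXXXXXX)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=XXXXXXXXXX"""
if __name__ == "__main__":  # pipe `codesign -d --verbose=2 App.app 2>&1` into it
    print("%s -> %s" % gatekeeper_verdict(SAMPLE if sys.stdin.isatty() else sys.stdin.read()))
```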
I am struggling for the past 2 weeks with publishing the .pkg.
If I execute codesign -dvv app-version.pkg
I get app-version.pkg: code object is not signed at all
Then I want to sign it with productsign --sign "3rd Party Mac Developer Installer: xxx (yyy)" ./app-version.pkg ./app-version-signed.pkg
The output is:
productsign: signing product with identity "3rd Party Mac Developer Installer: xxx (yyy)" from keychain /Users/<user>/Library/Keychains/login.keychain-db
productsign: adding certificate "Apple Worldwide Developer Relations Certification Authority"
productsign: adding certificate "Apple Root CA"
productsign: Wrote signed product archive to ./app-version-signed.pkg
When I check my codesign with codesign -dvv app-version-signed.pkg, I get the same result.
app-version-signed.pkg: code object is not signed at all
We are using electron-builder to build the pkg but the pkg is not signed yet. The app is signed with Developer ID application and 3rd Party Mac Developer Application.
Short answer: use pkgutil --check-signature instead of codesign -dvv.
Long answer: flat packages use a somewhat different signing format than other things, and you need to use different tools to sign them & check the signatures. Specifically, use productsign instead of codesign to sign them, and pkgutil instead of codesign to check the signature.
When you use codesign -dvv on a package, it's looking for its format of signature, and indeed there isn't one there.
I have created an apple developer account
Created a certificate request from the Keychain tool, uploaded it and generated a certificate for macOS distribution.
Downloaded the certificate, double-clicked and installed it.
Built the .app package and used the codesign tool: codesign --force --sign "Apple Development:Cool Developer(27HS88RR)" "mysupercoolapp.app"
Used the following command for verification: codesign --verify --deep --strict --verbose=2 "mysupercoolapp.app"; the output is "Valid on Disk, Satisfies some requirement".
Using the spctl tool for Gatekeeper verification: spctl -a -t exec -vv "mysupercoolapp.app" --> Rejected
Is there some magic trick for Gatekeeper to accept the app? I'm fed up with this; Apple does not have proper documentation on codesigning a macOS app from Xcode directly.
Please advise.
My macOS app is codesigned and runs on some computers but on another it fails to run since Gatekeeper pops up "{App} can't be opened because the identity of the developer cannot be confirmed."
I want to detect this issue on the build machine before distributing a faulty .dmg, so I looked into Apple's docs on Checking Gatekeeper Conformance and Examining a Code Signature, which discuss codesign, spctl, and check-signature. What's confusing is that all of these tools report that the .app is signed by my developer account.
$ codesign -v --strict --deep --verbose=2 App.app
App.app: valid on disk
App.app: satisfies its Designated Requirement
$ codesign -d --deep --verbose=2 -r- App.app
Executable=/Applications/App.app/Contents/MacOS/App
Identifier=com.example.app
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=196 flags=0x0(none) hashes=3+3 location=embedded
Signature size=8539
Authority=Developer ID Application: Company, Inc. (XXXXXXXXXX)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Sep 22, 2016, 7:32:19 PM
Info.plist entries=21
TeamIdentifier=XXXXXXXXXX
Sealed Resources version=2 rules=12 files=10708
Nested=Frameworks/Squirrel.framework
Nested=Frameworks/App Helper NP.app
Nested=Frameworks/App Helper.app
Nested=Frameworks/App Helper EH.app
Nested=Frameworks/Mantle.framework
Nested=Frameworks/ReactiveCocoa.framework
Nested=Frameworks/Electron Framework.framework
Internal requirements count=1 size=172
designated => identifier "com.example.app" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = XXXXXXXXXX
$ spctl --assess -vv App.app
App.app: accepted
source=Developer ID
origin=Developer ID Application: Company, Inc. (XXXXXXXXXX)
$ check-signature App.app
(c) 2014 Apple Inc. All rights reserved.
YES
The Certificates, Identifiers & Profiles website shows unexpired "Developer ID Application" and "Developer ID Installer" certificates under my account. I've never revoked any Mac signing certificates. I've also checked that CFBundlePackageType in the app's Info.plist is set to APPL.
What is going on here?
Update: Upgrading the Mac from El Capitan to Sierra resolved the issue. I'd still be interested to learn what the issue could have been in case there are users out there encountering it.
In my case this message came up when an embedded third-party framework had a bad run path setting: LD_RUNPATH_SEARCH_PATHS in the build settings referenced something that it was not allowed to.
Apple documents this here: https://developer.apple.com/library/content/technotes/tn2206/_index.html#//apple_ref/doc/uid/DTS40007919-CH1-TNTAG207
If an app uses @rpath or an absolute path to link to a dynamic library
outside of the app, the app will be rejected by Gatekeeper.
And they even state:
Neither the codesign nor the spctl tool will show the error. The error
will only appear in the system log.
The solution was to modify the third-party framework to something standard like this:
$(inherited) @executable_path/../Frameworks @loader_path/Frameworks
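Added example, not part of this answer: a Python audit that applies the TN2206 rule quoted above to the load commands `otool -l` prints for a binary, flagging dylibs linked by an absolute path outside the bundle and @rpath links whose LC_RPATH entries are not @executable_path- or @loader_path-relative. The sample load commands and the /Users/build paths are constructed, and the check is a heuristic of my own rather than Gatekeeper's logic.

```python
"""Audit Mach-O load commands for the TN2206 rule quoted above: no linking to
libraries outside the bundle via @rpath or absolute paths. Constructed helper,
not Apple's tooling; it parses `otool -l` output and is only a heuristic."""
import re
SYSTEM_PREFIXES = ("/System/Library/", "/usr/lib/")       # system libs are fine
BUNDLE_RELATIVE = ("@executable_path/", "@loader_path/")  # rpaths inside the bundle
DYLIB_CMDS = {"LC_LOAD_DYLIB", "LC_LOAD_WEAK_DYLIB", "LC_REEXPORT_DYLIB"}

def parse_load_commands(text):
    """Return (dylibs, rpaths); LC_ID_DYLIB (the binary's own name) is skipped."""
    dylibs, rpaths, cmd = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("cmd "):
            cmd = line[4:]
        elif cmd in DYLIB_CMDS and line.startswith("name "):
            dylibs.append(re.sub(r"\s+\(offset \d+\)$", "", line[5:]))
        elif cmd == "LC_RPATH" and line.startswith("path "):
            rpaths.append(re.sub(r"\s+\(offset \d+\)$", "", line[5:]))
    return dylibs, rpaths

def find_violations(text):
    """(path, reason) pairs TN2206 says Gatekeeper rejects. An rpath counts as inside
    the bundle only if @executable_path/@loader_path-relative; '..' escapes are not caught."""
    dylibs, rpaths = parse_load_commands(text)
    escaping = [r for r in rpaths if not r.startswith(BUNDLE_RELATIVE)]
    problems = []
    for name in dylibs:
        if name.startswith("@rpath/") and escaping:
            problems.append((name, "rpath leaves the bundle: " + ", ".join(escaping)))
        elif name.startswith("/") and not name.startswith(SYSTEM_PREFIXES):
            problems.append((name, "absolute path outside the bundle"))
    return problems

# Constructed sample in `otool -l` layout (cmdsize/version lines omitted).
SAMPLE = """Load command 12
          cmd LC_LOAD_DYLIB
         name /usr/lib/libSystem.B.dylib (offset 24)
Load command 13
          cmd LC_LOAD_DYLIB
         name @rpath/Mantle.framework/Versions/A/Mantle (offset 24)
Load command 14
          cmd LC_LOAD_DYLIB
         name /Users/build/deps/libhelper.dylib (offset 24)
Load command 15
          cmd LC_RPATH
         path /Users/build/Frameworks (offset 12)
"""
if __name__ == "__main__":  # replace SAMPLE with real `otool -l Foo.framework/Foo` output
    for path, reason in find_violations(SAMPLE):
        print(f"{path}: {reason}")
```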
I've tried to sign my kext using the command:
sudo codesign -s "MyCert" -f MyKext.kext
I've created the certificate using Certificate Assistant, with type "codesign".
But if I validate the kext using:
kextutil -tn MyKext.kext
The following error is displayed:
Code Signing Failure: code signature is invalid
So, how do I codesign a kext using a self-signed certificate?
You can't use a self-signed certificate, essentially. If you aren't already a member, you need to join the Mac Developer Program, and then apply for a kext Developer ID (you'll need to state a reason, and it will take some weeks to be approved or denied) which gives you the required certificate.
During development, or if you're not planning to distribute your kext, you can also continue using unsigned kexts. Yosemite (10.10) requires the kernel boot argument kext-dev-mode=1 to accept these.
I have a Mac app which I have signed using the 'productsign' command from the terminal
productsign --sign "3rd Party Mac Developer Installer: My company (dasdfjkaj)" InstallerUnsigned.pkg InstallerSigned.pkg
productsign: signing product with identity "3rd Party Mac Developer Installer: My company (dasdfjkaj)" from keychain /Users/me/Library/Keychains/login.keychain
productsign: adding intermediate certificate "Apple Worldwide Developer Relations Certification Authority"
productsign: Wrote signed product archive to InstallerSigned.pkg
I then ran the assess command
spctl -a -v --type install InstallerSigned.pkg
InstallerSigned.pkg: accepted
I also checked the signature
pkgutil --check-signature InstallerSigned.pkg
Package "InstallerSigned.pkg":
Status: signed by a developer certificate issued by Apple
Certificate Chain:
1. 3rd Party Mac Developer Installer: My company (dasdfjkaj)
2. Apple Worldwide Developer Relations Certification Authority
3. Apple Root CA
When I run the installer from my machine (with Gatekeeper set to "Mac App Store and identified developers") it runs fine. It also installed properly when I downloaded the same pkg after I deployed it to my website.
But... when I download the pkg in another machine it fails to install. It does not recognize my developer ID. When I run the spctl command on the failed machine, I get
spctl -a -v --type install InstallerSigned.pkg
InstallerSigned.pkg: rejected
Does anyone know why it runs fine on my own machine but fails when the pkg runs on another machine? I am all out of ideas really :/
EDIT:
This is what I get when I run:
spctl --list --type execute
3[Apple System] P0 allow execute
anchor apple
4[Mac App Store] P0 allow execute
anchor apple generic and certificate leaf[field.<I removed this>] exists
5[Developer ID] P0 allow execute
anchor apple generic and certificate 1[field.<I removed this>] exists and certificate leaf[field.<I removed this>] exists
7[GKE] P0 allow execute [(gke)]
cdhash H"<I removed this>"
10[GKE] P0 allow execute [(gke)]
cdhash H"<I removed this>"
14[GKE] P0 allow execute [(gke)]
cdhash H"<I removed this>"
15[GKE] P0 allow execute [(gke)]
cdhash H"<I removed this>"
18[GKE] P0 allow execute [(gke)]
Certificates Matter
These are the certificates you will need to use together for codesigning:
Developer ID Installer
Developer ID Application
3rd Party Mac Developer Installer (usually only used for App Store apps).
The "Developer ID Installer" certificate is what you would use if not submitting to the App Store. For codesigning portions specifically, you need to use the "Developer ID Application" certificate.
Apple Developer Codesigning Workflow Guide