Unable to 'codesign' installer package with valid installer certificate - macos

I am trying to produce a code-signed installer package for distribution outside the Mac Store. My keychain contains the 5 certificates you get when joining the Apple Developer program, which I did yesterday. I have to use the command line "codesign" tool to do this. This requires great craft because codesign's default mechanism for hooking up with the correct certificate does not discriminate between certificates with similar "common names": that they all begin with "3rd Party Mac Developer" creates confusion for codesign's default setting. There are ways to deal with this, however, if you study the documentation (codesign's man page and Apple's technical document, "Code Signing"). When I follow the various instructions carefully my attempt still fails. Here's my terminal command line input (note that my certificate id is X-ed out):
codesign -s "3rd Party Mac Developer Installer: Antony Nispel (XXXXXXXXXX)" -v /Users/antonywallacenispel/Desktop/SpellAware_1.0/SpellAwareDistributionPackageStuff/SpellAware
Here is the result:
3rd Party Mac Developer Installer: Antony Nispel (XXXXXXXXXX): this identity cannot be used for signing code
And when I try the more restrictive request:
codesign -s -i "3rd Party Mac Developer Installer: Antony Nispel (XXXXXXXXXX)" -v /Users/antonywallacenispel/Desktop/SpellAware_1.0/SpellAwareDistributionPackageStuff/SpellAware 
I get the following response:
-i: no identity found 
I assure you that my "identity" (the common name of my installer certificate) is correct.
I would appreciate any help.

The "Developer ID Installer" certificate is what you would use if not submitting to the AppStore.
Certificates Matter
These are the certificates you will need to use together for codesigning:
Developer ID Installer
Developer ID Application
3rd Party Mac Developer Installer (usually only used for the AppStore apps).
Apple Developer Codesigning Workflow Guide
In short, you have to codesign your installer in a specific order with the correct codesigning certificate. I answered a similar question previously here.
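The ambiguity the question describes (several identities whose common names share the prefix "3rd Party Mac Developer") goes away if you hand codesign the certificate's SHA-1 hash instead of its name; codesign's man page accepts a 40-character hex string for -s. The shell below is an added example, not code from the question or the answer above. It works on a constructed stand-in for what `security find-identity -v -p codesigning` prints (made-up hashes, the question's redacted team id), returns a hash only when exactly one identity carries the requested common name, and refuses when the name is missing or appears twice, which happens when an expired certificate sits in the keychain next to its renewal. It also routes Installer identities to productsign, because codesign rejects them with exactly the error quoted in the question.

```shell
#!/bin/sh
# Added example, not code from the question or the answer above.
# Select a signing identity by certificate hash rather than by a common-name
# prefix, and route installer identities to productsign instead of codesign.

# Constructed stand-in for `security find-identity -v -p codesigning` output.
# Hashes are made up; the team id is the question's redacted one. Entries 3
# and 5 share a name, as happens when an expired certificate and its renewal
# both sit in the keychain.
SAMPLE_IDENTITIES='  1) 0a1b2c3d0a1b2c3d0a1b2c3d0a1b2c3d0a1b2c3d "3rd Party Mac Developer Installer: Antony Nispel (XXXXXXXXXX)"
  2) 1b2c3d4e1b2c3d4e1b2c3d4e1b2c3d4e1b2c3d4e "3rd Party Mac Developer Application: Antony Nispel (XXXXXXXXXX)"
  3) 2c3d4e5f2c3d4e5f2c3d4e5f2c3d4e5f2c3d4e5f "Developer ID Installer: Antony Nispel (XXXXXXXXXX)"
  4) 3d4e5f603d4e5f603d4e5f603d4e5f603d4e5f60 "Developer ID Application: Antony Nispel (XXXXXXXXXX)"
  5) 4e5f60714e5f60714e5f60714e5f60714e5f6071 "Developer ID Installer: Antony Nispel (XXXXXXXXXX)"
     5 valid identities found'

# identity_hash NAME
#   Reads find-identity output on stdin and prints the 40-hex SHA-1 of the one
#   identity whose quoted common name is exactly NAME. A bare prefix such as
#   "3rd Party Mac Developer" never matches, which is the ambiguity the
#   question ran into. Exit 1 if nothing matches, 2 if several do.
identity_hash() {
    awk -v want="$1" '
        length($2) == 40 && index($0, "\"" want "\"") > 0 { hashes[n++] = $2 }
        END {
            if (n == 0) exit 1
            if (n > 1) exit 2
            print hashes[0]
        }'
}

# signing_tool NAME
#   Installer certificates sign .pkg files via productsign/productbuild;
#   codesign rejects them with "this identity cannot be used for signing code".
signing_tool() {
    case "$1" in
        "Developer ID Installer:"*|"3rd Party Mac Developer Installer:"*)
            echo productsign ;;
        "Developer ID Application:"*|"3rd Party Mac Developer Application:"*|"Mac Developer:"*)
            echo codesign ;;
        *)
            echo unknown; return 1 ;;
    esac
}

# sign_command NAME PATH
#   Prints the command to run, with the certificate hash in place of the name
#   so the tool cannot pick a look-alike certificate. On a Mac, feed the live
#   `security find-identity -v -p codesigning` output instead of the sample.
sign_command() {
    cert_hash=$(printf '%s\n' "$SAMPLE_IDENTITIES" | identity_hash "$1") || return $?
    tool=$(signing_tool "$1") || return 1
    case "$tool" in
        codesign)    printf 'codesign -s %s -v %s\n' "$cert_hash" "$2" ;;
        productsign) printf 'productsign --sign %s %s %s.signed\n' "$cert_hash" "$2" "$2" ;;
    esac
}

sign_command "Developer ID Application: Antony Nispel (XXXXXXXXXX)" /path/to/SpellAware.app
```

Requesting the duplicated "Developer ID Installer" name fails with status 2 rather than silently picking one of the two certificates, which is the failure mode the hash avoids.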

Related

kextutil says my kernel extension signature is invalid, but code sign says it is valid. It does not load

This is the first time I have ever tried to sign a kernel extension, so I am open to the possibility that I'm doing it wrong.
I requested a kernel signing certificate from Apple. I was required to fill out a form that demonstrated that I really needed to create an in-kernel driver, rather than a user space driver that talked to an IOUserClient.
$ sudo kextutil FL2000.kext/
Password:
Notice: /Library/Extensions/FL2000.kext has debug properties set.
Diagnostics for /Library/Extensions/FL2000.kext:
Code Signing Failure: code signature is invalid
Untrusted kexts are not allowed
ERROR: invalid signature for com.frescologic.FL2000, will not load
It doesn't load at boot - it needs to because it is a graphics driver.
$ codesign --verify -vvvv FL2000.kext/
FL2000.kext/: valid on disk
FL2000.kext/: satisfies its Designated Requirement
$ codesign --display -vvvv FL2000.kext/
Executable=/Library/Extensions/FL2000.kext/Contents/MacOS/FL2000
Identifier=com.frescologic.FL2000
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=1590 flags=0x0(none) hashes=44+3 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha1=83a0328f9af971484b7e30c8d04e68a96dee72c1
CandidateCDHash sha256=cd6c72d17f00d2eed36078eece6a5b536c482772
Hash choices=sha1,sha256
Page size=4096
CDHash=cd6c72d17f00d2eed36078eece6a5b536c482772
Signature size=4693
Authority=Mac Developer: Michael Crawford (YU8CSARZFD)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=Nov 10, 2017, 1:10:07 PM
Info.plist entries=20
TeamIdentifier=444JK52Q93
Sealed Resources version=2 rules=13 files=2
Internal requirements count=1 size=184
Help me O Stackoverflow-Wan. You're my only hope!
I should have spotted this in your codesign output, but your comments make it clear: the problem is with the certificate you are using. Apple issues 4 kinds of Mac codesigning certificates:
"Mac Developer" certificates are for signing apps destined for the Mac App Store during the development phase. This is the type of certificate you appeared to be trying to use for signing a kext. This won't work. It will sign it OK, but kextd etc. won't accept the signature.
"Developer ID Application" certificates are for signing apps which will be distributed outside the App Store. A special variant of this type of certificate includes the certificate extension "1.2.840.113635.100.6.1.18"; only with this extension does it become possible to sign kexts such that they are accepted by macOS.
"Developer ID Installer" certificates are for signing Installer .pkg files/bundles. If you are distributing an app via a DMG or ZIP file, you shouldn't need this, but if you need an installer, possibly because what you're distributing isn't an app, but a kext or system service, then you should create an installer package and sign that with such a certificate.
"Mac Distribution" certificates are what you use to sign the build of an app before submitting it to the Mac App Store. These are also irrelevant to kext signing.
Presumably for security reasons, certificate types 2-4 are only issued to Team Agents in an Apple Developer account. Lowly developers are only given "Mac Developer" certificates, which are intended to be purely temporary, so they're not very security-relevant.
So to summarise, your problem is that you're using a "Mac Developer" certificate to sign a kext. You need to use a "Developer ID Application" certificate instead, specifically one that was issued after the development team was granted kext signing privileges by Apple. If you haven't applied for kext signing privileges, you can do so using this form. (It sounds like you have done so previously, but I'm pointing it out for the benefit of people in the same situation who might stumble across this in the future.)
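Both halves of the answer can be checked mechanically: the first Authority= line of `codesign --display -vvvv` names the leaf certificate that actually signed the kext, and the extension 1.2.840.113635.100.6.1.18 is visible in an exported copy of the Developer ID Application certificate. The shell below is an added example, not code from the question or the answer. The codesign output it parses is copied from the question; the certificate check assumes openssl(1) is installed and a PEM export of the certificate (on macOS, `security find-certificate -c "Developer ID Application: ..." -p`). It only tells you which certificate kind you used and whether the extension is present; kextd applies further checks that this does not model.

```shell
#!/bin/sh
# Added example, not code from the question or the answer above.
# Two checks for the kext signing problem: which certificate kind signed the
# bundle, and whether a Developer ID Application certificate carries the
# kext-signing extension. Assumes openssl(1) is available.

KEXT_SIGNING_OID=1.2.840.113635.100.6.1.18   # extension named in the answer

# Sample `codesign --display -vvvv` output, copied from the question above.
SAMPLE_CODESIGN_DISPLAY='Executable=/Library/Extensions/FL2000.kext/Contents/MacOS/FL2000
Identifier=com.frescologic.FL2000
Authority=Mac Developer: Michael Crawford (YU8CSARZFD)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
TeamIdentifier=444JK52Q93'

# leaf_authority
#   Reads codesign --display output on stdin and prints the first Authority=
#   value, i.e. the common name of the signing (leaf) certificate.
leaf_authority() {
    awk '/^Authority=/ { print substr($0, 11); exit }'
}

# kext_certificate_verdict NAME
#   Classify a leaf certificate name the way the answer does. Only a
#   "Developer ID Application" certificate can carry the kext extension;
#   the other three kinds are signed fine by codesign but refused by kextd.
#   ("Mac Distribution" appears in the keychain as
#   "3rd Party Mac Developer Application".)
kext_certificate_verdict() {
    case "$1" in
        "Developer ID Application:"*)
            echo "candidate: check the certificate for extension $KEXT_SIGNING_OID" ;;
        "Mac Developer:"*)
            echo "rejected: development certificate" ;;
        "Developer ID Installer:"*)
            echo "rejected: installer certificate" ;;
        "Mac Distribution:"*|"3rd Party Mac Developer Application:"*)
            echo "rejected: Mac App Store certificate" ;;
        *)
            echo "unknown certificate kind"; return 1 ;;
    esac
}

# has_kext_signing_extension CERT_PEM
#   Exit 0 if the PEM certificate lists the Apple kext-signing extension.
#   On macOS export the certificate first:
#     security find-certificate -c "Developer ID Application: ..." -p > cert.pem
has_kext_signing_extension() {
    openssl x509 -in "$1" -noout -text | grep -qF "$KEXT_SIGNING_OID"
}

# Stand-alone demonstration against the question's output.
leaf=$(printf '%s\n' "$SAMPLE_CODESIGN_DISPLAY" | leaf_authority)
echo "leaf certificate: $leaf"
kext_certificate_verdict "$leaf"
```

Run against the question's own output this prints "rejected: development certificate", which is the diagnosis the answer reaches from the Authority= line.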

Non-Apple Issued Code Signing Certificate: Can it Work with Mac OS 10.8 Gatekeeper?

Our company develops our application for both Mac OS X and Windows. We have an existing purchased code signing certificate from a non-Apple authority we use to ID our Windows installers. We distribute both our DMGs & MSIs through our own company website.
The code signing guide for Mountain Lion's new Gatekeeper feature seems to imply that a non-Apple issued standard certificate would work, though I could be misinterpreting what "third-party" means in this case:
Note: Apple uses the industry-standard form and format of code signing
certificates. Therefore, if your company already has a third-party
signing identity that you use to sign code on other systems, you can
use it with the OS X codesign command...
Is it possible to use this non-Apple certificate, and if so, how could it be incorporated using the command line "codesign" command?
Cannot take credit for this, but the blunt answer is:
NO
I just spent a good three days converting certificates and searching the internets to find these:
http://successfulsoftware.net/2012/08/30/how-to-sign-your-mac-os-x-app-for-gatekeeper/
http://www.panic.com/blog/2012/02/about-gatekeeper/
http://arstechnica.com/apple/2012/02/developers-gatekeeper-a-concern-but-still-gives-power-users-control/
No.
The reason it will not work is: To pass through GateKeeper, you need a code signing certificate which is signed with your Apple Developer ID. This is not the same as a regular code signing certificate issued to your company. Only Apple issues Apple Developer IDs. (Or at least, at the time of this writing.)
This is very confusing because:
The company we bought the code signing certificate from specifically claimed it works with MacOS. But what they meant was we could sign Apple code technically speaking. But passing GateKeeper is different. (Unclear marketing to say the least.)
At this time, there are unclear Apple docs which talk about signing code with 3rd party certificates. Ex: https://developer.apple.com/library/mac/documentation/security/conceptual/CodeSigningGuide/Procedures/Procedures.html
However, while you can sign the code, it does not pass GateKeeper! Again, this may refer to either internal corporate application use, or it may just be out of date.
Gatekeeper only recognises Apple digital certificates. Windows only recognises Comodo, Verisign and a few other signing authorities. So you need to buy a Comodo (or similar) certificate for Windows and pay $99 per year for the Apple developer program so you can get an Apple certificate as well. It is rather annoying, to say the least.

Using existing CA-issued cert to sign OS X application and keep Gatekeeper happy

I build an OSX app which is distributed as a DMG outside of the Mac App Store, and I'd like to continue to have it be that way once Gatekeeper enforcement begins.
From studying code signing documentation, it looks like the recommended approach is to get a "Developer ID" certificate and use that to codesign. However, you must be a registered OSX developer and pay Apple $99 each year. I already have a certificate from a recognized CA, and I would like to use it with codesign. I found documentation on how to do this, but I cannot tell whether Gatekeeper will allow applications signed using certs issued by other CAs, not Apple.
Does anyone know?
Gatekeeper only recognizes apps signed with Developer ID, not just any signature. See this which also explains how to test Gatekeeper functionality under Lion.
The point is that if Apple owns the certificate authority, they can revoke the certificate if your app turns out to be a trojan or something.

Code Signing Identity does not match in my keychain, for mac app store developing?

1. I already downloaded the "Apple Worldwide Developer Relations Certification Authority" and added it to my keychain.
2. My team leader had already created two certificates for Mac App Store development; I downloaded them and added them to my keychain.
3. I used two methods to sign my app, but both failed.
First, adding a code sign section in my .xcodeproj (3.2.5).
Second, I used script:
productbuild --component ./bin/MAS_Release/MyApp.app /Applications --sign "3rd Party Mac Developer Application: My Company Co., Ltd." --product ./src/MyApp/MyApp-Info.plist MyApp.pkg
But it failed with information:
Code Signing Identity '3rd Party Mac Developer Application: My Company Co., Ltd.' does not match any valid, non-expired, code-signing certificate in your keychain.
I observed that my certificates in the keychain don't have the small triangle.
How do I fix the missing small triangle? (When I import the certificates from my Agent, they don't have the triangle.)
If you are trying to code sign the app on a machine that is not the one that generated the CSR request, you need to export the private key from the original Mac's keychain and import it into the current Mac's keychain as well.

xcode Organizer "Validate" fails with the "No other information is available about the problem." message

I have built an OSX application, it builds and runs using Xcode no problem, I have signed the code and done all the pre-submission things required by Apple. However, when I try to Validate my application in Organizer (or Submit), I get this nasty error: "The operation could not be completed. No other information is available about the problem."
The Bundle Identifier was registered on Apple's website and it matches the one I provide in the applications .plist file. I can't even think of a way to find a problem.
I ran the installer check on the bundle, and this is what I got. Perhaps the problem is with the bundle? However, according to the apple instructions, I can't add Installer Signing Certificate until I am in the submission process.
installer: Warning: PMBundle.pkg is not signed for store submission
installer: Installation Check: Passed
installer: Volume Check: Passed
installer: Bundle com.xxx.yyy will be relocated to /Users/xxx/Library/Application Support/Developer/Shared/Archived Applications/4612642F-468C-49B8-9331-A148DF9E20E6.apparchive/yyy.app
installer: Starting install
installer: Install 0.0% complete
installer: Install 9.1% complete
installer: Install 100.0% complete
installer: Finished install
(I shortened bundle id to 'com.xxx.yyy' and app name to 'yyy' in the example)
Any ideas would greatly help.
I had this error because I didn't have both the code signing certificates: 3rd Party Mac Developer Application and 3rd Party Mac Developer Installer.
Open Keychain, click Certificates in the left panel and check that you have both certificates. If you don't, download them both from the Mac Dev Center; if you do, then check that in your release configuration in Xcode the code sign field is set to 3rd Party Mac Developer Application.
You then need to open organiser, find your app and when you share it to test it code sign it with the 3rd Party Mac Developer Installer certificate. Make sure you manually click the drop down menu and choose the certificate because there's a bug which doesn't register your code signing value and then doesn't sign your code.
Should solve your problem.
All the best, Sami.
I ran into a different cause, which I'll tack on for posterity: you have to have the iOS development tools installed in order to submit to the Mac App Store, even if you aren't doing any iOS development.
I was trying to save a little disk space in my 10.6 support partition by leaving them out. Didn't work.