Due to the inclusion of Gatekeeper, you have to codesign your OS X apps (so your users won’t get a warning). It seems, though, that the only way to get it signed will involve paying the $99/year for a developer program. Is there a way to codesign an app for free?
The only way to get an app signed is to obtain a certificate from Apple for $99/year.
Related
I'm distributing my macOS app outside the App Store and so far I've never code-signed it. My app targets advanced users who know how to configure macOS to allow the app to run.
With the arrival of the Apple M1 computers, however, things have changed as code-signing seems to be mandatory now for native Apple Silicon apps. That's why I'd like to ask: Is it sufficient to sign my app using a self-signed certificate when distributing it outside the App Store? Will it be possible for users who download an app that was signed using a self-signed certificate to run that app?
I'd expect that Gatekeeper will probably block such an app first because it was signed using a self-signed certificate but will users be able to override Gatekeeper's veto in the security settings (as it was previously the case with non-signed apps)?
Or do all apps built for Apple Silicon have to be signed with an official Apple certificate? I'd like to avoid that because last time I checked this was $99 per year.
You can codesign with ad-hoc feature. codesign -s - -f /path/to/filename. This doesn't need certificate.
Apple seems to restrict some OS X APIs (e.g. sandboxing) to applications that are codesigned by a trusted certificate, e.g. one issued to members of the paid Mac Developer program.
How does OS X treat applications that are codesigned with a self-signed (or a development) certificate?
Will those features/APIs be available, and the only difference be that users with the default Gatekeeper settings cannot (easily) launch such an application?
Will they be treated just like unsigned apps in every way (entitlements and sandboxing disabled, warning for Gatekeeper users)?
Or will a self-signed certificate be considered an error, and the app will not launch at all regardless of the user's Gatekeeper settings?
AFAIK, apps that aren't code-signed with a certificate that Gatekeeper accepts, would be treated as unsigned. I don't know about access to specific features and API.
But you can make your self-signed cert acceptable to the Gatekeeper. If you sign your code using certificates that weren't issued by Apple, every machine you want to run that code as signed, would have to (a) have your certificate installed, and (b) have policies set via spctl command that tell the Gatekeeper to allow executing and/or installing code signed by that cert. This part has been tested and verified on Mavericks.
It is more difficult with kernel extensions. I'm still working on that. :-)
I have an application (installer, actually) that was built outside of Xcode which I have codesigned using the codesign utility, but when I try to install it after downloading the signed app, Gatekeeper complains that it comes from an unidentified developer. I have tried using the "3rd Party Mac Developer:..." identity, as well as my own "Mac Developer:..." identity; same result in either case. codesign (as far as I can tell) says all is well, so I'm thinking I'm either using the wrong identity (in which case my question is what I should use/make-to-use instead) or the signature is fine, but there is something that needs to be done w/ my developer account (in which case my question is what might that be).
According to Apple, and verified by me :), there is another set of identities specifically for signing apps to satisfy the intermediate security setting in Gatekeeper, but only a Team's Agent can get, which is why I wasn't getting them. My agent got them, I used them, and Gatekeeper is happy.
Scenario
I want to release an app for Mac OS X, but not on the AppStore. The app runs on 10.6 - 10.8 and up.
Problem
Apple requires all apps for Mac OS X 10.8+ to be signed by the developer to get past Gatekeeper. And unless I tell each user to temporarily disable and re-enable gatekeeper just for my app, according to this document and the Mountain Lion change log... my app won't be allowed to run.
From the wording on Apple's website, it sounds like I'll have to pay the $99.00 a year for the certificate. However, I do not want to pay the $99 - I'm not publishing to the AppStore!
Question
Is there any way I can get around paying the $99 for distribution on 10.8+? I know my app will work on 10.6 and 10.7, but according to Apple it won't be allowed to run on 10.8 without the certificate. Is that true? How can I distribute on 10.8+ (preferably a DMG) without a $99 distribution certificate? Thanks in advance!
Edit #1
DMG files are not authenticated by Gatekepper, only the app itself is.
OS X Lion 10.7.5+ also has Gatekeeper * angry face *
Apple currently provides no way to get around Gatekeeper without paying the $99 / year membership fee. To me, this seems unfair because it squishes out the smaller developers (but that's a discussion for elsewhere).
For a rather cumbersome workaround, one can include a ReadMe or note on the download page for their software to explain to users that they need to right click your app and then click 'Open' and then click confirm to run it. I have also found through experimenting that Gatekeeper does not run security checks on DMG files or the installation of files, only the execution / running of Apps. So one could include some kind of note in their DMG installer that told the user exactly how to install and run the app.
Hopefully Apple will provide a workaround for developers (possibly a cheaper solution for a limited membership) that distribute freeware and open source software.
You don't need to purchase membership. Just get a code signing certificate from any agency and sign your app with it. Then it will bypass the Gatekeeper check. Gatekeeper only checks whether the app is from identified developer or not.
I build an OSX app which is distributed as a DMG outside of the Mac App Store, and I'd like to continue to have it be that way once Gatekeeper enforcement begins.
From studying code signing documentation, it looks like the recommended approach is to get a "Developer ID" certificate and use that to codesign. However, you must be a registered OSX developer and pay Apple $99 each year. I already have a certificate from a recognized CA, and I would like to use it with codesign. I found documentation on how to do this, but I cannot tell whether Gatekeeper will allow applications signed using certs issued by other CAs, not Apple.
Does anyone know?
Gatekeeper only recognizes apps signed with Developer ID, not just any signature. See this which also explains how to test Gatekeeper functionality under Lion.
The point is that if Apple owns the certificate authority, they can revoke the certificate if your app turns out to be a trojan or something.