How do I make Install4j sign everything? - macos

How do I change what files are signed by install4j's codesigning on Mac OS X?
Specifically, none of my application's files (including its jar file) are signed. This defeats the purpose of code signing entirely. So, I would like to fix this.
I would also like to do the same on Windows, but it's possible that this is already handled correctly (I have not yet checked).

The purpose of signing not that everything that can be signed in any way is actually signed.
Windows reduces UAC dialogs and shows them with a different warning level if executables are signed. Each launcher that requests elevated privileges has to be signed so that includes the installer, the uninstaller and possibly your launchers.
Mac OS X has a "gatekeeper" that checks if an application bundle that was downloaded from the internet is signed. If not, it will not allow you to run it directly. That's why the installer application bundle has to be signed. Gatekeeper is not concerned with any application bundles that are installed by the installer, so they are not signed by default. This is mostly a good thing, since otherwise you would not be able to modify the Info.plist files of your launchers after the installation.
If you use entitlements for gaining access to specific features on Mac OS X your launchers need to be signed as well. You can specify an entitlements file on the "Executable info->Mac OS X options" step of the launcher wizard, and select "Sign installed launchers" on the "Installer options" step of the Mac OS X media file wizard.
install4j is not concerned with signing JAR files. If you need this feature for some reason, you have to do this in your build process.

#Ingo, it is also true that launcher signing is required for certain restricted functions an application may need (e.g. opening a network socket). I also think I should mention the "Sign installed launchers" on the "Installer options" step is not available on the "Mac OS X single bundle" media type, so users will need to choose another media type if they require launching signing.
This wasn't clear in the documentation, so hopefully this comment can save someone some time.

Related

How to generate an installer package for Mac app?

How can I create a single installer package for an OS X binary as well as a few configuration and script files?
Final folders should look like this:
Any help would be appreciated. Thanks.
Installers are great if you want various things to be placed in different spots – app here, documentation there, support files over here, etc. They're also great for providing configurability of the installation experience (optional extras), or hand-holding for an unusual type of installation that the user might not otherwise understand, or extra work (configuration scripts, permissions modifications, authentication, compatibility checking, etc.) that need to run during the installation process. There is nothing wrong with installers, contrary to the answer from #d00dle, although there is also nothing wrong with distributing your app through the App Store, or as a dmg.
For setting up your own installers, I highly recommend a program called Packages (http://s.sudre.free.fr/Software/Packages/about.html). I am in no way connected to it, but I use it to build the installer for an app that I work on. It greatly smoothes the process of making a complex installer, and has an excellent GUI interface.
There's also macOS Installer Builder, which is a CLI you can use to create an installer wizard for your .pkg: https://github.com/KosalaHerath/macos-installer-builder
macOS does not normally use installers. Applications are packaged in app containers with the extension .app. This container is "executable" but you're also able to dig in and see what is inside. This is also the format distributed through App Store.
You can create .pkg or .dmg "installers" if necessary, however this is clearly not something apple aims to be standard. I would advise to use the .app pattern and any scripts needed should be self contained and executed on first run.
You can use .dmg to distribute your application outside of App Store (this is still fairly normal).
macOS also includes a terminal program called productbuild that builds a product archive for the macOS Installer or the Mac App Store. Enter man productbuild into the Terminal on a Mac for the manual page.

OSX Gatekeeper stopping my application

My application was working good before I added one library and a sub-project(both created by me). All are code signed with same value.
If I create a local DMG (using build-script) then it is getting installed on my system, also in other system. But the build taken from Anthill pro fails to pass the OSX Gatekeeper and shows "Un-Identified developer" issue.
What could be the issue that makes the same DMG to behave differently?
I recently dealt with an issue with using a build server to sign an application. It signed fine, but then when we distributed it through our website, our users were asked to "Move to Trash" by OSX. My scenario was a little different, as I was using Jenkins, but perhaps the problem is the same.
I solved the issue by elevating our jenkins user up to an admin, and then running codesign with sudo.
I think this has something to do with signing as a developer vs. signing for distribution. If you download a signed package and your application was signed without distribution privileges, the extended attribute "com.apple.quarantine" gets places on the app package (check it by opening terminal and typing 'xattr [path-to-package]')

Installers and productbuild on OSX for Mac App Store

I have a product that I would like to distribute on the Mac App Store. For context, this is a Qt (5.3) app written in C++ on OSX 10.9 with Xcode 5.1.1. I have two questions:
1) When I use productbuild like such:
productbuild --component /path/to/my/Program.app /Applications Product-Installer.pkg
I get the Product-Installer.pkg as expected (this took some effort since the man pages made no mention that the bundle has to be signed before this will work) but when I run the installer, I do not see my app in /Applications. Even though the installer says it installed successfully, I am unable to find any evidence that Program.app was installed anywhere on my system. I am wondering if there is something I'm missing, similar to how not signing the bundle caused productbuild to give me a "The component [component] is not a bundle error?
2) My program has configuration files and I'm not sure what the best way is to handle these on install. For example, in the Windows-world, I would just install a config.ini file (for example) into the user's data folder during install. However, the way the docs read regarding Mac Store Apps, my take is that that's really not done...? I'm wondering then if the best way to handle this is to just generate the config.ini upon the first run of the app? How is this typically handled with App Store apps?
Thank you!
2) you would install them in the Application Support directory in your sandbox container.
Typically the configuration is called User Defaults and implemented with CFPreferences in plain old C or NSUserDefaults with Objective C. You would ship your UserDefaults.plist inside your package/bundle and register it on each launch of the app with registerDefaults:.

Application with multiple executables appears signed but triggers firewall warning

I'm working on a QT app for OS X that uses multiple executables. We sign the .app by signing each executable within the .app, then signing the whole .app with the "-f" option. This is the procedure Apple recommended when we contacted them.
However, each time our app starts, the user is prompted with a warning that our application wants to connect to the internet. This warning is repeated every time the application is restarted, even if the user chooses to grant it access.
Any suggestions for where our process could be going wrong would be useful. For what it's worth, all executables and the .app itself have valid signatures according to codesign.

Application updates in Mac OS X

To provide application updates in Windows, we can simply download the installer and run it. Applications are installed in %PROGRAMFILES% and shortcuts are placed in various places. Keys and values are added to the registry to provide an entry in the system's Programs list.
To provide application updates in Linux, we can use the system's package manager.
How do you provide application updates in Mac OS X? I think in general you simply drag .app bundles to /Applications? Does the system provide any sort of registry other than "look in /Applications folder"? Should the general flow of updating simply involve downloading an opening a DMG file, prompting the user to drag the new application bundle into /Applications? Will copying an app bundle to a folder delete the existing bundle before copying, or does it act like a normal folder (e.g. add and replace existing files)? I'd just like some general information on how I know go about implementing a 'check for updates' feature consistent with what's expected for a Mac OS X application.
It sounds like you should look into Sparkle.
In my experience as a Mac user (not a Cocoa dev), it's become the de facto standard for self-updating apps, save for a few monoliths like Microsoft Office and Adobe CS.

Resources