Can you codesign a Mac OS X App outside of Xcode and have Gatekeeper accept it? - code-signing

I have an application (installer, actually) that was built outside of Xcode which I have codesigned using the codesign utility, but when I try to install it after downloading the signed app, Gatekeeper complains that it comes from an unidentified developer. I have tried using the "3rd Party Mac Developer:..." identity, as well as my own "Mac Developer:..." identity; same result in either case. codesign (as far as I can tell) says all is well, so I'm thinking I'm either using the wrong identity (in which case my question is what I should use/make-to-use instead) or the signature is fine, but there is something that needs to be done with my developer account (in which case my question is what might that be).

According to Apple, and verified by me :), there is another set of identities specifically for signing apps to satisfy the intermediate security setting in Gatekeeper, which only a Team's Agent can get, which is why I wasn't getting them. My agent got them, I used them, and Gatekeeper is happy.

Related

Do I Codesign with Two Certs on OSX?

On OSX Cocoa application development, do I codesign with two certs or one? (Note, I'm not planning on distributing my app in the Apple AppStore, but from a website.) See, Apple says I need an organizational developer ID to sign my OSX app. Okay, fine, but Chrome and IE browsers like those expensive Symantec EV codesigning certs, at least for Windows apps, more so than other less-expensive EV codesigning certs. (Our tests have shown we get approved by Chrome and IE only with the expensive Symantec EV certs, not the cheaper ones, if wanting to distribute our applications from a website.)
So, if indeed I need to code sign with two certs, can you explain the command line process for installing these? Also, note that my application is a little odd and I need to know which items I must codesign. See, in my application, I have:
The setup app is a compiled, custom .app with a binary inside that loads the GUI. I assume I have to codesign both?
The application it installs is a GUI-based .app (Cocoa app) that also contains a couple console executables inside the Resources folder. I assume that I have to codesign the .app and the console executables too?
The certs that Symantec is offering for your web site are probably quite helpful if you were distributing a Windows app, but Apple has developed a solution of its own in Gatekeeper which I strongly recommend using.
As long as you code sign the app with Gatekeeper when you build it with Xcode, you can distribute it on the web and just about any Mac will be able to open it without issue, regardless of browser they're using.
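For a bundle that is not built by Xcode, the signing order the asker is worried about (helper executables and embedded bundles, then the outer .app) can be scripted directly with codesign. The script below is an added example, not code from either post: it lists nested code deepest-path-first and signs it before sealing the outer bundle, since the outer signature covers the nested signatures. It assumes POSIX sh, that the bundle's main executable is Contents/MacOS/<BundleName>, and a caller-supplied signing identity (the "Developer ID Application: ..." string is a placeholder).

```shell
#!/bin/sh
# Added example (not from the original posts): sign a bundle "inside out".
# Nested code (console tools in Resources, embedded bundles, frameworks)
# must be signed before the outer bundle, because the outer seal covers
# the nested signatures. Assumptions: POSIX sh, the main executable lives at
# Contents/MacOS/<BundleName>, and the identity is a caller-supplied
# placeholder such as "Developer ID Application: Example Corp (TEAMID)".
set -eu

# List every executable file under Contents/, deepest path first, minus the
# main executable (codesign signs that one when it seals the bundle).
nested_code_paths() {
    bundle=$1
    main_exe="$bundle/Contents/MacOS/$(basename "$bundle" .app)"
    find "$bundle/Contents" -type f -perm -100 ! -path "$main_exe" |
        awk -F/ '{ print NF, $0 }' | sort -rn | cut -d' ' -f2-
}

# Sign nested code first, then the bundle itself. --timestamp requests a
# secure timestamp so the signature stays valid after the cert expires.
# --verify --deep --strict afterwards checks every nested signature.
sign_inside_out() {
    identity=$1
    bundle=$2
    nested_code_paths "$bundle" | while IFS= read -r path; do
        codesign --force --sign "$identity" --timestamp "$path"
    done
    codesign --force --sign "$identity" --timestamp "$bundle"
    codesign --verify --deep --strict --verbose=2 "$bundle"
}

# Usage: sh sign.sh "Developer ID Application: Example Corp (TEAMID)" MyApp.app
if [ $# -eq 2 ]; then
    sign_inside_out "$1" "$2"
fi
```

The ordering matters because re-signing an inner executable after the outer bundle is sealed invalidates the outer signature; run the whole script again after any change to nested code.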

Avoid the "downloaded from internet" warning on mac os with a signed app

I have developed a Qt Mac app (not using Xcode, so I do not have any Xcode project) that will be distributed outside the app store.
I have successfully signed it with my developer ID certificate and if I use the following commands:
spctl --assess MyAppBundle.app
and
codesign -d -vvvvvv MyAppBundle.app
I get fine results.
The problem is that if I download it from the internet (e.g. Dropbox) I get the warning "the file was downloaded from internet are you sure you want to open it"
Is there a way to avoid this warning? From what I gathered from the forum it should be possible.
Btw please note that the application passes Gatekeeper on the target computer so the actual signing seems to be working and being accepted (Gatekeeper is on default configuration: Mac App Store and identified developers)
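Two separate mechanisms decide what a user sees when opening a downloaded app: the Gatekeeper assessment that spctl reports, and the com.apple.quarantine extended attribute the downloading browser sets on the file. The script below is an added example, not code from the post: it reduces the spctl output to its verdict and matched rule, and reports which agent set the quarantine attribute, so the two can be checked independently. It assumes POSIX sh; the sample spctl output and quarantine value used to exercise it are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the original post). Separates the Gatekeeper
# assessment (spctl) from the download-quarantine flag (xattr), which are
# checked independently when a downloaded app is opened. Assumptions:
# POSIX sh; sample strings in the comments are constructed.
set -eu

# Reduce "spctl --assess --verbose" output to accepted / rejected / unknown
# and echo the "source=" line, which names the rule that matched
# (constructed sample: "MyApp.app: accepted" / "source=Developer ID").
spctl_verdict() {
    out=$1
    case $out in
        *": accepted"*) verdict=accepted ;;
        *": rejected"*) verdict=rejected ;;
        *)              verdict=unknown ;;
    esac
    src=$(printf '%s\n' "$out" | sed -n 's/^source=//p' | head -n 1)
    printf '%s %s\n' "$verdict" "${src:-no-source}"
}

# The quarantine attribute is "flags;timestamp;agent;uuid" (flags and
# timestamp in hex). Print the agent that set it, or "none" when absent.
quarantine_agent() {
    attr=$1
    [ -n "$attr" ] || { printf 'none\n'; return 0; }
    printf '%s\n' "$attr" | cut -d';' -f3
}

# macOS-only driver: run the real tools against an app bundle.
check_download() {
    app=$1
    spctl_verdict "$(spctl --assess --type execute --verbose=4 "$app" 2>&1 || true)"
    printf 'quarantine set by: %s\n' \
        "$(quarantine_agent "$(xattr -p com.apple.quarantine "$app" 2>/dev/null || true)")"
}

# Usage: sh check_download.sh MyAppBundle.app
if [ $# -eq 1 ]; then
    check_download "$1"
fi
```

An "accepted" verdict with a quarantine agent present is the normal state for a correctly signed app fetched by a browser; a "rejected" verdict points at the signature or the identity used, not at the download path.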

What are the implications of codesigning an OS X application with a self-signed certificate?

Apple seems to restrict some OS X APIs (e.g. sandboxing) to applications that are codesigned by a trusted certificate, e.g. one issued to members of the paid Mac Developer program.
How does OS X treat applications that are codesigned with a self-signed (or a development) certificate?
Will those features/APIs be available, and the only difference be that users with the default Gatekeeper settings cannot (easily) launch such an application?
Will they be treated just like unsigned apps in every way (entitlements and sandboxing disabled, warning for Gatekeeper users)?
Or will a self-signed certificate be considered an error, and the app will not launch at all regardless of the user's Gatekeeper settings?
AFAIK, apps that aren't code-signed with a certificate that Gatekeeper accepts would be treated as unsigned. I don't know about access to specific features and API.
But you can make your self-signed cert acceptable to Gatekeeper. If you sign your code using certificates that weren't issued by Apple, every machine you want to run that code as signed would have to (a) have your certificate installed, and (b) have policies set via the spctl command that tell Gatekeeper to allow executing and/or installing code signed by that cert. This part has been tested and verified on Mavericks.
It is more difficult with kernel extensions. I'm still working on that. :-)
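The two machine-side steps the answer describes, trusting the certificate and then adding a Gatekeeper rule with spctl, can be put into one script. The one below is an added example, not the answerer's code: it installs the certificate as a trusted root in the System keychain, adds a labelled assessment rule for the signed app, and re-assesses it. It assumes POSIX sh, root privileges for both steps, and uses "internal-ca.cer", the label and "/Applications/MyApp.app" as placeholders; DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not part of the answer above): make a machine accept code
# signed with a certificate Apple did not issue, in the two steps the answer
# describes: (a) trust the certificate, (b) add a Gatekeeper rule.
# Assumptions: POSIX sh; the cert file, label and app path are placeholders;
# both steps need root. DRY_RUN=1 prints the commands instead of running them.
set -eu

run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step (a): add the cert to the System keychain as a trusted root, so the
# signature chain validates for every user on this machine.
trust_certificate() {
    run sudo security add-trusted-cert -d -r trustRoot \
        -k /Library/Keychains/System.keychain "$1"
}

# Step (b): add an assessment rule for the app's code signature under a
# label that can later be listed, disabled or removed with spctl, then
# re-assess; the verbose output names the rule that matched in "source=".
allow_signed_app() {
    label=$1
    app=$2
    run sudo spctl --add --label "$label" "$app"
    run sudo spctl --enable --label "$label"
    run spctl --assess --type execute --verbose=4 "$app"
}

# Usage: sh trust_app.sh internal-ca.cer "Internal apps" /Applications/MyApp.app
if [ $# -eq 3 ]; then
    trust_certificate "$1"
    allow_signed_app "$2" "$3"
fi
```

Keeping the rule under a label matters operationally: "spctl --disable --label" or "spctl --remove --label" reverses the change without touching Apple's own rules.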

Bypass Gatekeeper in Mac OS X Apps without a Mac Developer Membership

Scenario
I want to release an app for Mac OS X, but not on the AppStore. The app runs on 10.6 - 10.8 and up.
Problem
Apple requires all apps for Mac OS X 10.8+ to be signed by the developer to get past Gatekeeper. And unless I tell each user to temporarily disable and re-enable Gatekeeper just for my app, according to this document and the Mountain Lion change log... my app won't be allowed to run.
From the wording on Apple's website, it sounds like I'll have to pay the $99.00 a year for the certificate. However, I do not want to pay the $99 - I'm not publishing to the AppStore!
Question
Is there any way I can get around paying the $99 for distribution on 10.8+? I know my app will work on 10.6 and 10.7, but according to Apple it won't be allowed to run on 10.8 without the certificate. Is that true? How can I distribute on 10.8+ (preferably a DMG) without a $99 distribution certificate? Thanks in advance!
Edit #1
DMG files are not authenticated by Gatekeeper, only the app itself is.
OS X Lion 10.7.5+ also has Gatekeeper * angry face *
Apple currently provides no way to get around Gatekeeper without paying the $99 / year membership fee. To me, this seems unfair because it squishes out the smaller developers (but that's a discussion for elsewhere).
For a rather cumbersome workaround, one can include a ReadMe or note on the download page for their software to explain to users that they need to right click your app and then click 'Open' and then click confirm to run it. I have also found through experimenting that Gatekeeper does not run security checks on DMG files or the installation of files, only the execution / running of Apps. So one could include some kind of note in their DMG installer that told the user exactly how to install and run the app.
Hopefully Apple will provide a workaround for developers (possibly a cheaper solution for a limited membership) that distribute freeware and open source software.
You don't need to purchase membership. Just get a code signing certificate from any agency and sign your app with it. Then it will bypass the Gatekeeper check. Gatekeeper only checks whether the app is from identified developer or not.

Using existing CA-issued cert to sign OS X application and keep Gatekeeper happy

I build an OSX app which is distributed as a DMG outside of the Mac App Store, and I'd like to continue to have it be that way once Gatekeeper enforcement begins.
From studying code signing documentation, it looks like the recommended approach is to get a "Developer ID" certificate and use that to codesign. However, you must be a registered OSX developer and pay Apple $99 each year. I already have a certificate from a recognized CA, and I would like to use it with codesign. I found documentation on how to do this, but I cannot tell whether Gatekeeper will allow applications signed using certs issued by other CAs, not Apple.
Does anyone know?
Gatekeeper only recognizes apps signed with Developer ID, not just any signature. See this which also explains how to test Gatekeeper functionality under Lion.
The point is that if Apple owns the certificate authority, they can revoke the certificate if your app turns out to be a trojan or something.
