So if you are shipping software for the Mac, you really need to sign it. Apple fanboys will tell you this is a sensible way for Apple to control software quality. Make your own mind up on that one. I have now managed to sign my table planner software, ready for its next release. I should have done it months ago, but I expected the process to be so tedious that it has taken me this long to get around to it. And it was every bit as mind-numbingly tedious as I expected, trying to find a few useful nuggets amongst the acres of Apple documentation.
I found some useful stuff in blogs, but it was quite fragmented. So I have thrown together these notes in the hope that it saves someone else a few hours going round in circles.
- About the Code Signing Identity
- Certificates and Keys
- How to Show & Verify Code Signatures for Apps in Mac OS X
Gatekeeper only accepts certificates issued by Apple, so you have no choice. On the plus side, you do get other benefits, including downloading new OS upgrades for free. You need Mac OS X If you have an Apple Developer Connection subscription, you can download I found the upgrade from Request your Apple certificates and install them into your Keychain. You can do this from Xcode (instructions here). You may need to upgrade Xcode to a recent version. I do this in a build shell script that automates the whole process of creating a.
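The build-script step described above, written out as an added example (this is not the author's script and not Apple's code). It assumes a Developer ID Application identity is already installed in the keychain, that the identity name and bundle path are supplied as arguments, and that the `codesign` and `spctl` tools are available; the identity name and paths used in the usage comment are constructed placeholders. The detached-signature pair at the end uses the `--detached` option described in the manual page excerpts later on this page.

```shell
#!/bin/sh
# Added example, not the author's build script: sign an .app bundle for Gatekeeper,
# verify the seal, and ask Gatekeeper itself whether it would accept the result.
# Assumptions: a Developer ID Application identity is already in the keychain, and the
# identity name and bundle path are passed on the command line.
# CODESIGN/SPCTL can be pointed at another program (e.g. CODESIGN=echo) to see the
# exact command lines on a machine without the macOS tools.
set -eu

CODESIGN="${CODESIGN:-codesign}"
SPCTL="${SPCTL:-spctl}"
# --timestamp makes signing fail if Apple's timestamp server is unreachable;
# set TIMESTAMP=--timestamp=none for a deliberately offline build.
if [ -z "${TIMESTAMP:-}" ]; then TIMESTAMP=--timestamp; fi

# Sign the main executable and, with --deep, every nested helper, framework and
# plug-in; -f replaces any stale signature instead of failing on it.
sign_app() {
  identity="$1"
  app="$2"
  "$CODESIGN" --force --deep "$TIMESTAMP" --sign "$identity" "$app"
}

# Static verification of the whole bundle. Without --deep only a shallow check of
# nested code is done and a tampered helper can pass. Non-zero exit means failure.
verify_app() {
  app="$1"
  "$CODESIGN" --verify --deep --verbose=2 "$app"
}

# Gatekeeper policy check: exit 0 means the current policy would allow the app to
# launch (signature valid and identity accepted); the verbose output names the reason.
assess_app() {
  app="$1"
  "$SPCTL" --assess --type execute --verbose=4 "$app"
}

# Alternative for a standalone file that must stay byte-for-byte unchanged: write the
# signature to a separate file. The target is not modified and need not be writable.
sign_detached() {
  identity="$1"; target="$2"; sigfile="$3"
  "$CODESIGN" "$TIMESTAMP" --sign "$identity" --detached "$sigfile" "$target"
}

# Verify against the detached file; any signature embedded in the target is ignored,
# so a copy re-signed by someone else still fails against the signature you shipped.
verify_detached() {
  target="$1"; sigfile="$2"
  "$CODESIGN" --verify --verbose=2 --detached "$sigfile" "$target"
}

# Usage (constructed placeholder names):
#   sign-app.sh "Developer ID Application: Example Corp" build/Planner.app
if [ "$#" -ge 2 ]; then
  sign_app "$1" "$2"
  verify_app "$2"
  assess_app "$2"
fi
```

Run it once with `CODESIGN=echo SPCTL=echo` to see the exact command lines before letting it touch a real build. One caveat from the manual page text reproduced below: with `--deep`, every signing option you pass is applied to the nested code as well, so if a helper or framework needs different entitlements or a different identifier, sign those components individually from the inside out instead of relying on `--deep`.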
The rest of these notes are taken from the codesign(1) manual page. Note that the form --name value (without an equal sign) will not work as expected on options with optional values.

OPTIONS
The options are as follows:

--all-architectures
When verifying a code signature on code that has a universal ("fat") Mach-O binary, separately verify each architecture contained. This is the default unless overridden with the -a, --architecture option.

-a, --architecture architecture
The architecture can be specified either by name e.
This option applies only to Mach-O binary code and is ignored for other types. If the path uses the Mach-O format and contains no code of the given architecture, the command will fail. The default for verification is --all-architectures, to verify all architectures present. The default for display is to report on the native architecture of the host system. When signing, codesign will always sign all architectures contained in a universal Mach-O file.

--bundle-version version-string
This must be one of the names in the "Versions" directory of the bundle. If not specified, codesign uses the bundle's default version. Note that most frameworks delivered with the system have only one version, and thus this option is irrelevant for them. There is currently no facility for operating on all versions of a bundle at once.

-d, --display
Increasing levels of verbosity produce more output. The format is designed to be moderately easy to parse by simple scripts while still making sense to human eyes. In addition, the -r, --file-list, --extract-certificates, and --entitlements options can be used to retrieve additional information.

--detached filename
The code being signed is not modified and need not be writable. When verifying, designates a file containing a detached signature to be used for verification. Any embedded signature in the code is ignored.

--deep
Beware that all signing options you specify will apply, in turn, to such nested content. When verifying a bundle, specifies that any nested code content will be recursively verified as to its full content. By default, verification of nested content is limited to a shallow investigation that may not detect changes to the nested code.
When displaying a signature, specifies that a list of directly nested code should be written to the display output. This lists only code directly nested within the subject; anything nested indirectly will require recursive application of the codesign command.

--detached-database
Writing to this system database requires elevated process privileges that are not available to ordinary users.

-f, --force
Without this option, existing signatures will not be replaced, and the signing operation fails.
-h, --hosting
The pid arguments must denote running code (pids etc.). With verbose options, this also displays the individual dynamic validity status of each element of the hosting chain.

-i, --identifier identifier
If this option is omitted, the identifier is derived from either the Info. It is a very bad idea to sign different programs with the same identifier.

-o, --options flags
During signing, specifies a set of option flags to be embedded in the code signature. The value takes the form of a comma-separated list of names (with no spaces). Alternatively, a numeric value can be used to directly specify the option mask (CodeDirectory flag word).

--pagesize pagesize
Pagesize must be a power of two. Chunks of pagesize bytes are separately signed and can thus be independently verified as needed. As a special case, a pagesize of zero indicates that the entire code should be signed and verified as a single, possibly gigantic page. This option only applies to the main executable and has no effect on the sealing of associated data, including resources.

-r, --requirements requirements
See "specifying requirements" below. Defaults will be applied to requirement types that are not explicitly specified; if you want to defeat such a default, specify "never" for that type. During display, indicates where to write the code's internal requirements. Use -r- to write them to standard output.

-R, --test-requirement requirement
If this option is omitted, the code is verified only for internal integrity and against its own designated requirement.

-v, --verbose
Without the verbose option, no output is produced upon success, in the classic UNIX style. If no other options request a different action, the first -v encountered will be interpreted as --verify instead (and does not increase verbosity).

-v, --verify
If other actions sign, display, etc.
--continue
If this option is given, exit due to operational errors is deferred until all path arguments have been considered. The exit code will then indicate the most severe failure (or, with equal severity, the first such failure encountered).

--dryrun
Cryptographic signatures are still generated, actually using the given signing identity and triggering any access control checks normally, though the resulting signature is then discarded.

--entitlements path
If the data at path does not already begin with a suitable binary ("blob") header, one is attached automatically. When displaying a signature, extract any entitlement data from the signature and write it to the path given. Use "-" to write to standard output. By default, the binary "blob" header is returned intact; prefix the path with a colon ":" to automatically strip it off. If the signature has no entitlement data, nothing is written (this is not an error).

--extract-certificates[=prefix]
The prefix argument is appended with numbers 0, 1, Certificate 0 is the leaf (signing) certificate, and as many files are written as there are certificates in the signature. The files are in ASN. If prefix is omitted, the default prefix is "codesign" in the current directory.

--file-list path
This is useful for installer or patcher programs that need to know what was changed or what files are needed to make up the "signature" of a program. The file given is appended-to, with one line per absolute path written. An argument of "-" (single dash) denotes standard output.
Note that the list may be somewhat pessimistic: all files not listed are guaranteed to be unchanged by the signing process, but some of the listed files may not actually have changed. Also note that changes may have been made to extended attributes of these files.

--ignore-resources
In effect, this will pass validation on code whose resources have been corrupted or inappropriately signed. On large programs, it will also substantially speed up static validation, since all the resources will not be read into memory. Obviously, the outcome of such a validation should be considered on its merits.
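The display and verification options covered above (internal requirements, entitlements, certificate extraction, the file list, and verifying against an explicit requirement rather than only the signature's own designated one) in one inspection script. This is an added example, not code from the page or from Apple. It assumes an already-signed bundle path is passed in and that `openssl` is available for reading the extracted DER certificates; the Developer ID requirement string and its OIDs are Apple's documented Developer ID certificate extensions, not something taken from this page.

```shell
#!/bin/sh
# Added example, not from the page: inspect what a signature contains and test it against
# an explicit requirement. Assumes a signed bundle path is given as the first argument.
# CODESIGN=echo prints the command lines on a host without the macOS tools.
set -eu

CODESIGN="${CODESIGN:-codesign}"

# Developer ID requirement as Apple documents it (assumption: not taken from this page):
# Apple root anchor, the Developer ID intermediate (OID ...6.2.6) one step above the leaf,
# and a Developer ID Application leaf (OID ...6.1.13). A bare field test checks presence.
DEVELOPER_ID_REQ='anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13]'

# Print the internal requirements the signature carries (-r- writes them to stdout).
show_requirements() {
  "$CODESIGN" -d -r- "$1"
}

# Print the embedded entitlements; the leading ':' strips the binary blob header so
# the output is plain property-list XML. Nothing is printed if there are none.
show_entitlements() {
  "$CODESIGN" -d --entitlements :- "$1"
}

# Verify against an explicit requirement instead of only the designated one. The leading
# '=' marks an inline requirement rather than a file path. A self-signed or Mac App Store
# identity fails this even when the signature itself is intact.
verify_developer_id() {
  "$CODESIGN" --verify --verbose=2 -R "=$DEVELOPER_ID_REQ" "$1"
}

# Write the certificate chain to <prefix>0, <prefix>1, ... (0 is the leaf) and summarise
# each one: subject, issuer and expiry. The files are DER, hence -inform DER.
dump_certificates() {
  app="$1"; prefix="$2"
  "$CODESIGN" -d --extract-certificates="$prefix" "$app"
  for cert in "$prefix"[0-9]*; do
    [ -e "$cert" ] || continue   # no files are produced when CODESIGN is stubbed
    openssl x509 -inform DER -noout -subject -issuer -enddate -in "$cert"
  done
}

# List every file that signing may have touched, as a patcher or installer manifest.
list_signed_files() {
  "$CODESIGN" -d --file-list - "$1"
}

# Usage (constructed placeholder path): inspect-signature.sh build/Planner.app
if [ "$#" -ge 1 ]; then
  show_requirements "$1"
  show_entitlements "$1"
  verify_developer_id "$1"
  dump_certificates "$1" "${TMPDIR:-/tmp}/codesign"
  list_signed_files "$1"
fi
```

The `verify_developer_id` check is the one worth keeping in a release pipeline: a plain `--verify` only proves the seal matches the code and the signature's own designated requirement, which a developer-signed or self-signed build also satisfies, so it says nothing about which identity signed it.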
--keychain filename
This can be used to break any matching ties if you have multiple similarly-named identities in several keychains on the user's search list. Note that the standard keychain search path is still consulted while constructing the certificate chain being embedded in the signature. Note that filename will not be searched to resolve the signing identity's certificate chain unless it is also on the user's keychain search list.

--prefix string
If the implicit identifier contains a dot, it is used as-is. Typically, this is used to deal with command tools without Info.

--preserve-metadata=list
If new data is specified explicitly, it is preferred. You still need to specify the -f (--force) option to enable overwriting signatures at all. If this option is absent, any old signature has no effect on the signing process.
This option takes a comma-separated list of names, which you may reasonably abbreviate:

identifier
Preserve the signing identifier (--identifier) instead of generating a default identifier.

requirements
Note that all internal requirements are preserved or regenerated as a whole; you cannot pick and choose individual elements with this option.

For historical reasons, this option can be given without a value, which preserves all of these values as presently known. This use is deprecated and will eventually be removed; always specify an explicit list of preserved items.

--resource-rules filename
The argument is the path to a property list (plist) file containing scanning and qualification instructions. See the code signing documentation for details.

--timestamp[=URL]
The server contacted is given by the URL value. If this option is given without a value, a default server provided by Apple is used. Note that this server may not support signatures made with identities not furnished by Apple. If the timestamp authority service cannot be contacted over the Internet, or it malfunctions or refuses service, the signing operation will fail. If this option is not given at all, a system-specific default behavior is invoked. This may result in some but not all code signatures being timestamped. The special value none explicitly disables the use of timestamp services.

-s, --sign identity
Internal requirements and entitlements are embedded if requested.