Code Sign Mac Os App

If you want to ship a desktop application for Windows and/or OS X, at some point you will need to take an interest in code signing. Windows and OS X have default security policies that prevent users from running software downloaded from the Internet if it has not been signed, so binary packages need to be signed!


For an unsigned application, under Windows, users only need to click “Yes” in a number of popups to get through the security check, which they are probably used to…

Yet under Mac OS X, unless the Security & Privacy settings are changed to allow applications downloaded from Anywhere (instead of Mac App Store and identified developers only) or they right / Ctrl click on the file, users simply won’t be able to launch the application! Apple fans will probably say this is a sensible way for Apple to control software quality. A valid certificate indeed shows that your software hasn’t been altered or corrupted and, if it turns out to be malware, Apple can revoke your certificate. Though one can also see it as a way for Apple to control Mac developers even more than it already does, while simultaneously extorting $99 per year from each and every one of them.

In any case, this could be a serious obstacle for Mac OS X users, so if you are shipping software for the Mac, you really need to sign it.

We’ve spent quite some time understanding code signing and figuring out how to implement it for both operating systems in an automated way, so that our continuous integration platform can handle it for the Nuxeo Drive application.

Let’s first have a look at the various warning or blocking popups you might have when installing an unsigned application.

Installing an Unsigned Application Under Windows

These popups are only warnings, but the “Unknown” aspect might be scary for some users.

Warning popup when opening the Nuxeo Drive .msi file

Warning popup at the end of Nuxeo Drive installation

Opening an Unsigned Application Under Mac OS X

This popup is blocking.

Blocking popup when opening the Nuxeo Drive application

Now let’s have a look at the various warning popups you should have when installing a signed application.

Installing a Signed Application Under Windows

Warning popup when opening the Nuxeo Drive .msi file

If you click on the Nuxeo link you can have the details of the code signing certificate, as in the screenshot below:

Nuxeo certificate details

Warning popup at the end of Nuxeo Drive installation

Opening a Signed Application Under Mac OS X

Warning popup when opening the Nuxeo Drive application

Code Signing Overview

Though there are several ways to sign an application, let’s have a look at the main principles.

Windows

Obtain a signing identity

You first need to get a signing identity delivered by a trusted certification authority like Comodo or VeriSign. Such a signing identity is generally made up of a certificate and a private key. The simplest approach is to create a PFX file from the certificate and private key using openssl under Linux (yes, you will always need a Linux box at some point - at least we didn’t find a better way…). Copy the PFX file to the Windows build machine, as it will be used directly to sign the code.
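The PFX packaging step described above, as an added example (not Nuxeo’s own tooling): a small POSIX shell script that bundles a certificate and its private key into the PKCS#12 file that signtool consumes, refuses to build one from a mismatched pair, and reads the subject back out so you can check the file before copying it to the build machine. It assumes openssl on PATH; the file names, the subject and the passphrase are placeholders, and the self-signed pair produced by demo_selfsigned exists only so the flow can be rehearsed without a CA-issued certificate.

```sh
#!/bin/sh
# Added example, not Nuxeo's own script: build the PFX (PKCS#12) file that
# signtool's /f option expects. Assumes openssl on PATH; file names and the
# passphrase are placeholders.

# make_pfx <cert.pem> <key.pem> <out.pfx> <passphrase>
# The passphrase encrypts the private key inside the PFX; it is the value
# you later hand to signtool's /p option.
make_pfx() {
    cert=$1; key=$2; out=$3; pass=$4
    # A PFX built from a key that does not belong to the certificate imports
    # fine on Windows but can never produce a valid signature, so compare the
    # public keys first and refuse to continue on a mismatch.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$cert_pub" = "$key_pub" ] || { echo "certificate/key mismatch" >&2; return 1; }
    openssl pkcs12 -export -inkey "$key" -in "$cert" -out "$out" -passout "pass:$pass"
}

# pfx_subject <file.pfx> <passphrase>
# Prints the subject of the certificate inside the PFX: a cheap sanity check
# that the file you are about to copy to the build machine holds the
# identity you think it does.
pfx_subject() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
        | openssl x509 -noout -subject
}

# demo_selfsigned <dir>
# Throwaway self-signed pair (placeholder subject) for rehearsing the flow.
# It is not issued by a trusted CA, so nothing signed with it will pass the
# Windows or Gatekeeper checks; use it only to test this script.
demo_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test Signing" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Usage with your CA-issued files (placeholder names):
#   make_pfx codesign-cert.pem codesign-key.pem certificate.pfx "$PFX_PASSPHRASE"
#   pfx_subject certificate.pfx "$PFX_PASSPHRASE"
```

One caveat worth knowing: OpenSSL 3 encrypts the exported PFX with newer algorithms than OpenSSL 1.x did, and older Windows releases cannot import such a file; if the import fails on the build machine, re-export with the -legacy option of openssl pkcs12.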

Sign the code

Use the SignTool tool provided by the Windows SDK to sign your application.

signtool sign /v /f "<certificate_path>certificate.pfx" /d "Nuxeo Drive" /t http://timestamp.verisign.com/scripts/timstamp.dll nuxeo-drive-1.3.0204-win32.msi

  • /v Verbose
  • /f PFX certificate file path. If the file is protected by a password, use the /p option to specify the password
  • /d Signed content description, used as the msi program name
  • /t URL of the timestamp server

Verify the code

signtool verify /v /pa nuxeo-drive-1.3.0204-win32.msi

Mac OS X

Obtain a signing identity

You first need to get a Developer ID account from Apple ($99 / year). Then generate a Certificate Signing Request (.csr) for Code Signing Certificates using openssl to obtain a Developer ID Application certificate from the Apple Developer Center. Finally, import the certificate and the private key generated along with the .csr into one of the keychains of your Mac OS X build machine.

Sign the code

Use the codesign command line tool to sign your application.

codesign -s <identity> <code-path> -v

  • The <identity> can be named with any (case sensitive) substring of the certificate’s common name attribute, as long as the substring is unique throughout your keychains
  • The <code-path> value may be a bundle folder or a specific code binary, for example Nuxeo Drive.app
  • -v option is for verbose

Verify the code

codesign -vv "Nuxeo Drive.app"

This checks that the code is actually signed, that the signature is valid, that all the sealed components are unaltered, and that the whole thing passes some basic consistency checks.

Getting more information about code signature

To display all details about the code signature such as the hash type, signature size or signing authority, use the following command:

codesign -d -vvv "Nuxeo Drive.app"

Test code signing using the spctl tool

spctl --assess --type execute --verbose "Nuxeo Drive.app"

If your application or package signature is valid, this tool exits silently with an exit status of 0. If the signature is invalid, it prints an error message and exits with a nonzero exit status.

In case of success this should output something like:

nuxeo-drive/dist/Nuxeo Drive.app: accepted
source=Developer ID
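The verification steps above, chained into one release gate as an added example (not Nuxeo’s own script): a POSIX shell script that runs codesign --verify and the spctl assessment in order, and turns the spctl verdict into an exit status a continuous-integration job can act on instead of relying on someone reading the output. It assumes macOS with codesign and spctl on PATH; the bundle path is a placeholder, and parse_spctl_output is written so that it also accepts the “source=Notarized Developer ID” verdict printed by newer macOS releases, which goes beyond the output shown on this page.

```sh
#!/bin/sh
# Added example, not Nuxeo's own script: a release gate that chains the
# codesign and spctl checks and returns a meaningful exit status. Assumes
# macOS with codesign and spctl on PATH; the bundle path is a placeholder.

# parse_spctl_output
# Reads `spctl --assess --verbose` output on stdin and succeeds only when the
# bundle was accepted AND the acceptance came from a Developer ID signature,
# not from some other rule in Gatekeeper's policy database.
#   0 = accepted via Developer ID, 1 = rejected, 2 = accepted for another reason
parse_spctl_output() {
    out=$(cat)
    case "$out" in
        *": accepted"*) ;;
        *) printf 'gatekeeper: rejected\n' >&2; return 1 ;;
    esac
    # Matches "source=Developer ID" and the later "source=Notarized Developer ID".
    case "$out" in
        *"source="*"Developer ID"*) return 0 ;;
        *) printf 'gatekeeper: accepted, but not via Developer ID\n' >&2; return 2 ;;
    esac
}

# assess_bundle <path/to/App.app>
# Runs the checks in order and stops at the first failure; exit 0 means the
# bundle is safe to publish.
assess_bundle() {
    bundle=$1
    [ -d "$bundle" ] || { printf 'no such bundle: %s\n' "$bundle" >&2; return 3; }
    # Signature present, valid, every sealed component unaltered. --deep also
    # walks nested code (helpers, frameworks); --strict applies the current
    # signing rules rather than the lenient legacy ones.
    codesign --verify --deep --strict --verbose=2 "$bundle" || return 4
    # Gatekeeper's own verdict, parsed instead of eyeballed. spctl prints the
    # verdict on stderr, hence the redirect into the pipe.
    spctl --assess --type execute --verbose "$bundle" 2>&1 | parse_spctl_output
}

# Usage (placeholder path): assess_bundle "dist/Nuxeo Drive.app"
```

The distinct exit codes matter in CI: a 4 means the bundle itself is broken or tampered with and should never be shipped, while a 2 means the signature is fine but the machine's Gatekeeper database, not your Developer ID certificate, is what let it through, so the same bundle will be blocked on a user's Mac.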

That’s it, happy code signing!