3

I'm trying to sign my Java application in OSX using codesign. I've paid my $100 ransom to Apple and obtained my code signing certificate. I then used codesign like this to force it to sign my app previously created using the osxappbundle Maven plugin:

codesign -f -s "Peter Brewer" FHAES.app

This seems to have done the job as when I try to verify the signature by doing:

codesign --display --verbose=4 FHAES.app

...I get the following response:

Executable=/Applications/FHAES.app/Contents/MacOS/JavaApplicationStub
Identifier=FHAES
Format=bundle with Mach-O universal (i386 x86_64)
CodeDirectory v=20100 size=174 flags=0x0(none) hashes=3+3 location=embedded
Hash type=sha1 size=20
CDHash=de2cd9909fcc4bfab1f690c518a6c6c3b3097372
Signature size=4311
Authority=Mac Developer: Peter Brewer (N35745G8TD)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=Jan 10, 2014, 4:46:57 PM
Info.plist entries=10
Sealed Resources version=2 rules=12 files=2
Internal requirements count=1 size=164

Unless I misunderstand, this seems to indicate it has been signed successfully with a certificate authorized by Apple. However when I then try to launch the application I get the usual "can't be opened because it is from an unidentified developer" error.

Can anyone tell me what I'm doing wrong?

On a related note, if anyone could please implement codesign in Linux I'd be eternally grateful. I despise Apple for breaking my one click cross-platform build system even more than I do for blackmailing me into paying for their certificate!

tshepang
PeteBrew

1 Answer

5

Following hours of poking my eyeballs out at developer.apple.com I have finally found the information I needed. The entire Apple ecosystem is pushing developers to use Xcode and 'their way of doing things' and requires continued investment in Apple hardware and software. For instance the tutorial videos can only be viewed on a recent Mac (i.e. newer than the 2.5 year old system I have access to). But anyway - I won't use SO to vent my frustrations.

The reason my previous attempts failed was because I was using the wrong sort of Apple certificate. The certificate described above is one that is used to sign an app which is then sent to Apple who re-sign it ready for release through the App Store. As I don't intend to 'sell' my open source application through Apple, I need another type of certificate called a Developer ID certificate to enable me to distribute my application on my own website.

To get your Developer ID certificate you need to set up a provisioning profile, register a development machine and jump through various other hoops on the Apple developer website. Once you have this certificate installed on your machine you can sign on the command line by doing:

codesign -f -s "Developer ID" myapp.app

When I run codesign --display --verbose=4 myapp.app it reports that the Authority value now begins with 'Developer ID...' rather than 'Mac Developer...'. This is what is required for Gatekeeper not to give your users coronaries.

PeteBrew
  • 1
    I didn't realize until reading this, that a different certificate must be used for distribution outside of the App Store vs. in the App Store. Thanks. For those interested, I have helped edit a set of steps to prepare a Qt app for distribution on OS X: http://stackoverflow.com/q/20909341/368896 – Dan Nissenbaum Jan 15 '14 at 12:27
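The check described in the answer (the first Authority line must begin with "Developer ID", not "Mac Developer") can be automated as a release gate. The following is an added example, not code from the question or answer: the function names and verdict strings are assumptions, the first sample reuses the Authority lines from the question, and the second sample is constructed with a placeholder name and team ID.

```shell
#!/bin/sh
# Added example: classify the signing identity in `codesign --display` output.
# Function names and verdict strings are assumptions made for this example.

# Print the leaf (first) Authority= value from codesign output on stdin.
leaf_authority() {
    sed -n 's/^Authority=//p' | head -n 1
}

# Print a verdict for codesign output on stdin; return 0 only for Developer ID.
gatekeeper_verdict() {
    leaf=$(leaf_authority)
    case "$leaf" in
        "Developer ID"*)  echo "ok: $leaf"; return 0 ;;
        "Mac Developer"*) echo "wrong-cert: $leaf"; return 1 ;;
        "")               echo "unsigned-or-unparsed"; return 2 ;;
        *)                echo "unknown: $leaf"; return 3 ;;
    esac
}

# Sample 1: Authority lines exactly as shown in the question.
sample_question() {
    cat <<'EOF'
Identifier=FHAES
Authority=Mac Developer: Peter Brewer (N35745G8TD)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
EOF
}

# Sample 2: constructed output (placeholder name and team ID).
sample_developer_id() {
    cat <<'EOF'
Identifier=myapp
Authority=Developer ID Application: Example Dev (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
EOF
}

sample_question | gatekeeper_verdict || true
sample_developer_id | gatekeeper_verdict || true
```

On a Mac, feed it real output with `codesign --display --verbose=4 myapp.app 2>&1 | gatekeeper_verdict`; the `2>&1` is needed because codesign writes the display output to stderr.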