3

I'm trying to codesign my macOS screensaver project to get rid of the "unidentified developer" warning message. Both Apple's documentation and this person on Apple's forums say that you should use the "Developer ID Application" signing certificate to do it. But that doesn't appear to work for me.

When I follow Apple's instructions on how to test for proper signatures the response I get is as follows:

Screensaver.saver: rejected (the code is valid but does not seem to be an app)

My signing settings look like this:

[Image: signing settings]

I'm not sure what else I should try at this point. Mostly I'm worried about the rumor that future Mac apps will have to be signed/notarized, and what that means for screensavers.

Brad Root

2 Answers

6

Here are additional notarization notes:

You can’t notarize the .saver directly, but you can, in a roundabout way, notarize a ZIP file, which is how I distribute my screen saver. Here are the steps I use for my simple saver; your mileage will undoubtedly vary:

  1. `/usr/bin/codesign -f -o runtime --timestamp --sign "insert Developer ID Installer certificate identifier here" XYZZY.saver`
  2. compress the code signed .saver e.g. XYZZY.saver.zip
  3. `/usr/bin/xcrun altool --verbose --notarize-app --primary-bundle-id "insert identifier here" -u "xyzzy@plugh.com" -p "insert app-specific PW for your Apple ID here" -t osx -f XYZZY.saver.zip`
  4. Aside: store the App-specific password in your keychain and reference it from the command line like this:
    • `/usr/bin/xcrun altool --store-password-in-keychain-item "AC_PASSWORD" -u xyzzy@plugh.com -p "insert App-specific PW from Apple here"`
  5. wait for notarization, check status like this:
    • `/usr/bin/xcrun altool --notarization-history 0 -u "xyzzy@plugh.com" -p "@keychain:AC_PASSWORD"`
  6. While you can notarize a ZIP archive, you can’t staple the notarization ticket to it directly. Instead, run stapler against each individual item that you originally added to the archive. Then create a new ZIP file containing the stapled items for distribution.
    • `/usr/bin/xcrun stapler staple XYZZY.saver`
    • Re-zip the saver and distribute
pabugeater
  • I can't understand this line: Instead, run stapler against each individual item that you originally added to the archive – Ahmadreza Mar 05 '20 at 13:21
  • 2
    My ZIP file contains a single item, the saver module XYZZY.saver, thus I run the stapler command once: /usr/bin/xcrun stapler staple XYZZY.saver. If you have more than one item in the archive then run the stapler command for every item, then recreate the archive. – pabugeater Mar 05 '20 at 21:45
  • OK, I will try that. So after level #5 I should unzip my XYZZY.saver.zip, staple it with that command line and zip it again? Then how to distribute it? Could you guide me a little for distribution? – Ahmadreza Mar 06 '20 at 03:52
  • When I check the notarizations, I get Package Invalid! – Ahmadreza Mar 06 '20 at 05:46
  • 2
    I did NOT unzip the archive. Simply staple each *original* item that was included in the zip archive. Then re-create the archive, overwriting what you notarized. At least that is what I did. The saver module, even though it's really a folder (package), counts as a single "file". Then "distribute" the notarized saver by simply giving it to folks, say, by storing on a server and advertising its URL. – pabugeater Mar 07 '20 at 00:39
  • Can confirm that this seems to work. I followed that advice, and tested on a fresh VM with a brand new install of macOS Catalina. The screensaver installed without so much as a prompt. Thanks @pabugeater for the detailed, on-point instructions. – Bigos Trismegistos Apr 15 '20 at 20:58
  • Thanks for this! Much better than my package solution. Worth noting for others: I had to use a "Developer ID Application" certificate, not the "Developer ID Installer" certificate. – Brad Root Apr 26 '20 at 19:00
  • This post was incredibly helpful for me. You can see an example of it here using the new `xcrun notarytool` command https://github.com/TehNrd/Apple-Logo-Screensaver/blob/main/buildsign.sh – TehNrd Apr 30 '23 at 00:00
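
The sign, zip, notarize, staple, re-zip sequence from the answer above, as an added example script (not code from the original posts). It uses the `xcrun notarytool` command named in the last comment instead of `altool`, assumes a keychain profile created beforehand with `xcrun notarytool store-credentials`, and its identity check reflects the comment that a "Developer ID Application" certificate was needed; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: sign -> zip -> notarize -> staple -> re-zip for a .saver bundle.
# Usage: script SAVER IDENTITY KEYCHAIN_PROFILE   (DRY_RUN=1 only prints the commands)

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# Code bundles are signed with a "Developer ID Application" identity;
# "Developer ID Installer" identities are for .pkg files (productsign).
check_identity() {
    case "$1" in
        "Developer ID Application:"*) return 0 ;;
        *) echo "refusing to sign code with identity: $1" >&2; return 1 ;;
    esac
}

# notarize_saver SAVER IDENTITY PROFILE
notarize_saver() {
    saver=$1 identity=$2 profile=$3
    zip="$saver.zip"
    check_identity "$identity" || return 1
    case "$saver" in
        *.saver) ;;
        *) echo "not a .saver bundle: $saver" >&2; return 1 ;;
    esac
    run /usr/bin/codesign -f -o runtime --timestamp --sign "$identity" "$saver" || return 1
    run /usr/bin/codesign --verify --strict --verbose=2 "$saver" || return 1
    run /usr/bin/ditto -c -k --keepParent "$saver" "$zip" || return 1
    # --wait blocks until the notary service has finished processing the upload.
    run /usr/bin/xcrun notarytool submit "$zip" --keychain-profile "$profile" --wait || return 1
    # The ticket is stapled to the bundle itself, not to the ZIP that was uploaded.
    run /usr/bin/xcrun stapler staple "$saver" || return 1
    run /usr/bin/xcrun stapler validate "$saver" || return 1
    # Rebuild the archive so the distributed copy contains the stapled bundle.
    run /bin/rm -f "$zip" || return 1
    run /usr/bin/ditto -c -k --keepParent "$saver" "$zip"
}

if [ "$#" -eq 3 ]; then
    notarize_saver "$@"
fi
```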
4

Just in case someone else stumbles in here...

For now I've realized that a good way around this is to create an installer package and then sign that following Apple's instructions.

I ended up using some free software called Packages to create the installer. After building the installer, I copied it to another folder and used the following command to sign it.

/usr/bin/productsign --sign "<Name of Developer ID Installer Cert in Keychain>" source.pkg destination-signed.pkg

Hope this helps someone out there. As far as I can tell this gets around the unidentified developer warning.

Brad Root