Code signing and Sparkle

I’m really struggling with getting Sparkle working with my app. At the moment, I think I’ve got everything working, except the app’s signature. The current issue is this: I need to be able to code sign my app. (It’s not going in the App Store, but it needs to be code signed anyway.)

Currently, I’m signing my app using:

codesign -s signature_name /path/to/my/app

This had been working fine, but fails when I have added Sparkle to the Frameworks folder inside the app with the following message:

/path/to/app/ code object is not signed at all
In subcomponent: /path/to/app/

If I try signing first, then adding Sparkle to the Frameworks folder, it appears to have worked, but the signature fails to validate, as I would expect it to.

Any ideas?

How do you sign your components? You need to sign from the inside out (plugins, Xojo framework, Sparkle and then your app).

Well, as I said, like this:

codesign -s signature_name /path/to/my/app

This has been working just fine. I’ve never needed to sign the Xojo framework or MBS plugins individually. However, I’m open to trying it if you could explain how I would go about signing from the inside out.

I’ve done some more research, and found some hints that this may be a result of using an older version of Sparkle. It sounds like Sparkle 1.5b6 or older will not codesign properly… but newer versions of Sparkle don’t support 32-bit apps, which is all Xojo is currently able to create!

How are other people handling this? Simply not signing my app isn’t an option.

I just built a 32-bit version of Sparkle 1.6.1 (I think… not sure I did it right), and the problem still exists.

I’ve tried a bunch of things I found online, including:

codesign -f -s cert_name /path/
codesign -f -s cert_name /path/
codesign -f -s cert_name /path/

This doesn’t work, though. It fails on the second step:

/path/ bundle format is ambiguous (could be app or framework)

I also tried replacing that second step with:

codesign -f -s cert_name /path/

That works without errors, but then the third step still fails with exactly the same error message as shown in my first message above.

I’ve found my solution! For the record, I was using “cp -r” in a build script to copy the Sparkle.framework into my app. It turns out, this messes up the symlinks in the framework, and that causes the signing to fail. Using “cp -R” instead fixed that problem.

Here’s the current code from my build script, which seems to be working perfectly:

[code]
dim cmds(), s, appPath, frameworksPath as String

// set up
appPath = CurrentBuildLocation+"/"""+CurrentBuildAppName+""".app"
frameworksPath = appPath+"/Contents/Frameworks/"

// prepare the commands
cmds.Append "cd ""$PROJECT_PATH""" // Move to the project folder
cmds.Append "cp -R Sparkle.framework " + frameworksPath + "Sparkle.framework/" // -R keeps the framework's symlinks
cmds.Append "codesign -f -s cert_name " + appPath + "/Contents/Frameworks/Sparkle.framework/Versions/A" // sign the framework first
cmds.Append "codesign -f -s cert_name " + appPath // then sign the app itself

// run everything in one shell call and report any output
s = DoShellCommand (Join (cmds, ";"))
if s <> "" then
print "App build failed: "+s
end if
[/code]

If you want to copy without messing up the symlinks, investigate the “ditto” command.

Also, code-signing has evolved significantly in 10.9.5 / 10.10; you now need to sign every bit of executable code in your framework.
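The following shell sketch is an added example, not code from any poster in this thread: it copies a framework with ditto, checks that the copy kept the symlinks of the standard versioned framework layout before signing, then signs the framework version first and the app last, as the thread describes. The function names, the argument order and the Versions/A path are assumptions for illustration; embed_and_sign needs macOS, while the symlink check runs anywhere.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and arguments are
# hypothetical; cert and paths are supplied by the caller.

# Return 0 if the copied framework still has its symlinks; otherwise print
# every entry that was flattened into a real file or directory and return 1.
framework_symlinks_intact() {
    fw=$1
    bad=0
    # Versions/Current must be a symlink to the active version (e.g. A).
    if [ ! -L "$fw/Versions/Current" ]; then
        echo "not a symlink: $fw/Versions/Current"
        bad=1
    fi
    # In the versioned layout, every top-level entry except Versions is a
    # symlink into Versions/Current.
    for entry in "$fw"/*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        [ "$(basename "$entry")" = "Versions" ] && continue
        if [ ! -L "$entry" ]; then
            echo "not a symlink: $entry"
            bad=1
        fi
    done
    return $bad
}

# Copy the framework into the app, refuse to sign a flattened copy, then
# sign from the inside out and verify the result. macOS only.
embed_and_sign() {
    src=$1; app=$2; cert=$3
    dest="$app/Contents/Frameworks/$(basename "$src")"
    ditto "$src" "$dest" || return 1                      # preserves symlinks
    framework_symlinks_intact "$dest" || return 1
    codesign -f -s "$cert" "$dest/Versions/A" || return 1 # framework first
    codesign -f -s "$cert" "$app" || return 1             # app last
    codesign --verify --deep --strict "$app"              # confirm it validates
}

# Usage (placeholders): embed_and_sign Sparkle.framework /path/to/My.app cert_name
```

Running the check before codesign turns the unhelpful "code object is not signed at all" failure into a list of the entries the copy step flattened.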