Code signing app

Is there a way to tell which items inside your DMG are not code signed?

I create the DMG and it installs find in the Applications, but if I upload to our website and download it from there, when I attempt to run the APP, it says it’s damaged.

Also, any good resources that explain how to code sign all the items inside your DMG?

I would say that using the pair AppWrapper to proper sign/notarize things, and DMG Canvas to sign/notarize your DMG, you should not have such problem.


You run a command

spctl -a -v -t install test.dmg

with the path to the dmg.
it should output something like

test.dmg: accepted
source=Notarized Developer ID

1 Like

It looks like that only will verify that it’s been notarized, but not code signed?

if not notarized, but signed, it will show this:

test.dmg: rejected
source=Unnotarized Developer ID

Excellent, we don’t need it notarized, just code signed and that’s the response I got.

Thank you for your help.

Sorry, follow up question. We have code signing in an application that we wrote and it appears to be working correctly; however, just for clarification and because the developer that wrote that app is no longer employed with us, what exactly do you need to code sign in your app?

Code signing without notarisation doesn’t do anything these days. You still get the dialog “app can contain malicious code”.

You need a developer account, you download the certificates. And then you need to enter the name of the certificate into Xojo and the app you are making the dmg with.

You need to sign any binary code inside the app bundle and then sign the whole bundle.


  • (if it exists)

Even better, get yourself a copy of AppWrapper and have it do all the relevant parts. It’ll even do the notarization.


Beatrix, you stated “you need to enter the name of the certificate into XOJO and the app you are making”. How do you do that?

Go to the Sign build step:

For macOS, look at macOS in the Build Settings part of the navigator pane, expend that, and click on Sign.

Decided to take the excellent advice from this forum.

Downloaded and purchased AppWrapper and when setting up code sign, it says that I am “missing private key required for signing”. Not exactly sure how to get a private key for my certificates?

Rick, I deleted and recreated all the certificates (Mac Development, Developer ID Installer, and Developer ID Application) with a new CSR that I created on my computer. I then added them to Keychain and yet AppWrapper still says I’m missing a private key. Any ideas how to correct this issue?

Yes, use Xcode to manage your certificates.

1 Like

As Thomas R. mentioned, do not manage the certificates manually,
but use XCode to manage them.

Just FYI, the problem with using Xcode is that it likes to create some certificates that are not compatible with Xojo… specifically wildcard certs.

It is possible to get this to work and manage them yourself (that’s how I do it) and get some diagnostics using my Profile Triage app which is available on my website.

Going back to your question though… usually the reason the private key is missing is that you didn’t store it in your keychain the first time you downloaded it. After that, the only thing you can download is the public key, and you can’t sign with that. The remedy is to delete the key and create a new one from scratch.

I also suggest reading my blog post about this…