Code Signing for Sierra

Hi. Is it okay to use App Wrapper on El Capitan to package and sign your app and then DMGCanvas on El Capitan to package it into a DMG and sign the DMG, or do you have to do it all on Sierra for it to pass Sierra Gatekeeper and other security tests? If I do it all on El Capitan, what’s the best way to test that it is all valid for Sierra?

I do this all the time. It works great.

You can sign it all on El Capitan (I do).
To test that a disk image signature will pass Gatekeeper validation on Sierra you will need to check its signature on Sierra.

Just had a 64-bit app that was signed on El Cap accepted to the MAS yesterday.

Thanks. And congrats Roger!

How do you test for a valid signature on Sierra?

You can use App Wrapper to test the signature; you only need to be on Sierra for the system to provide the information to App Wrapper, as El Capitan just cannot.

After wrapping an app, I always UL it to my site then DL it on my El Cap, my Sierra, and any other machines I can get my hands on. I always want to test a new user’s experience.

Roger’s method is also very important because only downloading from an external location will cause the quarantine bit to be set until the cert is verified. Simply copying the DMG/PKG from one machine to another in your local environment won’t set that flag in every situation.

Yes indeed, good advice for sure. Can App Wrapper check the signature of a DMG as well as an app, or do you have to do that via terminal?

App Wrapper can check disk image signatures, but again, only on Sierra.
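
For the terminal route asked about above, here is an added example (not from any poster in this thread, and not App Wrapper's own code) that checks a downloaded .app or .dmg on Sierra with Apple's `xattr`, `codesign` and `spctl` tools. The function names `gk_type_for` and `gk_check` are hypothetical; it covers only .app and .dmg, the two cases discussed here.

```shell
#!/bin/sh
# Added example: run on the Sierra test machine against the copy you
# downloaded from your site, not a file copied over the local network.

# Map a path to the spctl assessment type used for it.
gk_type_for() {
    case "$1" in
        *.dmg)        echo open ;;      # disk image
        *.app|*.app/) echo execute ;;   # application bundle
        *)            return 1 ;;       # not handled by this example
    esac
}

gk_check() {
    gk_target=$1
    gk_kind=$(gk_type_for "$gk_target") || {
        echo "unsupported file type: $gk_target" >&2; return 2; }
    for gk_tool in xattr codesign spctl; do
        command -v "$gk_tool" >/dev/null 2>&1 || {
            echo "$gk_tool not found (run this on macOS)" >&2; return 127; }
    done

    # Without the quarantine attribute you are not reproducing what a
    # new user's download goes through.
    if xattr -p com.apple.quarantine "$gk_target" >/dev/null 2>&1; then
        echo "quarantine attribute: present"
    else
        echo "quarantine attribute: MISSING (file was not downloaded)"
    fi

    # 1. Is the signature itself intact?
    codesign --verify --deep --strict --verbose=2 "$gk_target" || return 1

    # 2. Would Gatekeeper accept it?
    if [ "$gk_kind" = open ]; then
        spctl -a -t open --context context:primary-signature -v "$gk_target"
    else
        spctl -a -t execute -vv "$gk_target"
    fi
}

# Usage: sh gkcheck.sh ~/Downloads/MyApp.dmg   (file name is a placeholder)
if [ "$#" -gt 0 ]; then gk_check "$1"; fi
```

A zero exit status means both the signature check and the Gatekeeper assessment passed; `spctl` prints `accepted` or `rejected` along with the signing source.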