Codesigning and 10.10

Hello,

I have some trouble with the codesigning of my Applications, which I have on my homepage. With OS 10.9, there was no problem. But with 10.10 the Program starts after the download with a message that the program is not from a verified developer.

I have almost the same app for the MAS. This is wrapped with App Wrapper. And there it works.

I sign my Program with the automation feature and the shell command "codesign -f -s 'Developer ID Application: XXX' 'aaa'" with the automation feature of Xojo. aaa stands for the cubeSQL library and the App. So there are two steps.

Does someone have a similar problem? And a resolution? Thanks.

I wonder why you sign your app manually when you have App Wrapper. I have been signing all the executables I sell on my web sites (NOT MAS) with it since I got APW in 2013 and AW 2 in 2014, and never looked back.

Did you recently download your certificates?
Not that they are too old.

Hello,

I create with one phase two versions, one for the MAS and one for my homepage. So I use AppWrapper for the store and with a copy of the app I create the version for the homepage. Before signing it I have to change some Resources, so I need to code sign it twice.

And yes, I checked the certificates, and they are valid, and not double in the keychain.

Use a different Identifier, for instance com.mylab.myapp and com.mylab.myapp1 and App Wrapper will let you create two different profiles, so you can sign each version.

Hi Manfred,
PM a link to the application and I'll take a look at it for you.

If you have App Wrapper 3, you can set up different actions depending on your target, so you have App Wrapper carry out different tasks for the App Store than for your own site.

Don't you need to use the "--deep" option with codesign to properly sign the Xojo framework?

Like Michael suggested, try it with the --deep option.

Hello,

Today I found the problem. The reason was the copying of the app from the MAS version to the download version; I did it with cp -r. As I read in the thread with the Sparkle problem, I now use cp -R instead. And now it works fine.

Thank you for all ideas and the author in the Sparkle thread.

What’s the difference between r and R for cp? I’m asking because I have issues when signing.

This manual page only says they’re synonyms for recursive. I too am curious about what the difference is.

Ideally if you’re going to use cp, use cp -a, so that you preserve the file meta data and don’t stuff your symbolic links.

You can use App Wrapper for distributing your applications outside of the App Store also, change the code signature and disable sandboxing (if you don’t want sandboxing).

Doesn’t cp -a preserve the user that has created the app? Need to try this…

I have been told long ago in the twelve steps program : “Easy does it”.

I have been doing that ever since I purchased App Wrapper Mini back in 2013 and never needed to codesign manually since :)

Hello,

The difference is in handling the links. I copied the app to a new folder and renamed it. With -r there was a problem signing the framework. And with -R it works. I think that the links in the framework folder are not correctly copied. But I also don't understand why the app worked with the wrong links.

@Manfred: are you sure? r is just a synonym for R and there is no difference. At least not according to the docs I read.

Hello,

I also thought that there is no difference. But in the thread I mentioned above it was described. And I checked some other sources. The difference is that with -r the original file of the link will be copied and with -R the link will be changed to the new location. And with this change it works for me. And I checked it for all my programs. And also vice versa.

I use AppWrapper for my Apps for the MAS. And before using MAS I still used codesigning for my apps. So I didn’t have to change something. The problem occurred with 10.10 or a late update for 10.9. Maybe also with a new Xojo Version. I can’t reproduce it any more.

A little bit about the background. I create my apps for Windows, Linux and OS X. And for OS X there is a version for the MAS and a slightly different version for downloading from my homepage.

For OS X I create a version with Xojo and before using AppWrapper I copy the app to a new folder and a new name. This is done by the above command. The version for MAS is further processed by AppWrapper. The download version gets some additional files and a new name. And in the end it is signed. In the result I have four different versions from one source.
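
The fix reported in this thread hinges on whether the copy keeps the framework's symbolic links or replaces them with copies of their targets. The check below is an added example, not part of any post: it compares a bundle with its copy and lists links that were flattened. The Demo.framework layout and the function names are constructed for illustration, and `cp -RP` / `cp -RL` are used to force each behaviour explicitly.

```shell
#!/bin/sh
# Build a constructed bundle shaped like a versioned macOS framework.
# Demo.framework and its contents are made-up sample data.
make_sample_bundle() {
    fw="$1/Demo.framework"
    mkdir -p "$fw/Versions/A/Resources"
    printf 'binary\n' > "$fw/Versions/A/Demo"
    printf 'plist\n' > "$fw/Versions/A/Resources/Info.plist"
    ln -s A "$fw/Versions/Current"
    ln -s Versions/Current/Demo "$fw/Demo"
    ln -s Versions/Current/Resources "$fw/Resources"
}

# List every path that is a symlink in the original ($1) but is missing,
# a regular file/directory, or a link with a different target in the copy ($2).
flattened_links() {
    ( cd "$1" && find . -type l ) | while IFS= read -r rel; do
        if [ ! -L "$2/$rel" ]; then
            echo "$rel (no longer a symlink)"
        elif [ "$(readlink "$1/$rel")" != "$(readlink "$2/$rel")" ]; then
            echo "$rel (target changed)"
        fi
    done
}

# Number of damaged links; 0 means the copy kept the link structure.
count_flattened() {
    flattened_links "$1" "$2" | wc -l | tr -d ' '
}

# Demo: copy the same bundle twice, once keeping links (-P),
# once following them (-L), and compare each copy with the original.
demo() {
    work=$(mktemp -d)
    make_sample_bundle "$work/src"
    cp -RP "$work/src" "$work/kept"
    cp -RL "$work/src" "$work/flat"
    echo "links kept (-RP): $(count_flattened "$work/src" "$work/kept") damaged"
    echo "links followed (-RL): $(count_flattened "$work/src" "$work/flat") damaged"
    flattened_links "$work/src" "$work/flat"
    rm -rf "$work"
}
demo
```

On macOS, run `flattened_links` against the built app and its copy before signing, then confirm the signed copy with `codesign --verify --deep --strict --verbose=2`.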