Codesigning help

I’m not ready to “cry uncle” (to give up, for those not use to U.S. phrases) but I am finding codesigning on the Mac to be bewildering. I am sure it will all make sense once I have done it a couple of times, but right now I am lost in the sea of information they have posted in the Mac Developer area. I have an active, paid Mac developer account (and iOS account as well for that matter). Just a couple of quick questions that will hopefully point me in the right direction:

  1. I read the easiest way to get Apple Developer is to use XCode. Does this still apply for someone that is using just Xojo?
  2. Is it a long process form start to finish? Can I reasonably expect to get everything done in a 4 week time frame? I have no idea what layers I will peel back here. I am a single developer for an App outside of the MAS.
  3. What type do I need – Mac development, Mac App distribution, Mac Installer, Developer ID distribution,…?

I am hoping that there is a much shorter overview outside of all the docs on Thanks for any push in the right direction.

maybe you get access to Xojo developer magazine. I think in the archives are articles about that including step by step help:

Thanks Christian, I have an active subscription to the magazine. I’ll look through my archives.

Merv - Don’t walk, run (another US phrase) over to this site
link text
and download Sam Rowland’s App Wrapper 3. It will handle all of the details for you. Once I have an app ready for wrapping, it takes me about 5 minutes using App Wrapper to prepare it for submission to the MAS. On the few occasions where I encountered problems, Sam was more than helpful with advice.

Thanks, Roger. Coincidently, I own App Wrapper 3 as a few weeks ago. But I was not aware that it handled codesigning. I thought you had to do all that at the command line then App Wrapper bundled it up for the MAS. Right now I just need to keep GateKeeper from complaining, not really interested in selling in the MAS at this time.

Back to my original question #2. Given where I am at, is this a 1 day, 1 week, 1 month issue? Will I be waiting on Apple to approve anything for me in order to proceed?

If your app is already written, 4 weeks should be plenty of time.
You need a day or two for the payment contracts to be sorted out. And after submission you can check for an average wait time.

Yes, App Wrapper handles codesigning.
No. You can satisfy Gatekeeper without any input from Apple. Just use App Wrapper to sign your exe. You can choose to sandbox or not if not submitting to MAS

Tim, I think you missed [quote]not really interested in selling in the MAS at this time[/quote] in Merv’s reply.

Correct, maybe look at the MAS next year. So (roughly) how long to get a certificate and get the App codesigned so that GateKeeper is A-OK with the program? I’ll certainly do the investigation, but just wanted a rough idea of what kind of time frame we were talking about.

So it looks like something I could try tonight? I hate to be so dense guys, but the information at the Apple Developer site is a bit overwhelming.

One evening. Go to: and follow the prompts to get your certificates.
There is nothing to be “approved” in getting a cert. Although I have found the Apple Site very un-user friendly. Good luck

Thanks, Roger. The certificate is what it is looking for in App Wrapper, so I’ll head off to your link. Thanks for the help and I have my marching orders for tonight.

Codesigning an OS X app made with Xojo can be as simple as getting a Developer ID Application certificate and the Command Line Tools for Xcode from Apple and then issuing the following command in Terminal.

codesign --deep --sign "Developer ID Application" /PathTo/

You’ll need a Developer account with Apple and there are plenty of small steps to achieve each of the bigger steps but once you have your certificate and command line tools installed, codesiging your app is one command.

Preparing for the Mac App Store is more work but something that App Wrapper automates to a great degree.

Best of luck with getting your app codesigned and deployed. :slight_smile:

The “deep” option is deprecated. You need to sign the Xojo framework, the plugins and then the app itself.

Does App Wrapper take care of that? If so, I can’t imagine not using it as the tool of choice.

Yes. App Wrapper does anything and everything needed. You would be well inspired to use it, instead of reinventing the wheel that Sam so painfully, but efficiently, has been pushing for quite a while with constant success…

I would not go back to command line for an empire.

Where is it documented that the –deep option is deprecated?

On OS X 10.10.1 with the most recent Command Line Tools for Xcode, there is no indication of deprecation when using it or in man codesign when run from Terminal. The OS X Man Page also shows it as a valid option.

Yes, I used App Wrapper last night and I thought it went well, although a user I had try it, said it didn’t work. Still had to hold control key down to start the App. He didn’t move the previous version to the trash first though, he said he just replaced it (using a DMG drag-drop install). Does that matter? Probably something I don’t have set up right in App Wrapper, although it says it is wrapped and verified. I use 1 external plugin, maybe that is the issue somehow? Will investigate tonight.

@Frederick Roller: That was for Yosemite or just before. A bit of Googling gave me, which says:

My experience is to answer both questions with yes.
It took some days to complete the download of the certificate using XCode.
I also use AppWrapper to Codesign my applications (and to add Apple-compatible HTML based Help files created with Freeway Pro).

I’ve read that before but all of our Xojo Apps, even those with Xojo helper Apps rolled into the application bundle, satisfy Gatekeeper and the SignatureCheck tool. The latter of the two is available to Apple Developers and designed specifically to check signatures of both application bundles and installer packages. That said, we do sign our Xojo helper Apps prior to rolling them into the application bundles and then sign the application bundles. In all cases we use the --deep option with 100% success.