Command Line Helper App Signatures

Christian_Wheel · September 10, 2023, 12:27am

Hi all, trying to figure out the best way to navigate this.

To be clear, this app is NOT for the MAS.

My application includes a command-line helper app. I include it in the Resources folder of my application bundle, then on first run, it gets copied to SpecialFolders.ApplicationData.Child(“MyApp”) and I set the Permissions to &o755 so it can be executed.

This works fine at first. However the helper app is written by a third-party and it self-updates every few weeks. Once it self-updates, the user gets the error that it can’t be run because Apple can not check it for malicious software (it has lost its signature and notarization).

What’s the best way to handle this?

Greg_O · September 10, 2023, 12:29am

Tell the third party to sign their damn app.

Christian_Wheel · September 10, 2023, 12:34am

Agreed that’s the best solution, but I can’t count on that happening.

Tim_Parnell · September 10, 2023, 12:43am

Can you ad hoc sign it with your app if you notice it changes?

Hmm I guess that would require the user have xcode though.

Christian_Wheel · September 10, 2023, 12:46am

I think it’s also the notarization that it’s missing that prevents it from running as well. Just a signature may not be enough.

Greg_O · September 10, 2023, 12:52am

The only other thing I can think of is to ask the developer is there’s a way to bypass the update mechanism on the command line (or ask them to add the feature) and then when a new version comes out, you put it in the next version of your app.

Sam_Rowlands · September 10, 2023, 1:12am

If you can disable the update system like @Greg_O suggests, this is a actually a good thing.

It means that you can then execute the helper from within your app bundle, but not from the Resources folder, the executable should be placed in the macOS, Helpers or Frameworks folder to meet the code signing guidelines. This also means that you set the permissions on the helper only once.