gatekeeper codesign rejected

I was able to sign my app using the codesign utility. But when I run “spctl -a -t exec -vv”, I’m getting the following response:

[quote]rejected
origin=Mac Developer: Christian Schmitz (AC4MQK4WSK)[/quote]

I have no idea who this is. I googled it and it looks like it has something to do with MBS. How do I resolve this?

Thank you!

You’ve been around here and not heard of Christian? He’s the publisher of the MonkeyBread Software plugins – either ask him here @Christian Schmitz or at https://www.mbsplugins.de/

you need to sign

  • all framework dylibs from plugin
  • the xojo framework
  • the whole app

with three calls to codesign utility.

…yes, or just wait until he answers :wink:

Okay, thank you!

Is there a published doc on this anywhere? I’m not sure how to sign those things individually.

…which doesn’t take long!

[quote=197356:@Christian Schmitz]you need to sign

  • all framework dylibs from plugin
  • the xojo framework
  • the whole app

with three calls to codesign utility.[/quote]

Or maybe even 4 separate calls? https://forum.xojo.com/23569-codesign-deep-internal-error-unloading-bundle-cfbundle/p1#p196334 (not clear to me if you need to sign the Xojo framework Version separate from the outer wrapper or not, but it probably doesn’t hurt)
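The inside-out order described in this thread (plugin dylibs, then the framework, then the whole app), as an added shell example that is not from any poster or from Xojo. The signing identity, the `Contents/Frameworks` layout and the `DRY_RUN` switch are assumptions; `spctl -a -t exec -vv` is the check from the first post.

```shell
#!/bin/sh
# Added example: sign a Mac app bundle from the inside out, then assess it.
# Assumptions: nested code lives in Contents/Frameworks; IDENTITY is a
# placeholder for a certificate name in your own keychain. Gatekeeper
# assesses Developer ID signatures for apps distributed outside the store.
IDENTITY="${IDENTITY:-Developer ID Application: Example Name (TEAMID)}"

# Print the signing targets, innermost first, one path per line:
# dylibs, then framework bundles (nested before outer), then the app itself.
sign_targets() {
    app="$1"
    fw="$app/Contents/Frameworks"
    if [ -d "$fw" ]; then
        find "$fw" -type f -name '*.dylib' | sort
        find "$fw" -depth -type d -name '*.framework'
    fi
    printf '%s\n' "$app"
}

# Sign every target with its own codesign call. With DRY_RUN set, only print
# the commands. Afterwards verify the seal and ask Gatekeeper for a verdict.
sign_bundle() {
    app="$1"
    sign_targets "$app" | while IFS= read -r target; do
        if [ -n "${DRY_RUN:-}" ]; then
            printf 'codesign --force --sign "%s" "%s"\n' "$IDENTITY" "$target"
        else
            codesign --force --sign "$IDENTITY" "$target" || exit 1
        fi
    done || return 1
    if [ -n "${DRY_RUN:-}" ]; then
        return 0
    fi
    codesign --verify --deep --strict --verbose=2 "$app" || return 1
    spctl -a -t exec -vv "$app"
}

# Usage: sh sign.sh "/path/to/My App.app"
if [ "$#" -gt 0 ]; then
    sign_bundle "$1"
fi
```

Run it once with `DRY_RUN=1` to review the generated `codesign` calls before signing for real.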

I suggest taking a look at AppWrapper 3 - not free but it is worth every little cent. Best money a Xojo dev can spend.

Actually, trying it is free, and you can experiment for yourself.

I have been using it for years. Saved me a ton of Aspirin :wink:

Agreed, assuming s/he is doing Mac builds :stuck_out_tongue:

I believe it has to be Mac, since Gatekeeper is OS X, and the error reports a Mac Developer.

FWIW, on PC I use KSign provided for free by http://codesigning.ksoftware.net/ and never had any issue.

Michel, just a quick question, is signing an application on Windows fairly painless like it was for OSX? With some help here on the Forums, I was able to get everything (Apple certificates, XCode installed, App Wrapper, etc…) set up in pretty much one day for the Mac. I’ve never signed any Windows apps in the past, but it is becoming a necessity nowadays. Is the process similar? Or has this possibly been spelled out in another thread?

I believe it has been covered in the forum, but could not really remember where or when. With KSign, it is an extremely simple process. You get your signing certificate from a third party. Prices vary widely, but Comodo, which is sold at KSoftware, is I believe the best deal. $89 a year, which is pretty much the same as Apple. It can climb up to $599 with Verisign but it will not do better for the regular signing.

Once you have your certificate, you extract the PFX file (KSoftware will tell you how to collect the certificate) from the computer you have used to order. For years I have been doing that on the Mac. Then under Windows, you use KSign to sign the EXE and the installer. It works very simply : select the files to add them into the list of files to sign and click a button. That’s it.

I know Bob Keeney and Christophe de Vocht are using the same solution, and probably several others. Today distributing unsigned software triggers the nasty equivalent of Gatekeeper which, under Windows 10, does exactly the same, namely refuses to launch the app. If you are serious about distributing software and want to minimize support requests, you should sign your executables IMO.

Yes, for Windows I use KSign. It is very easy to use.
That said, the verification procedure can take a long time. In my case +1 week with several mails going up and down including a lot of personal documents (ID, Electricity bills, Driving license, … ) just to prove who you really are. Eventually, after one week they called me up to say my signing certificate was approved.
So be prepared to have some patience when buying a Windows signing certificate for the first time. :slight_smile:

[quote=197519:@Christoph De Vocht]Yes, for Windows I use KSign. It is very easy to use.
That said, the verification procedure can take a long time. In my case +1 week with several mails going up and down including a lot of personal documents (ID, Electricity bills, Driving license, … ). Eventually, after one week they called me up to say my signing certificate was approved.
So be prepared to have some patience when buying this for the first time. :-)[/quote]

It cannot be worse than Verisign. They required all that, plus a certified copy of my passport, plus a signed contract attesting I was going to use their certificate for lawful purposes, signed by the same authority that certifies the passport copy. Then they frowned because the contract had been translated in French. At that point I wrote a very angry letter to their CEO with a copy to Microsoft and canceled the order. Soon after I noticed Microsoft had added Digicert to the possible sources for Authenticode.

Anyway, that was necessary to get listed in the Windows Store. Since soon Desktop apps should be accepted in that store without that requirement with the Bridge program, I will wait for that to resume work on my Windows project.

That was my point…

We use kSign as well, and it is very easy to use - highly recommend it.

Thanks guys, and especially Michel for spelling it all out. I’ll check into it this week. With Windows 10 coming down the pike, it looks like it is a necessity going forward.

I already have a valid pfx certificate for my company
Could I use it for my desktop Xojo application to avoid the Gatekeeper problem?

[quote]I already have a valid pfx certificate for my company
Could I use it for my desktop Xojo application to avoid the Gatekeeper problem?[/quote]
Not if you are on a Mac.
It has to be Apple’s way or nothing.
Developer subscription and certs.

Hi @Jeff Tullin, could you list for me, step by step, what to do? I don’t need the Mac OS Store at the moment, only download from my website.