Once you have the Developer ID Application cert in your keychain, this is an example of a simple build script to sign your application:
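[code]
dim certName as string = "Exact name of your Developer ID Application certificate in your keychain"
dim bundlePath as string = CurrentBuildLocation + "/" + CurrentBuildAppName.ReplaceAll(" ", "\ ") + ".app"
// Strip extended attributes before signing
dim command as string = "xattr -rc " + bundlePath
Call DoShellCommand(command)
// Sign the bundle with the Developer ID Application certificate
command = "codesign -s """ + certName + """ " + bundlePath
Call DoShellCommand(command)
[/code]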
You can test your application against gatekeeper to see if the signing was successful with the following command in terminal:
[code]spctl -a -v -v /path/to/your/application[/code]
If you are going to distribute the application via the internet, then you’ll want to put your application into a DMG and sign that as well with a similar command to the build script:
[code]codesign -s "Exact name of your Developer ID Application certificate in your keychain" /path/to/your/dmg[/code]
If I can give you extremely good advice, put some very small money into AppWrapper. It helps you with making a fully compliant, code-signed app for AppStore and outside.
The above commands in this thread are pretty basic and will not cover permissions issues, correct plist, entitlements, temporary entitlements, container migration, clean up, verifying, …
The OP has clearly stated that MAS or Sandboxing is not required. So it is pretty basic.
Of course - we all agree that AppWrapper is excellent for MAS/Sandboxing and it’s very convenient even for the simplest use-case.
There are developers out there that want to have full control over the process themselves. Or some company rules don’t allow for 3rd party products being involved. Or other reasons…
Then the Xojo Documentation: Mac Code Signing or examples such as the Post Build Script are helpful (and maybe all that’s needed).
We’re in a lucky situation to have a choice, so we can pick what we prefer (or have to do).
I hear that loud and clear. But I always like to know how things work or don’t work as the case may be. I enjoy solving the puzzle. For a while anyway.
[code]
iMac27:Mac OS X (Cocoa Intel) dm$ spctl -a -v -v Hello_Certified_World.app
Hello_Certified_World.app: accepted
source=Developer ID
origin=Developer ID Application: Duane Mitchell (6A9######)
[/code]
Sorry I missed that the first time. Thanks for your help. For my needs right now this is all I hope I need.
I’m going to review all this and try to get it down to just the steps needed. I may have gotten the file path wrong the first time I tried to test it against Gatekeeper.
Nope.[quote=359602:@Jared Feder]If it complains about “resource fork, Finder information, or similar detritus not allowed” then you need to run this first:
xattr -rc /path/to/your/application[/quote]
Technically this only solves one of the 5 reasons that I’m aware of and as Apple don’t publish what can cause this, there are potentially more.
[quote=359556:@Jared Feder]command = "codesign -s """ + certName + """ " + bundlePath
Call DoShellCommand(command)[/quote]
Running this line fails because the Keychain is not getting a login. It asks for the Keychain login when running the line in Terminal. I looked around and I don’t see any way to supply a login or even a workaround. I’m running High Sierra. Perhaps past OS versions worked for this build script. Not working here.
Yes I have looked at it and it is quite a piece of work. Thanks for sharing it. Needs more time than I can give it now but it is the logical next step in this learning process. I’m about done with this phase.
[quote=359795:@Jared Feder]It should ask you if you want to save your keychain login information when you run it from terminal.
That is what worked for me. I am still running Sierra, however, so something may have changed.[/quote]
Yes it does ask for it in terminal and I did choose the “Always Allow” option. But then I run the Build again and it does not get signed.
I just took a closer look at the code from @Jürg Otter
Does the build script work if you unlock your login keychain before building your application?
Open Keychain Access and click the lock in the upper left, then enter your password.
I’m asking for both of us really, so that I have the info when I end up going to High Sierra.
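
A post-build check for the steps discussed in this thread, written as an added example (not code posted by any participant): it runs each step, stops at the first failure instead of discarding exit codes, and accepts the bundle only if `spctl` reports it accepted with a Developer ID source. The function names, return codes and the `security find-identity` pre-check are choices of this example.

```shell
#!/bin/sh
# Added example: sign a bundle and stop at the first step that fails.

# Read `spctl -a -v -v` output on stdin. Succeed only if the bundle was
# accepted with a Developer ID source, and print the signing origin.
gatekeeper_ok() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q ': accepted$' || return 1
    printf '%s\n' "$out" | grep -q '^source=Developer ID$' || return 1
    printf '%s\n' "$out" | sed -n 's/^origin=//p'
}

# Usage: sign_and_verify "<certificate name>" /path/to/your/application
# Return codes (chosen for this example): 2 identity missing, 3 xattr,
# 4 codesign, 5 signature check, 6 Gatekeeper assessment.
sign_and_verify() {
    cert=$1
    bundle=$2
    # The certificate name must match a valid code-signing identity exactly.
    security find-identity -v -p codesigning | grep -qF "\"$cert\"" || {
        echo "no valid signing identity named: $cert" >&2; return 2; }
    # Clear resource forks / Finder info that codesign refuses to sign.
    xattr -rc "$bundle" || return 3
    # A keychain that cannot be used non-interactively makes this step fail,
    # so its exit status is checked rather than discarded.
    codesign -s "$cert" "$bundle" || {
        echo "codesign failed; check that the login keychain is unlocked" >&2
        return 4; }
    codesign --verify --strict "$bundle" || return 5
    # Merge stderr into the pipe so the assessment text is always captured.
    spctl -a -v -v "$bundle" 2>&1 | gatekeeper_ok || return 6
}

if [ "$#" -eq 2 ]; then
    sign_and_verify "$1" "$2"
fi
```

The same function can be pointed at a signed DMG path, since the thread signs the DMG with the same `codesign -s` form.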