Mac Desktop Code Signing Ad Hoc

Once you have the Developer ID Application cert in your keychain, this is an example of a simple build script to sign your application:

[code]dim certName as string = “Exact name of your Developer ID Application certificate in your keychain”
dim bundlePath as string = CurrentBuildLocation + “/” + CurrentBuildAppName.ReplaceAll(" “,”\ ") + “.app”

dim command as string = "xattr -rc " + bundlePath
Call DoShellCommand(command)

command = “codesign -s “”” + certName + “”" " + bundlePath
Call DoShellCommand(command)[/code]

You can test your application against Gatekeeper to see if the signing was successful with the following command in Terminal:

spctl -a -v -v /path/to/your/application

If you are going to distribute the application via the internet, then you’ll want to put your application into a DMG and sign that as well with a similar command to the build script:

codesign -s "Exact name of your Developer ID Application certificate in your keychain" /path/to/your/dmg

I hope that helps.
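The procedure in the post above (strip extended attributes, sign with the Developer ID Application identity, check the result with Gatekeeper, then put the app in a DMG and sign that too) written out as one shell script. This is an added example, not the poster's build script; it assumes the identity name is the first argument, the .app path the second, and an optional DMG output path the third. The gatekeeper_verdict helper parses the one-line verdict spctl prints so the script can fail the build on anything other than "accepted source=Developer ID".

```shell
#!/bin/sh
# Added example: sign a .app (and optionally a DMG) with a Developer ID
# Application identity, then verify with codesign and Gatekeeper.
# Assumed arguments: identity name, app bundle path, optional DMG output path.
set -eu

# Remove resource forks / Finder info; otherwise codesign fails with
# "resource fork, Finder information, or similar detritus not allowed".
strip_xattrs() {
    xattr -rc "$1"
}

# Sign one item (app bundle or DMG) with the named identity.
sign_item() {
    codesign -s "$1" "$2"
}

# Structural check of the signature, then show what identity signed it.
verify_app() {
    codesign --verify --deep --strict --verbose=2 "$1"
    codesign -dvv "$1"
}

# Classify spctl's verdict line. Pure shell so it can be exercised on sample
# output without macOS tooling present.
gatekeeper_verdict() {
    case "$1" in
        *": accepted source=Developer ID"*) echo "accepted-developer-id" ;;
        *": accepted"*)                      echo "accepted-other" ;;
        *": rejected"*)                      echo "rejected" ;;
        *)                                   echo "unknown" ;;
    esac
}

# spctl prints its verdict on stderr, so capture both streams.
gatekeeper_check() {
    out=$(spctl -a -v -v "$1" 2>&1 || true)
    gatekeeper_verdict "$out"
}

# Wrap the signed app in a compressed DMG, sign the DMG, and assess it as a
# container opened from the internet (the "open" assessment type).
package_dmg() {
    app="$1"; dmg="$2"; cert="$3"
    hdiutil create -volname "$(basename "$app" .app)" -srcfolder "$app" \
        -ov -format UDZO "$dmg"
    sign_item "$cert" "$dmg"
    spctl -a -v -v -t open --context context:primary-signature "$dmg"
}

# Usage: sign.sh "Developer ID Application: Name (TEAMID)" /path/App.app [/path/App.dmg]
if [ "$#" -ge 2 ]; then
    strip_xattrs "$2"
    sign_item "$1" "$2"
    verify_app "$2"
    verdict=$(gatekeeper_check "$2")
    [ "$verdict" = "accepted-developer-id" ] || {
        echo "Gatekeeper verdict was '$verdict', not a Developer ID acceptance" >&2
        exit 1
    }
    if [ "$#" -ge 3 ]; then
        package_dmg "$2" "$3" "$1"
    fi
fi
```

Run it from the build step instead of chaining individual commands so a rejected signature stops the build rather than producing an unsigned artifact that only fails later on a user's machine.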

If I can give you extremely good advice, put some very small money into AppWrapper. It helps you with making a fully compliant code-signed app for the App Store and outside.

The above commands in this thread are pretty basic and they will not cover permission issues, a correct plist, entitlements, temporary entitlements, container migration, clean-up, verifying, …

The OP has clearly stated that MAS or Sandboxing is not required. So it is pretty basic.
Of course - we all agree that AppWrapper is excellent for MAS/Sandboxing and it’s very convenient even for the simplest use-case.

There are developers out there that want to have full control over the process themselves. Or some company rules don’t allow for 3rd party products being involved. Or other reasons…
Then the Xojo Documentation: Mac Code Signing or examples such as the Post Build Script are helpful (and maybe all that’s needed).

We’re in a lucky situation to have a choice, so we can pick what we prefer (or have to do) :slight_smile:

I hear that loud and clear. But I always like to know how things work or don’t work as the case may be. I enjoy solving the puzzle. For a while anyway.

I get an error on the testing. The message is:

rejected source=no usable signature

Thinking it might be this I tried all 3 variations of what is listed in the Keychain.

Developer ID Application: Duane Mitchell (6A9######)
Duane Mitchell (6A9######)
Duane Mitchell

The first variation of the certificate name is the correct one.

Try signing the application manually in terminal and see what error you get:

codesign -s "Developer ID Application: Duane Mitchell (6A9######)" /path/to/your/application

If it complains about “resource fork, Finder information, or similar detritus not allowed” then you need to run this first:

xattr -rc /path/to/your/application

I get this error.

Hello_Certified_World.app: resource fork, Finder information, or similar detritus not allowed

Run this first:

xattr -rc /path/to/your/application

iMac27:Mac OS X (Cocoa Intel) dm$ spctl -a -v -v Hello_Certified_World.app
Hello_Certified_World.app: accepted source=Developer ID origin=Developer ID Application: Duane Mitchell (6A9######)

OK! Progress. Could it be done now?

Yep! That’s a successful code signing.

Sorry I missed that the first time. Thanks for your help. For my needs right now this is all I hope I need.

I’m going to review all this and try to get it down to just the steps needed. I may have gotten the file path wrong the first time I tried to test it against Gatekeeper.

Nope.

[quote=359602:@Jared Feder]If it complains about “resource fork, Finder information, or similar detritus not allowed” then you need to run this first:

xattr -rc /path/to/your/application[/quote]
Technically this only solves one of the 5 reasons that I’m aware of, and as Apple don’t publish what can cause this, there are potentially more.

[quote=359556:@Jared Feder]command = "codesign -s """ + certName + """ " + bundlePath
Call DoShellCommand(command)[/quote]
Running this line fails because the Keychain is not getting a login. It asks for the Keychain login when running the line in Terminal. I looked around and I don’t see any way to supply a login or even a workaround. I’m running High Sierra. Perhaps past OS X versions worked for this build script. Not working here.

It should ask you if you want to save your keychain login information when you run it from terminal.

That is what worked for me. I am still running Sierra, however, so something may have changed.

Have you looked at the Shell Script in Xojo2DMG? :wink:

Yes I have looked at it and it is quite a piece of work. Thanks for sharing it. Needs more time than I can give it now but it is the logical next step in this learning process. I’m about done with this phase.

[quote=359795:@Jared Feder]It should ask you if you want to save your keychain login information when you run it from terminal.

That is what worked for me. I am still running Sierra, however, so something may have changed.[/quote]
Yes it does ask for it in terminal and I did choose the “Always Allow” option. But then I run the Build again and it does not get signed.

There is an 'unlock keychain' in the Xojo2DMG script.
I just can't look it up right now :slight_smile:

It looks like I’ll have to end up reworking my build script with that functionality in mind.

Thanks for sharing.

I just took a closer look at the code from @Jürg Otter

Does the build script work if you unlock your login keychain before building your application?
Open Keychain Access and click the lock in the upper left, then enter your password.

I’m asking for both of us really, so that I have the info when I end up going to High Sierra.
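The keychain prompt problem discussed in the last few posts (the build script works in Terminal after "Always Allow", but not when run from the IDE) comes down to the keychain being locked, and on 10.12 and later also to the key's access control list. The following is an added example, not the Xojo2DMG script or anything from the thread; it assumes the keychain path is passed as the first argument (on 10.12+ the login keychain is ~/Library/Keychains/login.keychain-db) and that the password is supplied through a KEYCHAIN_PASSWORD environment variable rather than written into the build script. It also looks up the exact "Developer ID Application: …" identity name from the `security find-identity` listing, which is the first of the three name variations tried earlier in the thread and the only one codesign -s accepts.

```shell
#!/bin/sh
# Added example: unlock the keychain holding the Developer ID key so that
# codesign called from a build script gets no GUI password prompt, and find
# the exact identity name to pass to `codesign -s`.
# Assumptions: keychain path is $1; password is in KEYCHAIN_PASSWORD.
set -eu

# Unlock, then let Apple's signing tools use the private key without a
# per-use prompt. The partition-list step is what makes "Always Allow"
# stick on 10.12 and later; unlocking alone is not enough there.
unlock_keychain() {
    kc="$1"; pw="$2"
    security unlock-keychain -p "$pw" "$kc"
    security set-key-partition-list -S apple-tool:,apple:,codesign: \
        -s -k "$pw" "$kc" >/dev/null
    # Relock automatically after an hour so the build host is not left open.
    security set-keychain-settings -t 3600 "$kc"
}

# Constructed sample of `security find-identity -v -p codesigning` output,
# shaped like the real listing (index, SHA-1 hash, quoted name); the hashes
# are made up.
SAMPLE_IDENTITIES='  1) 0123456789ABCDEF0123456789ABCDEF01234567 "Developer ID Application: Duane Mitchell (6A9######)"
  2) 89ABCDEF0123456789ABCDEF0123456789ABCDEF "Mac Developer: Duane Mitchell (ABCDE12345)"
     2 valid identities found'

# Extract the first "Developer ID Application: ..." name from such a listing.
# The full name, not just the person's name, is what codesign -s matches on.
developer_id_name() {
    printf '%s\n' "$1" |
        sed -n 's/^ *[0-9][0-9]*) [0-9A-F]* "\(Developer ID Application: [^"]*\)"$/\1/p' |
        head -n 1
}

# Usage: unlock.sh ~/Library/Keychains/login.keychain-db   (KEYCHAIN_PASSWORD set)
if [ "$#" -ge 1 ]; then
    : "${KEYCHAIN_PASSWORD:?set KEYCHAIN_PASSWORD in the environment, not in the script}"
    unlock_keychain "$1" "$KEYCHAIN_PASSWORD"
    name=$(developer_id_name "$(security find-identity -v -p codesigning "$1")")
    [ -n "$name" ] || { echo "no Developer ID Application identity in $1" >&2; exit 1; }
    printf 'sign with: codesign -s "%s" /path/to/App.app\n' "$name"
fi
```

Keeping the password out of the script matters because the build script lives next to the project and tends to end up in version control; a dedicated build keychain containing only the signing identity, rather than the login keychain, limits what an unlocked keychain exposes.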