RS2013, AppWrapper, & Mavericks 10.9.5

I just got an alert from Apple about changes they’re making to Gatekeeper starting with Mavericks 10.9.5 that affect code signing, and I thought other users who are still maintaining older apps might want to know.

Here’s the relevant change:

“Mavericks signatures record nested code by its code signature and embed that information in the (outer) signature’s resource envelope, recursively. This means that when a code signature is created, all nested code must already be signed correctly or the signing attempt will fail.”

I have a Universal app (Intel & PowerPC) that is built using RealStudio 2011 R2, the last RS version that supports PowerPC (I’m working on a newer version with Xojo 2014r2, but it’s not ready yet).

I have been using AppWrapper to code sign the universal app, but AppWrapper doesn’t sign nested code resources. So to keep up with the 10.9.5 changes, I use the Terminal codesign command as usual but I add the --deep option. This signs all of the nested code resources within the application bundle, including the RS runtime and plugin library code.

Example: codesign -s "MyDeveloperID" --deep MyAppPathAndName

Without the --deep option, Yosemite rejects the app, and I expect Mavericks 10.9.5 will also. With it, Yosemite’s Gatekeeper is happy.

John, I seem to remember reading somewhere that the “--deep” option was a deprecated hack and not to be used. Have you run into that opinion?

The Apple developer page says it’s recommended only when making repairs, though they don’t use the word deprecated.

I suppose I could sign every single component one at a time, but that’s really tedious when --deep is working for me in 10.9.4.

Here’s what Apple says:

Crystal clear, it is not…

This sounds like the job for a shell script?

Please see this thread https://forum.xojo.com/14485-latest-code-signing-changes
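
The shell-script approach raised in this thread, as an added example (not code from any poster or from Apple): it signs nested code from the deepest item outward and the outer bundle last, so that all nested code is already signed when the outer signature is created. The extension list, the CODESIGN override and the function names are assumptions made for illustration.

```shell
#!/bin/bash
# Added example: sign nested code inside-out, then the outer bundle.
# Assumptions (not from the thread): nested code is any .dylib, .framework,
# .bundle, .app or .xpc item under Contents/, and no path contains a newline.
# CODESIGN can be set to override the signing tool, e.g. for a dry run.

# Print nested code items, deepest path first, so that every item is
# listed before the item that contains it.
list_nested_code() {
    find "$1/Contents" \( -name '*.dylib' -o -name '*.framework' \
        -o -name '*.bundle' -o -name '*.app' -o -name '*.xpc' \) -print |
        awk -F/ '{ print NF "\t" $0 }' | sort -rn | cut -f2-
}

# sign_app IDENTITY APP: sign each nested item, then the app, then verify.
sign_app() {
    [ -d "$2/Contents" ] || { echo "not an app bundle: $2" >&2; return 1; }
    list_nested_code "$2" | while IFS= read -r item; do
        # --force replaces a signature left by an earlier signing pass
        "${CODESIGN:-codesign}" --force -s "$1" "$item" || exit 1
    done || return 1
    # The outer signature records the nested signatures, so it goes last.
    "${CODESIGN:-codesign}" --force -s "$1" "$2" || return 1
    # Check the result recursively before shipping.
    "${CODESIGN:-codesign}" --verify --deep "$2"
}

# Usage: ./sign_nested.sh "MyDeveloperID" MyAppPathAndName
if [ "$#" -eq 2 ]; then
    sign_app "$1" "$2"
fi
```

Setting CODESIGN=echo prints the commands in signing order without touching the bundle.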