Re: Codesigning for Gatekeeper on Xcode 3.2.6 build
- Subject: Re: Codesigning for Gatekeeper on Xcode 3.2.6 build
- From: Scott Johnson <email@hidden>
- Date: Fri, 16 Mar 2012 10:49:54 -0700
That seems to do the trick, thanks so much!
Part of the issue I had here was the need to go straight to the Dev center and create Mac OSX Developer IDs (as opposed to iOS provisioning profiles, which still show up on my machine). Part of it is also that there is a poorly explained (by Apple) step requiring you to download the WWDR Intermediate Certificate and the Developer ID Intermediate Certificate. One or both of those was required to get this all to work, but yes, it eventually did work.
I struggled with both of those after looking at your advice, but yes, what you describe allows me to build on Snow Leopard/Xcode 3.2.6 and then run the app successfully on Lion with Gatekeeper turned on.
Thanks again!
Scott
On Mar 15, 2012, at 5:29 PM, Rick C. wrote:
> It really should be easy...if I was able to figure it out I know you guys can... :-)
>
> I didn't follow the instructions posted in Dev Center because they are for Xcode 4. If you have ever submitted an app to the App Store via Xcode 3 it will work exactly the same way. I did everything from Snow using Xcode 3.2.6. You will need to:
>
> 1. Create your 2 Developer ID certificates in Dev Center and install those into Keychain
> 2. Install the additional Dev certificate that Apple provides
> 3. Once this is done in your Build prefs select the Developer ID certificate for Application not installer
> 4. That's it!
>
> No profiles or anything with Organizer was needed. You might need to focus on selecting the actual certificate key instead of the profile. Not sure but again I didn't use a profile...
>
> Final note...this was basically the way to do it when submitting to the App Store before Xcode 4. Again I just took that and did Dev certificates instead...
>
> Let us know!
>
>
>
> On Mar 16, 2012, at 4:10 AM, Alexander von Below wrote:
>
>> No kidding, this seems to be more difficult than I thought.
>>
>> I tried to build an executable with clang and codesign it on the command line with 10.7. --verify tells me:
>>
>> /Users/below/executable: valid on disk
>> /Users/below/executable: satisfies its Designated Requirement
>>
>> However, it is not executed when Gatekeeper is active. Building with Xcode produces a file that will be executed.
>>
>> Apparently, some special "build foo" is necessary to perform the trick. I would ask on the devforums, or file a DTS.
>>
>> Alex
>>
>> On 15.03.2012 at 18:39, Scott Johnson wrote:
>>
>>> I tried this and it did not help. In fact, I made several attempts at codesigning an app, putting it on a web server, then downloading onto a Lion machine with Gatekeeper turned on and in (almost) every case it failed to run. By failed, I mean I get the dialog with the red stop sign and exclamation point that says "(This program) has not been signed by a recognized distributor and may damage your computer. You should move it to the trash." with an option to move the app to the trash or merely cancel.
>>>
>>> To be specific, this is what I have tried, after which I moved the app to a web server, downloaded it on Lion and attempted to run:
>>>
>>> - Build my company's app on Snow Leopard/Xcode 3.2.6 after having selected "Code Signing Identity" and chosen one of our Provisioning Profiles. THIS FAILED TO RUN ON LION after downloading from a web server.
>>>
>>> - Build a dummy test app on Lion/Xcode4.3.1, after having selected "Code Signing Identity" and chosen one of our Provisioning Profiles. THIS FAILED TO RUN ON LION after downloading from a web server.
>>>
>>> - Build a dummy test app on Lion/Xcode4.3.1, after having selected "Code Signing Identity" THEN choosing Product->Archive. THIS SUCCEEDED TO RUN ON LION after downloading from a web server.
>>>
>>> In fact, if I do a build on Lion/Xcode4.3.1 with the "Code Signing Identity" selected, then do a Product->Archive on exactly that same build, and do a recursive diff of these two apps (one archived, one not, both signed during the build), they are exactly the same EXCEPT the binary in the archived version is different than the binary in the non-archived version. By binary, I refer to the inner executable in Contents/MacOS. So there is clearly more than just code signing that is necessary to get past Gatekeeper.
>>>
>>> Also, if I run the command "codesign -force -sign '{code signing identity}' --entitlements {xcent} {app}" which is essentially what the non-archive build (on Xcode 4.3.1) does in its code signing portion, the app still will not run after downloading. Nor does a simple "codesign -f s..." on Xcode 3.2.6 fix the problem, again using the same profile. Only the Product->Archive step in Xcode 4.3.1 fixes the problem.
>>>
>>> So to restate the problem again: I need to find a way to allow my Snow Leopard/Xcode 3.2.6 build to be signed, but not just codesign (which is easy) but signed in a way that will allow it to run on Lion with Gatekeeper turned on so that the error dialog above does not appear, and the app can actually run.
>>>
>>> Thanks,
>>>
>>> Scott
>>>
>>> On Mar 14, 2012, at 5:30 PM, Rick C. wrote:
>>>
>>>> I do this too it's no problem. As long as your certificates are installed properly just specify your key in Build prefs - Code Signing Identity. You can do everything in 3.2.6 you don't need Xcode 4...
>>>>
>>>>
>>>>
>>>> On Mar 15, 2012, at 4:27 AM, Scott Johnson wrote:
>>>>
>>>>> Hello--
>>>>>
>>>>> We are currently building a desktop Mac app on Snow Leopard with Xcode 3.2.6 (and would like to remain there for the time being) and would like to be able to set up codesigning so that our app, which is NOT distributed via the Mac app store, can pass through Gatekeeper. So the questions are:
>>>>>
>>>>> - How can I codesign for Gatekeeper on the command-line on a Snow Leopard machine with Xcode 3.2.6?
>>>>> - Failing that, how can I codesign an app BUILT on Xcode 3.2.6, using a Lion machine with Xcode 4.3.1 just for codesigning? That is, do the build on one machine then just sign it on the other machine.
>>>>>
>>>>> I have attempted to simply use the command-line "codesign" command on the Snow Leopard/Xcode 3.2.6 machine, using a certificate that we created for iOS app distribution. The app validates as "satisfies its Designated Requirement" on both the Snow Leopard machine and the Lion machine with Gatekeeper turned on, but Lion will still not allow me to run this same app after downloading it from a web server.
>>>>>
>>>>> So I should also be clear that simply "codesigning" is not sufficient. I need codesigning that will pass Gatekeeper.
>>>>>
>>>>> The only solution I have found is to move our entire build process to Lion/4.3.1 but that would be a huge hassle and it would be great if there were a way we could work around that temporarily.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Scott Johnson
>>>>> Software and Support Engineer
>>>>> KCP Technologies, Inc.
>>>>> _______________________________________________
>>>>> Do not post admin requests to the list. They will be ignored.
>>>>> Xcode-users mailing list (email@hidden)
>>>>> Help/Unsubscribe/Update your Subscription:
>>>>>
>>>>> This email sent to email@hidden
>>>>
>>>
>>>
>>
>
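Added example, not part of the thread: the thread's outcome is that a signature can verify ("satisfies its Designated Requirement") and still be refused by Gatekeeper because of which identity signed it. The sketch below classifies the leaf `Authority=` line from `codesign -dvv` output; the sample outputs, `Example Corp`, `Example.app` and the category names are constructed for illustration.

```bash
#!/usr/bin/env bash
# Read `codesign -dvv <app>` output on stdin and classify the signing identity.
# The first Authority= line is the leaf certificate, i.e. the identity chosen
# under "Code Signing Identity" in the build settings.
classify_signing_chain() {
  local line leaf=""
  while IFS= read -r line; do
    case "$line" in
      Authority=*)
        if [ -z "$leaf" ]; then leaf="${line#Authority=}"; fi ;;
    esac
  done
  case "$leaf" in
    "")                            echo "no-authority" ;;          # unsigned or ad hoc
    "Developer ID Application:"*)  echo "developer-id-application" ;;
    "Developer ID Installer:"*)    echo "developer-id-installer" ;; # for packages, not the app
    "iPhone Distribution:"*|"iPhone Developer:"*) echo "ios-identity" ;;
    *)                             echo "other-identity" ;;
  esac
}

# Constructed sample: app signed with a Developer ID Application identity.
sample_developer_id() {
  cat <<'EOF'
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Authority=Developer ID Application: Example Corp
Authority=Developer ID Certification Authority
Authority=Apple Root CA
EOF
}

# Constructed sample: same app signed with an iOS distribution identity.
# The signature still verifies, but this is not a Developer ID chain.
sample_ios_identity() {
  cat <<'EOF'
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Authority=iPhone Distribution: Example Corp
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
EOF
}

echo "developer-id sample: $(sample_developer_id | classify_signing_chain)"
echo "ios sample:          $(sample_ios_identity | classify_signing_chain)"
```

On a Mac the function takes live input with `codesign -dvv Example.app 2>&1 | classify_signing_chain` (the details are written to stderr), and `spctl --assess --type execute -v Example.app` asks the Gatekeeper policy itself.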