Help getting my App ready for GateKeeper. Code signing and Package deployment

So GateKeeper is coming out for OS X 10.8 and I need to do some things so users can download and install my app without GateKeeper causing trouble.


I went here: https://developer.apple.com/certificates/index.action#maccertrequest and got a developer ID application and installer certificate.


I am using XCode 3.2.6 and Packagemaker 3.0.4. I am sticking with these versions so that I can support PPC builds.


In package maker, how do I 'sign' the install package so that GateKeeper will not complain about it? The documentation doesn't really tell me anything about this.


In XCode under the code signing section I pick the Code Signing Identity and have a drop-down box appear. I pick the common name from the cert that I just got from Apple. I do a build and it fails with "Command /usr/bin/codesign failed with exit code 1".


Not very descriptive. I did notice under the key store it says the certificate was signed by an unknown authority. Well it was signed by Apple, so why is it saying this and what can I do about it if anything? Anyway, I am kind of stuck at the moment and any help would greatly be appreciated.

Posted on May 2, 2012 7:04 AM


May 2, 2012 9:54 AM in response to TheSilverHammer

TheSilverHammer wrote:


I am using XCode 3.2.6 and Packagemaker 3.0.4. I am sticking with these versions so that I can support PPC builds.

Don't be so sure of that. If you are still building PowerPC applications, you don't have to worry about Gatekeeper at all. If you are planning on using Xcode 3.2.6, you will have other issues to worry about. I don't know what they are though.


In package maker, how do I 'sign' the install package so that GateKeeper will not complain about it? The documentation doesn't really tell me anything about this.

There is a flag on the command line version. In the GUI, use Project > Edit Certificate.


In XCode under the code signing section I pick the Code Signing Identity and have a drop-down box appear. I pick the common name from the cert that I just got from Apple. I do a build and it fails with "Command /usr/bin/codesign failed with exit code 1".

As with all such issues, no one will care until you try it on Xcode4 first. You are going to have to do a release on currently supported tools. When that builds successfully, then you can try Xcode3.


Not very descriptive. I did notice under the key store it says the certificate was signed by an unknown authority. Well it was signed by Apple, so why is it saying this and what can I do about it if anything? Anyway, I am kind of stuck at the moment and any help would greatly be appreciated.

Apple may be acting under its own authority. I haven't gotten that far myself.

May 2, 2012 11:07 AM in response to TheSilverHammer

I need to revisit the code signing thing. I thought I had it figured out, however, when I issue a command:

codesign -v -v TestProg

TestProg: valid on disk

TestProg: does not satisfy its designated Requirement


So it is signed, but now it is somehow not valid? What is this designated requirement that it is not satisfying?


Is there any web page I can go to that will explain everything I need to do, step by step, to get ready for GateKeeper? I can't find any Apple GateKeeper for developers start page.

May 2, 2012 11:20 AM in response to TheSilverHammer

TheSilverHammer wrote:


Is there any web page I can go to that will explain everything I need to do, step by step, to get ready for GateKeeper? I can't find any Apple GateKeeper for developers start page.

Try the Mountain Lion forum.


I think you may be stuck until building and installing with Xcode4. You should be able to use the Xcode4 PackageMaker (available as an other > other install) to install your Universal code. I strongly suggest getting it all working in Xcode4 and then building a separate installer for Xcode3. If you want to do the extra work to support PowerPC code, that's fine, but as the years progress, it will become more and more work.

May 2, 2012 12:13 PM in response to etresoft

This isn't my choice. I am not a lone programmer who is just being bull-headed. Management makes that decision, not me. I'll discuss it with them. However I have noticed even more additional problems.


I can not copy a signed file. Right now if I go to the directory that XCode dumps the file in, and run the code sign tool it tells me it is valid on disk but doesn't meet its requirements.


This is the first problem. Can you explain this to me?


The second problem, which is even worse, is that if I copy the file, the cert error changes:

it tells me "code or signature modified".


I run an MD5 hash between the two and they are identical. I must be able to copy this file around. How can I do that?


This is how my app is set up. I have two projects, one is a daemon and the other is the client for the daemon, to provide the GUI. I build both and then copy the executables to another folder. There is my actual deployment package which gets both executables and that is what PackageMaker uses. I also have another copy which goes on a Linux server (which is just the executables) so the users can download updates to the current version if they so desire. How am I supposed to do that with all this cert business?

May 2, 2012 12:26 PM in response to TheSilverHammer

TheSilverHammer wrote:


This isn't my choice. I am not a lone programmer who is just being bull-headed. Management makes that decision, not me. I'll discuss it with them.



I understand that. But you also have a responsibility to have a deliverable. If you do everything in Xcode4, it should all work and you should have a deliverable package for everything that Xcode4 supports. Then you can tell management that you have 10.6 Intel (or whatever) ready to go but you are still working on the PowerPC part. That will also help them to see the actual cost in supporting old versions.


If you are working with current, supported tools then when you ask someone what is going wrong, they will be able to help. If you are trying something funky, people are just going to throw up their hands.


That is about all I can do right now. I haven't tried code signing myself yet. I will create a certificate and try it out later today. Then I can tell you what you should expect to see in Xcode4.

May 2, 2012 12:42 PM in response to etresoft

Thanks. It's something every developer will have to deal with if you want your app to function on 10.8. You can't even install your app unless it is properly signed. I have no idea how to even update it once it is signed. There is a post that you only really need to sign the installer to get past GateKeeper, which would be great.


Anyway, I'll await your results from Xcode 4. I will be interested in these two things once you have signed the files:


1. If you do "codesign -v -v yourexecutable" do you get the result "satisfies its Designated Requirement"? I get that it does NOT for my program.


2. Can you copy your executable and retain the properly code signed status. Using CP or the GUI, both cases for me result in "code or signature modified" error.


Maybe it is just XCode 3.4, but I seriously doubt it.

May 2, 2012 4:44 PM in response to TheSilverHammer

According to the Developer ID Tutorial, developers are expected to do the entire process in Xcode4. If you are shipping a PackageMaker installer, Apple suggests using the productsign tool and your Developer ID. There is no indication if the GUI certificate method works or not. This might work out nicely for you. Create your DeveloperID in Xcode4. Then build your application and installer package with Xcode3. You should be able to sign it using the command line with your Developer ID.

May 3, 2012 5:43 AM in response to etresoft

I figured I'd have to code sign inside the package itself I was going to use for PackageMaker. However, this still leaves the problems of updating. I have a signed binary file that needs to go on a server and be downloaded to a user's machine while retaining its signed status.


Anyway, did you sign a file yet and did you get the result: "satisfies its Designated Requirement"? Because I did not. Mine says it does not satisfy its designated requirements.


Furthermore, I did sign an installer package using the cert I got from Apple, and when I brought it to a 10.8 machine, Gatekeeper did let it install, but it said the cert was not trusted. So the cert Apple gave me isn't recognized by any machine but my own? Not very useful. Now how do I get a cert that works for any machine? I tried looking around the cert area on Apple's site, but I couldn't see anything like that nor did I find any hint that these certs were test certs and wouldn't actually work for distribution.



PS. I just tried to go to that link you provided, and it didn't work for me. When I get to the developer downloads I do not have a documents category. I can download all sorts of OS's and tools, but I do not see any documents of any kind.

May 3, 2012 7:30 AM in response to TheSilverHammer

TheSilverHammer wrote:


PS. I just tried to go to that link you provided, and it didn't work for me. When I get to the developer downloads I do not have a documents category. I can download all sorts of OS's and tools, but I do not see any documents of any kind.

Perhaps that is the problem. You need a paid Mac developer account.


I just went through the process and signed one of my really old installers. I even had to blow away all of my old Developer account stuff in Keychain and Xcode because I've moved to Canada and needed a whole new set of accounts. So, I did it just now from a totally clean slate. I fired up Xcode, viewed my Provisioning Profiles, refreshed, got my Developer ID, and exported it. Then, I signed my old installer with my name and now I have a signed version. When I install it, it even has a little padlock in the upper right corner. No self-signed certificates.


You can continue to use Xcode3 to build your software. But you will need Xcode4 and a paid Developer account to stay current.

May 3, 2012 7:48 AM in response to etresoft

We pay the $99 annual fee if that is what you mean by a paid developer account. I can download all the OS's to test with including the new 10.8 preview. Is there some other level of "paid" I need to be aware of?


Now just to be sure you really tested your installer properly let me go over the steps you went through.


1. You went to Apple's site and got your installer or developer certs by generating a cert request and uploading it to Apple (per their instructions). Then you downloaded and installed these certs.


2. You went to package maker and selected these certs and rebuilt your installer.


3. Now here is the important part. You took your installer to a NEW MACHINE, not your development one (because this most certainly WILL accept the certs you installed) and this machine was 10.8 with GateKeeper and when you ran your installer package, GateKeeper didn't complain at all? It didn't say your cert was untrusted? I did this with the Apple certs I got and GateKeeper said the cert was untrusted (although it did let me run the installer).


You see I decided to use our VeriSign code signing cert which we use on other platforms. I installed the cert and it was trusted by default. No additional intermediate certs were needed, which is to be expected. Then I went to PackageMaker and selected that cert. It signed it and everything seemed fine. I ran it on my machine and it all worked. I take it to a new 10.8 machine and run it and get the same untrusted cert error.


Now if this works for you then maybe I need to be at some other "Premium" level of developer that I need to pay Apple for? Does Apple (I have not found this) have a special programming support program where we can hire some Apple consultant Guru who can work with us directly to help us untangle this mess?


I do not think it should be that hard, after all every single Apple developer out here is going to have to deal with this mess as soon as 10.8 hits the road. There has to be some major source of wisdom out there that I am missing that explains all this.

May 3, 2012 8:39 AM in response to TheSilverHammer

I have written to Apple support (general developer support) about why I can't view that document you linked. I have a paid membership as a Mac developer (not iOS or Safari) until March of 2013. Maybe one of those is the issue.


However I *DID* find out the problem. You do not use PackageMaker to sign the apps (you can, but it doesn't hurt).


You take the finished package and use productsign instead. This is the general form I got from another post:

productsign --sign "Developer ID Application: XYZ" "/path/to/input" "/path/to/output"


I did this and then moved my install package to another 10.8 machine and it worked like a charm. No cert errors.
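
The sign-then-check sequence described in this post, as an added example that is not part of the original thread: it wraps `productsign` and then checks the result with `pkgutil --check-signature` and `spctl --assess --type install`. The function names, paths and identity string are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example: sign a finished installer package, then confirm that the
# signature verifies and that Gatekeeper policy accepts it.
# productsign, pkgutil and spctl are the stock OS X command-line tools;
# function names and arguments here are illustrative.

# sign_pkg IDENTITY INPUT.pkg OUTPUT.pkg
# IDENTITY is the certificate common name as shown in Keychain Access (for a
# .pkg this is normally the Developer ID Installer identity).
# Refuses to overwrite the input so the unsigned build stays available.
sign_pkg() {
    identity=$1 in_pkg=$2 out_pkg=$3
    [ -f "$in_pkg" ] || { echo "missing input: $in_pkg" >&2; return 2; }
    [ "$in_pkg" != "$out_pkg" ] || { echo "output must differ from input" >&2; return 2; }
    productsign --sign "$identity" "$in_pkg" "$out_pkg" || return 1
}

# verify_pkg SIGNED.pkg
# Returns 0 only if the package signature checks out AND the system policy
# accepts it for installation. To reproduce what end users see, run this on a
# machine that never had the developer certificates installed.
verify_pkg() {
    pkg=$1
    pkgutil --check-signature "$pkg" || { echo "signature check failed: $pkg" >&2; return 1; }
    spctl --assess --type install "$pkg" || { echo "Gatekeeper rejected: $pkg" >&2; return 1; }
}

# release_pkg IDENTITY INPUT.pkg OUTPUT.pkg
# Sign, verify, and delete an output that fails verification so it cannot be
# shipped by mistake.
release_pkg() {
    sign_pkg "$1" "$2" "$3" || return $?
    if ! verify_pkg "$3"; then
        rm -f "$3"
        return 1
    fi
    echo "signed and accepted: $3"
}

# Run only when invoked with exactly three arguments.
if [ "$#" -eq 3 ]; then
    release_pkg "$@"
fi
```
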

May 3, 2012 9:55 AM in response to TheSilverHammer

TheSilverHammer wrote:


We pay the $99 annual fee if that is what you mean by a paid developer account. I can download all the OS's to test with including the new 10.8 preview. Is there some other level of "paid" I need to be aware of?


Nope. That's the one.


1. You went to Apple's site and got your installer or developer certs by generating a cert request and uploading it to Apple (per their instructions). Then you downloaded and installed these certs.


No. I did it entirely through Xcode4. Not being able to see that tutorial document is probably what is causing you trouble. This is one of those things that makes perfect sense to Apple because they deal with it 1000 times a day. We deal with it once or twice a year and even if we do manage to understand it, we forget about it by the time we have to do it again.


2. You went to package maker and selected these certs and rebuilt your installer.


No. I just applied an existing certification to an existing package, creating a new installer.


3. Now here is the important part. You took your installer to a NEW MACHINE, not your development one (because this most certainly WILL accept the certs you installed) and this machine was 10.8 with GateKeeper and when you ran your installer package, GateKeeper didn't complain at all? It didn't say your cert was untrusted? I did this with the Apple certs I got and GateKeeper said the cert was untrusted (although it did let me run the installer).


I will have to check this part. In theory, you don't need Mountain Lion. You can do it with Lion. Again, the tutorial has instructions for that.


You see I decided to use our VeriSign code signing cert which we use on other platforms. I installed the cert and it was trusted by default. No additional intermediate certs were needed, which is to be expected. Then I went to PackageMaker and selected that cert. It signed it and everything seemed fine. I ran it on my machine and it all worked. I take it to a new 10.8 machine and run it and get the same untrusted cert error.


I'm pretty sure it has to be an Apple certification.


Now if this works for you then maybe I need to be at some other "Premium" level of developer that I need to pay Apple for? Does Apple (I have not found this) have a special programming support program where we can hire some Apple consultant Guru who can work with us directly to help us untangle this mess?


There is no other level of support available from Apple that I know of. There are the paid developer forums that you should have access to. You would certainly find more people there that are familiar with the process. Apple also provides a couple of free support tickets with a paid membership. I don't know if I would want to burn one of those on an issue like this.


I see you seem to have resolved the problem. I still wanted to provide some answers in case someone else came along.
