Previous 1 2 Next 24 Replies Latest reply: May 7, 2012 6:37 AM by TheSilverHammer
TheSilverHammer Level 1 Level 1 (0 points)

So gate keeper is comming out for OSX 10.8 and I need to do some things so users can download and install my app without GateKeeper causing trouble.

 

I went here: https://developer.apple.com/certificates/index.action#maccertrequest and got a developer ID application and installer certificate.

 

I am using XCode 3.2.6 and Packagemaker 3.0.4.  I am sticking with these versions so that I can support PPC builds.

 

In package maker, how do I 'sign' the install package so that GateKeeper will not complain about it?  The documentation doesn't really tell me anything about this.

 

In XCode under the code signing section I pick the Code Signing Identity and have a drop-down box appears.  I pick the common name from the cert that I just got from Apple.  I do a build and it fails with "Command /usr/bin/codesign failed with exit code 1".

 

Not very descriptive.  I did notice under the key store it says the certificate was signed by an unknow authority.  Well it was signed by Apple, so why is it saying this and what can I do about it if anything.  Anyway, I am kind of stuck at the moment and any help would greatly be appricated.

  • TheSilverHammer Level 1 Level 1 (0 points)

    I figured out the code signing issue with XCode, I was missing an intermedate certificte.  I suppose this will "satisfy" that requirement.  Correct?

     

    Now I just need to figure out how to sign the package made by package maker, if anyone can help me on that.

  • etresoft Level 7 Level 7 (25,890 points)

    TheSilverHammer wrote:

     

    I am using XCode 3.2.6 and Packagemaker 3.0.4.  I am sticking with these versions so that I can support PPC builds.

    Don't be so sure of that. If you are still building PowerPC applications, you don't have to worry about Gatekeeper at all. If you are planning on using Xcode 3.2.6, you will have other issues to worry about. I don't know what they are though.

     

    In package maker, how do I 'sign' the install package so that GateKeeper will not complain about it?  The documentation doesn't really tell me anything about this.

    There is a flag on the command line version. In the GUI, use Project > Edit Certificate.

     

    In XCode under the code signing section I pick the Code Signing Identity and have a drop-down box appears.  I pick the common name from the cert that I just got from Apple.  I do a build and it fails with "Command /usr/bin/codesign failed with exit code 1".

    As with all such issues, no one will care until you try it on Xcode4 first. You are going to have to do a release on currently supported tools. When that builds succesfully, then you can try Xcode3.

     

    Not very descriptive.  I did notice under the key store it says the certificate was signed by an unknow authority.  Well it was signed by Apple, so why is it saying this and what can I do about it if anything.  Anyway, I am kind of stuck at the moment and any help would greatly be appricated.

    Apple may be acting under its own authority. I haven't gotten that far myself.

  • TheSilverHammer Level 1 Level 1 (0 points)

    I see that project option, Edit Certifcate, but it is greyed out.  Do you know why and how I can let me add the cert? I also see on the main interface under configuration, it says Certifcate -> not supported.

  • TheSilverHammer Level 1 Level 1 (0 points)

    I need to revist the code signing thing. I thought I had it figured out, however, when I issue a command:

    codesign -v -v TestProg

    TestProg: valid on disk

    TestProg: does not satisfy its designated Requirement

     

    So it is signed, but now it is somehow not valid?  What is this designated requirement that it is not satisfying?

     

    Is there any web page I can go to that will explain everything I need to do, step by step to get read for GateKeeper?  I can't find any Apple GateKeeper for developers start page.

  • TheSilverHammer Level 1 Level 1 (0 points)

    I figured out the answer to this question:

     

    see that project option, Edit Certifcate, but it is greyed out.  Do you know why and how I can let me add the cert? I also see on the main interface under configuration, it says Certifcate -> not supported.

     

    I had to change the package target version to 10.5 to get it to use certs.

  • etresoft Level 7 Level 7 (25,890 points)

    TheSilverHammer wrote:

     

    Is there any web page I can go to that will explain everything I need to do, step by step to get read for GateKeeper?  I can't find any Apple GateKeeper for developers start page.

    Try the Mountain Lion forum.

     

    I think you may be stuck until building and installing with Xcode4. You should be able to use the Xcode4 PackageMaker (available as an other > other install) to install your Universal code. I strongly suggest getting it all working in Xcode4 and then building a separate installer for Xcode3. If you want to do the extra work to support PowerPC code, that't fine, but as the years progress, it will be come more and more work.

  • TheSilverHammer Level 1 Level 1 (0 points)

    This isn't my choice.  I am not a lone programmer who is just being bull-headed.  Management makes that decision, not me.  Ill discuss it with them.  However I have noticed even more additional problems.

     

    I can not copy a signed file.   Right now if I go to the directory that XCode dumps the file in, and run the code sign tool it tells me it is valid on disk but doesn't meet its requirements.

     

    This is the first problem.  Can you explain this to me?

     

    The secodn problem which is even worse is that if I copy the file, the cert error changes:

    it tells me "code or signature modified".

     

    I run an MD5 hash between the two and they are identical.  I must be able to copy this file around.  How can I do that?

     

    This is how my app is setup.  I have two projects, one is a daemon and the other is the client for the daemon, to provide the GUI.  I build both and then copy the executables to another folder.  There is my actual deployment package which gets both executables and that is what package makers uses.  I also have another copy which goes on a Linux server (which is just the executables) so the users can download updates to the current version if they so desire.  How am I supposed to do that with all this cert business?

  • etresoft Level 7 Level 7 (25,890 points)

    TheSilverHammer wrote:

     

    This isn't my choice.  I am not a lone programmer who is just being bull-headed.  Management makes that decision, not me.  Ill discuss it with them.

     

     

    I understand that. But you also have a responsibility to have a deliverable. If you do everything in Xcode4, it should all work and you should have a deliverable package for everything that Xcode4 supports. Then you can tell management that you have 10.6 Intel (or whatever) ready to go but you are still working on the PowerPC part. That will also help them to see the actual cost in supporting old versions.

     

    If you are working with current, supported tools then when you ask someone what is going wrong, they will be able to help. If you are trying something funky, people are just going to throw up their hands.

     

    That is about all I can do right now. I haven't tried code signing myself yet. I will create a certificate and try it out later today. Then I can tell you what you should expect to see in Xcode4.

  • TheSilverHammer Level 1 Level 1 (0 points)

    Thanks.  Its something every developer will have to deal with if you want your app to function on 10.8.  You can't even install your app unless it properly signed.  I have no idea how to even update it once it is signed.  There is a post that you only really need to sign the installer to get past GateKeeper, which would be great.

     

    Anway, Ill await your results from xcode 4.  I will be interested in these two things once you have signed the files:

     

    1.  If you do "codesign -v -v yourexecutable" do you get the result "satisfies its Designated Requirement".  I get the it does NOT for my program.

     

    2.  Can you copy your executable and retain the properly code signed status.  Using CP or the GUI, both cases for me result in "code or signature modified" error.

     

    Maybe it is just XCode 3.4, but I seriously doubt it.

  • etresoft Level 7 Level 7 (25,890 points)

    According to the Developer ID Tutorial, developers are expected to do the entire process in Xcode4. If you are shipping a PackageMaker installer, Apple suggests using the productsign tool and your Developer ID. There is no indication if the GUI certificate method works or not. This might work out nicely for you. Create your DeveloperID in Xcode4. Then build your application and installer package with Xcode3. You should be able to sign it using the command line with your Developer ID.

  • TheSilverHammer Level 1 Level 1 (0 points)

    I figured id have to code sign inside the package itself I was going to use for Packagemaker.  However, this still leaves the problems of updating.  I have a signed binary file that needs to go on a server and downloaded to a users machine that retains it's signed status.

     

    Anyway, did you sign a file yet and did you get the result:  "satisfies its Designated Requirement"  because I did not.  Mine says it does not satisfy its designated requirments. 

     

    Furthermore, I did sign an installer package using the cert I got from Apple, and when I brought it to a 10.8 machine, Gatekeeper did let it install, but it said the cert was not trusted.  So the cert Apple gave me isn't recongized by any machien but my own?  Not very useful.  Now how do I get a cert that works for any machine?  I tried looking around the cert area on Apple's site, but I couldn't see anything like that nor did I find any hint that these certs were test certs and wouldn't actually work for distribution.

     

     

    PS.  I just tried to go to that link you provided, and it didn't work for me.  When I get to the developer downloads I do not have a documents category.  I can download all sorts of OS's and tools, but I do not see any documents of any kind.

  • etresoft Level 7 Level 7 (25,890 points)

    TheSilverHammer wrote:

     

    PS.  I just tried to go to that link you provided, and it didn't work for me.  When I get to the developer downloads I do not have a documents category.  I can download all sorts of OS's and tools, but I do not see any documents of any kind.

    Perhaps that is the problem. You need a paid Mac developer account.

     

    I just when through the process and signed one of my really old installers. I even had to blow away all of my old Developer account stuff in Keychain and Xcode because I've moved to Canada and needed a whole new set of accounts. So, I did it just now from a totally clean slate. I fired up Xcode, viewed my Provisioning Profiles, refreshed, got my Developer ID, and exported it. Then, I signed my old installer with my name and now I have a signed version. When I install it, it even has a little padlock in the upper right corner. No self-signed certificates.

     

    You can continue to use Xcode3 to build your software. But you will need Xcode4 and a paid Developer account to stay current.

  • TheSilverHammer Level 1 Level 1 (0 points)

    We pay the $99 anual fee if that is what you mean by a paid developer account.  I can download all the OS's to test with including the new 10.8 preview.  Is there some other level of "paid" I need to be aware of?

     

    Now just to be sure you really tested your installer properly let me go over the steps you went though.

     

    1.  You went to the apple's site and got your installer or developer certs by generating a cert request and uploading it to Apple (per their instructions).  Then you downloaded and installed these certs.

     

    2.  You went to package maker and selected these certs and rebuilt your installer.

     

    3.  Now here is the important part.  You took your installer to  a NEW MACHINE, not your development one (because this most certainly WILL accept the certs you installed) and this machine was 10.8 with GateKeeper and when you ran your installer package, GateKeeper didn't complain at all?  It didn't say your cert was untrusted?  I did this with the Apple certs I got and GateKeeper said the cert was untrusted (although it did let me run the installer).

     

    You see I decided to use our VeriSign code signing cert which we use on other platforms.  I installed the cert and it was trusted by default.  No addition intermediate certs were needed, which is to be expected.  Then I went to package maker and selected that cert.  It signed it and everything seemed fine.  I ran it on my machine and it all worked.  I take it to a new 10.8 machine and run it and get the same untrusted cert error.

     

    Now if this works for you then maybe I need to be at some other "Premium" level of developer that I need to pay Apple for?  Does Apple (I have not found this) have a special programming support program were we can hire some Apple consultant Guru who can work with us directly to help us untangle this mess?

     

    I do not think it should be that hard, after all every single Apple developer out here is going to have to deal with this mess as soon as 10.8 hits the road.  There has to be some major source of wisdom out there that I am missing that explains all this. 

  • TheSilverHammer Level 1 Level 1 (0 points)

    I have written to Apple support (general developer support) about why I can't view that document you linked.  I have a paid memership as a Mac developer (not IOS or Safari) until Mach of 2013.  Maybe one of those is the issue.

     

    However I *DID* find out the problem.  You do not use Packagemake to sign the apps (you can, but it doesn't hurt).

     

    You take the finished package and use productsign instead.  This is the general from I got from another post:

    productsign --sign "Developer ID Application: XYZ" "/path/to/input" "/path/to/output"

     

    I did this and then moved my install package to another 10.8 machine and it worked like a charm.  No cert errors.

Previous 1 2 Next