Help getting my App ready for GateKeeper. Code signing and Package deployment

So GateKeeper is coming out for OSX 10.8 and I need to do some things so users can download and install my app without GateKeeper causing trouble.


I went here: https://developer.apple.com/certificates/index.action#maccertrequest and got a developer ID application and installer certificate.


I am using Xcode 3.2.6 and PackageMaker 3.0.4. I am sticking with these versions so that I can support PPC builds.


In PackageMaker, how do I 'sign' the install package so that GateKeeper will not complain about it? The documentation doesn't really tell me anything about this.


In Xcode under the code signing section I pick the Code Signing Identity and a drop-down box appears. I pick the common name from the cert that I just got from Apple. I do a build and it fails with "Command /usr/bin/codesign failed with exit code 1".


Not very descriptive. I did notice under the key store it says the certificate was signed by an unknown authority. Well, it was signed by Apple, so why is it saying this and what can I do about it, if anything? Anyway, I am kind of stuck at the moment and any help would be greatly appreciated.

Posted on May 2, 2012 7:04 AM

24 replies

May 3, 2012 9:59 AM in response to etresoft

I have sent a message to Apple about my inability to see that document. They have fixed it, apparently it was a problem with my account.


I would be interested in seeing if your method without using productsign works on a 10.8 GateKeeper machine that isn't one you developed on. Maybe other issues caused strangeness with my account and those certs, although using productsign worked.


However, I still had issues with the individual code sign that gave me a requirements problem with the Apple cert, but not the VeriSign cert.

May 7, 2012 5:43 AM in response to Tomeranaray

I can sign my code with Xcode 3.2 (whatever the full version is). However the file, while signed, still reports that it "doesn't meet its requirements". If I sign with a VeriSign code cert instead of the Apple one, it does meet its requirements.


The real problem was getting my install package signed, and I discovered productsign which does the trick. Just telling PackageMaker to use a cert doesn't work. It is still untrusted by GateKeeper.


There is still the problem of product updates since you can't copy a signed file and keep it signed. It does seem that an actual program will only need to be signed to use some new APIs, not for anything I do now. I am ok with unsigned or untrusted binaries at this point because it will not be a problem in the immediate future and perhaps may never be a problem.


If it does become a problem some time will have gone by and perhaps people might know how we solve the update problem with signed files. I do not understand why Apple refuses to let you copy a signed file and have its signature remain valid. If a file isn't altered, then it should still be trustworthy. Instead they pack some of the signed information in some kind of "extra data" which is part of the file-system, not the file itself. Whenever you copy a file, this extra data is lost.
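
The productsign step mentioned in the post above, written out with the checks a release script would run afterwards. This is an added example, not part of the thread: the function names, exit codes and the identity string are assumptions, and it needs a macOS host that has `productsign`, `pkgutil` and `spctl`.

```shell
#!/bin/sh
# Added example: sign a flat installer package with productsign, then
# check the signature and ask Gatekeeper's policy engine for a verdict.

# Return 0 only if every tool this workflow needs is on PATH.
have_signing_tools() {
    for tool in productsign pkgutil spctl; do
        command -v "$tool" >/dev/null 2>&1 || return 1
    done
}

# sign_and_verify_pkg IDENTITY UNSIGNED_PKG SIGNED_PKG
# IDENTITY is the common name of a Developer ID Installer certificate
# in the keychain (hypothetical value in the usage line below).
# Exit status: 0 signed and accepted, 1 bad input, 2 tools missing,
# 3 signing failed, 4 signature check failed, 5 Gatekeeper rejected.
sign_and_verify_pkg() {
    identity=$1 unsigned=$2 signed=$3
    [ -n "$identity" ] && [ -f "$unsigned" ] || {
        echo "need an identity and an existing input package" >&2
        return 1
    }
    # productsign writes a new file; never sign over the input.
    [ "$unsigned" != "$signed" ] || {
        echo "output must differ from input" >&2
        return 1
    }
    have_signing_tools || {
        echo "productsign, pkgutil or spctl not found" >&2
        return 2
    }
    productsign --sign "$identity" "$unsigned" "$signed" || return 3
    # Prints the certificate chain; fails when the package has no signature.
    pkgutil --check-signature "$signed" || return 4
    # Same assessment Gatekeeper applies to a downloaded installer.
    spctl --assess --type install --verbose "$signed" || return 5
}

# Usage (placeholder identity):
#   ./sign_pkg.sh "Developer ID Installer: Example Corp" MyApp.pkg MyApp-signed.pkg
if [ "$#" -eq 3 ]; then
    sign_and_verify_pkg "$@"
fi
```

Running the `spctl` step on a machine other than the build host is the check that matters, since the build host already trusts the developer's own keychain.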

May 7, 2012 5:41 AM in response to Tomeranaray

I see you might be asking for help on how to sign the file. Install your certs and look at the code signing section of the project properties. Under that you should see something that lets you choose a cert, you click on that and you get a list of certs you can use. Then it will sign the file the next time you build it. Signing is the LAST step, so if you have some scripts that do things like copy the file, this will happen before the file is signed.


You may still be stuck unless your package and executable are in their final place before being signed since you can't copy the file. You can expand the codesigning step in your build results to see the actual codesign command and its parameters. You can copy that and then move your file to where you wish and re-issue the command to sign your file again.

May 7, 2012 6:23 AM in response to TheSilverHammer

TheSilverHammer wrote:


If you sign your file and then COPY it, then it is no longer trusted. Yes, that is exactly what I mean.

Sorry, but that is not true. You were doing some funky stuff and I'm still not sure what was going on. If you copy a signed application, that copy is still signed and valid. Otherwise, how could you possibly download a signed file anyway?

May 7, 2012 6:37 AM in response to etresoft

Just try it for yourself. Sign a binary file, some simple test executable. Verify it is signed using the codesign tool. Then copy it. I used both "cp" from the bash shell and the simple copy / paste using the Finder. Now re-examine the file with codesign and you will see what I mean. Oh, the file has a signature, but it isn't trusted anymore.


As for how could you download a signed file? That is a great question, I do not have an answer for that. If you do find such an answer, please post it here. Right now the only answer I know of is, "You can't".
