24 Replies Latest reply: May 7, 2012 6:37 AM by TheSilverHammer
  • etresoft Level 7 (27,838 points)

    TheSilverHammer wrote:


    We pay the $99 annual fee if that is what you mean by a paid developer account.  I can download all the OS's to test with including the new 10.8 preview.  Is there some other level of "paid" I need to be aware of?


    Nope. That's the one.


    1.  You went to Apple's site and got your installer or developer certs by generating a cert request and uploading it to Apple (per their instructions).  Then you downloaded and installed these certs.


    No. I did it entirely through Xcode4. Not being able to see that tutorial document is probably what is causing you trouble. This is one of those things that makes perfect sense to Apple because they deal with it 1000 times a day. We deal with it once or twice a year and even if we do manage to understand it, we forget about it by the time we have to do it again.


    2.  You went to package maker and selected these certs and rebuilt your installer.


    No. I just applied an existing certification to an existing package, creating a new installer.


    3.  Now here is the important part.  You took your installer to  a NEW MACHINE, not your development one (because this most certainly WILL accept the certs you installed) and this machine was 10.8 with GateKeeper and when you ran your installer package, GateKeeper didn't complain at all?  It didn't say your cert was untrusted?  I did this with the Apple certs I got and GateKeeper said the cert was untrusted (although it did let me run the installer).


    I will have to check this part. In theory, you don't need Mountain Lion. You can do it with Lion. Again, the tutorial has instructions for that.


    You see I decided to use our VeriSign code signing cert which we use on other platforms.  I installed the cert and it was trusted by default.  No additional intermediate certs were needed, which is to be expected.  Then I went to package maker and selected that cert.  It signed it and everything seemed fine.  I ran it on my machine and it all worked.  I take it to a new 10.8 machine and run it and get the same untrusted cert error.


    I'm pretty sure it has to be an Apple certification.


    Now if this works for you then maybe I need to be at some other "Premium" level of developer that I need to pay Apple for?  Does Apple (I have not found this) have a special programming support program where we can hire some Apple consultant Guru who can work with us directly to help us untangle this mess?


    There is no other level of support available from Apple that I know of. There are the paid developer forums that you should have access to. You would certainly find more people there that are familiar with the process. Apple also provides a couple of free support tickets with a paid membership. I don't know if I would want to burn one of those on an issue like this.


    I see you seem to have resolved the problem. I still wanted to provide some answers in case someone else came along.

  • TheSilverHammer Level 1 (0 points)

    I have sent a message to Apple about my inability to see that document.  They have fixed it, apparently it was a problem with my account.


    I would be interested in seeing if your method without using productsign works on a 10.8 Gatekeeper machine that isn't one you developed on.  Maybe other issues caused strangeness with my account and those certs, although using productsign worked.


    However I still had issues with the individual code sign that gave me a requirements problem with the Apple cert, but not the VeriSign cert.

  • etresoft Level 7 (27,838 points)

    I was using productsign. I have yet to have much interaction with the app stores. In places like that where I don't know what is going on, I follow the tutorials to the letter. That's what they are for.

  • Tomeranaray Level 1 (85 points)

    @TheSilverHammer: I'm in a similar situation as you. Our project is stuck in Xcode 3.2.5 (due to Applescript-dependencies). We are working on updating to Xcode 4, but that will not happen before the summer and the release of Mountain Lion.


    So, based on this thread, can I assume that you managed to successfully sign your Xcode 3 project?

  • TheSilverHammer Level 1 (0 points)

    I can sign my code with Xcode 3.2 (whatever the full version is).  However the file, while signed, still reports that it "doesn't meet its requirements".   If I sign with a VeriSign code cert instead of the Apple one, it does meet its requirements.


    The real problem was getting my install package signed, and I discovered productsign which does the trick.  Just telling packagemaker to use a cert doesn't work.  It is still untrusted by gatekeeper.


    There is still the problem of product updates since you can't copy a signed file and keep it signed.  It does seem that an actual program will only need to be signed to use some new APIs, not for anything I do now.  I am ok with unsigned or untrusted binaries at this point because it will not be a problem in the immediate future and perhaps may never be a problem.


    If it does become a problem some time will have gone by and perhaps people might know how we solve the update problem with signed files.  I do not understand why Apple refuses to let you copy a signed file and have its signature remain valid.  If a file isn't altered, then it should still be trustworthy.  Instead they pack some of the signed information in some kind of "extra data" which is part of the file-system, not the file itself.  Whenever you copy a file, this extra data is lost.

  • TheSilverHammer Level 1 (0 points)

    I see you might be asking for help on how to sign the file.  Install your certs and look at the code signing section of the project properties.  Under that you should see something that lets you choose a cert, you click on that and you get a list of certs you can use.  Then it will sign the file the next time you build it.  Signing is the LAST step, so if you have some scripts that do things like copy the file, this will happen before the file is signed. 


    You may still be stuck unless your package and executable are in their final place before being signed since you can't copy the file.  You can expand the codesigning step in your build results to see the actual codesign command and its parameters.  You can copy that and then move your file to where you wish and re-issue the command to sign your file again.

  • Tomeranaray Level 1 (85 points)

    I'm afraid I don't understand the part of copying the file: do you mean that if you sign your executable or package the way you describe, and then later on distribute it, it will not be trusted anymore by Gatekeeper?

  • TheSilverHammer Level 1 (0 points)

    If you sign your file and then COPY it, then it is no longer trusted.  Yes, that is exactly what I mean.  If you use productsign on a package, and then compress / zip it, then the package will get past gatekeeper.

  • etresoft Level 7 (27,838 points)

    TheSilverHammer wrote:


    If you sign your file and then COPY it, then it is no longer trusted.  Yes, that is exactly what I mean.

    Sorry, but that is not true. You were doing some funky stuff and I'm still not sure what was going on. If you copy a signed application, that copy is still signed and valid. Otherwise, how could you possibly download a signed file anyway?

  • TheSilverHammer Level 1 (0 points)

    Just try it for yourself.  Sign a binary file, some simple test executable.  Verify it is signed using the codesign tool.  Then copy it.  I used both "cp" from the bash shell or the simple copy / paste using the Finder.  Now re-examine the file with codesign and you will see what I mean.  Oh, the file has a signature, but it isn't trusted anymore.


    As for how could you download a signed file?  That is a great question, I do not have an answer for that.  If you do find such an answer, please post it here.  Right now the only answer I know of is, "You can't".
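
The sign, verify, copy, re-verify test discussed in the posts above can be scripted so the result is reproducible on any Mac. This is an added example, not code from any poster in this thread; the function names `sig_state` and `check_copy` are hypothetical, and it assumes the macOS `codesign` and `pkgutil` tools are on the PATH and that the file or package has already been signed.

```shell
#!/bin/sh
# Added example: does a signature still verify after the file is copied?
# Assumes macOS (codesign, pkgutil). Function names are illustrative only.

# Print "valid" or "invalid" for one path.
# Installer packages (.pkg) are checked with pkgutil, everything else
# (executables, .app bundles) with codesign.
sig_state() {
    case $1 in
        *.pkg) set -- pkgutil --check-signature "$1" ;;
        *)     set -- codesign --verify "$1" ;;
    esac
    if "$@" >/dev/null 2>&1; then echo valid; else echo invalid; fi
}

# Copy SRC into a scratch directory, verify both the original and the
# copy, print the two states, and return 0 only when they agree.
check_copy() {
    src=$1
    tmp=$(mktemp -d) || return 2
    # -R so that .app bundles are copied whole.
    cp -R "$src" "$tmp/" || { rm -rf "$tmp"; return 2; }
    copy="$tmp/$(basename "$src")"
    before=$(sig_state "$src")
    after=$(sig_state "$copy")
    rm -rf "$tmp"
    echo "original=$before copy=$after"
    [ "$before" = "$after" ]
}

# Run against a path given on the command line, e.g.:
#   sh check_copy.sh MyInstaller.pkg
if [ "$#" -gt 0 ]; then
    check_copy "$1"
fi
```

A result of `original=valid copy=invalid` means the copy step dropped or changed something the signature depends on; `original=valid copy=valid` means the signature travelled with the file.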
