Code Signing Certificates For Mac


This article applies to macOS only.

See also: Multiplatform Programming Guide




Note: Apple requires notarization for kernel extensions and applications on Mojave 10.14.5 onwards (kernel extensions from 7 April 2019, and applications from developers whose Developer ID certificate was first used on or after 7 April 2019), and for all software on Catalina 10.15 onwards that is not distributed via the App Store. See Notarization for macOS 10.14.5+.



Introduction

Code signing gives the recipient of an executable downloaded over the Internet both authenticity (it was signed by the holder of a particular certificate) and integrity (it has not been modified since it was signed). The discussion below applies equally to App Store distribution and to distribution outside the App Store.

Code signing is mandatory on iOS. On macOS 10.7 and later it lets programs downloaded from the Internet be opened without a warning (when they are signed with an Apple-issued certificate), and it is also required for certain functionality, for example the APIs a debugger uses to attach to other processes; for that case a self-signed certificate that the user has marked as trusted in Keychain Access suffices. The check on downloaded software is performed by Apple's Gatekeeper.

The evolution of Gatekeeper

Gatekeeper, first introduced in Mountain Lion (10.8, 2012), is the macOS security feature that checks software downloaded from the Internet before it is first launched. It allows an application to run if it came from the App Store or, for applications offered elsewhere, if it was code signed by a developer with an Apple-issued Developer ID certificate. Gatekeeper performs no safety analysis of the code itself: it verifies only that the signature chains to Apple (and has not been revoked by Apple) and that the application has not been changed since the developer signed it, and it guarantees nothing about the developer beyond the fact that they pay Apple US$99 per year for a Developer ID (hence 'Identified Developer').

The original Gatekeeper options introduced in Mountain Lion, accessed from Preferences > Security and Privacy > General, were:

  • App Store
  • App Store and Identified Developers
  • Anywhere

By choosing the Anywhere option the user could disable Gatekeeper entirely. The default setting allowed only applications from the App Store, or from a developer who had signed the application with an Apple-issued certificate, to launch.

When macOS Sierra was released in 2016, Apple made some important changes to Gatekeeper and limited the Gatekeeper options to:

  • App Store
  • App Store and Identified Developers

However, you can restore the missing Gatekeeper 'Anywhere' option in Preferences by opening a Terminal and executing the command:

which still works up to and including macOS Catalina. The better (more secure) alternative is to bypass Gatekeeper for a single application by opening it from the right-click context menu or by Control-clicking it: the alert dialog still appears, but it now contains an Open button that launches the application. This method still works in macOS Catalina.

Gatekeeper Dialogs

  • Simple warning after opening a downloaded application in Leopard.

  • Default settings are stricter in Mavericks, where they prevent unsigned downloaded apps from being started by double-clicking.

  • If the application is launched via context menu in Mavericks a simple warning is displayed similar to that of earlier versions.

  • Gatekeeper shows a simplified warning when a code-signed app is downloaded and launched for the first time. On subsequent launches the program starts immediately.

  • Overview of code-signing a program written with Lazarus and Free Pascal

Overview


The basic steps to sign an application that has been written with Lazarus and/or Free Pascal are:

  1. Obtain a Developer ID from Apple (a Developer ID Application certificate and, for installers, a Developer ID Installer certificate) and install them in your login keychain.
  2. Note your Team ID, the ten-character alphanumeric code shown in parentheses at the end of the certificate name (codesign reports it as TeamIdentifier).
  3. Sign your application with the codesign command.
  4. Sign your installer pkg with the productsign command.

Certificates from third-party providers such as Comodo cannot be used: Gatekeeper only accepts signatures that chain to Apple's Developer ID certificate authority, so anything else is treated as unsigned. Conversely, an Apple-issued certificate cannot be used to sign Windows applications; Windows Authenticode signing requires a certificate from a CA that Windows trusts (Comodo and similar providers).


A macOS application distributed outside the Mac App Store will generally have 3–4 separate layers of signing:

  • The application itself will be code signed using an application certificate.
  • If the application has an installer, the package file will be signed using an installer certificate.
  • The disk image containing the application or installer will be signed using an application certificate.
  • The disk image will be notarized, and the ticket generated by the notary service will then be stapled to it.

Gatekeeper requirements

  • Your application must be self-contained: the only acceptable external dependencies are system libraries (under /System and /usr/lib). Every other library or framework must be copied into the MyApp.app bundle (normally Contents/Frameworks) and signed there; an application that loads code from outside its own bundle will not be accepted by Gatekeeper.
  • All binary files inside MyApp.app should be code signed.
  • All binary files should be located in standard locations inside the MyApp.app bundle folder. Refer to the table below.
Standard locations for code inside a bundle

  Location                          Description
  Contents                          Top content directory of the bundle
  Contents/MacOS                    Main executable; helper apps and tools
  Contents/Frameworks               Frameworks, dylibs
  Contents/PlugIns                  Plug-ins, both loadable and extensions
  Contents/XPCServices              XPC services
  Contents/Helpers                  Helper apps and tools
  Contents/Library/Automator        Automator actions
  Contents/Library/Spotlight        Spotlight importers
  Contents/Library/LoginItems       Installable login items
  Contents/Library/LaunchServices   Privileged helper tools installed by the ServiceManagement framework

Note: only code belongs in the directories listed above. Data files (images, help, configuration) go under Contents/Resources, where codesign seals them as resources.
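The layout rules above can be checked mechanically before signing. The script below is an added example, not code from the Lazarus wiki: it walks an .app bundle, identifies Mach-O files by their magic number, reports code that sits outside the standard locations and loose data files that sit inside them, and lists the non-system libraries in otool -L output that must be bundled. The demo bundle it builds and the otool output it parses are constructed here; MyApp.app, libhelper.dylib and Foo.framework are placeholders, and Contents/Resources is assumed as the home for data files.

```python
"""Lint an .app bundle against the Gatekeeper layout rules: every Mach-O file
must sit in one of the standard code directories, no loose data file may sit
there, and the main executable may link only against system libraries.
Added example, not code from the Lazarus wiki; the demo bundle and the
otool -L text are constructed here, not taken from a real application.
"""
import tempfile
from pathlib import Path

# Magic numbers at offset 0 of thin and fat (universal) Mach-O files, in both
# byte orders as they appear on disk.
THIN_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # MH_MAGIC
               b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe"}   # MH_MAGIC_64
FAT_MAGICS = {b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca"}    # FAT_MAGIC

# Bundle-relative directories in which code may live (the table above).
CODE_DIRS = ("Contents/MacOS", "Contents/Frameworks", "Contents/PlugIns",
             "Contents/XPCServices", "Contents/Helpers",
             "Contents/Library/Automator", "Contents/Library/Spotlight",
             "Contents/Library/LoginItems", "Contents/Library/LaunchServices")
# Nested bundles carry their own Resources; codesign checks them as nested code.
NESTED = (".framework", ".app", ".bundle", ".plugin", ".xpc", ".appex", ".mdimporter")
# Link paths that need not be shipped inside the bundle.
SYSTEM_PREFIXES = ("/System/", "/usr/lib/", "@rpath/", "@executable_path/", "@loader_path/")

def is_macho(path):
    """True for a thin or fat Mach-O file. Java .class files start with the same
    CAFEBABE bytes, so a fat header is accepted only if its arch count is small."""
    with open(path, "rb") as f:
        head = f.read(8)
    if head[:4] in THIN_MAGICS:
        return True
    if head[:4] in FAT_MAGICS and len(head) == 8:
        order = "big" if head[:4] == b"\xca\xfe\xba\xbe" else "little"
        return int.from_bytes(head[4:8], order) < 20
    return False

def check_bundle(bundle):
    """Return (problem, bundle-relative path) pairs for code outside the
    standard locations and for loose non-code files inside them."""
    bundle = Path(bundle)
    problems = []
    for p in sorted(bundle.rglob("*")):
        if not p.is_file() or p.is_symlink():
            continue
        rel = p.relative_to(bundle).as_posix()
        in_code_dir = any(rel.startswith(d + "/") for d in CODE_DIRS)
        nested = any(part.endswith(NESTED) for part in Path(rel).parts[:-1])
        if is_macho(p):
            if not in_code_dir:
                problems.append(("code outside standard location", rel))
        elif in_code_dir and not nested:
            problems.append(("non-code file in code directory", rel))
    return problems

def external_dependencies(otool_output):
    """Non-system libraries from `otool -L` output; each must be copied into the
    bundle (normally Contents/Frameworks) and signed there."""
    deps = []
    for line in otool_output.splitlines()[1:]:        # first line names the file
        lib = line.strip().split(" (")[0]
        if lib and not lib.startswith(SYSTEM_PREFIXES):
            deps.append(lib)
    return deps

def build_demo_bundle(root=None):
    """Construct a throwaway MyApp.app mixing good and bad placements."""
    root = Path(root or tempfile.mkdtemp()) / "MyApp.app"
    exe64 = b"\xcf\xfa\xed\xfe" + b"\0" * 28
    files = {
        "Contents/Info.plist": b"<plist/>",
        "Contents/MacOS/MyApp": exe64,                                  # good
        "Contents/MacOS/README.txt": b"data",                           # bad: data in MacOS
        "Contents/Resources/libhelper.dylib": exe64,                    # bad: code in Resources
        "Contents/Resources/Plugin.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x34",  # Java, not code
        "Contents/Frameworks/Foo.framework/Versions/A/Foo": b"\xca\xfe\xba\xbe\x00\x00\x00\x02",
        "Contents/Frameworks/Foo.framework/Versions/A/Resources/Info.plist": b"<plist/>",  # allowed
    }
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    return root

# Constructed `otool -L MyApp.app/Contents/MacOS/MyApp` output, one non-system library.
OTOOL_SAMPLE = """MyApp.app/Contents/MacOS/MyApp:
\t/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1281.100.1)
\t/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa (compatibility version 1.0.0, current version 23.0.0)
\t/usr/local/lib/libsqlite3.dylib (compatibility version 9.0.0, current version 9.6.0)
\t@rpath/Foo.framework/Versions/A/Foo (compatibility version 1.0.0, current version 1.0.0)
"""

if __name__ == "__main__":
    for problem, rel in check_bundle(build_demo_bundle()):
        print(f"{problem}: {rel}")
    print("must be bundled and signed:", external_dependencies(OTOOL_SAMPLE))
```

Files inside nested bundles (.framework, .plugin, .xpc and so on) are skipped by the data-file check because they have their own Resources directories and codesign verifies them as nested code. A fat header is accepted only when its architecture count is small, because Java .class files begin with the same CAFEBABE bytes. On macOS, feed external_dependencies the real output of otool -L run on MyApp.app/Contents/MacOS/MyApp; anything it returns has to be copied into Contents/Frameworks and signed before the bundle will pass Gatekeeper.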

Using codesign to sign your application

1. Sign your application with:

2. Display basic information about the result of the signing process:

If your application was successfully signed this command will return information similar to this:

3. Verify your signature:

If your app was successfully signed, this command prints 'valid on disk' and 'satisfies its Designated Requirement', each preceded by the path to your application, and exits with status 0.

Using productsign to sign your pkg installer

1. Sign your installer pkg file with:

2. Verify your signature with:

which should yield information similar to this if it was successful:

Using codesign to sign your disk image

Beginning in macOS 10.11.5 you can apply a code signature to a read-only, compressed disk image used to distribute content; Gatekeeper then assesses the image's own signature when it is opened. This does not replace signing the application inside the image: once copied out of the image the application is assessed on its own at first launch, and notarization requires the application itself to be signed (see the layers listed above).


1. Sign your disk image with:

2. Verify your signature with:

which should yield information similar to this if it was successful:

Since 3 February 2020 Apple has fully enforced notarization on macOS 10.14.5 (Mojave) and later, so the above verification of a signed but not yet notarized disk image now returns information similar to this:

See Notarization for macOS 10.14.5+ for more details.
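The three signing steps above (codesign for the bundle, productsign for the package, codesign for the disk image) and their verification commands fit naturally into one release gate. The script below is an added example, not code from the Lazarus wiki: "Example Corp", the Team ID ABCDE12345 and the MyApp file names are placeholders, and the sample outputs at the bottom are constructed to match the format of codesign, spctl and pkgutil rather than captured from a real machine. The signing commands only run on macOS with the Developer ID certificates in the keychain; the parsers run anywhere.

```python
"""Release gate for a Developer ID build: sign the .app, the installer .pkg and
the .dmg, then verify each layer the way Gatekeeper will. Added example, not
code from the Lazarus wiki; Example Corp, Team ID ABCDE12345 and the file names
are placeholders, and the sample outputs at the bottom are constructed.
"""
import re
import subprocess
import sys

TEAM_ID = "ABCDE12345"  # placeholder: the ten-character Team ID on your certificates
APP_IDENTITY = f"Developer ID Application: Example Corp ({TEAM_ID})"
PKG_IDENTITY = f"Developer ID Installer: Example Corp ({TEAM_ID})"

def sign_app_cmd(app):
    # --timestamp and --options runtime (hardened runtime) are notarization prerequisites.
    return ["codesign", "--force", "--timestamp", "--options", "runtime",
            "--sign", APP_IDENTITY, app]

def verify_app_cmd(app):  # --deep walks nested code; --strict applies current rules
    return ["codesign", "--verify", "--deep", "--strict", "--verbose=2", app]

def sign_pkg_cmd(unsigned_pkg, signed_pkg):
    return ["productsign", "--sign", PKG_IDENTITY, unsigned_pkg, signed_pkg]

def sign_dmg_cmd(dmg):
    return ["codesign", "--timestamp", "--sign", APP_IDENTITY, dmg]

def assess_cmd(path, kind):
    # Gatekeeper's own verdict: an app for execution, a disk image for opening.
    if kind == "dmg":
        return ["spctl", "-a", "-t", "open", "--context", "context:primary-signature", "-v", path]
    return ["spctl", "--assess", "--type", "execute", "--verbose", path]

def codesign_verify_ok(output):
    """Both verdict lines of `codesign --verify` (printed on stderr) must appear."""
    return "valid on disk" in output and "satisfies its Designated Requirement" in output

def signature_details(output, team_id=TEAM_ID):
    """The fields of `codesign -dv --verbose=4` worth gating a release on."""
    team = re.search(r"^TeamIdentifier=(.+)$", output, re.M)
    authorities = re.findall(r"^Authority=(.+)$", output, re.M)
    return {
        "team_matches": team is not None and team.group(1).strip() == team_id,
        "developer_id": bool(authorities) and authorities[0].startswith("Developer ID Application:"),
        "hardened_runtime": re.search(r"^CodeDirectory .*flags=[^ ]*runtime", output, re.M) is not None,
        "timestamped": re.search(r"^Timestamp=", output, re.M) is not None,
    }

def spctl_verdict(output):
    """(accepted?, source) from spctl output, e.g. (True, 'Developer ID')."""
    verdict = re.search(r":\s*(accepted|rejected)\b", output)
    source = re.search(r"^source=(.+)$", output, re.M)
    return (verdict is not None and verdict.group(1) == "accepted",
            source.group(1).strip() if source else "")

def pkg_signature_ok(output, team_id=TEAM_ID):
    """`pkgutil --check-signature`: trusted chain and an Installer cert of our team."""
    trusted = re.search(r"Status: signed by a certificate trusted by", output) is not None
    ours = re.search(rf"Developer ID Installer: .*\({team_id}\)", output) is not None
    return trusted and ours

def run(cmd):
    # codesign and spctl report on stderr, so return both streams together.
    p = subprocess.run(cmd, capture_output=True, text=True)
    return p.returncode, p.stdout + p.stderr

def release_gate(app, unsigned_pkg, pkg, dmg):
    """Sign all three layers, then stop at the first one Gatekeeper would refuse."""
    for cmd in (sign_app_cmd(app), sign_pkg_cmd(unsigned_pkg, pkg), sign_dmg_cmd(dmg)):
        rc, out = run(cmd)
        if rc != 0:
            sys.exit(f"signing failed: {' '.join(cmd)}\n{out}")
    checks = [
        ("app signature", verify_app_cmd(app), codesign_verify_ok),
        ("app identity/runtime", ["codesign", "-dv", "--verbose=4", app],
         lambda o: all(signature_details(o).values())),
        ("app Gatekeeper", assess_cmd(app, "app"), lambda o: spctl_verdict(o)[0]),
        ("pkg signature", ["pkgutil", "--check-signature", pkg], pkg_signature_ok),
        ("dmg Gatekeeper", assess_cmd(dmg, "dmg"), lambda o: spctl_verdict(o)[0]),
    ]
    for name, cmd, ok in checks:
        _, out = run(cmd)
        if not ok(out):
            sys.exit(f"{name} check failed:\n{out}")
    print("all layers signed and accepted by Gatekeeper")

# Constructed sample outputs (not captured from a real machine) in the shape the
# tools print; the dmg sample is what an unnotarized image yields from Feb 2020 on.
SAMPLE_VERIFY_OK = "MyApp.app: valid on disk\nMyApp.app: satisfies its Designated Requirement\n"
SAMPLE_DETAILS = f"""Identifier=com.example.myapp
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+5 location=embedded
Authority=Developer ID Application: Example Corp ({TEAM_ID})
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Mar 3, 2020 at 10:00:00 AM
TeamIdentifier={TEAM_ID}
"""
SAMPLE_SPCTL_APP = "MyApp.app: accepted\nsource=Developer ID\n"
SAMPLE_SPCTL_DMG = "MyApp.dmg: rejected\nsource=Unnotarized Developer ID\n"
SAMPLE_PKGUTIL = f"""Package "MyApp.pkg":
   Status: signed by a certificate trusted by macOS
   Certificate Chain:
    1. Developer ID Installer: Example Corp ({TEAM_ID})
"""

if __name__ == "__main__":
    release_gate("MyApp.app", "MyApp-unsigned.pkg", "MyApp.pkg", "MyApp.dmg")
```

spctl is Gatekeeper's own judgement and is stricter than codesign --verify: the verify step passes on any intact signature, ad-hoc included, while spctl refuses an unnotarized image with source=Unnotarized Developer ID, as in the constructed SAMPLE_SPCTL_DMG, which is the result described above for macOS 10.14.5 and later since February 2020. Run the dmg assessment again after notarizing and stapling the image. The hardened-runtime and timestamp checks are included because the notary service rejects submissions without them.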


Retrieved from 'https://wiki.freepascal.org/index.php?title=Code_Signing_for_macOS&oldid=138798'