Code Signing Certificates For Mac




From Xojo Documentation

A feature called Gatekeeper was added with the release of OS X 10.8 Mountain Lion in 2012. With this feature, new apps that are downloaded or copied to a Mac running OS X 10.8 or newer, but that are not digitally signed using an Apple Developer Certificate, display an error when run: 'App' can't be opened because it is from an unidentified developer.

On older versions of macOS, this error can be overridden in System Preferences (Security & Privacy), by changing the 'Allow applications downloaded from' setting to 'Anywhere'. Unfortunately, the 'Anywhere' option is no longer available with macOS 10.12 Sierra. Alternatively, you can right-click on the app in Finder and click Open in the menu to indicate, 'I'd really like to run this app, thank you very much.'

Note that this only matters for new apps that you transfer to a Mac running macOS 10.8 or later. You'll be able to run the apps you create on your developer machine without this warning. You'll only run into this warning when you copy the app to another Mac, either by making it available for download or by copying it via a USB stick, the network or anything else.

Certificates

So even though you don't technically need to sign your Mac applications in order to avoid this warning, you are probably going to want to. The truth is that most people will leave the setting at the default and, when they get the warning message, will not know that they can right-click on the app to open it. You could try explaining all this to them, but either way it is going to be a hassle for your users. Odds are they just won't bother with your app. The solution is to code-sign your app.

Request, load and use Mac code signing certificates

This is a short step-by-step on how to generate a key on a YubiKey, create a certificate request, submit that request to Apple, load the certificate in the YubiKey and use it for code signing.

The Apple code signing certificate is used to sign all iPhone applications and Mac OS X software. When the author signs the software with an OS X code signing certificate, the user will know that the software comes from a trusted source and that it has not been tampered with or changed since it was signed.

Please follow our Apple Mac instructions to sign your components using your Code Signing certificate. To sign code for Apple Mac OS X, the codesign binary is used. Double-click on your .pfx certificate file. Launch Terminal.app (located in the Utilities directory). Sign your application: codesign -s 'Symantec Inc.'

Select the certificate that you want for digital signing. Before you click Choose a Certificate on the Certificate pop-up menu, you must first have a certificate added to the keychain on your computer. For information about how to request a digital certificate from a certification authority, see Mac Help.

Code Signing Configuration

To code sign your apps you need a developer certificate from Apple and the only way to get a Developer Certificate is to sign up for the Apple Developer Program, which costs $100 a year. However, the certificate you get is good for 5 years, so it looks like you do not need to pay the $100 fee each year unless you also want to distribute apps in the Mac App Store.

You can find out more about the Apple Developer Program here:

Once you have joined, you can create your own certificates using the Certificates, Identifiers & Profiles page of the Apple Developer site. The steps are a bit involved, but essentially you will request a Developer ID certificate from this page.

When you choose to create a new Mac certificate (Developer or Distribution), you are walked through the process of starting Keychain Access and downloading and uploading files until you have the certificate installed. It's a little tedious, but relatively straightforward.

That's the hard part. With the certificate installed, you can now use it to code sign any of your applications. You do this using the Terminal command codesign (pronounced 'code sign').

But before you begin, make sure you have the Intermediate Developer ID certificate installed. Go to this page:

and download the Developer ID certificate. Double-click it to install it into Keychain Access on your Mac.

Code Signing Your App

Signing

Now you are ready to code sign your application. Navigate to its folder using Terminal. There you can enter the commands below to code sign your application and all its libraries. Obviously you want to replace 'YourXojo.app' with the name of your application and 'Developer ID Application: YourName' with the name of your signing certificate specified in Keychain Access.
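The signing step described above, as an added shell example (not the Xojo documentation's own commands): it signs the libraries and frameworks inside the bundle before the bundle itself, then verifies the result. 'YourXojo.app' and 'Developer ID Application: YourName' are the page's placeholders; DRY_RUN and the function names are assumptions of this example.

```shell
#!/bin/bash
# Added example, not the Xojo documentation's own commands.
# APP and IDENTITY use the page's placeholders; DRY_RUN is a hypothetical
# switch of this script (1 = print the codesign commands, 0 = run them).
APP="${APP:-YourXojo.app}"
IDENTITY="${IDENTITY:-Developer ID Application: YourName}"
DRY_RUN="${DRY_RUN:-1}"

# Print every item to sign, one per line: nested libraries and frameworks
# first (find -depth lists a directory's contents before the directory),
# the application bundle itself last. Symlinks are skipped.
signing_order() {
    if [ -d "$1/Contents/Frameworks" ]; then
        find "$1/Contents/Frameworks" -depth ! -type l \
            \( -name '*.dylib' -o -name '*.framework' \) -print
    fi
    printf '%s\n' "$1"
}

# Sign each item in that order; stop at the first failure.
sign_bundle() {
    signing_order "$1" | while IFS= read -r item; do
        if [ "$DRY_RUN" = 1 ]; then
            printf 'codesign -f -s "%s" "%s"\n' "$2" "$item"
        else
            codesign -f -s "$2" "$item" || exit 1
        fi
    done
}

# Check the finished bundle: signature integrity, then Gatekeeper's verdict.
verify_bundle() {
    codesign --verify --deep --strict --verbose=2 "$1" &&
        spctl --assess --type execute --verbose "$1"
}

if [ -d "$APP" ]; then
    sign_bundle "$APP" "$IDENTITY" || exit 1
    [ "$DRY_RUN" = 1 ] || verify_bundle "$APP"
fi
```

Run it with DRY_RUN=0 on the build Mac as the last build step; any change to the bundle after signing makes the verification fail.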


Now you can compress/package your app and transfer it to another computer for installation.

If you are also packaging your app into an installer, you'll need to install the 'Developer ID Installer' certificate and then code sign the installer package file as well. You can embed these commands into an IDE script that calls out to the shell (or a shell script) so that your app is automatically code-signed each time it is built.

Code signing must be done as the absolute last step. If you modify anything inside your application bundle (such as Info.plist) after you code sign, you will invalidate the signature and you'll have to code sign again. For a Build Step, this means it must be the last item after the Build item.

For more information about code signing from Apple, refer to the macOS Code Signing In Depth Technical Note at the Apple Dev Center.

3rd Party Alternative

For more complicated code signing situations you might want to consider a 3rd party code signing tool, such as App Wrapper.

Retrieved from 'http://docs.xojo.com/index.php?title=UserGuide:Mac_Code_Signing&oldid=68458'

Got an alert on El Capitan 10.11.4 server that the certificate is going to expire. I click the 'renew' button and it says Unknown Error. So I dig deeper and run the following on the command line:



sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/certadmin --recreate-CA-signed-certificate 'macserver.local Code Signing Certificate' 'IntermediateCA_MACSERVER.LOCAL_1' dd3d0ec3




To which I got the following error:



/Applications/Server.app/Contents/ServerRoot/usr/sbin/certadmin --recreate-CA-signed-certificate: Unable to renew identity 'macserver.local Code Signing Certificate': unable to renew certificate: could not find original certificate 'macserver.local Code Signing Certificate' with serial number 'dd3d0ec3' issued by 'IntermediateCA_MACSERVER.LOCAL_1' (-25300)



So I run the following to search the certificate and it does find it:



sudo security find-certificate -c 'macserver.local Code Signing Certificate'

keychain: '/Library/Keychains/System.keychain'

class: 0x80001000

attributes:

'alis'<blob>='macserver.local Code Signing Certificate'

'cenc'<uint32>=0x00000003

'ctyp'<uint32>=0x00000001

'hpky'<blob>=0xA14502C168EB2D717615AA60535926B760804C8F '241E002301h353-qv025252`SY&267`200L217'

'issu'<blob>=0x308193312A302806035504030C21496E7465726D65646961746543415F46494C 455345525645522E4C4F43414C5F3131123010060355040A0C09727472616374696F6E312D302B06 0355040B0C244D41434F5358204F70656E4469726563746F727920496E7465726D65646961746520 43413122302006092A864886F70D010901161361646D696E40727472616374696F6E2E636F6D '02012231*0(006003U004003014!IntermediateCA_MACSERVER.LOCAL_110220020 006003U004012014011macserver1-0+006003U004013014$MACOSX OpenDirectory Intermediate CA1'0 006011*206H206367015001011001026023mymacserver@gmail.com'

'labl'<blob>='macserver.local Code Signing Certificate'

'skid'<blob>=<NULL>

'snbr'<blob>=0x00DD3D0EC3 '000335=016303'

'subj'<blob>=0x30553132303006035504030C2966696C657365727665722E6C6F63616C20436F 6465205369676E696E6720436572746966696361746531123010060355040A0C0972747261637469 6F6E310B3009060355040613025553 '0U1200006003U004003014)macserver.local Code Signing Certificate10220020006003U004012014011macserver10130011006003U004 006023002US'




Anyone have any ideas on this?


Mac mini, OS X El Capitan (10.11.4)
