March 2012 Archives

Code Signing Using New Apple Developer IDs


Mountain Lion comes with Gatekeeper and Apple will now provide you with a Developer ID to sign your applications.

If you need your application to work on older versions of OS X, you need to take care. By default, codesign does not embed a designated requirement in the signature; the system that verifies the signature supplies a default one. That default is therefore controlled by the system on which verification is performed, not the system you sign on. The default on your current Lion system will be fine, but the default on Leopard (and possibly Snow Leopard) is not suitable and verification will fail. The problem is that when the signing certificate chains to Apple's root, the older default assumes that you are writing actual Apple software (i.e. the requirement uses “anchor apple” rather than “anchor apple generic”).

To work around this issue, you need to pass an explicit designated requirement to codesign. A suitable requirement is the default that your Lion system generates. So sign your app just as you do now, then view the default by typing:

codesign -d -r- <path-to-app>

Copy the “designated =>” line into a file (dropping the ‘#’ character at the beginning of the line), and sign your app with that file:

codesign -s <identity> -r <path-to-requirements> <other-codesign-flags> <path-to-app>

This embeds the requirement in your code signature and overrides any default that the verifying system would otherwise use.
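The whole Lion-era procedure as a small shell script, added here as an example rather than code from the original post. The sample codesign output is constructed (the bundle path, identifier and certificate fields are placeholders), and the function names are my own. The extraction and the “anchor apple generic” check run on any POSIX shell; only the re-signing wrapper at the end needs a Mac, so it is defined but not called.

```shell
#!/bin/sh
# Added example: turn `codesign -d -r-` output into a requirements file
# and check that it uses "anchor apple generic" before re-signing.

# Constructed sample of what `codesign -d -r- MyApp.app` prints on Lion.
# The designated requirement carries a leading "# " that must be dropped
# before the line can be fed back to codesign via -r.
SAMPLE_REQUIREMENTS_OUTPUT='Executable=/Applications/MyApp.app/Contents/MacOS/MyApp
# designated => identifier "com.example.myapp" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */'

# Read codesign -d -r- output on stdin; print only the "designated =>" line
# with any leading '#' and spaces stripped, which is the requirement-set
# syntax codesign -r accepts from a file.
extract_designated_requirement() {
    sed -n 's/^#* *\(designated => .*\)$/\1/p'
}

# Read a requirement on stdin; succeed (exit 0) only if it uses the
# "anchor apple generic" anchor. A bare "anchor apple" is the Apple-only
# anchor the post warns about: Leopard's verifier would reject the app.
requirement_anchor_ok() {
    grep -q 'anchor apple generic'
}

# $1: captured codesign -d -r- output, $2: path of the requirements file
# to write. Fails if the extracted requirement does not pass the anchor check.
make_requirements_file() {
    req=$(printf '%s\n' "$1" | extract_designated_requirement)
    [ -n "$req" ] || { echo "no designated requirement found" >&2; return 1; }
    printf '%s\n' "$req" | requirement_anchor_ok \
        || { echo "requirement does not use 'anchor apple generic'" >&2; return 1; }
    printf '%s\n' "$req" > "$2"
}

# macOS only (hypothetical wrapper, not called here): $1 app bundle,
# $2 signing identity such as "Developer ID Application: Your Name",
# $3 requirements file from make_requirements_file. -f is needed because
# the app already carries the first signature from the dump step.
resign_with_requirements() {
    codesign -f -s "$2" -r "$3" "$1" && codesign --verify --verbose "$1"
}

# Demonstration on the constructed sample; no codesign needed.
REQ=$(printf '%s\n' "$SAMPLE_REQUIREMENTS_OUTPUT" | extract_designated_requirement)
printf '%s\n' "$REQ" | requirement_anchor_ok \
    && echo "requirement uses anchor apple generic: $REQ"
```

On a Mac the flow is `codesign -d -r- MyApp.app > dump.txt`, `make_requirements_file "$(cat dump.txt)" MyApp.req`, then `resign_with_requirements MyApp.app "<identity>" MyApp.req`. The anchor check is the part worth keeping: it catches a requirement that would verify on your own Lion machine and still fail on a customer's Leopard system.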

UPDATE: codesign in Mountain Lion has been changed so that it embeds explicit requirements so the above is no longer required. However, be aware of this issue in 10.8.0 regarding timestamps: