sign_pkg

Zwetan Kjukov edited this page May 15, 2016 · 4 revisions

Signing Under Mac OS X

To sign command-line programs under Mac OS X you need 2 signing identities: one for the application and one for the installer.

For example in build/make-macosx-pkg

var DEVELOPER_ID_APPLICATION:String = "3rd Party Mac Developer Application: Zwetan Kjukov (4AT3SFJR6C)";
var DEVELOPER_ID_INSTALLER:String   = "3rd Party Mac Developer Installer: Zwetan Kjukov (4AT3SFJR6C)";

Signing an Installer

You basically use the DEVELOPER_ID_INSTALLER identity with the pkgbuild command-line tool.

For example to sign a .pkg (installer) file
$ pkgbuild --sign "3rd Party Mac Developer Installer: Zwetan Kjukov (4AT3SFJR6C)"
(yes you need to use the whole string)

A full command would look like

$ pkgbuild --root path/to/pkgdir \
           --identifier com.corsaair.helloworld \
           --version 1.2.3 \
           --ownership recommended \
           --sign "3rd Party Mac Developer Installer: Zwetan Kjukov (4AT3SFJR6C)" \
           path/to/helloworld.pkg

Signing an Application

Here you use the DEVELOPER_ID_APPLICATION identity with the codesign command-line tool.

For the signing to work, the executable has to be a Mach-O executable.

For example

$ codesign --force \
           --sign "3rd Party Mac Developer Application: Zwetan Kjukov (4AT3SFJR6C)" \
           path/to/cli/executable

Special case with Redtamarin projectors

Even if the executable is a regular Mach-O executable, because we embed our program into it, codesign will report "main executable failed strict validation".

If you absolutely need a signed executable, you can sign one of the redshell executables and provide either the ABC or SWF file as an external file to accompany it.

First, you will need to sign a redshell executable

Copy one of the redshell executables
$ cp /usr/lib/redtamarin/runtimes/redshell/macintosh/64/redshell redshell-signed

Sign it
$ codesign --force --sign "3rd Party Mac Developer Application: Zwetan Kjukov (4AT3SFJR6C)" redshell-signed

Verify that it is signed
$ codesign -dvvv redshell-signed

output should be

Identifier=redshell-signed
Format=Mach-O thin (x86_64)
CodeDirectory v=20200 size=15979 flags=0x0(none) hashes=793+2 location=embedded
Hash type=sha1 size=20
CDHash=028ac8507770397c5f395548c36aa5b83d3f356d
Signature size=4350
Authority=3rd Party Mac Developer Application: Zwetan Kjukov (4AT3SFJR6C)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=3 May 2016 00:49:25
Info.plist=not bound
TeamIdentifier=4AT3SFJR6C
Sealed Resources=none
Internal requirements count=1 size=196
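
To make the verification step repeatable in a build script, the report can be checked against the identity you expect instead of being read by eye. The following is an added example, not part of the original wiki or of Redtamarin; the function names check_codesign_report and sample_report are hypothetical, and the sample input is constructed from a subset of the output shown above.

```shell
#!/bin/sh
# Added example: validate a `codesign -dvvv` report against the expected identity.
# Usage on macOS (codesign writes the report to stderr):
#   codesign -dvvv redshell-signed 2>&1 | check_codesign_report TEAM "LEAF AUTHORITY"

# Constructed sample input: a subset of the report shown on this page.
sample_report() {
cat <<'EOF'
Identifier=redshell-signed
Format=Mach-O thin (x86_64)
Hash type=sha1 size=20
Authority=3rd Party Mac Developer Application: Zwetan Kjukov (4AT3SFJR6C)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
TeamIdentifier=4AT3SFJR6C
EOF
}

# check_codesign_report EXPECTED_TEAM EXPECTED_LEAF   (report on stdin)
# Returns 0 only if the team id, the leaf (first) Authority and the root
# (last) Authority all match; prints one line per mismatch to stderr.
# An unsigned or ad-hoc signed file has no Authority lines and fails.
check_codesign_report() {
    expected_team=$1
    expected_leaf=$2
    report=$(cat)
    team=$(printf '%s\n' "$report" | sed -n 's/^TeamIdentifier=//p' | head -n 1)
    leaf=$(printf '%s\n' "$report" | sed -n 's/^Authority=//p' | head -n 1)
    root=$(printf '%s\n' "$report" | sed -n 's/^Authority=//p' | tail -n 1)
    rc=0
    if [ "$team" != "$expected_team" ]; then
        echo "team mismatch: got '$team'" >&2; rc=1
    fi
    if [ "$leaf" != "$expected_leaf" ]; then
        echo "leaf authority mismatch: got '$leaf'" >&2; rc=1
    fi
    if [ "$root" != "Apple Root CA" ]; then
        echo "chain does not end in Apple Root CA: got '$root'" >&2; rc=1
    fi
    return $rc
}
```

codesign -d only displays the signature and does not check that the seal is intact, so pair this check with codesign --verify --strict on the same file.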

Then you will need to change how you build the projector in build-macosx.as3

projector( "helloworld", false, null, [ "helloworld.abc" ], null, "redshell-signed" );

You will then need to alter your deployment structure

.
|_ usr
    |_ local
         |_ lib
             |_ helloworld
                    |_ lib                 either
                    |   |_ helloworld.abc  your program as an ABC file
                    |   |_ helloworld.swf  your program as a SWF file
                    |
                    |_ runtime
                        |_ redshell        the signed redshell executable

You will also need to change the wrapper script

For example:
/usr/bin/helloworld
would become

#!/bin/sh
# Quote "$@" so arguments containing spaces reach the program intact
/usr/lib/helloworld/runtime/redshell /usr/lib/helloworld/lib/helloworld.abc -- "$@"