Signing Mac Application #616

tommoor opened this Issue Apr 11, 2013 · 22 comments


None yet
tommoor commented Apr 11, 2013

It would be great to see something in the Wiki on signing mac applications. I'm currently attempting this but am getting errors that the app is already signed and that the signature is invalid (not surprising).

Has anyone managed to do this?

Seems like quite an important part of the distribution steps




I've successfully signed many applications. What are you using to sign your application?

Try executing:

codesign -d --deep-verify -v -v -v /Path/To/Your/Bundle

It'll tell you what is signed and what isn't (and by whom). There may be something within the bundle thats previously been signed by someone else that you may be including that can't be resigned.

nyo16 commented Jul 29, 2013

Hello there , the "/Path/To/Your/Bundle" is the nw executable path?


Yes, its the path to your application, it would end with .app

@steffenmllr steffenmllr referenced this issue in nwjs/grunt-nw-builder Sep 16, 2013

Add the ability to sign the mac application #9

timhaak commented Dec 11, 2013

Has anyone else managed to get this to work. Or does it only work if you also then distribute the application via the app store.


@timhaak, yes i've successfully signed apps multiple times. Not to be a negative nancy, but is your developer certificate expired or has it been revoked?

You may also want to use Xcode "Projects", specifically the Archive feature to see if will give you any idea what's going on, generally this is more verbose about issues (especially if you're requesting push notifications or nee identities).

I've successfully submitted (and had accepted) node-webkit and tint applications into the MacStore. One caviet is you're not allowed to "run" packages which aren't yours. e.g., you can't use it as a runtime to execute other peoples apps, nor can you auto update the package without going through the app store.

timhaak commented Dec 18, 2013

Turned out that I didn't have right to generate the correct cert. I need to generate the Developer ID cert.

Bellow is the script that I'm using in case anyone else gets stuck.

#export CODESIGN_ALLOCATE="/Applications/"
#Run the following to get a list of certs

#security find-identity

echo "### signing frameworks"
codesign --force --verify --verbose --sign "$identity" "$app/Contents/Frameworks/crash_inspector"
codesign --force --verify --verbose --sign "$identity" "$app/Contents/Frameworks/node-webkit Framework.framework/node-webkit Framework.tmp"
codesign --force --verify --verbose --sign "$identity" "$app/Contents/Frameworks/node-webkit Framework.framework/node-webkit Framework.TOC"
codesign --force --verify --verbose --sign "$identity" "$app/Contents/Frameworks/node-webkit Framework.framework/"
codesign --force --verify --verbose --sign "$identity" "$app/Contents/Frameworks/node-webkit Helper"
codesign --force --verify --verbose --sign "$identity" "$app/Contents/Frameworks/node-webkit Helper"
codesign --force --verify --verbose --sign "$identity" "$app/Contents/Frameworks/node-webkit"

echo "### signing app"
codesign --force --verify --verbose --sign "$identity" "$app"

echo "### verifying signature"
codesign -vvv -d "$app"
sudo spctl -a -vvvv "$app"


@timhaak you are a saint for providing that script.

mlynch commented Mar 1, 2014

@timhaak thanks so much for that script! I was able to sign my node-webkit package on OS X and get passed the "unidentified developer" warning.

I also had to sign up for a Mac Developer Account and then import those signing certificates in the accounts section of XCode.

Edit: to get passed the unidentified developer warning, pick the "Developer ID Application" signing identity after running security find-identity and place the string there in the identity field of the script.

tommoor commented Mar 13, 2014

Does anyone zip their codesigned application? I don't think this is node-webkit specific - but a friendly warning as I'm having major issues with this since upgrading to Mavericks:

mlynch commented Mar 13, 2014

No, I kept it as a dmg which was also to get that "nice" drag-to-install

I'd suggest a .pkg if you want to send a compressed version of the

On Thu, Mar 13, 2014 at 1:51 PM, Tom Moor wrote:

Does anyone zip their codesigned application? I don't think this is
node-webkit specific - but a friendly warning as I'm having major issues
with this since upgrading to Mavericks:

Reply to this email directly or view it on GitHub

tommoor commented Mar 13, 2014

@mlynch appreciate the note, I agree - we need to change this. Unfortunately the zip is needed to update already deployed app :-(

semmel commented Mar 13, 2014

@tommoor It's a shame that zip invalidates the code signature on OS X 10.9.
I had to change the update file format from zip to dmg i.e. use the setup package for OS X.
Our automatic install script relies now on

hdiutil attach "our_product.dmg" -nobrowse -plist > "$TMPDIR"our_product_dmg_attach_result.plist

if [ -x /usr/libexec/PlistBuddy ]
    until [ $i -ge 3 ]
        MOUNT_POINT=`/usr/libexec/PlistBuddy -c "Print system-entities:${i}:mount-point" "${TMPDIR}our_product_dmg_attach_result.plist"`
        if [ $? -eq 0 ]
        i=`expr $i + 1`
    if [ $i -ge 3 ]
        echo "Warning: Error reading mount point from disc attachment output!"
    echo "Warning: Can not find and execute PlistBuddy on your system!"
# remove the old app bundle
hdiutil detach $MOUNT_POINT

I don't know how reliable that is, but at least the app bundle remains properly signed.

tommoor commented Mar 14, 2014

@semmel thanks, I'm moving over to this method - that's very useful :-)

tommoor commented Mar 15, 2014

This is what I've been working on, it might be useful for others:

@semmel semmel referenced this issue in sqwiggle/node-webkit-mac-updater Mar 15, 2014

Deleting the app folder from disk while running the app #4


@tommoor ๐Ÿ‘

rawberg commented Jun 22, 2014

@timhaak thanks for sharing the script, it helped ease the last little bit of the process for me ๐Ÿ‘


When upload app to the mac store, we must enable sandbox.

I use codesign with --entitlements build.entitlements
and the entitlements enable the sandbox

but after that. it will crash when start app. even i try to codesign the official app ( . the same problem will be happen. ; exit;
[3410:0922/] Breakpad initializaiton failed

someone know why? @tommoor @rogerwang
node v0.11.12 OSX 10.9.4

@tommoor tommoor closed this Nov 15, 2014
@reggi reggi referenced this issue in electron/electron Dec 8, 2014

Auto Update Event.js Error #905


I had a lot of code failed to satisfy specified code requirement(s) errors when using @timhaak's script. Turns out, I had to include

export CODESIGN_ALLOCATE="/Applications/"

Based on this post

@zcbenz zcbenz referenced this issue in electron/electron Apr 13, 2015

codesign fails on Yosemite 10.10.3 #1396


In addition to @timhaak script, I had to codesign some extra files:

codesign --force --verify --verbose --sign "$identity" "$app/Contents/Frameworks/node-webkit Helper"
codesign --force --verify --verbose --sign "$identity" "$app/Contents/Frameworks/node-webkit Helper"
codesign --force --verify --verbose --sign "$identity" "$app/Contents/Frameworks/node-webkit"

Note that you need to codesign all .app files. Run find apppath/ -iname "*.app" to be sure you're covering everything.

@michael-lefebvre michael-lefebvre added a commit to michael-lefebvre/Squid that referenced this issue Apr 23, 2015
@michael-lefebvre michael-lefebvre self signing Mac application f378aa3

Thanks a lot @timhaak! I had to do a few changes in the newer versions, as the node-webkit is changed to nwjs, but after that I was able to sign my app :)

timhaak commented Aug 3, 2015

Glad this is still helping :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment