Signing Mac Application #616

Closed
tommoor opened this Issue Apr 11, 2013 · 22 comments

tommoor commented Apr 11, 2013

It would be great to see something in the Wiki on signing mac applications. I'm currently attempting this but am getting errors that the app is already signed and that the signature is invalid (not surprising).

Has anyone managed to do this?

Seems like quite an important part of the distribution steps

@sindresorhus

👍

trevorlinton Jun 26, 2013

I've successfully signed many applications. What are you using to sign your application?

Try executing:

```sh
codesign -d --deep-verify -v -v -v /Path/To/Your/Bundle
```

It'll tell you what is signed and what isn't (and by whom). There may be something within the bundle that's previously been signed by someone else that you may be including that can't be resigned.

nyo16 Jul 29, 2013

Hello there, the "/Path/To/Your/Bundle" is the nw executable path?

trevorlinton Jul 30, 2013

Yes, it's the path to your application; it would end with .app

timhaak Dec 11, 2013

Has anyone else managed to get this to work? Or does it only work if you also then distribute the application via the app store?

trevorlinton Dec 17, 2013

@timhaak, yes I've successfully signed apps multiple times. Not to be a negative nancy, but is your developer certificate expired or has it been revoked?

You may also want to use Xcode "Projects", specifically the Archive feature, to see if it will give you any idea what's going on; generally this is more verbose about issues (especially if you're requesting push notifications or nee identities).

I've successfully submitted (and had accepted) node-webkit and tint applications into the MacStore. One caveat is you're not allowed to "run" packages which aren't yours, e.g., you can't use it as a runtime to execute other people's apps, nor can you auto update the package without going through the app store.

timhaak Dec 18, 2013

Turned out that I didn't have the right to generate the correct cert. I need to generate the Developer ID cert.

Below is the script that I'm using in case anyone else gets stuck.

```sh
#!/bin/sh
# export CODESIGN_ALLOCATE="/Applications/Xcode.app/Contents/Developer/usr/bin/codesign_allocate"
# Run the following to get a list of certs:
#   security find-identity

app="$1"    # path to the .app bundle
identity="182F7BADDDFA459E45F0AAA394A6F797832E28B1"    # signing identity

# Nested code is signed first, the outer bundle last
echo "### signing frameworks"
codesign --force --verify --verbose --sign "$identity" "$app/Contents/Frameworks/crash_inspector"
codesign --force --verify --verbose --sign "$identity" "$app/Contents/Frameworks/node-webkit Framework.framework/node-webkit Framework.tmp"
codesign --force --verify --verbose --sign "$identity" "$app/Contents/Frameworks/node-webkit Framework.framework/node-webkit Framework.TOC"
codesign --force --verify --verbose --sign "$identity" "$app/Contents/Frameworks/node-webkit Framework.framework/"
codesign --force --verify --verbose --sign "$identity" "$app/Contents/Frameworks/node-webkit Helper EH.app/"
codesign --force --verify --verbose --sign "$identity" "$app/Contents/Frameworks/node-webkit Helper NP.app/"
codesign --force --verify --verbose --sign "$identity" "$app/Contents/Frameworks/node-webkit Helper.app/"

echo "### signing app"
codesign --force --verify --verbose --sign "$identity" "$app"

# Display the signature, then ask Gatekeeper to assess the bundle
echo "### verifying signature"
codesign -vvv -d "$app"
sudo spctl -a -vvvv "$app"
```

rbrcurtis Feb 28, 2014

@timhaak you are a saint for providing that script.

mlynch Mar 1, 2014

@timhaak thanks so much for that script! I was able to sign my node-webkit package on OS X and get past the "unidentified developer" warning.

I also had to sign up for a Mac Developer Account and then import those signing certificates in the accounts section of Xcode.

Edit: to get past the unidentified developer warning, pick the "Developer ID Application" signing identity after running `security find-identity` and place the string there in the identity field of the script.

tommoor Mar 13, 2014

Does anyone zip their codesigned application? I don't think this is node-webkit specific - but a friendly warning as I'm having major issues with this since upgrading to Mavericks:

https://stackoverflow.com/questions/22367809/code-signed-mac-app-broken-after-downloading

mlynch Mar 13, 2014

No, I kept it as a dmg which was also to get that "nice" drag-to-install window.

I'd suggest a .pkg if you want to send a compressed version of the application.

On Thu, Mar 13, 2014 at 1:51 PM, Tom Moor notifications@github.com wrote:

> Does anyone zip their codesigned application? I don't think this is node-webkit specific - but a friendly warning as I'm having major issues with this since upgrading to Mavericks:
>
> https://stackoverflow.com/questions/22367809/code-signed-mac-app-broken-after-downloading


tommoor Mar 13, 2014

@mlynch appreciate the note, I agree - we need to change this. Unfortunately the zip is needed to update the already deployed app :-(

semmel Mar 13, 2014

@tommoor It's a shame that zip invalidates the code signature on OS X 10.9.
I had to change the update file format from zip to dmg, i.e. use the setup package for OS X.
Our automatic install script now relies on:

```sh
hdiutil attach "our_product.dmg" -nobrowse -plist > "${TMPDIR}our_product_dmg_attach_result.plist"

if [ -x /usr/libexec/PlistBuddy ]
then
    # Look for the mount point in the first three system-entities entries
    i=0
    until [ "$i" -ge 3 ]
    do
        MOUNT_POINT=$(/usr/libexec/PlistBuddy -c "Print system-entities:${i}:mount-point" "${TMPDIR}our_product_dmg_attach_result.plist")
        if [ $? -eq 0 ]
        then
            break
        fi
        i=$((i + 1))
    done
    if [ "$i" -ge 3 ]
    then
        echo "Warning: Error reading mount point from disc attachment output!"
    fi
else
    echo "Warning: Can not find and execute PlistBuddy on your system!"
fi
# ...
# remove the old app bundle
rm -R "$OLD_APP_BUNDLE"
cp -R "$MOUNT_POINT/our_product.app" "$TARGET_DIR"
hdiutil detach "$MOUNT_POINT"
```

I don't know how reliable that is, but at least the app bundle remains properly signed.
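A check an install step like the one above could run before the old bundle is removed, as an added example that is not semmel's script or part of the thread: the update is verified on the mounted image and again on a staged copy, and the old app is only replaced if both pass. `CODESIGN`, `verify_update` and `install_update` are hypothetical names, and the requirement string in the comment is a placeholder for your own signing team.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical names: CODESIGN,
# verify_update, install_update. The requirement string is a placeholder.
CODESIGN=${CODESIGN:-codesign}

# Succeed only if bundle "$1" verifies strictly, nested code included, and
# meets requirement "$2", e.g.
#   anchor apple generic and certificate leaf[subject.OU] = "TEAMID_PLACEHOLDER"
verify_update() {
    [ -d "$1" ] || { echo "missing bundle: $1" >&2; return 2; }
    "$CODESIGN" --verify --deep --strict "$1" || return 1
    "$CODESIGN" --verify -R="$2" "$1" || return 1
}

# Copy the new bundle next to the installed one, re-verify the copy, and
# only then replace the old bundle. Any failure leaves the old app in place.
install_update() {
    new_app=$1
    target_dir=$2
    requirement=$3
    name=$(basename "$new_app")
    staged="$target_dir/.$name.staged"

    verify_update "$new_app" "$requirement" || return 1
    rm -rf "$staged"
    cp -R "$new_app" "$staged" || return 1
    if ! verify_update "$staged" "$requirement"; then
        rm -rf "$staged"
        return 1
    fi
    rm -rf "$target_dir/$name"
    mv "$staged" "$target_dir/$name"
}
```

Without the requirement check, any validly signed bundle would pass, including one signed by a different developer.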

tommoor Mar 14, 2014

@semmel thanks, I'm moving over to this method - that's very useful :-)

tommoor Mar 15, 2014

This is what I've been working on, it might be useful for others:

https://github.com/sqwiggle/node-webkit-mac-updater

rawberg Jun 22, 2014

@timhaak thanks for sharing the script, it helped ease the last little bit of the process for me 👍

feliving Sep 22, 2014

When uploading an app to the Mac store, we must enable the sandbox.

I use codesign with `--entitlements build.entitlements`, and the entitlements enable the sandbox:

- com.apple.security.app-sandbox
- com.apple.security.network.client
- com.apple.security.network.server
- com.apple.security.files.user-selected.read-write

But after that, it crashes when starting the app. Even when I try to codesign the official app (http://dl.node-webkit.org/v0.10.5/node-webkit-v0.10.5-osx-x64.zip), the same problem happens.

```
....app/Contents/MacOS/node-webkit ; exit;
[3410:0922/211257:ERROR:breakpad_mac.mm(238)] Breakpad initializaiton failed
logout
```

Does someone know why? @tommoor @rogerwang
node v0.11.12 OSX 10.9.4

thekarel Jan 15, 2015

I had a lot of `code failed to satisfy specified code requirement(s)` errors when using @timhaak's script. Turns out, I had to include

```sh
export CODESIGN_ALLOCATE="/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate"
```

Based on this post

ericsaboia Apr 22, 2015

In addition to @timhaak's script, I had to codesign some extra files:

```sh
codesign --force --verify --verbose --sign "$identity" "$app/Contents/Frameworks/node-webkit Helper EH.app/Contents/Resources/crash_report_sender.app"
codesign --force --verify --verbose --sign "$identity" "$app/Contents/Frameworks/node-webkit Helper NP.app/Contents/Resources/crash_report_sender.app"
codesign --force --verify --verbose --sign "$identity" "$app/Contents/Frameworks/node-webkit Helper.app/Contents/Resources/crash_report_sender.app"
```

Note that you need to codesign all .app files. Run `find apppath/appname.app -iname "*.app"` to be sure you're covering everything.
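The inside-out ordering used in this thread (nested helpers and frameworks first, the outer app last), as an added example that is not part of any comment above: instead of listing each nested bundle by hand, it discovers every `.app` and `.framework` directory and signs the deepest first. `run_codesign`, `list_nested_code`, `sign_inside_out` and `DRY_RUN` are hypothetical names; loose executables such as `crash_inspector` are not bundles and still need their own `codesign` line.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical names: run_codesign,
# list_nested_code, sign_inside_out, DRY_RUN.

# Run codesign, or just print the command line when DRY_RUN=1.
run_codesign() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "codesign $*"
    else
        codesign "$@"
    fi
}

# List nested .app and .framework bundles under "$1", deepest first, so
# inner code is sealed before the bundle that contains it.
list_nested_code() {
    find "$1" -mindepth 1 -type d \( -iname '*.app' -o -iname '*.framework' \) |
        awk -F/ '{ print NF "\t" $0 }' |
        LC_ALL=C sort -t "$(printf '\t')" -k1,1nr -k2 |
        cut -f2-
}

# Sign nested bundles, then the outer app, then verify the whole tree.
sign_inside_out() {
    app=$1
    identity=$2
    list_nested_code "$app" | while IFS= read -r bundle; do
        run_codesign --force --verbose --sign "$identity" "$bundle" || exit 1
    done || return 1
    run_codesign --force --verbose --sign "$identity" "$app" || return 1
    run_codesign --verify --deep --strict --verbose=2 "$app"
}

# Usage: sign.sh /path/to/Your.app "Developer ID Application: ..."
if [ "$#" -ge 2 ]; then
    sign_inside_out "$1" "$2"
fi
```

Running it with `DRY_RUN=1` prints the planned `codesign` calls in order, which is a quick way to confirm nothing nested is missed before a real signing run.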

michael-lefebvre added a commit to michael-lefebvre/Squid that referenced this issue Apr 23, 2015

stephan-nordnes-eriksen Jul 31, 2015

Thanks a lot @timhaak! I had to do a few changes in the newer versions, as the node-webkit is changed to nwjs, but after that I was able to sign my app :)

timhaak Aug 3, 2015

Glad this is still helping :)
