Signing Mac Application #616

Closed
tommoor opened this issue Apr 11, 2013 · 22 comments

@tommoor tommoor commented Apr 11, 2013

It would be great to see something in the Wiki on signing mac applications. I'm currently attempting this but am getting errors that the app is already signed and that the signature is invalid (not surprising).

Has anyone managed to do this?

Seems like quite an important part of the distribution steps.

@sindresorhus sindresorhus commented Apr 24, 2013

👍

@trevorlinton trevorlinton commented Jun 26, 2013

I've successfully signed many applications. What are you using to sign your application?

Try executing:

codesign -d --deep-verify -v -v -v /Path/To/Your/Bundle

It'll tell you what is signed and what isn't (and by whom). There may be something within the bundle that's previously been signed by someone else that you may be including that can't be re-signed.

@nyo16 nyo16 commented Jul 29, 2013

Hello there, the "/Path/To/Your/Bundle" is the nw executable path?

@trevorlinton trevorlinton commented Jul 30, 2013

Yes, it's the path to your application; it would end with .app

@timhaak timhaak commented Dec 11, 2013

Has anyone else managed to get this to work? Or does it only work if you also then distribute the application via the app store?

@trevorlinton trevorlinton commented Dec 17, 2013

@timhaak, yes, I've successfully signed apps multiple times. Not to be a negative nancy, but is your developer certificate expired or has it been revoked?

You may also want to use Xcode "Projects", specifically the Archive feature, to see if it will give you any idea what's going on; generally this is more verbose about issues (especially if you're requesting push notifications or nee identities).

I've successfully submitted (and had accepted) node-webkit and tint applications into the MacStore. One caveat is you're not allowed to "run" packages which aren't yours, e.g., you can't use it as a runtime to execute other people's apps, nor can you auto update the package without going through the app store.

@timhaak timhaak commented Dec 18, 2013

Turned out that I didn't have the right to generate the correct cert. I need to generate the Developer ID cert.

Below is the script that I'm using in case anyone else gets stuck.

# export CODESIGN_ALLOCATE="/Applications/Xcode.app/Contents/Developer/usr/bin/codesign_allocate"
# Run the following to get a list of certs:
# security find-identity
app="$1"
identity="182F7BADDDFA459E45F0AAA394A6F797832E28B1"

echo "### signing frameworks"
codesign --force --verify --verbose --sign "$identity" "$app/Contents/Frameworks/crash_inspector"
codesign --force --verify --verbose --sign "$identity" "$app/Contents/Frameworks/node-webkit Framework.framework/node-webkit Framework.tmp"
codesign --force --verify --verbose --sign "$identity" "$app/Contents/Frameworks/node-webkit Framework.framework/node-webkit Framework.TOC"
codesign --force --verify --verbose --sign "$identity" "$app/Contents/Frameworks/node-webkit Framework.framework/"
codesign --force --verify --verbose --sign "$identity" "$app/Contents/Frameworks/node-webkit Helper EH.app/"
codesign --force --verify --verbose --sign "$identity" "$app/Contents/Frameworks/node-webkit Helper NP.app/"
codesign --force --verify --verbose --sign "$identity" "$app/Contents/Frameworks/node-webkit Helper.app/"

echo "### signing app"
codesign --force --verify --verbose --sign "$identity" "$app"

echo "### verifying signature"
codesign -vvv -d "$app"
sudo spctl -a -vvvv "$app"

@rbrcurtis rbrcurtis commented Feb 28, 2014

@timhaak you are a saint for providing that script.

@mlynch mlynch commented Mar 1, 2014

@timhaak thanks so much for that script! I was able to sign my node-webkit package on OS X and get past the "unidentified developer" warning.

I also had to sign up for a Mac Developer Account and then import those signing certificates in the accounts section of Xcode.

Edit: to get past the unidentified developer warning, pick the "Developer ID Application" signing identity after running security find-identity and place the string there in the identity field of the script.

@tommoor tommoor commented Mar 13, 2014

Does anyone zip their codesigned application? I don't think this is node-webkit specific - but a friendly warning as I'm having major issues with this since upgrading to Mavericks:

https://stackoverflow.com/questions/22367809/code-signed-mac-app-broken-after-downloading

@mlynch mlynch commented Mar 13, 2014

No, I kept it as a dmg which was also to get that "nice" drag-to-install window.

I'd suggest a .pkg if you want to send a compressed version of the application.

@tommoor tommoor commented Mar 13, 2014

@mlynch appreciate the note, I agree - we need to change this. Unfortunately the zip is needed to update already deployed app :-(

@semmel semmel commented Mar 13, 2014

@tommoor It's a shame that zip invalidates the code signature on OS X 10.9.
I had to change the update file format from zip to dmg i.e. use the setup package for OS X.
Our automatic install script relies now on

hdiutil attach "our_product.dmg" -nobrowse -plist > "$TMPDIR"our_product_dmg_attach_result.plist

if [ -x /usr/libexec/PlistBuddy ]
then
    i=0
    until [ $i -ge 3 ]
    do
        MOUNT_POINT=`/usr/libexec/PlistBuddy -c "Print system-entities:${i}:mount-point" "${TMPDIR}our_product_dmg_attach_result.plist"`
        if [ $? -eq 0 ]
        then
            break
        fi
        i=`expr $i + 1`
    done
    if [ $i -ge 3 ]
    then
        echo "Warning: Error reading mount point from disc attachment output!"
    fi
else
    echo "Warning: Can not find and execute PlistBuddy on your system!"
fi
...
# remove the old app bundle
rm -R "$OLD_APP_BUNDLE"
cp -R "$MOUNT_POINT/our_product.app" "$TARGET_DIR"
hdiutil detach "$MOUNT_POINT"

I don't know how reliable that is, but at least the app bundle remains properly signed.
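
An updater along these lines can also check the new bundle's signature before it removes the installed copy. This is an added example, not part of semmel's script: the function names are hypothetical and TEAMID1234 is a placeholder for your own team identifier.

```shell
#!/bin/sh
# Added example: verify a downloaded bundle before it replaces the installed one.
# Placeholder requirement (assumption): Apple-anchored chain, leaf issued to our team.
EXPECTED_REQ='anchor apple generic and certificate leaf[subject.OU] = "TEAMID1234"'

# Return 0 only if the bundle's seal is intact, including nested code,
# and its signer satisfies EXPECTED_REQ.
verify_update() {
    codesign --verify --deep --strict -R="$EXPECTED_REQ" "$1" 2>/dev/null
}

# install_update NEW_APP TARGET_APP
# The installed bundle is only moved aside after a verified copy sits next to it.
install_update() {
    new="$1"; target="$2"
    staged="$target.new.$$"; old="$target.old.$$"

    verify_update "$new" || {
        echo "update rejected: signature check failed" >&2
        return 1
    }
    cp -R "$new" "$staged" || return 1
    # Check again after the copy, so what gets installed is what was verified.
    verify_update "$staged" || { rm -rf "$staged"; return 1; }

    if [ -e "$target" ]; then
        mv "$target" "$old" || { rm -rf "$staged"; return 1; }
    fi
    if mv "$staged" "$target"; then
        rm -rf "$old"
    else
        # Roll back to the previous bundle if the swap failed.
        [ -e "$old" ] && mv "$old" "$target"
        return 1
    fi
}

# Usage: install_update "$MOUNT_POINT/our_product.app" "$TARGET_DIR/our_product.app"
```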

@tommoor tommoor commented Mar 14, 2014

@semmel thanks, I'm moving over to this method - that's very useful :-)

@tommoor tommoor commented Mar 15, 2014

This is what I've been working on, it might be useful for others:

https://github.com/sqwiggle/node-webkit-mac-updater

@adam-lynch adam-lynch commented Mar 19, 2014

@tommoor 👍

@rawberg rawberg commented Jun 22, 2014

@timhaak thanks for sharing the script, it helped ease the last little bit of the process for me 👍

@baiting98 baiting98 commented Sep 22, 2014

When uploading an app to the Mac store, we must enable the sandbox.

I use codesign with --entitlements build.entitlements, and the entitlements enable the sandbox:

com.apple.security.app-sandbox

com.apple.security.network.client

com.apple.security.network.server

com.apple.security.files.user-selected.read-write

But after that, it crashes when starting the app. Even when I try to codesign the official app (http://dl.node-webkit.org/v0.10.5/node-webkit-v0.10.5-osx-x64.zip), the same problem happens.

....app/Contents/MacOS/node-webkit ; exit;
[3410:0922/211257:ERROR:breakpad_mac.mm(238)] Breakpad initializaiton failed
logout

Does someone know why? @tommoor @rogerwang
node v0.11.12 OSX 10.9.4

@thekarel thekarel commented Jan 15, 2015

I had a lot of "code failed to satisfy specified code requirement(s)" errors when using @timhaak's script. Turns out, I had to include

export CODESIGN_ALLOCATE="/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate"

Based on this post

@ericsaboia ericsaboia commented Apr 22, 2015

In addition to @timhaak's script, I had to codesign some extra files:

codesign --force --verify --verbose --sign "$identity" "$app/Contents/Frameworks/node-webkit Helper EH.app/Contents/Resources/crash_report_sender.app"
codesign --force --verify --verbose --sign "$identity" "$app/Contents/Frameworks/node-webkit Helper NP.app/Contents/Resources/crash_report_sender.app"
codesign --force --verify --verbose --sign "$identity" "$app/Contents/Frameworks/node-webkit Helper.app/Contents/Resources/crash_report_sender.app"

Note that you need to codesign all .app files. Run find apppath/appname.app -iname "*.app" to be sure you're covering everything.
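
Signing the nested pieces before the bundle that contains them, which the scripts and the find tip in this thread do by hand, can be automated. The following is an added example, not code posted by any participant; the function names are hypothetical, and it assumes files inside a .framework are covered by the framework's own signature.

```shell
#!/bin/sh
# Added example: sign nested code before the container that holds it.

# Print nested code under "$1/Contents/Frameworks", deepest first, as paths
# relative to that directory: every .app and .framework directory, plus
# executables that are not inside one of those (e.g. crash_inspector).
list_nested_code() {
    fw="$1/Contents/Frameworks"
    [ -d "$fw" ] || return 0
    # -depth is a post-order walk, so a nested crash_report_sender.app is
    # printed before the Helper.app that contains it.
    ( cd "$fw" && find . -depth \( \
        \( -type d \( -name '*.app' -o -name '*.framework' \) \) -o \
        \( -type f -perm -100 ! -path '*.app/*' ! -path '*.framework/*' \) \
      \) -print )
}

# sign_inside_out APP IDENTITY: sign each nested item, then the outer bundle,
# then verify the whole tree. IDENTITY is the "Developer ID Application"
# hash listed by `security find-identity`.
sign_inside_out() {
    app="$1"; identity="$2"
    list_nested_code "$app" | while IFS= read -r rel; do
        codesign --force --verbose --sign "$identity" \
            "$app/Contents/Frameworks/${rel#./}" || exit 1
    done || return 1
    codesign --force --verbose --sign "$identity" "$app" || return 1
    codesign --verify --deep --strict --verbose=2 "$app"
}

# Usage: sh sign.sh /path/to/My.app "<identity hash>"
if [ $# -eq 2 ]; then
    sign_inside_out "$1" "$2"
fi
```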

@stephan-nordnes-eriksen stephan-nordnes-eriksen commented Jul 31, 2015

Thanks a lot @timhaak! I had to do a few changes in the newer versions, as the node-webkit is changed to nwjs, but after that I was able to sign my app :)

@timhaak timhaak commented Aug 3, 2015

Glad this is still helping :)
