Signing Mac Application #616

Closed
tommoor opened this Issue Apr 11, 2013 · 22 comments

@tommoor
tommoor commented Apr 11, 2013

It would be great to see something in the Wiki on signing Mac applications. I'm currently attempting this but am getting errors that the app is already signed and that the signature is invalid (not surprising).

Has anyone managed to do this?

Seems like quite an important part of the distribution steps

@sindresorhus

👍

@trevorlinton

I've successfully signed many applications. What are you using to sign your application?

Try executing:

```
codesign -d --deep-verify -v -v -v /Path/To/Your/Bundle
```

It'll tell you what is signed and what isn't (and by whom). There may be something within the bundle that's previously been signed by someone else that you may be including that can't be resigned.

@nyo16
nyo16 commented Jul 29, 2013

Hello there, is "/Path/To/Your/Bundle" the nw executable path?

@trevorlinton

Yes, it's the path to your application; it would end with .app

@steffenmllr steffenmllr referenced this issue in nwjs/grunt-nw-builder Sep 16, 2013
Open

Add the ability to sign the mac application #9

@timhaak
timhaak commented Dec 11, 2013

Has anyone else managed to get this to work? Or does it only work if you also then distribute the application via the app store?

@trevorlinton

@timhaak, yes, I've successfully signed apps multiple times. Not to be a negative nancy, but is your developer certificate expired or has it been revoked?

You may also want to use Xcode "Projects", specifically the Archive feature, to see if it will give you any idea what's going on; generally this is more verbose about issues (especially if you're requesting push notifications or nee identities).

I've successfully submitted (and had accepted) node-webkit and tint applications into the MacStore. One caveat is you're not allowed to "run" packages which aren't yours, e.g., you can't use it as a runtime to execute other people's apps, nor can you auto update the package without going through the app store.

@timhaak
timhaak commented Dec 18, 2013

Turned out that I didn't have the right to generate the correct cert. I need to generate the Developer ID cert.

Below is the script that I'm using in case anyone else gets stuck.

```
#export CODESIGN_ALLOCATE="/Applications/Xcode.app/Contents/Developer/usr/bin/codesign_allocate"
#Run the following to get a list of certs
#security find-identity
app="$1"
identity="182F7BADDDFA459E45F0AAA394A6F797832E28B1"

echo "### signing frameworks"
codesign --force --verify --verbose --sign "$identity" "$app/Contents/Frameworks/crash_inspector"
codesign --force --verify --verbose --sign "$identity" "$app/Contents/Frameworks/node-webkit Framework.framework/node-webkit Framework.tmp"
codesign --force --verify --verbose --sign "$identity" "$app/Contents/Frameworks/node-webkit Framework.framework/node-webkit Framework.TOC"
codesign --force --verify --verbose --sign "$identity" "$app/Contents/Frameworks/node-webkit Framework.framework/"
codesign --force --verify --verbose --sign "$identity" "$app/Contents/Frameworks/node-webkit Helper EH.app/"
codesign --force --verify --verbose --sign "$identity" "$app/Contents/Frameworks/node-webkit Helper NP.app/"
codesign --force --verify --verbose --sign "$identity" "$app/Contents/Frameworks/node-webkit Helper.app/"

echo "### signing app"
codesign --force --verify --verbose --sign "$identity" "$app"

echo "### verifying signature"
codesign -vvv -d "$app"
sudo spctl -a -vvvv "$app"
```

@rbrcurtis

@timhaak you are a saint for providing that script.

@mlynch
mlynch commented Mar 1, 2014

@timhaak thanks so much for that script! I was able to sign my node-webkit package on OS X and get past the "unidentified developer" warning.

I also had to sign up for a Mac Developer Account and then import those signing certificates in the accounts section of Xcode.

Edit: to get past the unidentified developer warning, pick the "Developer ID Application" signing identity after running `security find-identity` and place the string there in the identity field of the script.

@tommoor
tommoor commented Mar 13, 2014

Does anyone zip their codesigned application? I don't think this is node-webkit specific - but a friendly warning as I'm having major issues with this since upgrading to Mavericks:

https://stackoverflow.com/questions/22367809/code-signed-mac-app-broken-after-downloading

@mlynch
mlynch commented Mar 13, 2014

No, I kept it as a dmg which was also to get that "nice" drag-to-install window.

I'd suggest a .pkg if you want to send a compressed version of the application.


@tommoor
tommoor commented Mar 13, 2014

@mlynch appreciate the note, I agree - we need to change this. Unfortunately the zip is needed to update already deployed app :-(

@semmel
semmel commented Mar 13, 2014

@tommoor It's a shame that zip invalidates the code signature on OS X 10.9.
I had to change the update file format from zip to dmg i.e. use the setup package for OS X.
Our automatic install script relies now on

```
# Mount the image without opening Finder and save the attach result as a plist
hdiutil attach "our_product.dmg" -nobrowse -plist > "$TMPDIR"our_product_dmg_attach_result.plist

if [ -x /usr/libexec/PlistBuddy ]
then
    # The mount point is on one of the first system-entities entries; try each
    i=0
    until [ $i -ge 3 ]
    do
        MOUNT_POINT=`/usr/libexec/PlistBuddy -c "Print system-entities:${i}:mount-point" "${TMPDIR}our_product_dmg_attach_result.plist"`
        if [ $? -eq 0 ]
        then
            break
        fi
        i=`expr $i + 1`
    done
    if [ $i -ge 3 ]
    then
        echo "Warning: Error reading mount point from disc attachment output!"
    fi
else
    echo "Warning: Can not find and execute PlistBuddy on your system!"
fi
# ...
# remove the old app bundle (variables quoted so paths with spaces survive)
rm -R "$OLD_APP_BUNDLE"
cp -R "$MOUNT_POINT"/our_product.app "$TARGET_DIR"
hdiutil detach "$MOUNT_POINT"
```

I don't know how reliable that is, but at least the app bundle remains properly signed.
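An added example, not part of the original comment or of any project's code: one way an updater like the one above can check the bundle from the mounted image before it replaces the installed copy, so a damaged or foreign-signed bundle never displaces a working one. The function names, the `.new`/`.old` suffixes and the expected Team ID argument are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: verify a downloaded bundle before it replaces the installed one.

# Read `codesign -dvv` output on stdin and print the TeamIdentifier value.
team_id_from_codesign_output() {
    sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# Succeed only if the signature is intact (nested code included) and the
# bundle was signed by the expected team. Unsigned or ad-hoc signed code
# reports "TeamIdentifier=not set" and is rejected by the comparison.
verify_update_bundle() {
    bundle=$1
    expected_team=$2
    codesign --verify --deep --strict "$bundle" || return 1
    team=$(codesign -dvv "$bundle" 2>&1 | team_id_from_codesign_output)
    [ -n "$team" ] && [ "$team" = "$expected_team" ]
}

# Copy the new bundle next to the target, verify the copy, then swap.
# The old bundle is only moved aside after verification has passed.
install_verified_update() {
    new_bundle=$1
    target=$2
    expected_team=$3
    staging="$target.new"      # hypothetical staging name
    rm -rf "$staging"
    cp -R "$new_bundle" "$staging" || return 1
    if ! verify_update_bundle "$staging" "$expected_team"; then
        rm -rf "$staging"
        return 1
    fi
    rm -rf "$target.old"
    if [ -e "$target" ]; then
        mv "$target" "$target.old" || return 1
    fi
    mv "$staging" "$target"
}

# Usage (script name and Team ID are placeholders):
#   ./update.sh "$MOUNT_POINT/our_product.app" /Applications/our_product.app TEAMID
if [ "$#" -eq 3 ]; then
    install_verified_update "$1" "$2" "$3"
fi
```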

@tommoor
tommoor commented Mar 14, 2014

@semmel thanks, I'm moving over to this method - that's very useful :-)

@tommoor
tommoor commented Mar 15, 2014

This is what I've been working on, it might be useful for others:

https://github.com/sqwiggle/node-webkit-mac-updater

@semmel semmel referenced this issue in sqwiggle/node-webkit-mac-updater Mar 15, 2014
Open

Deleting the app folder from disk while running the app #4

@adam-lynch
Member

@tommoor 👍

@rawberg
rawberg commented Jun 22, 2014

@timhaak thanks for sharing the script, it helped ease the last little bit of the process for me 👍

@feliving

When uploading an app to the Mac store, we must enable the sandbox.

I use codesign with --entitlements build.entitlements
and the entitlements enable the sandbox

com.apple.security.app-sandbox

com.apple.security.network.client

com.apple.security.network.server

com.apple.security.files.user-selected.read-write

But after that, it crashes when starting the app. Even if I try to codesign the official app (http://dl.node-webkit.org/v0.10.5/node-webkit-v0.10.5-osx-x64.zip), the same problem happens.

```
....app/Contents/MacOS/node-webkit ; exit;
[3410:0922/211257:ERROR:breakpad_mac.mm(238)] Breakpad initializaiton failed
logout
```

Does someone know why? @tommoor @rogerwang
node v0.11.12 OSX 10.9.4

@tommoor tommoor closed this Nov 15, 2014
@reggi reggi referenced this issue in electron/electron Dec 8, 2014
Closed

Auto Update Event.js Error #905

@thekarel

I had a lot of "code failed to satisfy specified code requirement(s)" errors when using @timhaak's script. Turns out, I had to include

```
export CODESIGN_ALLOCATE="/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate"
```

Based on this post

@zcbenz zcbenz referenced this issue in electron/electron Apr 13, 2015
Closed

codesign fails on Yosemite 10.10.3 #1396

@ericsaboia

In addition to @timhaak's script, I had to codesign some extra files:

```
codesign --force --verify --verbose --sign "$identity" "$app/Contents/Frameworks/node-webkit Helper EH.app/Contents/Resources/crash_report_sender.app"
codesign --force --verify --verbose --sign "$identity" "$app/Contents/Frameworks/node-webkit Helper NP.app/Contents/Resources/crash_report_sender.app"
codesign --force --verify --verbose --sign "$identity" "$app/Contents/Frameworks/node-webkit Helper.app/Contents/Resources/crash_report_sender.app"
```

Note that you need to codesign all .app files. Run `find apppath/appname.app -iname "*.app"` to be sure you're covering everything.
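An added example, not code from this thread or from node-webkit: instead of listing each helper by hand, the script below enumerates the nested code in a bundle and signs it innermost first, so a nested `crash_report_sender.app` is signed before the helper that contains it and the outer app is signed last. It goes beyond the `find` above by also covering `.framework` directories and loose executables in `Contents/Frameworks`; the function names are hypothetical and the identity is whatever `security find-identity` reports for your certificate.

```shell
#!/bin/sh
# Added example: sign nested code inside-out, then verify the whole bundle.

# Print every signable item in the bundle, innermost first:
# loose executables in Contents/Frameworks (such as crash_inspector), then
# *.app / *.framework directories in post-order (find -depth visits children
# before their parents), ending with the top-level bundle itself.
list_nested_code() {
    app=$1
    if [ -d "$app/Contents/Frameworks" ]; then
        find "$app/Contents/Frameworks" -maxdepth 1 -type f -perm -u+x -print
    fi
    find "$app" -depth -type d \( -name '*.app' -o -name '*.framework' \) -print
}

# Sign each item in that order, stop at the first failure, then verify
# the finished bundle including everything nested inside it.
sign_inside_out() {
    app=$1
    identity=$2   # assumption: passed in by the caller, not hard-coded
    list_nested_code "$app" | while IFS= read -r item; do
        codesign --force --verbose --sign "$identity" "$item" || exit 1
    done || return 1
    codesign --verify --deep --strict --verbose=2 "$app"
}

# Usage (script name is a placeholder):
#   ./sign.sh /path/to/MyApp.app "<identity from security find-identity>"
if [ "$#" -eq 2 ]; then
    sign_inside_out "$1" "$2"
fi
```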

@michael-lefebvre michael-lefebvre added a commit to michael-lefebvre/Squid that referenced this issue Apr 23, 2015
@michael-lefebvre michael-lefebvre self signing Mac application f378aa3
@stephan-nordnes-eriksen

Thanks a lot @timhaak! I had to do a few changes in the newer versions, as the node-webkit is changed to nwjs, but after that I was able to sign my app :)

@timhaak
timhaak commented Aug 3, 2015

Glad this is still helping :)
