Apple Security - Publishing Software on Mac (2015)

Publishing Software on Mac (2015)

Chapter 3: Apple Security


Gatekeeper is a feature Apple added in OSX Lion 10.7.5 and later. If the user downloads a file from the Internet for installation, GateKeeper will check to ensure it was from the Apple Store, or from a certified Apple developer. If Gatekeeper finds the file isn't from an approved source, it will prevent installation and notify the user that file might be evil. While there is a way the user can install it anyway, you, the developer, want to avoid this. You must get an Apple Developer Certification.

Developer Certification

To obtain a developer application & installer certificate from Apple, you must be a registered Apple Developer in the Mac Developer Program. To enroll in the Mac Developer Program, visit the following website:

You also need a computer with OS X v10.7 or later.

After you've paid your $99, you will be awarded membership. Visit the Member Center by clicking on Member Center at:

Choose Member Center at the top, sign in with your Apple ID.

You should see a dialog like this:

Description: certs

Click on Certificates, Identifiers, & Profiles.

Description: cert2

Under Mac Apps, click on Certificates.

Description: plusign

Click on the + sign.

Description: developercert

Click on Continue and then follow the instructions to generate a CSR (Certificate Signing Request). You will need to launch Applications>Utilities>Keychain

Description: keychain

Select Certificate Assistant > Request a Certificate from a Certificate Authority.

Description: csr

Enter Apple Account Developer email address, common name (Your Name not Robert Underwood), skip CA email address, and select Saved to Disk. Click Continue. Save the file to your hard drive. Click Done.

Now you can go back to the Development Certificate section still active in your browser and choose "Choose File."

Navigate to the file you just saved on your hard disk.

Next, choose "Generate"

Now, choose "Download" The file will download into your download folder. Go to the download folder and double-click on the .cer file you just downloaded. This will install your certificate in your keychain for this computer. You may need to refresh your browser and download again for the other certs.

The 'installer' cert is for .pkg files. The 'application' cert is for .app files.

Codesign for Apps

Codesign is tool for signing applications. If you run Codesign on an app that has already been signed, it will resign it.

Productsign for distribution packages

Productsign is command line tool for signing packages. It has an input path and an output path. Warning: if the output path file exists, it generates an error.

It is recommended you run these in a batch script. In the following order:

Build the Application ( See the command line for your language (Xcode, XOJO, etc.)

Sign the Application

Build the Package

Remove the old signed package

Sign the new package

Wrap the package in a .dmg file

(Upload the .dmg file to your website to sell downloads.)

A SampleBatch file exists in the script folder for your reference.

You may use this as a template of sorts, substituting real names, real Developer certifications, and real paths. The command verbs, options, and arguments should work as is.