Recently, Apple announced that from 10.9.5 and 10.10 onwards, the apps signed in OSX Mountain Lion and below will not be able to pass the Gatekeeper. Those signatures (v1) will be considered deprecated and you must sign your apps in 10.9 or above to have latest signature (v2).
At this point of time, it is unclear if Apple is really going to block the apps with v1 signatures. We can’t be sure until we have a GM build for OSX Yosemite. Anyway, it is better to start signing on 10.9 straightaway so that our apps are compliant to the changes done by Apple.
Following are some commands that may be useful:
Verify if any app will be accepted by Gatekeeper on 10.9.5 (OSX Mavericks) /10.10 (OSX Yosemite) or above.
Sign an app:
Resign an already signed app (Use –f flag):
Check the version of the signature. See the line starting with "Sealed Resources". There, version=2 indicates that this app has the new signature type as suggested by Apple:
You can find more options for "codesign" command at its man page.
At this point of time, it is unclear if Apple is really going to block the apps with v1 signatures. We can’t be sure until we have a GM build for OSX Yosemite. Anyway, it is better to start signing on 10.9 straightaway so that our apps are compliant to the changes done by Apple.
Following are some commands that may be useful:
Verify if any app will be accepted by Gatekeeper on 10.9.5 (OSX Mavericks) /10.10 (OSX Yosemite) or above.
vikrams-macbook-pro:~ admin$ spctl -a -t exec -vv Foo.app Foo.app: rejected source=obsolete resource envelope vikrams-macbook-pro:~ admin$ spctl -a -t exec -vv Foo.app Foo.app: accepted source=Developer ID origin=Developer ID Application: My Company
Sign an app:
codesign --sign “Developer ID Application: My Company” Foo.app
codesign --force --sign “Developer ID Application: My Company” Foo.app
vikrams-macbook-pro:~ admin$ codesign -dvvv Foo.app Executable=Foo.app/Contents/MacOS/Foo Identifier=com.vikrams.testapp Format=bundle with Mach-O thin (x86_64) CodeDirectory v=20200 size=42914 flags=0x0(none) hashes=2138+3 location=embedded Hash type=sha1 size=20 CDHash=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Signature size=7589 Authority=Developer ID Application: My Company Authority=Developer ID Certification Authority Authority=Apple Root CA Timestamp=23-Aug-2014 4:32:13 pm Info.plist entries=17 TeamIdentifier=31ACEW5CBX Sealed Resources version=2 rules=12 files=137 Internal requirements count=1 size=192
The "source=obsolete resource envelope" can be in sub-components. To locate use the following:
ReplyDelete$ codesign --verify --deep --verbose=2 /Users/markf/test.app
...
--prepared:/Users/markf/test.app/Contents/Frameworks/Sparkle.framework/Versions/Current/.
/Users/markf/test.app: resource envelope is obsolete (custom omit rules)
In subcomponent: /Users/markf/test.app/Contents/Frameworks/Sparkle.framework
...