Friday 29 August 2014

Codesign on Mavericks/Yosemite: Some useful commands

Apple recently announced that, starting with OS X 10.9.5 and 10.10, apps signed on OS X 10.8 Mountain Lion or earlier will no longer pass Gatekeeper. Those signatures (version 1) are deprecated; to get a version 2 signature you must sign the app on 10.9 or later.
At this point it is unclear whether Apple will actually block apps with v1 signatures; we cannot be sure until there is a GM build of OS X Yosemite. Either way, it is better to start signing on 10.9 right away so that our apps comply with the change.
Following are some commands that may be useful:
Check whether an app will be accepted by Gatekeeper on 10.9.5 (OS X Mavericks), 10.10 (OS X Yosemite) or later. An app still carrying an old v1 signature is rejected, and the source line tells you why:
vikrams-macbook-pro:~ admin$ spctl -a -t exec -vv Foo.app
Foo.app: rejected
source=obsolete resource envelope

The same app after re-signing on 10.9 is accepted:
vikrams-macbook-pro:~ admin$ spctl -a -t exec -vv Foo.app
Foo.app: accepted
source=Developer ID
origin=Developer ID Application: My Company

Sign an app (use straight quotes around the identity; smart quotes will not match anything in your keychain):
codesign --sign "Developer ID Application: My Company" Foo.app

Re-sign an already signed app (use the -f / --force flag). Nested code such as frameworks, plug-ins, XPC services and helper tools carries its own signature, so it must be re-signed too, innermost first, or the bundle will still be rejected with an obsolete resource envelope in that subcomponent:
codesign --force --sign "Developer ID Application: My Company" Foo.app

Check the signature version. Look at the line starting with "Sealed Resources": version=2 means the app carries the new signature type Apple requires, while version=1 means it was signed on 10.8 or earlier and needs re-signing on 10.9 or later. Note that codesign -d writes this report to stderr, so redirect with 2>&1 if you want to pipe it through grep:
vikrams-macbook-pro:~ admin$ codesign -dvvv Foo.app
Executable=Foo.app/Contents/MacOS/Foo
Identifier=com.vikrams.testapp
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=42914 flags=0x0(none) hashes=2138+3 location=embedded
Hash type=sha1 size=20
CDHash=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Signature size=7589
Authority=Developer ID Application: My Company
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=23-Aug-2014 4:32:13 pm
Info.plist entries=17
TeamIdentifier=31ACEW5CBX
Sealed Resources version=2 rules=12 files=137
Internal requirements count=1 size=192
More options for the codesign command are listed in its man page (man codesign).
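As an added example (not part of the original post, and not Apple's tooling), here is a small shell script that automates the checks above across a whole bundle: it reads the "Sealed Resources" line from codesign -dvvv for the top-level bundle and for each piece of nested code, flags anything that is not version 2, and finishes with the spctl verdict. It assumes macOS 10.9 or later with codesign and spctl on the PATH; the set of nested-code directories it walks is an assumption, and the sample codesign reports embedded in it are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits an app bundle for
# obsolete (version 1) code signatures: it checks the top-level bundle and the
# nested code inside it, because a v2 signature on the outer bundle is not
# enough when a framework or helper still carries a v1 signature.
# Assumes macOS 10.9 or later with codesign(1) and spctl(8) in PATH; the list
# of nested-code locations below is an assumption and may need extending.

# Extract the sealed resources version from `codesign -dvvv` output read on
# stdin. Prints "2" or "1", or "none" when the line is absent (unsigned code,
# or a bare executable that seals no resources).
sealed_resources_version() {
    awk '
        /^Sealed Resources version=/ { v = $3; sub(/^version=/, "", v); print v; found = 1; exit }
        END { if (!found) print "none" }
    '
}

# Map a sealed resources version to a verdict word.
classify_version() {
    case "$1" in
        2) echo "ok" ;;
        1) echo "OBSOLETE" ;;
        *) echo "NO-SEALED-RESOURCES" ;;
    esac
}

# List nested code objects one per line: frameworks, plug-ins, XPC services,
# login items and helper bundles (assumed layout). Only the immediate children
# of each directory are listed.
nested_code() {
    bundle=$1
    for sub in Frameworks PlugIns XPCServices Library/LoginItems Helpers; do
        dir="$bundle/Contents/$sub"
        [ -d "$dir" ] || continue
        find "$dir" -mindepth 1 -maxdepth 1 \
            \( -name '*.framework' -o -name '*.app' -o -name '*.bundle' \
               -o -name '*.xpc' -o -name '*.plugin' -o -name '*.dylib' \) | sort
    done
}

# Run codesign on one object and print "<verdict> <path>".
# codesign -d writes its report to stderr, hence the redirect.
audit_one() {
    ver=$(codesign -dvvv "$1" 2>&1 | sealed_resources_version)
    echo "$(classify_version "$ver") $1"
}

# Audit every nested object, then the bundle itself, then ask Gatekeeper.
# Exit status is non-zero if any object is not ok or spctl rejects the app.
audit_bundle() {
    app=$1
    report=$( { nested_code "$app"; printf '%s\n' "$app"; } |
              while IFS= read -r code; do audit_one "$code"; done )
    printf '%s\n' "$report"
    spctl -a -t exec -vv "$app" 2>&1 || return 1
    ! printf '%s\n' "$report" | grep -qv '^ok '
}

# Constructed sample reports, trimmed to the lines that matter, for trying
# the parser without a Mac at hand (the real output has more lines).
SAMPLE_V2='Identifier=com.example.foo
Sealed Resources version=2 rules=12 files=137
Internal requirements count=1 size=192'
SAMPLE_V1='Identifier=com.example.old
Sealed Resources version=1 rules=4 files=98
Internal requirements count=1 size=180'
SAMPLE_UNSIGNED='Foo.app: code object is not signed at all'

# Usage: sh audit_codesign.sh /path/to/Foo.app
if [ -n "${1-}" ]; then
    audit_bundle "$1"
fi
```

Run it as sh audit_codesign.sh Foo.app. Every report line that does not begin with ok names a component to re-sign; fix those before re-signing the outer bundle, since the outer signature seals the nested code beneath it.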

1 comment:

  1. The "source=obsolete resource envelope" can be in sub-components. To locate it, use the following:

    $ codesign --verify --deep --verbose=2 /Users/markf/test.app
    ...
    --prepared:/Users/markf/test.app/Contents/Frameworks/Sparkle.framework/Versions/Current/.
    /Users/markf/test.app: resource envelope is obsolete (custom omit rules)
    In subcomponent: /Users/markf/test.app/Contents/Frameworks/Sparkle.framework
    ...
