Code Sign Mac App

Leopard supports signed applications to improve its security model. All the system utilities, in fact, come signed by Apple. To sign and check applications, the codesign command line utility is available. For example, to display all information about Terminal.app's code signature, open up a terminal and type.

Apple Code Signing Certificate Guide

Mac OS (and 9) Signing Code from the Command Line

Apple code signing is done from the command line using their (aptly named) codesign tool and should be very straightforward.

Note: You can use a DigiCert Code Signing Certificate (standard and EV) to sign your Mac OS software, tools, updates, utilities and applications. However, if you want your apps to open on a Mac that has Gatekeeper enabled or want to distribute apps in the App Store, you need to create a Developer ID to sign your Mac apps and installer packages; only Apple Developer code signing certificates are compatible with Gatekeeper.

Shortcut
  1. Check Code Signing Certificate Installation

    1. Make sure you've properly installed your code signing certificate to the Mac certificate store. If you used our easy installation tool, the certificate should have been imported to the certificate store through your web browser.

    2. Do you have a .pfx version of the file? To install it, click the file and enter the .pfx file password.

    3. Your certificate should appear in the My Certificates category of the Keychain Access Manager.

  2. Run the Command

    1. Once you have confirmed your certificate is properly installed, just run the command below.

      codesign -s 'Your Company, Inc.' /path/to/MyApp.app

    2. Don't know the common name of your code signing certificate? You can find it in the Keychain Access Manager.

      Select the certificate and find the common name field. You do not need to type the entire common name; type just enough to uniquely identify your certificate (this option is case sensitive).

    3. Did you receive the 'CSSMERR_TP_NOT_TRUSTED' error?

      1. You need to install an Intermediate certificate on your machine.

      2. View the details of your code signing certificate and find the Issuer Common Name.

      3. Download and install the Intermediate certificate that matches the Issuer Common Name (DigiCert Assured ID Code Signing CA-1 or DigiCert High Assurance Code Signing CA-1).

      4. You should now be able to use codesign without receiving any errors.

  3. Verify the Signature

    You can verify the signature by running the command below.

    codesign -v /path/to/MyApp.app

  4. Congratulations!

    You should now have a freshly signed piece of code, ready to use.


If you’re building a Mac app with Electron (formerly known as Atom Shell), you will have to sign it before releasing. Code signing is actually a straightforward process, but it’s very hard to debug if you run into an error, because the error messages lack detail. In this post I will share my experience.

TL;DR

  1. Get a Developer ID certificate from Apple and install it into your Mac’s Keychain
  2. Sign your application bundle: codesign --deep --force --verbose --sign '<identity>' Application.app
  3. Verify the signature: codesign --verify -vvvv Application.app and spctl -a -vvvv Application.app

The code signature workflow

At the time of writing it’s not allowed to publish an Electron application to the Mac App Store, so you have to sign it with a Developer ID certificate and ask your users to download and install it manually. This is actually a strong limitation and I hope things will change in the near future.

UPDATE on Dec 2nd, 2015: since Electron 0.34.0, apps can be submitted to Mac App Store. You can get all information in the Mac App Store Submission Guide.

1. Get and install a Developer ID Certificate

Once you have your Developer ID certificate, you should install it into your Mac’s Keychain: a double click on the certificate file should be enough. The image below shows what you should see once the certificate has been successfully installed into your Keychain. The text in parentheses is the identity and will be used in the next step.

2. Code signature

Now it’s time to sign the app. Create your application bundle (.app directory with the well-known Mac apps structure) and run the following command:

You should get an output similar to the following. Make sure the detected architecture is not generic, otherwise Squirrel auto-update will give you an error while verifying the update package.

3. Verify signature

There are a couple of commands that you should run to verify the signature: codesign and spctl. The first checks if the signature is valid but doesn’t run any certificate assessment, while the latter checks if the certificate used for signing is approved.
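
The sign and verify steps above combined into one release gate, as an added example that is not code from the original post. It signs with the post's command, fails if the signing output mentions a generic architecture, and then requires both codesign --verify and spctl to pass. The function names, the return codes and the assumption that a generic architecture shows up as the word "generic" in codesign's verbose output are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: release gate around the sign/verify commands from the post.
# Assumption: a generic architecture appears as the word "generic" in
# codesign's verbose signing output (an app path containing that word
# would also trip the check).

# Returns non-zero if the captured signing output reports "generic".
check_sign_output() {
  case "$1" in
    *generic*) echo "FAIL: generic architecture reported: $1" >&2; return 1 ;;
  esac
  return 0
}

# sign_and_verify <identity> <path/to/Application.app>
sign_and_verify() {
  local identity="$1" app="$2" out

  # Step 2: sign, capturing the verbose output so it can be inspected.
  if ! out="$(codesign --deep --force --verbose --sign "$identity" "$app" 2>&1)"; then
    echo "FAIL: codesign could not sign $app: $out" >&2
    return 2
  fi
  echo "$out" >&2
  check_sign_output "$out" || return 3

  # Step 3a: signature validity only, no certificate assessment.
  if ! codesign --verify -vvvv "$app" >&2; then
    echo "FAIL: codesign --verify rejected $app" >&2
    return 4
  fi

  # Step 3b: is the certificate used for signing approved on this Mac?
  if ! spctl -a -vvvv "$app" >&2; then
    echo "FAIL: spctl assessment rejected $app" >&2
    return 5
  fi

  echo "OK: $app signed and verified"
}

# Runs only when called with both arguments, e.g.:
#   ./sign-gate.sh '<identity>' Application.app
if [ "$#" -eq 2 ]; then
  sign_and_verify "$1" "$2"
fi
```

A distinct return code per stage makes it clear in a build log whether signing, the signature check or the certificate assessment failed.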
