2

Can anybody tell me how to sign updates for a Mac application in Sparkle? I checked https://github.com/sparkle-project/Sparkle/wiki/publishing-an-update

But I didn't get any clear idea. Please tell me.

Is this done by Mac Developer ID? And what are the other ways, except Developer ID, of signing updates?

Jake Petroules
Gauri rawat

1 Answer

5

Indeed, as pointed out in the documentation you refer to, you may either:

(A) Codesign your application, using your Apple developer certificate - you should do that using Apple's signing tools and workflow. If you want to go command line style, that would be along the lines of:

  • codesigning: `codesign -f -s "$identity" "$somepath"`
  • entitlements: `codesign --entitlements "$entitlements_path" --resource-rules "$tpl" -f -s "$identity" "$somepath"`

You will find more about that at Apple: https://developer.apple.com/library/mac/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html

or (B) if you can't / won't codesign, then you can still sign the update itself with a DSA key. This is documented in the page you linked. Pretty much, you should use the Sparkle-provided scripts: `ruby sign_update.rb path_to_your_update.zip path_to_your_dsa_priv.pem`

And you should then add the signature into the appcast.

If you really want to do that all by yourself, then you could fire up openssl and do something along these lines - but again, why not use Sparkle's nice scripts? ;)

```bash
# Generate keys
/usr/bin/openssl dsaparam 1024 < /dev/urandom > dsaparam.pem
/usr/bin/openssl gendsa dsaparam.pem -out dsa_priv.pem
/usr/bin/openssl dsa -in dsa_priv.pem -pubout -out dsa_pub.pem
rm dsaparam.pem

# Sign the update
# ${dmgFinal} is the path to the update file being signed.
# The file is hashed with SHA-1 first, then that digest is DSA-signed and base64-encoded.
/usr/bin/openssl dgst -sha1 -binary < "${dmgFinal}" | /usr/bin/openssl dgst -dss1 -sign "dsa_priv.pem" | /usr/bin/openssl enc -base64
```

Hope that helps.

Mangled Deutz
  • Thanks for the response @Mangled Deutz. For the option we should have an Apple developer paid ID...??? – Gauri rawat Jan 21 '14 at 11:00
  • Yes, you need a paid Apple certificate for option (A) - also, you need to be aware that without said Apple certificate, it will be difficult for users to install your application starting with Mountain Lion (because of Gatekeeper: http://support.apple.com/kb/ht5290), so, unless this is a corporate / internal application, I strongly suggest you pay that fee and get the Apple cert. – Mangled Deutz Jan 21 '14 at 11:16
  • OK, if I choose option B then there is no need to buy an Apple developer ID, but when it is installed on Mountain Lion the app will not install due to Gatekeeper. – Gauri rawat Jan 21 '14 at 12:12
  • Indeed - though, your users will still have the possibility to install your app, but that will require them to command+click + open and confirm, or disable Gatekeeper in their prefs (and that's Mountain Lion and Mavericks now). – Mangled Deutz Jan 21 '14 at 12:51
  • I used `ruby sign_update.rb path_to_your_update.zip path_to_your_dsa_priv.pem` and it gave me a DSA signature. Then I copied the DSA signature into my XML file. After checking for updates it gives me the error "the update is improperly signed". Can you tell me what is going wrong? – Gauri rawat Jan 22 '14 at 07:34
  • let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/45783/discussion-between-gauri-rawat-and-mangled-deutz) – Gauri rawat Jan 22 '14 at 11:00
  • One important case for using DSA signatures: delta updates. You need to have a DSA signature for your appcast items if using delta updates http://sparkle-project.org/documentation/delta-updates/ – mz2 Aug 30 '15 at 15:37
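
A local pre-publish check for the option (B) signature, as an added example that is not part of the original answer or of Sparkle's own scripts: it reverses the answer's pipeline (SHA-1 of the file, then a DSA signature over that digest) to confirm that a base64 signature matches a given update file and public key before the value goes into the appcast. The function name `verify_update` and the script name are made up here, and `-sha1` is used where the answer uses `-dss1`, on the assumption of an OpenSSL build that no longer accepts `-dss1`.

```shell
#!/bin/sh
# verify_update FILE PUBKEY_PEM BASE64_SIGNATURE
# Exit status: 0 = signature matches, 1 = mismatch, 2 = bad input.
# Runs in a subshell "( ... )" so its variables and trap stay local.
verify_update() (
    file=$1; pub=$2; sig_b64=$3
    [ -r "$file" ] && [ -r "$pub" ] || { echo "unreadable file or key" >&2; exit 2; }

    sig=$(mktemp) || exit 2
    trap 'rm -f "$sig"' EXIT

    # The appcast carries the signature as one base64 line; decode it to raw DER.
    printf '%s\n' "$sig_b64" | openssl enc -base64 -d -A > "$sig" || exit 2
    [ -s "$sig" ] || { echo "signature is not valid base64" >&2; exit 2; }

    # Same two-stage digest as the signing pipeline: the DSA signature covers
    # the 20-byte binary SHA-1 of the file, not the file itself.
    openssl dgst -sha1 -binary < "$file" |
        openssl dgst -sha1 -verify "$pub" -signature "$sig" >/dev/null 2>&1
)

# Stand-alone use (hypothetical script name):
#   sh verify_update.sh update.zip dsa_pub.pem 'BASE64_SIGNATURE'
if [ "$#" -eq 3 ]; then
    if verify_update "$1" "$2" "$3"; then
        echo "signature OK for $1"
    else
        echo "signature does NOT match this file and key" >&2
        exit 1
    fi
fi
```

A mismatch here means the signature was made over different bytes (for example a re-zipped archive) or with a private key that does not pair with the public key being checked.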