OSX 10.12.3. I have a package which is code signed using EV code sign.

$ codesign --force --sign "3rd Party Mac Developer Application: myname (code...)" mypackage.pkg

But when anyone downloads it and tries to install it on OSX, they all get the following:

In English it's the same dialog box: “App can’t be opened because it is from an unidentified developer”

When I check the code signature, I can see it's working:

$ pkgutil --check-signature mypackage.pkg
Package "mypackage.pkg":
   Status: no signature

$ codesign -dv --verbose=4 mypackage.pkg
Executable=/Users/xxx/xxxxxx
Identifier=xxxx
Format=generic
CodeDirectory v=20200 size=177 flags=0x0(none) hashes=1+2 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha1=xx
CandidateCDHash sha256=xx
Hash choices=sha1,sha256
CDHash=xxxxx
Signature size=4715
Authority=3rd Party Mac Developer Application: xxxxx
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=1xxx
Info.plist=not bound
TeamIdentifier=xxxxx
Sealed Resources=none
Internal requirements count=1 size=196

How do I make sure it's done correctly, so that it does not scare the OSX user? What am I missing here?

  • You should probably state the error message since I don't see it (or translate it to English since the message probably has lots of hits on Google). – jww Mar 20 '17 at 17:45

1 Answer

The code-signing identity "3rd Party Mac Developer Application: <Team Name>" is used to sign an app before submitting it to the app store. It is not useful for distribution outside of the app store.

To sign an app bundle for distribution outside of the app store, use the "Developer ID Application: <Team Name>" identity.

However, you said you're signing a "package" and showed a file with .pkg file extension. To sign an installer package, use the "Developer ID Installer: <Team Name>" identity. Furthermore, you should use productsign or the appropriate options to pkgbuild or productbuild, not codesign, to sign installer packages.

Ken Thomases
  • Sir, my package is a .pkg which contains a precompiled .app in it. So should I first sign the .app and then sign the .pkg? (While using pkgbuild or productbuild, do I use the EV code signing which was purchased from GlobalSign for 3 years?) –  Mar 20 '17 at 18:27
  • It can't hurt to sign your app bundle before building the installer package, but I don't think it's necessary. I'm not sure what your second question is about. You need to code sign with the right kind of certificate from Apple. Signing with a certificate from another source doesn't help you with Gatekeeper (which is what is showing the dialogs in your question). – Ken Thomases Mar 20 '17 at 19:20
  • Sir, it worked (to sign my .pkg which contains the .app). But I have one last question. I need to sign the .app (a third-party open source binary), but when I went to my Apple account I can't find `"Developer ID Application: "`. See pictures: http://i.imgur.com/7qim3oh.png and http://i.imgur.com/25Oba2j.png –  Mar 20 '17 at 21:23
  • The first of those screenshots actually shows a radio button to create your Developer ID Application certificate. You can also use Xcode to create and download the certificate automatically. See https://developer.apple.com/library/content/documentation/IDEs/Conceptual/AppDistributionGuide/MaintainingCertificates/MaintainingCertificates.html#//apple_ref/doc/uid/TP40012582-CH31-SW6 . – Ken Thomases Mar 20 '17 at 22:14
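
The workflow from the answer above, as an added example that is not part of the original answer or its comments: pick the tool and Developer ID certificate type by artifact kind, sign, then classify what `pkgutil --check-signature` reports. The function names and the team-name argument are assumptions made for illustration, and `sign_pkg` and `sign_app` need the macOS tools.

```shell
#!/bin/sh
# Added example, not from the original post.

# Pick "<tool>|<certificate type>" for an artifact, following the answer:
# installer packages and app bundles need different Developer ID certificates.
signing_plan() {
  case "$1" in
    *.pkg) echo "productsign|Developer ID Installer" ;;
    *.app) echo "codesign|Developer ID Application" ;;
    *)     return 1 ;;
  esac
}

# Classify `pkgutil --check-signature` output read on stdin.
# Prints one of: unsigned, developer-id, wrong-identity.
classify_pkg_signature() {
  sig_out=$(cat)
  case "$sig_out" in
    *"Status: no signature"*)    echo unsigned ;;
    *"Developer ID Installer:"*) echo developer-id ;;
    *)                           echo wrong-identity ;;
  esac
}

# Sign in.pkg into out.pkg and check the result (macOS only).
# Usage: sign_pkg "<Team Name>" in.pkg out.pkg   (team name is a placeholder)
sign_pkg() {
  plan=$(signing_plan "$2") || return 1
  [ "${plan%%|*}" = productsign ] || return 1
  productsign --sign "${plan#*|}: $1" "$2" "$3" || return 1
  verdict=$(pkgutil --check-signature "$3" | classify_pkg_signature)
  echo "pkgutil verdict: $verdict"
  [ "$verdict" = developer-id ] || return 1
  spctl --assess --type install -v "$3"   # Gatekeeper's own assessment
}

# Sign an app bundle in place and verify the signature (macOS only).
# Usage: sign_app "<Team Name>" MyApp.app
sign_app() {
  plan=$(signing_plan "$2") || return 1
  [ "${plan%%|*}" = codesign ] || return 1
  codesign --force --sign "${plan#*|}: $1" "$2" || return 1
  codesign --verify --strict --verbose=2 "$2"
}

# The pkgutil output posted in the question classifies as unsigned:
printf 'Package "mypackage.pkg":\n   Status: no signature\n' | classify_pkg_signature
```

A package signed with `codesign` still classifies as unsigned here, which matches the `Status: no signature` line in the question even though `codesign -dv` printed an authority chain.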