
I am trying to distribute an application (itself code-signed) inside a code-signed DMG volume, signed by a self-signed code certificate (generated using the Keychain Certificate Assistant).

I’m on macOS Mojave and I am creating the DMG using the following procedure:

  1. Create a new empty folder testsrc
  2. Copy code-signed app bundle into the new folder
  3. Run

    hdiutil create -volname test -srcfolder testsrc -ov -format UDBZ test.dmg
    
  4. Code-sign the DMG:

    codesign -s keyid test.dmg
    

This succeeds (no error message, return code 0). Furthermore, trying to execute codesign again leads to the message “test.dmg: is already signed”. I can verify the signature:

    codesign -vvvv -d test.dmg
    Executable=/path/to/test.dmg
    Identifier=test
    Format=disk image
    CodeDirectory v=20100 size=291 flags=0x0(none) hashes=1+6 location=embedded
    Hash type=sha256 size=32
    CandidateCDHash sha256=73…
    Hash choices=sha256
    Page size=none
    CDHash=73… (same as above)
    Signature size=1760
    Authority=keyid
    Signed Time=12 Dec 2018 at 18:26:31
    Info.plist=not bound
    TeamIdentifier=not set
    Sealed Resources=none
    Internal requirements count=1 size=96

However, when I try to open the quarantined (downloaded from localhost) DMG, I get the usual Gatekeeper error message:

Gatekeeper: "“test.dmg” can’t be opened because it is from an unidentified developer"

Furthermore, spctl -v -a -t open --context context:primary-signature test.dmg tells me: “test.dmg: rejected”.

Is this purely because my certificate is self-signed rather than being an Apple Developer ID Application certificate? Is there a way around it?


I’ve seen the answers in How to add codesigning to dmg file in mac but they assume that the above procedure should work.


1 Answer


Is this purely because my certificate is self-signed rather than being an Apple Developer ID Application certificate?

In a nutshell: yes.

After using the key from an Apple signed developer certificate, the error went away and the application now passes validation by Gatekeeper.

  • It’s quite an unsatisfactory answer but I hope it helps people finding this question via googling. At the time when I was asking this, it was essentially impossible to find any information on the subject. – Konrad Rudolph Dec 18 '18 at 11:33
  • It's still difficult to find definitive information... Apple's documentation only covers very specific use cases that never seem to match up with mine. I signed with a Comodo certificate and it *appears* to work fine locally. However, if I move the DMG to our website and download from there, *then* it fails. I'll try an Apple cert next... – Brian Knoblauch Dec 26 '19 at 18:30
  • @BrianKnoblauch From macOS Catalina onwards code signing is no longer sufficient, [you need to get each app notarised](https://developer.apple.com/news/?id=09032019a). – Konrad Rudolph Dec 27 '19 at 18:25
  • Ah, good to know. I was under the mistaken belief notarization was only for App Store. Interestingly when I try to make my Developer ID cert the option is grayed out and it tells me to contact my Team Admin. I am an admin... Will see if one of the other admins can do it. – Brian Knoblauch Dec 27 '19 at 19:21
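As an added example (not code from the question or the answer), here is a POSIX sh preflight that wraps the question's hdiutil/codesign/spctl procedure and classifies the certificate chain that `codesign -dvvvv` reports: a self-signed identity shows a single bare `Authority=` line (as in the question's output), whereas an identity Gatekeeper trusts shows a `Developer ID Application` leaf anchored at `Apple Root CA`. The function names, the abridged sample reports and the `Example Corp (TEAMID0000)` team values are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the question or answer. Classifies the
# certificate chain that `codesign -dvvvv` reports for a signed DMG, so a
# self-signed identity (one bare Authority line, as in the question) is
# caught before Gatekeeper rejects the download. Only the live preflight
# needs macOS; the classifier is plain POSIX sh + grep.

# classify_chain "<codesign -d output>" prints one of:
#   developer-id : Developer ID Application leaf anchored at Apple Root CA
#   self-signed  : a single Authority line and no Apple anchor
#   other        : any other chain (e.g. a non-Apple CA); also rejected
classify_chain() {
    out=$1
    n=$(printf '%s\n' "$out" | grep -c '^Authority=' || true)
    if printf '%s\n' "$out" | grep -q '^Authority=Developer ID Application: ' \
        && printf '%s\n' "$out" | grep -q '^Authority=Apple Root CA$'; then
        echo developer-id
    elif [ "$n" -eq 1 ]; then
        echo self-signed
    else
        echo other
    fi
}

# Live preflight (macOS only): build and sign the image as in the question,
# classify the chain, then ask Gatekeeper's assessor for its verdict.
# Usage: preflight_dmg <source-folder> <signing-identity> <out.dmg>
preflight_dmg() {
    src=$1; ident=$2; dmg=$3
    hdiutil create -volname "$(basename "$dmg" .dmg)" -srcfolder "$src" \
        -ov -format UDBZ "$dmg" >/dev/null
    codesign -s "$ident" "$dmg"
    # codesign -d writes its report to stderr, so merge it into the capture
    chain=$(classify_chain "$(codesign -dvvvv "$dmg" 2>&1)")
    echo "signing chain: $chain"
    spctl -a -t open --context context:primary-signature -v "$dmg"
}

# Constructed sample: the question's self-signed report (abridged).
SELF_SIGNED_REPORT='Format=disk image
Authority=keyid
TeamIdentifier=not set'

# Constructed sample of a Developer ID report; team name and ID are placeholders.
DEVID_REPORT='Format=disk image
Authority=Developer ID Application: Example Corp (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=TEAMID0000'
```

Run `preflight_dmg testsrc "Developer ID Application: ..." test.dmg` on a Mac to see both the chain classification and spctl's accepted/rejected verdict for the image; on Catalina and later the image still needs notarization on top of a trusted chain.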