Codesigning again please [solved, I hope!]

Hi, I’m getting a little tired of almost constantly being in the dark about code signing my Mac plugins.

  1. I bought a new Mac and I can download the installer ID but I can’t seem to add it to the keychain, the ‘Keychain Access’ app just shows my ‘Mac Developer’ cert. Is that correct? Is it all as one now? I know they changed it again recently.
  2. I codesign my code automatically with my dev code, and then use the package maker to codesign it again, with ‘Mac Developer’ because my ‘Installer ID’ is not there anymore.
  3. Then I make a zip file (so they can actually get it from the website) and codesign that manually in the terminal.
  4. Upload it to my website.
  5. The user still sees the ‘Can’t be opened because it is from an unidentified developer’ message which really P’s off my potential customers. Not to mention me.

Can anyone help? This is driving me nuts.

You should have a separate certificate for signing your app and your installer.

Regarding step 3… I suggest you use DropDMG to sign your distributable otherwise you may run into TransLocation issues (depending on if your installer relies on external files).



Thanks for your answer. I just found my ‘Dev ID Inst’ in ‘Certificates’ NOT in ‘My Certificates’ in the Keychain app, which is odd.
But I STILL can’t add it to the Package maker though, probably because of this.

My installer just has three plugins. No external files.
Thanks again,
Dave H.

Are you using Packages? If I recall when I added the Installer ID it was tricky… I had to get the right project focused in Packages before it would un-grey the option.


It’s been working for years, and my old Mac had the certs. They didn’t move through the Migration Assistant though.
Anyway I might be a bit closer though, I noticed Mac Developer ID has a private sub-key, but my Mac Installer cert does not.
So I had to…

Create a NEW certificate in the web site by pressing the ‘+’ on the ‘production’ panel.
Select ‘Developer ID’ then ‘Developer Installer’ and go through the whole process of using the Keychain app to create a Certificate Signing Request which I add to the desktop (it’s all in the web site instructions). Then using that file in web instructions to create a new certificate file which DOES now have the private key attached.
Relaunching the package maker now shows the installer ID, which I can now use… phew!

Do I really now have to sign the zip file I make from the package?

Just tested it - no I don’t have to sign it again: I can make a zip file even on a Windows machine, and also rename it, and bung it on my web site and the installer cert stays intact. Excellent! Sorry for the noise, I had to brain-storm somewhere… :smiley:

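Added example, not part of any post in this thread: the problem above came down to an installer certificate that was in the keychain without its private key, so it was not a usable signing identity. The sketch below parses the output of `security find-identity -v` (which lists only certificates that have a matching private key) and reports which Developer ID identity kinds are missing; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# An identity is a certificate PLUS its private key. A certificate that shows
# under "Certificates" but not "My Certificates" has no key on this machine
# and will not appear in `security find-identity -v`.

# missing_identities: read `security find-identity -v` output on stdin and
# print each Developer ID identity kind that is absent, one per line.
missing_identities() {
    listing=$(cat)
    for kind in "Developer ID Application" "Developer ID Installer"; do
        # Identity names are quoted and followed by ": <name> (<team id>)".
        printf '%s\n' "$listing" | grep -q "\"$kind: " || printf '%s\n' "$kind"
    done
}

# Constructed sample of a keychain in the state the thread describes:
# the application identity is present, the installer identity is not.
sample_identities() {
    cat <<'EOF'
  1) 0000000000000000000000000000000000000001 "Developer ID Application: Example Dev (TEAMID0000)"
     1 valid identities found
EOF
}

# On a Mac, check the real keychain. Anything printed needs a new certificate
# created from a Certificate Signing Request generated on this machine.
if [ "$(uname)" = "Darwin" ]; then
    security find-identity -v | missing_identities
    # After building, confirm the package itself carries the signature
    # (placeholder path):
    #   pkgutil --check-signature /path/to/Installer.pkg
fi
```

The `pkgutil --check-signature` check reads the signature embedded in the `.pkg`, which is why zipping or renaming the package afterwards leaves it intact.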