Signing applications for Gatekeeper

http://arstechnica.com/apple/2012/07/os-x-10-8/15/ is part of Ars Technica’s usual excellent coverage of Mountain Lion (which is now out).

Seems our applications simply won’t work on Mountain Lion if they aren’t signed. :frowning:

Any plans to put this into the Juce framework?

Jeez… Don’t know, I’d need to learn how the signing process works.

So now it’s impossible to release a signed app without paying Apple for a developer account, right?

Figured I’d give you the heads-up ASAP because eventually we’re all going to have to work out how this goes. :frowning:

You are right - if you don’t pay Apple $99 and then sign your application with a Developer ID then when someone using Mountain Liar tried to run your program, they are prevented from doing so. They can turn this off in general from a control panel, deliberately open the app with a left-click menu item, or execute a command line statement to mark your application as OK.

I particularly expect a lot of my users to fire up a Terminal and type some shell commands in, because that’s one of those things users are good at. [/SARCASM]

AFAIK you can register for free
https://developer.apple.com/programs/register/

you need to pay 99$ for ios store and mac app store developer program.

I already have the free registration but you need the $99 one to sign your application.

That makes sense because they don’t want you to be able to create a throw-away account to sell your malware.

How lucky for Apple that in order to keep their users safe, they need us to give them even more money.

It’s not just the money - what if they decide they don’t like our application? They can simply refuse to renew our developer ID, right?

haha - first i need to buy a new mac, my 3 year old mac mini(!!) isn’t compatible with mountain lion, thats why we love apple :x

If you thought “IntroJucer REQUIRED for practical development?” was bad, now it seems we’re at “Apple permission plus payment REQUIRED for creating apps!”

If you thought “IntroJucer REQUIRED for practical development?” was bad, now it seems we’re at “Apple permission plus payment REQUIRED for creating apps!”[/quote]

nice one :smiley:

The Gatekeeper on Mountain Lion have 3 options:
[list][]Mac App Store – Only apps that came from the Mac App Store can open.[/]
[] Mac App Store and identified developers (default) – Only allow apps that came from the Mac App Store and developers using Gatekeeper can open.[/]
[]Anywhere – Allow applications to run regardless of their source on the Internet; Gatekeeper is effectively turned off. Note: Developer ID-signed apps that have been inappropriately altered will not open, even with this option selected.[/]
[/list]

All details here : http://support.apple.com/kb/HT5290

It “can” have three options - in practice, few people will ever change their options from the default value.

Apparently Steinberg was surprised by this as well.
They posted a nice overview page for this problem (including a light workaround): https://www.steinberg.net/en/support/knowledgebase_new/show_details/kb_show/mac-os-x-108-gatekeeper-and-steinberg-products.html

Another thing on signing installers that we had to learn the hard way:
It turned out you can only sign “flat packages”. (http://web.archiveorange.com/archive/v/VCdoo3nKCyjztJQaY4zv) We were using the Iceberg software before to create or installers were AU/VST/RTAS were put into separate pkgs and then combined into a mpkg. Trying to productsign that file gave some obscure error.

We switched to using the “Packages” software (http://s.sudre.free.fr/Software/Packages/about.html) that creates such a “flat package” (and still allows to de-select specific plugin types in the installer).