Signing applications for Gatekeeper


#1

http://arstechnica.com/apple/2012/07/os-x-10-8/15/ is part of Ars Technica’s usual excellent coverage of Mountain Lion (which is now out).

Seems our applications simply won’t work on Mountain Lion if they aren’t signed. :frowning:

Any plans to put this into the Juce framework?


#2

Jeez… Don’t know, I’d need to learn how the signing process works.

So now it’s impossible to release a signed app without paying Apple for a developer account, right?


#3

Figured I’d give you the heads-up ASAP because eventually we’re all going to have to work out how this goes. :frowning:

You are right - if you don’t pay Apple $99 and then sign your application with a Developer ID then when someone using Mountain Liar tries to run your program, they are prevented from doing so. They can turn this off in general from a control panel, deliberately open the app with a left-click menu item, or execute a command line statement to mark your application as OK.

I particularly expect a lot of my users to fire up a Terminal and type some shell commands in, because that’s one of those things users are good at. [/SARCASM]


#4

AFAIK you can register for free
https://developer.apple.com/programs/register/

You need to pay $99 for the iOS store and Mac App Store developer program.


#5

I already have the free registration but you need the $99 one to sign your application.

That makes sense because they don’t want you to be able to create a throw-away account to sell your malware.


#6

How lucky for Apple that in order to keep their users safe, they need us to give them even more money.


#7

It’s not just the money - what if they decide they don’t like our application? They can simply refuse to renew our developer ID, right?


#8

Haha - first I need to buy a new Mac, my 3 year old Mac mini(!!) isn’t compatible with Mountain Lion, that’s why we love Apple :x


#9

If you thought “IntroJucer REQUIRED for practical development?” was bad, now it seems we’re at “Apple permission plus payment REQUIRED for creating apps!”


#10

> If you thought “IntroJucer REQUIRED for practical development?” was bad, now it seems we’re at “Apple permission plus payment REQUIRED for creating apps!”

nice one :smiley:


#11

The Gatekeeper on Mountain Lion has 3 options:

- Mac App Store – Only apps that came from the Mac App Store can open.
- Mac App Store and identified developers (default) – Only allow apps that came from the Mac App Store and developers using Gatekeeper can open.
- Anywhere – Allow applications to run regardless of their source on the Internet; Gatekeeper is effectively turned off. Note: Developer ID-signed apps that have been inappropriately altered will not open, even with this option selected.

All details here : http://support.apple.com/kb/HT5290


#12

It “can” have three options - in practice, few people will ever change their options from the default value.


#13

Apparently Steinberg was surprised by this as well.
They posted a nice overview page for this problem (including a light workaround): https://www.steinberg.net/en/support/knowledgebase_new/show_details/kb_show/mac-os-x-108-gatekeeper-and-steinberg-products.html


#14

Another thing on signing installers that we had to learn the hard way:
It turned out you can only sign “flat packages”. (http://web.archiveorange.com/archive/v/VCdoo3nKCyjztJQaY4zv) We were using the Iceberg software before to create our installers, where AU/VST/RTAS were put into separate pkgs and then combined into an mpkg. Trying to productsign that file gave some obscure error.

We switched to using the “Packages” software (http://s.sudre.free.fr/Software/Packages/about.html) that creates such a “flat package” (and still allows you to de-select specific plugin types in the installer).
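
An added example, not part of the thread: a pre-flight check that separates flat packages from bundle-style ones before calling `productsign`, so the unsupported case from post #14 is reported clearly instead of failing with an obscure error. It assumes a flat package is a single xar archive (file magic `xar!`) and a bundle-style `.pkg`/`.mpkg` is a directory; the function names and the signing identity are placeholders.

```shell
#!/bin/sh
# Added example: classify an installer package before signing it.
# Assumptions: flat packages are xar archives whose first four bytes are
# "xar!"; bundle-style .pkg/.mpkg installers are directories.

# pkg_kind PATH -> prints "flat", "bundle" or "unknown"
pkg_kind() {
    p=$1
    if [ -d "$p" ]; then
        echo bundle
    elif [ -f "$p" ] && \
         [ "$(dd if="$p" bs=4 count=1 2>/dev/null)" = "xar!" ]; then
        echo flat
    else
        echo unknown
    fi
}

# sign_pkg IDENTITY INPUT OUTPUT
# Calls productsign only for flat packages.
# Returns 2 for a bundle-style package, 3 for anything unrecognised.
sign_pkg() {
    identity=$1 in=$2 out=$3
    case $(pkg_kind "$in") in
        flat)
            productsign --sign "$identity" "$in" "$out"
            ;;
        bundle)
            echo "$in: bundle-style package, rebuild it as a flat package first" >&2
            return 2
            ;;
        *)
            echo "$in: not a recognised installer package" >&2
            return 3
            ;;
    esac
}

# Stand-alone use (placeholder identity):
#   ./sign_pkg.sh "Developer ID Installer: Example Corp" in.pkg out.pkg
if [ "$#" -eq 3 ]; then
    sign_pkg "$@"
fi
```

After a successful run, `pkgutil --check-signature` on the output file shows the certificate chain the installer was signed with.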