Thursday, August 2, 2012

Code Signing Real Studio Apps for Mountain Lion

Updated 2012-08-03: You do not have to sign dylibs for GateKeeper, only for Mac App Store submissions.
Updated 2012-11-05: Added note about codesign tool working with 10.6, 10.7 and 10.8.

With the release of OS X 10.8 Mountain Lion last month, the new GateKeeper functionality is now in effect.  This means that new apps that are downloaded or copied to a Mac with Mountain Lion, but that are not digitally signed using your Apple Developer Certificate, display this error when run on Mountain Lion:

Mountain Lion Error for Unsigned Applications

This error can be overridden in System Preferences, by changing the "Allow applications downloaded from" setting to "Anywhere":

Security & Privacy System Preferences

And you can right-click on the app and click Open in the menu to tell OS X, "I'd really like to run this app, thank you very much."

Note that this only matters for new apps that you transfer to a Mac running Mountain Lion.  If you have Real Studio running on Mountain Lion, you'll be able to run the apps you create just fine.  You'll only run into this warning when you copy the app to another Mac, either by making it available for download or by copying it via a USB stick, the network or anything else.

So even though you don't technically need to sign your OS X applications in order for them to run on Mountain Lion, you are probably going to want to.  The truth is that most people will just leave the setting at the default and will not know that when they get the warning message that they can right-click on the app to open it.  You could try explaining all this to them, but either way it is going to be a hassle for your users. Odds are they just won't bother with your app.

Unfortunately, to sign your apps you need a developer certificate from Apple.  And the only way to get a Developer Certificate is to sign up for the Mac Developer Program, which costs $100 a year.  However, the certificate you get is good for 5 years, so it looks like you do not need to pay the $100 fee each year unless you also want to distribute apps in the Mac App Store.

You can find out more about the Mac Developer Program at the Mac Dev Center:

Once you have joined, you can create your own certificates using the Developer Certificate Utility at the Mac Dev Center.  The steps are a bit involved, but essentially you will request a Developer ID certificate on this page:

Developer Certificate Utility page at the Mac Dev Center

And then the Utility walks you through the process of starting KeyChain Access and downloading and uploading files until you have the certificate installed.  It's a little tedious, but relatively straightforward.

That's the hard part.  With the certificate installed, you can now use it to code sign any of your applications.  You do this using the Terminal command codesign (pronounced "code sign").

But before you begin, make sure you have the Intermediate Developer ID certificate installed.  Go to this page:

and download the Developer ID certificate.  Double-click it to install it into Keychain Access.

Now you are ready to code sign your Real Studio application.  Navigate to its folder using Terminal.  There you can enter this command to code sign your application and all its libraries.  Obviously you want to replace "" with the name of your application and "Developer ID Application: YourName" with the name of your signing certificate specified in Keychain Access.

codesign -f -s "Developer ID Application: YourName"  ""

That's it.  Now you can compress your app and transfer it to another computer with Mountain Lion and you'll be able to run it just by double-clicking on it.

Here is a sample application that I've code signed using the above process.  Feel free to try it out:

Update (2012-08-03):
If you are having trouble with these steps, one thing you might try is to download and install the Command Line Tools for either Lion or Mountain Lion.

Update (2012-11-05):
You can use the codesign tool on Snow Leopard (10.6), Lion (10.7) and Mountain Lion (10.8) in order to sign your apps for Mountain Lion.



Russ said...

Will this need to be done with web apps we are running via Apache on 10.8?

Cho Sing Kum said...

Does the app need to be compiled on the Mac that signing is done? What if it is compiled in Windows?

Paul Lefebvre said...

@Russ: That's a very good question. It certainly won't hurt to code sign your web apps if they are running on a Mac server. I would guess that since Apache is starting the process, then a code signature would not be necessary, but I have not tried this.

Paul Lefebvre said...

@Cho Sing Kum: If you compile your Mac app on Windows, you'll need to transfer it to a Mac and code sign it there.

You can only code sign an OS X app on OS X, using either Lion or Mountain Lion.

Cho Sing Kum said...

@Paul Lefebvre: Of course I know have to code sign a mac app on a mac.

Will copying the compiled app over from another mac or Win "be aceptable" to Mountain Lion? Or must it be compiled on the mac where the code signing is to be done.

Altho I have upgraded to Mountain Lion, I am not yet able to test this. I am using Personal now and waiting for Desktop in Oct? before I can test.

Paul Lefebvre said...

@Cho Sing Kum: I don't see why it would matter where the app was originally compiled. This process worked fine for me:
1. Compile Mac app on Windows.
2. Copy archive to Mac and expand it.
3. Code sign it on the Mac.
4. Copy to Mountain Lion. Signature is recognized.

Stephen said...

Is it not enough to simply code sign the whole shebang with:

codesign -f -s "Developer ID Application" /Users/Stephen/Desktop/

Paul Lefebvre said...

@Stephen: I'm not sure if that single command is sufficient. In the past with Mac App Store submissions, it definitely was not sufficient as you would be rejected for not having the libraries signed. Perhaps that doesn't matter for GateKeeper. I'll have to try it again to find out.

Paul Lefebvre said...

@Stephen: Per Joe R., you are right. For GateKeeper, you do not need to sign the dylibs. That's only a requirement for Mac App Store submissions. I'll update the post.

Thomas Tempelmann said...

I've had discussions on this topic with JoeR and been also getting some feedback from Apple's "Perry the cynic", who is quite the master in this field.

Perry indicates that while it's _currently_ not checked by OSX whether the dylibs are signed, this might well be the case in the future.

Also, recent MBS plugins are already signed for GateKeeper.

Perry also points out that when signing any libs that are not part of Frameworks, e.g. dylibs, you should add your custom identifier using the "--prefix" option in the codesign tool. So that it reads something like:

codesign --prefix "com.mydomain." -s "Developer ID Application" ...

Lastly, such codesigned app use a default DR (designated requirements) setting that'll cause problems on Snow Leopard (1.6.8) when you either want to verify the signature (unlikely) or use the Keychain (more likely). To fix this, a custom DR has to be used, but don't ask me how, I haven't done this myself yet.

Lastly, I just read that using codesign on Mountain Lion (vs. Lion) may cause issues as it adds a date stamp, which some found troublesome. How to deal with that (other than avoiding ML) I don't know yet, either.

The program "App Wrapper" ( can perform the signing with a nicer UI if you don't like to deal with the details yourself.

And the program "RB App Checker" can be used to see if the signing is valid.

Patrick Besong said...

I'm getting the error " object file format unrecognized, invalid, or unsuitable" when I try to sign my app. Anyone know what's wrong? I have navigated to my app in the terminal prior to running the command.

Paul Lefebvre said...

@Patrick: Try installing the Command Line Tools (link is in the blog post). Others have found they get rid of odd errors with the codesign command.

Patrick Besong said...

Thanks, Paul. I will give that a shot.

Patrick Besong said...

okay, stupid question: I've installed the command line tools, but how do i access them? i don't see where it was installed, or does that just update my Terminal app?

Patrick Besong said...

After updating Command Line Tools, I opened the terminal and ran the command again and this time it worked, so I guess that was the fix. Thanks Paul!