
App can not be opened because it is from an unidentified developer

Question:

Please note before reading this that "Tell them to go to System preferences > Security & privacy and allow 3rd party applications to run" is not an acceptable solve for this issue.

I have created an .app that has been signed with a valid Mac Developer certificate. Yet downloading it from the internet & running still throws the security prompt:

App can't be opened because it is from an unidentified developer

This is the codesign -vvv terminal dump for the .app:

Executable=/Users/me/Desktop/ADRA.app/Contents/MacOS/ADRA
Identifier=unity.Company.ADRA NSW 2016
Format=app bundle with Mach-O thin (i386)
CodeDirectory v=20200 size=178145 flags=0x0(none) hashes=5561+3 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha1=79ecf88721d6387749c1f6b10355c3683ef20eb2
CandidateCDHash sha256=0799e968a18a663a0c08d26d3fb7826017ce5a3a
Hash choices=sha1,sha256
CDHash=0799e968a18a663a0c08d26d3fb7826017ce5a3a
Signature size=4739
Authority=3rd Party Mac Developer Application: Company Pty Ltd (NH73TNDB28)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=20 Apr 2017, 2:46:12 PM
Info.plist entries=14
TeamIdentifier=NH73TNDB28
Sealed Resources version=2 rules=12 files=138
Internal requirements count=1 size=224

I don't understand why this does not pass Gatekeeper? Is there something missing? Does Apple require further payments / bribes or something?


Update 1:

@TheDarkKnight has suggested that I am using the incorrect certificate to sign the .app. Looks as though they are correct, so I went to create a new Developer ID Application certificate, but apparently, because I am not an 'Agent' in the group account, I now have to wait until the 'Agent' creates one for me. Seems backwards; is there no other way around waiting for the 'Agent' to make this for me?

(in Xcode) If the "Developer ID" radio button is greyed out you probably have a group account. These types of accounts only allow for the "Agent" role to create Developer IDs. Contact the person who created your group Apple Developer Account if you get stuck here.

https://developer.mozilla.org/en-US/docs/Mozilla/Signing_Mozilla_apps_for_Mac_OS_X


Update 2:

So I finally got my new cert today, re-signed the .app, downloaded it from the server, ran it and STILL GOT THE ERROR MESSAGE. The authority seems to be correct now:

Executable=/Users/me/Downloads/ADRA.app/Contents/MacOS/ADRA
Identifier=com.company.adra
Format=app bundle with Mach-O thin (i386)
CodeDirectory v=20200 size=178133 flags=0x0(none) hashes=5561+3 location=embedded
Library validation warning=OS X SDK version before 10.9 does not support Library Validation
OSPlatform=36
OSSDKVersion=657408
OSVersionMin=656896
Hash type=sha256 size=32
CandidateCDHash sha1=90d2a54162d6d018bf4f7602d7707c8e8e522fc6
CandidateCDHash sha256=dadfe5203d1367ea776f9501025dbd4ce751ee30
Hash choices=sha1,sha256
Page size=4096
CDHash=dadfe5203d1367ea776f9501025dbd4ce751ee30
Signature size=8930
Authority=Developer ID Application: Company Pty Ltd (NH73TNDB28)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=10 May 2017, 3:36:51 pm
Info.plist entries=14
TeamIdentifier=NH73TNDB28
Sealed Resources version=2 rules=12 files=138
Internal requirements count=1 size=184

I am only signing the .app; is there anything else that I have to do to make this work? Is there a time period I have to wait before this will work?

Zze asked Apr 20 '17 05:04



1 Answer

Apple supply different certificates for different purposes.

If you look at a signature for an app downloaded from the App Store, you'll see that they usually contain the Common Name: Apple Mac OS Application Signing, as Apple re-sign applications that they distribute through the store.

For 3rd party developers that distribute via alternative streams, their Application certificates usually have a Common Name that begins with: "Developer ID Application...".

Note that other 3rd party certificates are available, such as an Installer certificate for signing installer packages, whose Common Name begins with "Developer ID Installer...".

The privilege of being able to sign a product with a certificate must be limited and tightly controlled.

Should a copy of your certificate be leaked, it can be used for nefarious purposes, such as distribution of malware, as was the case with KeRanger, which infected the Transmission BitTorrent application.

If you suspect a leaked certificate that you own, you need to revoke it, which can be initiated from your Apple Developer account.

So, Apple limits the creation of certificates to the Agent, as there can be only one registered with an Apple Developer account, and that is the person who has legally agreed to take responsibility for it.

TheDarkKnight answered Oct 11 '22 08:10
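
The certificate families named in the answer above, plus the "3rd Party Mac Developer Application" authority from the question's first dump, can be told apart from the first Authority line of the codesign output. This is an added example, not part of the original posts; the function names and channel labels are this example's own, and the sample input is copied from the question's two dumps.

```sh
# Added example: classify the signing certificate found in codesign output.

# The first Authority= line is the leaf (signing) certificate; later ones are issuers.
leaf_authority() {
    awk '/^Authority=/ { sub(/^Authority=/, ""); print; exit }'
}

# Map a leaf Common Name to a channel label (labels are this example's own).
classify_leaf() {
    case "$1" in
        "Developer ID Application:"*)            echo "outside-store-app" ;;
        "Developer ID Installer:"*)              echo "outside-store-pkg" ;;
        "3rd Party Mac Developer Application:"*) echo "app-store-submission" ;;
        "Apple Mac OS Application Signing")      echo "app-store-resigned" ;;
        "")                                      echo "no-authority" ;;
        *)                                       echo "other" ;;
    esac
}

# Succeeds only for a Developer ID leaf, the family meant for direct downloads.
is_developer_id() {
    case "$(classify_leaf "$1")" in outside-store-*) return 0 ;; esac
    return 1
}

# Lines copied from the question's first dump.
first_dump() {
    cat <<'EOF'
TeamIdentifier=NH73TNDB28
Authority=3rd Party Mac Developer Application: Company Pty Ltd (NH73TNDB28)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
EOF
}

# Lines copied from the question's second dump (Update 2).
second_dump() {
    cat <<'EOF'
TeamIdentifier=NH73TNDB28
Authority=Developer ID Application: Company Pty Ltd (NH73TNDB28)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
EOF
}

for dump in first_dump second_dump; do
    leaf=$("$dump" | leaf_authority)
    printf '%s -> %s\n' "$leaf" "$(classify_leaf "$leaf")"
done
```

On macOS the same functions can read live output, for example `codesign -dvvv Your.app 2>&1 | leaf_authority`, since codesign writes its display output to stderr.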