Our company develops our application for both Mac OS X and Windows. We have an existing purchased code signing certificate from a non-Apple authority we use to ID our Windows installers. We distribute both our DMGs & MSIs through our own company website.
The code signing guide for Mountain Lion's new Gatekeeper feature seems to imply that a non-Apple issued standard certificate would work, though I could be misinterpreting what "third-party" means in this case:
Note: Apple uses the industry-standard form and format of code signing certificates. Therefore, if your company already has a third-party signing identity that you use to sign code on other systems, you can use it with the OS X codesign command...
Is it possible to use this non-Apple certificate, and if so, how could it be incorporated using the command line "codesign" command?
Generate a Code Signing Certificate manuallyOpen your Keychain Access app on macOS. Select Keychain Access > Certificate Assistant > Request a Certificate From a Certificate Authority... Fill in the User's Email Address and the Common Name and select Saved to Disk .
Code signing is a macOS security technology that you use to certify that an app was created by you. Once an app is signed, the system can detect any change to the app—whether the change is introduced accidentally or by malicious code.
A signing certificate is the first requirement you need in order to be able to sign apps for installation on iOS devices. Specifically, you need a development certificate, which lets an individual install and run an app on a device.
Cannot take credit for this, but the blunt answer is:
NO
I just spent a good three days converting certificates and searching the internets to find these:
http://successfulsoftware.net/2012/08/30/how-to-sign-your-mac-os-x-app-for-gatekeeper/ http://www.panic.com/blog/2012/02/about-gatekeeper/ http://arstechnica.com/apple/2012/02/developers-gatekeeper-a-concern-but-still-gives-power-users-control/
No. The reason it will not work is: To pass through GateKeeper, you need a code signing certificate which is signed with your Apple Developer ID. This is not the same as a regular code signing certificate issued to your company. Only Apple issues Apple Developer IDs. (Or at least, at the time of this writing.)
This is very confusing because:
The company we bought the code signing certificate from specifically claimed it works with MacOS. But what they meant was we could sign Apple code technically speaking. But passing GateKeeper is different. (Unclear marketing to say the least.)
At this time, there are unclear Apple docs which talk about signing code with 3rd party certificates. Ex: https://developer.apple.com/library/mac/documentation/security/conceptual/CodeSigningGuide/Procedures/Procedures.html
However, while you can sign the code, it does not pass GateKeeper! Again, this may refer to either internal corporate application use, or it may just be out of date.
Gatekeeper only recognises Apple digital certificates. Windows only recognises Comodo, Verisign and a few other signing authorities. So you need to buy a Comodo (or similar) certificate for Windows and pay $99 per year for the Apple developer program so you can get an Apple certificate as well. It is rather annoying, to say the least.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With