OS X 10.8 Gatekeeper and Java applets

Question

With the new release of OS X 10.8, the Gatekeeper will popup the following warning, when you try to start a signed Java applet:

The applet has been signed with a valid code signing certificate and will work correctly on other platforms as well as previous versions of OS X. If I change "Allow applications downloaded from:" to "Anywhere", it works correctly.

As far as I can figure out "The digital signature could not be verified", actually means something like "the signature has not been made with a Mac Developer ID".

So: Can I sign Java applets with a Mac Developer ID? Can I sign it with both a Mac Developer ID and a standard code signing certificate? Is there a better approach?

Answer 1

Here's the answer that I got from Apple Developer Technical Support:

Thank you for your patience while we investigated this.

The alert is presented by Java, not by Gatekeeper. However, you're correct that the verification logic was changed on OS X Mountain Lion.

For a while now, users have been presented with this alert when running a signed applet, because signed applets can escape the Java sandbox and make unexpected changes to the user's system. Users have the option to check the "Allow all applets from " box if they trust the developer and thus they won't see the alert again unless they remove the item from the Java Security preferences.

What's changed in Mountain Lion is that the verification alert now basically means that the applet's signature is valid, but the applet is from an unidentified developer and is trying to escalate privileges when Gatekeeper is enabled and the user has to decide whether to allow that.

"Unidentified developer" means a source other than the Mac App Store or a Developer ID-identified developer. Note that Java applets cannot participate in the Developer ID program.

If Gatekeeper is set to trust only Mac App Store apps, then you will not be able to add the applet to the trusted list unless you add the applet's certificate to the keychain using the sheet that appears after clicking Show Details.

Unsigned applets are not allowed to escape the Java sandbox at all.

This is consistent with Gatekeeper's treatment of native Mac apps; apps from unidentified developers are not allowed to run by default.

If you'd like to see the wording of the alert changed, please file a bug report at https://developer.apple.com/bugreporter.

This basically means that there is no way to sign the applet in such a way that you can avoid this message to be shown. I filed a bug report to Apple saying that I want the wording of the message to be changed not to contain words like UNIDENTIFIED, UNVERIFIED, INSECURE... because that's the whole point of signing the applets, so that the users can feel all warm and cosy inside when they need to allow the applet to run, to assure them that what they are about to allow is OK and verified and it won't do any harm to their computer, and we need to show it on a place where it will be visible, to poke their eyes with it.

Answer 2

You answered your own question. Gatekeeper considers that certificates / signatures not issued by Apple are not trusted.

Apple Documentation will tell you how to export your certificate. You can then use it as usual. The codesign command may also do the trick.