Preparing for Gatekeeper in OS X 10.8



OS X 10.8 is coming and one of its new features is Gatekeeper, which by default blocks all unsigned applications. So, if I want my apps to run at all on OS X 10.8, I have to start signing them ASAP.

I spent more time than I thought on this task, but it was mostly because I wasn't familiar with the signing process. I guess that for developers who are already familiar with the Mac App Store or iOS developement it's even easier, but I had to do a lot of poking around to get it right. However, in the end, it's rather simple. Here are the steps, for posterity:

Step 1: Have a Mac Developer account. Yeah, you have to pay the 100$/year tax now because as far as I know, it's the only way to get a Developer ID certificate.

Step 2: Setup certificates in XCode Organizer. Open the Organizer (In the Windows menu) and then select "Devices". Then, I don't remember exacly how to trigger the certificate fetching process, but I think it involved clicking a "Refresh" button somewhere (since my XCode is already set up, I don't remember what my Organizer looked like before I had those certificates). Then you're going to be prompted for your Developer ID login credentials and XCode is going to start fetching certificates. You're going to be repeatedly prompted for confirmation. It's weird, but it's not a bug: there are 5 certificates to fetch.

Step 3: Add code signing to your build process. This was the most confusing step to me. In XCode project properties, you have a little "Code Sign Application". I figured that I simply had to check this and that I would be fine. Wrong. The thing is that checking this box makes XCode sign with the "Mac Developer" identity. The problem is that for your app to be accepted by Gatekeeper, you have to sign your app with "Developer ID Application: [your name]". You can change the signing identity in your build settings, but I decided to perform the signing "manually", through the command line in my build script. The command is codesign --force --sign "Developer ID Application: [your name]" [app_path].

Here's an extra tip. It might seem obvious to you, but I got bitten by this: make sure you don't change the contents of your app after you've signed it.

Another tip: You can verify the signature of an app through codesign --verify --verbose [app_path].


This site is best viewed with Opera while listening to The White Stripes