standalones and Gatekeeper

Post by hodger » Wed Nov 09, 2016 11:47 pm

I'm interested to know of any guidelines or experience for building a Standalone that passes Gatekeeper scrutiny with a developer ID. Sierra raises the bar with the removal of the "allow from anywhere" choice in the control panel. The annual developer fee is not prohibitive, but since my app isn't an Xcode app, there may be difficulties I cannot foresee in getting my standalone signed.

Thanks for any stories, successes or failures.

Greg
hodger
 
Posts: 32
Joined: Mon Jul 26, 2010 8:19 pm

Re: standalones and Gatekeeper

Post by codegreen » Thu Nov 10, 2016 9:30 am

FWIW IIRC users can still open unsigned apps under Sierra's Gatekeeper by right-clicking them in the Finder and selecting Open from the popup menu.

As for the rest you don't need Xcode to sign apps, you can do it from the command line. You just need to join the developer program to obtain signing certificates. You WILL need to install the Xcode command-line tools package though (happily there's a separate DL containing just these, which is tiny compared to the whopping huge Xcode installers).

Once these are in place, you can automate signing the components of a standalone in recent OS versions with a simple script something like this one I whuffed up for Scott:

Code:
on mouseDrop
  enum idx = 1
  put "" into cd fld 1
  repeat forever
    put dragData(idx, "hfs ", "path") into thePath
    if thePath is empty then exit repeat
    put shell(merge("/usr/bin/codesign --verbose" ¬
      && "--sign `<Your_3rd_Party_Mac_Developer_Application_Certificate_Name_Here>`" ¬
      && "--deep --force `[[hfsToPosix(thePath)]]` 2>&1")) ¬
      && shell(merge("/usr/bin/codesign --verify -vvvv" ¬
      && "`[[hfsToPosix(thePath)]]` 2>&1")) & cr after cd fld 1
    add 1 to idx
  end repeat
end mouseDrop

Under Sierra there's also the issue of app translocation to deal with (where until it's manually moved from its original download folder the system will insist on copying your app to a randomized read-only location each time before launch). This plague afflicts even signed Xcode-created apps, and can break standalones that depend on SuperTalk properties like the application to locate satellite files/folders.

You can supposedly get around that if you distribute as a DMG file by code signing the entire DMG itself. Also standalones created with b24 and up will automagically bypass this idiocy (which should give you an idea just how little protection it actually offers in exchange for the hassle it imposes).

Scott's the one who wrestles with signing here though, so he may have more words of wisdom to offer...

HTH,
-Mark
codegreen
 
Posts: 1517
Joined: Mon Jul 14, 2008 11:03 pm

Re: standalones and Gatekeeper

Post by codegreen » Thu Nov 10, 2016 10:24 am

Or if you want just the steak:

Code:
function codesign hfsPath
  local posixPath = hfsToPosix(hfsPath)
  return shell(merge("/usr/bin/codesign --verbose --sign" && ¬
    "`<Your_3rd_Party_Mac_Developer_Application_Certificate_Name_Here>`" && ¬
    "--deep --force `[[posixPath]]` 2>&1;/usr/bin/codesign" && ¬
    "--verify -vvvv `[[posixPath]]` 2>&1"))
end codesign

-Mark
codegreen
 
Posts: 1517
Joined: Mon Jul 14, 2008 11:03 pm
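
Added example, not part of the original posts and not SuperCard's own code: the sign-then-verify sequence from the scripts above written as a POSIX shell function, with a Gatekeeper assessment (spctl --assess) added as a final check. The function names, the DRY_RUN switch and the identity string in the sample invocation are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Signs one app bundle, verifies the
# signature, then asks Gatekeeper whether it would allow the app to launch.
# Set DRY_RUN=1 to print the commands instead of running them.

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '+'; printf ' %s' "$@"; printf '\n'   # show the command only
  else
    "$@"
  fi
}

# sign_and_check <path-to-app> <signing-identity>
# Returns 0 if signing, verification and the Gatekeeper assessment all pass,
# 2 on bad arguments, otherwise the exit status of the step that failed.
sign_and_check() {
  app=$1
  identity=$2
  [ -n "$app" ] && [ -n "$identity" ] || { echo "usage: sign_and_check APP IDENTITY" >&2; return 2; }
  [ -d "$app" ] || { echo "not an app bundle: $app" >&2; return 2; }

  # Same flags as the SuperTalk script; passing the path as its own
  # argument keeps spaces and shell metacharacters in it intact.
  run /usr/bin/codesign --verbose --force --deep --sign "$identity" "$app" || return $?

  # Verify the seal over the bundle and every nested component.
  run /usr/bin/codesign --verify --deep --strict -vvvv "$app" || return $?

  # Ask Gatekeeper's policy engine whether it would accept the app.
  run /usr/sbin/spctl --assess --type execute --verbose "$app" || return $?
}

# Sample invocation with placeholder values (constructed, not from the thread):
# sign_and_check "/path/to/MyStandalone.app" "Developer ID Application: Example Name (TEAMID)"
```

A non-zero status from the spctl step means the bundle is signed but Gatekeeper would still reject it, which codesign --verify alone does not reveal.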

Re: standalones and Gatekeeper

Post by hodger » Thu Nov 10, 2016 6:43 pm

Mark,

I appreciate the guidance and insight. Definitely helpful.

Thanks,
Greg
hodger
 
Posts: 32
Joined: Mon Jul 26, 2010 8:19 pm
