How to sign a Mac OS X application in Linux?

Question

For OS X, I distribute my Java application inside a DMG. Since Mountain Lion's release, opening the app gives the following error message:

[app name] is damaged and couldn't be opened. You should eject the disk image.

Apparently the fix is to sign the .app file so I read the Code Signing Guide . Everything seems to be straightforward apart from the important question of how to integrate this into my one-click build process .

Building my product on all platforms happens on my Linux development machine. I run an Ant script and the Windows installer, starter EXE, Linux installer, OS X application and DMG are all built. So I'd like to integrate code signing into this process.

Is there an equivalent of 'codesign' for Linux?

Answer 1

There is no documented way of code signing a Mac OS X application in Linux.

The only way I've found to do this so far is to SSH into a Mac and use that.

On the other hand, according to @Steve McLeod ( https://stackoverflow.com/a/55906962/28190 ) the installer package install4j does offer this:

Integrated code signing on Windows and Mac OS X . In the “General Settings” section, install4j now has a “Code signing” tab where you can configure code signing certificates for Windows and Mac OS X. Code signing will be applied to all launchers and installer applications in the corresponding media files. The implementations for code signing are cross-platform, so you can sign Windows and Mac OS X media files from a Linux build server, for example.

So it must be technically possible.

Answer 2

You could workaround this by only signing the JavaApplicationStub and info.plist of your application and exclude the "Resources" folder from signing. Then you'd have to change your build process to use the pre-signed container. Of course this is not the sense of codesigning but it will work ;-)

To achieve this, do the following steps:

• create your .app as usual
• move it to your mac
• create a file "ResourceRules.plist" with the following contents:

ResourceRules.plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>rules</key>
        <dict>
                <key>^Resources/</key>
                <false/>
                <key>^version.plist$</key>
                <true/>
        </dict>
</dict>
</plist>

• now sign with the following commands: CODESIGN_ALLOCATE="/Applications/Xcode.app/Contents/Developer/usr/bin/codesign_allocate" codesign -s "Certificate Name" --resource-rules ResourceRules.plist -fv MyApp.app

• Then delete everything in Resource and verify the signature (codesign -v -v MyApp.app). You will see that it's still valid

• Use the complete signed stub in your build process. You can change everything in Resources but you cannot change info.plist.

Answer 3

I use a product called install4j to create the DMG files for my app. It code signs the app correctly within the DMG file, and can do so from OS's other than macOS.

Warning though: install4j is not free software, and is actually quite pricey.