Download breaks OSX signature?

Question

I've just started signing my OSX desktop app so it can be installed on OSX 10.8 easily. I'm getting a really weird issue whereby the signing works fine and I can in install if the dmg is transferred to the Mac by DropBox or FTP but if the dmg is uploaded to a server then downloaded to the Mac using a browser the signature fails (the user sees the same error as if the file wasn't signed).

Background: The application is Java, signed using the .p12 from Apple in Install4J. Interestingly for an un-signed or downloaded DMG the error OSX 10.8 shows is really odd, it says the installer is "damaged" and should be un-mounted.

Anyone know why the signature would fail when the DMG is downloaded with a browser?

Answer 1

You are using the wrong certificate for signing. For signing install4j installers you need the Application ID certificate, not the Installer ID certificate.

Unfortunately, install4j 5.1.1 does not complain during compilation if the certificate chain is incomplete. install4j 5.1.2 will fix this.

Answer 2

Ingo has the correct answer but I wanted to note what helped to confuse the issue. It appears that GateKeeper won't check signatures when the installer is moved over using dropbox / ftp - only when they're downloaded using a browser (or perhaps also other select methods).

So it appeared the transport method made the difference, when in fact the signature never worked at all.

Answer 3

To clarify, I would like to add that the apple certificate to use is the "Developer ID Application" certificate. It can be exported on the Mac from Applications -> Utilities -> Keychain Access.