Question

Our company develops our application for both Mac OS X and Windows. We have an existing purchased code signing certificate from a non-Apple authority we use to ID our Windows installers. We distribute both our DMGs & MSIs through our own company website.

The code signing guide for Mountain Lion's new Gatekeeper feature seems to imply that a non-Apple issued standard certificate would work, though I could be misinterpreting what "third-party" means in this case:

Note: Apple uses the industry-standard form and format of code signing certificates. Therefore, if your company already has a third-party signing identity that you use to sign code on other systems, you can use it with the OS X codesign command...

Is it possible to use this non-Apple certificate, and if so, how could it be incorporated using the command line "codesign" command?


Solution

Other tips

No. The reason it will not work is: To pass through Gatekeeper, you need a code signing certificate which is signed with your Apple Developer ID. This is not the same as a regular code signing certificate issued to your company. Only Apple issues Apple Developer IDs. (Or at least, at the time of this writing.)

This is very confusing because:

  • The company we bought the code signing certificate from specifically claimed it works with MacOS. But what they meant was we could sign Apple code technically speaking. But passing Gatekeeper is different. (Unclear marketing to say the least.)

  • At this time, there are unclear Apple docs which talk about signing code with 3rd party certificates. Ex: https://developer.apple.com/library/mac/documentation/security/conceptual/CodeSigningGuide/Procedures/Procedures.html
    However, while you can sign the code, it does not pass Gatekeeper! Again, this may refer to either internal corporate application use, or it may just be out of date.

Gatekeeper only recognises Apple digital certificates. Windows only recognises Comodo, Verisign and a few other signing authorities. So you need to buy a Comodo (or similar) certificate for Windows and pay $99 per year for the Apple developer program so you can get an Apple certificate as well. It is rather annoying, to say the least.
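Added example (not part of the question or the answers above): a shell helper that reads the certificate chain printed by `codesign -dvv` and reports whether a bundle was signed with a Developer ID chain or with some other CA, which is the distinction both answers draw. The bundle name, company name, team ID and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Signing with any identity in the keychain (names below are constructed):
#   codesign --sign "Example Corp" MyApp.app
# Inspecting the result on a Mac (codesign writes this to stderr):
#   codesign -dvv MyApp.app 2>&1 | classify_chain
# Gatekeeper's own verdict, which is the authoritative check:
#   spctl --assess --type execute -vv MyApp.app

# Reads `codesign -dvv` output on stdin and prints one of:
#   developer-id  leaf, intermediate and root names match Apple's Developer ID chain
#   other-ca      signed, but by a different chain (e.g. a Windows code signing CA)
#   no-chain      no Authority= lines at all (unsigned or ad hoc signature)
# The Authority= values are display names only, so treat this as triage
# and confirm with spctl before shipping.
classify_chain() {
    awk -F= '
        $1 == "Authority" { n++; auth[n] = substr($0, 11) }
        END {
            if (n == 0) { print "no-chain"; exit }
            if (n == 3 &&
                auth[1] ~ /^Developer ID Application: / &&
                auth[2] == "Developer ID Certification Authority" &&
                auth[3] == "Apple Root CA") { print "developer-id"; exit }
            print "other-ca"
        }'
}

# Constructed sample: bundle signed with an Apple-issued Developer ID.
sample_devid() { cat <<'EOF'
Identifier=com.example.myapp
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
EOF
}

# Constructed sample: bundle signed with a certificate from a non-Apple CA.
sample_third_party() { cat <<'EOF'
Identifier=com.example.myapp
Authority=Example Corp
Authority=Example Code Signing CA
Authority=Example Root CA
EOF
}

for s in sample_devid sample_third_party; do
    printf '%s: %s\n' "$s" "$($s | classify_chain)"
done
```
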

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow