Mac OS X 10.8 Mountain Lion and Gatekeeper
-
- KVRian
- 614 posts since 7 Jan, 2009 from Gloucestershire
A typical thread ender.
Let's not discuss then.
OK I'll go along then, errm, (matrix) "welcome to your inevitability" or something.
Crap's sake.
.
-
- KVRian
- 882 posts since 24 Jun, 2002 from Berlin
for anyone who is staying with 10.68 and wants to sign their binaries without xcode4.2 here is how i am doing it...
previously i was making .mpkg installers using iceberg. These cannot be signed with productsign, so I switched to use Packages http://s.sudre.free.fr/Software/Packages/about.html
Code:
codesign -f -s "Developer ID Application: NAME" PATH_TO_BINARY
productsign --sign "Developer ID Installer: NAME" PATH_TO_UNSIGNED_PKG PATH_TO_SIGNED_PKG
I didn't actually test this on 10.7 yet but hopefully it's OK. Still not sure if i also need to sign .dmgs or plugin binaries
Last edited by hibrasil on Sat May 26, 2012 4:14 pm, edited 1 time in total.
- u-he
- 30191 posts since 8 Aug, 2002 from Berlin
hibrasil wrote: using iceberg. These cannot be signed with productsign
Gaaaaaaah!
Thanks for the link - does it work well?
-
- KVRAF
- Topic Starter
- 5632 posts since 18 Jul, 2002
Thanks a lot hibrasil!
DMGs are required to be signed. Plug-ins like Audio Units, VST or RTAS are not (yet, knock on wood).
Packages looks very similar to Apple's PackageMaker which I finally learnt to use, right? I'd keep using the latter, just for 10.8.
Fiddling with Automator made me discover that you can write an installer script without any code signing. Can't see much point in this certification thing when you are required to enter an admin password in the process.
Last edited by george on Tue May 22, 2012 4:57 pm, edited 1 time in total.
-
- KVRian
- 882 posts since 24 Jun, 2002 from Berlin
packages seems like an updated version of iceberg, which i like because it doesn't remove bundle icons like apple's packagemaker. Packages is really simple to use, but i think the pkg installers it makes will only work on 10.5> (not sure about that).
oli
-
- KVRAF
- Topic Starter
- 5632 posts since 18 Jul, 2002
Thanks, not a problem since all the products here require 10.5+. I think I will stick to PackageMaker if keeping icon bundles is the only advantage 
- KVRian
- 775 posts since 30 Nov, 2008
The REAL problem here is the implication that in the near future, you will have to agree to the terms of Apple's Developer Agreement in order to write software for OS X and iOS. This is without precedent.
This has dire consequences for open source. Someone cannot take DSP Filters Demo, modify it, recompile it, and distribute new binaries without agreeing to Apple's terms. Which include a $99 yearly fee.
My Open Source:
Beast, rippled, DSPFilters, LayerEffects, SimpleDJ
-
- KVRAF
- Topic Starter
- 5632 posts since 18 Jul, 2002
You can use Ctrl+Click (right click) > Open to bypass Gatekeeper. Not a big deal. I don't think Apple is forcing anyone to pay a $99 / year fee.
Also, one can do an Automator based installer to bypass Gatekeeper too.
-
- KVRist
- 39 posts since 7 Jan, 2011 from Burlington, VT, USA
hibrasil wrote: for anyone who is staying with 10.68 and wants to sign their binaries without xcode4.2 here is how i am doing it...
Code:
codesign -f -s "Developer ID Application: NAME" PATH_TO_BINARY
productsign --sign "Developer ID Installer: NAME" PATH_TO_UNSIGNED_PKG PATH_TO_SIGNED_PKG
Thanks, hibrasil. This is what I was going to add to the discussion - using the command line there's no need to go to Xcode 4 (yet). You only need Xcode 4 if you want the whole process integrated into the IDE. Most devs I know build releases from scripts anyway.
The other lingering question here that hasn't been totally answered yet is whether or not a signed thingamajig will work pre 10.7. I haven't found a clear cut answer other than people saying stuff on forums, but what I've heard is it'll work at least back to 10.5. It should definitely work on 10.6, since both codesign and productsign are in 10.6. As someone else pointed out, it doesn't seem like there's any technical reason it should break on any older version of OSX.
It's simple to be complicated, but complicated to be simple.
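Added example (not part of any post in this thread): the two commands quoted above wrapped as functions for a release script, with a verification step after each signature. The function names, the DRY_RUN switch and the return codes are made up for illustration; NAME and the paths are the same placeholders as above.

```shell
#!/bin/sh
# Added example, not from the thread. NAME and all paths are placeholders.
# DRY_RUN=1 prints each command instead of running it.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# have TOOL: true if TOOL can be invoked (always true in a dry run).
have() {
    [ "${DRY_RUN:-0}" = 1 ] || command -v "$1" >/dev/null 2>&1
}

# Step 1, before the package is built: sign the binary that goes into
# the payload, then check that the signature verifies.
# Returns 1 if signing fails, 2 if verification fails.
sign_binary() {
    name=$1; binary=$2
    run codesign -f -s "Developer ID Application: $name" "$binary" || return 1
    run codesign --verify --verbose "$binary" || return 2
    return 0
}

# Step 2, after the package is built from the signed payload: sign the
# installer and check the result.
# Returns 1 if signing fails, 2 if the package signature does not check
# out, 3 if Gatekeeper's policy rejects the package.
sign_pkg() {
    name=$1; unsigned_pkg=$2; signed_pkg=$3
    run productsign --sign "Developer ID Installer: $name" \
        "$unsigned_pkg" "$signed_pkg" || return 1
    run pkgutil --check-signature "$signed_pkg" || return 2
    # spctl ships only on systems that have Gatekeeper, so skip the
    # policy assessment when the build machine lacks it.
    if have spctl; then
        run spctl --assess --type install "$signed_pkg" || return 3
    fi
    return 0
}

# Usage from a release script:
#   sign_binary "NAME" PATH_TO_BINARY
#   (build PATH_TO_UNSIGNED_PKG here)
#   sign_pkg "NAME" PATH_TO_UNSIGNED_PKG PATH_TO_SIGNED_PKG
```

A non-zero return from either function says which step failed, so the release script can stop before an installer with a bad signature is uploaded.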
- KVRAF
- 5948 posts since 19 Jun, 2008 from Melbourne, Australia
"The other lingering question here that hasn't been totally answered yet is whether or not a signed thingamajig will work pre 10.7."
We (Camel Audio) have signed the installer for the v1.30 Alchemy update and yes it does work exactly the same on all prior versions of OS X that we support (10.5 onwards).
For anyone doubting why you should play Apple's game - it's entirely possible to bypass the check by using Right-click / Ctrl-click -> Open, but this is an extra layer of support emails (or FAQ text) between your users and a working installer.
Basically, there will almost certainly be an endless stream of support requests from Mac users if you don't sign the installer ...
Peace,
Andy.
Last edited by ZenPunkHippy on Thu May 31, 2012 11:06 pm, edited 1 time in total.
... space is the place ...
-
AdmiralQuality
- Banned
- 6657 posts since 10 Oct, 2005 from Toronto, Canada
ZenPunkHippy wrote: it's entirely possible to bypass the check by using the Alt-double-click trick
Macs have ALT keys now?
My favorite Mac-key was always "Unpronounceable symbol, the key formerly known as ALT." Unfortunately they went and added the word "Command" on it which really takes all the WTF? fun out of it.
- KVRAF
- 5948 posts since 19 Jun, 2008 from Melbourne, Australia
Err ... I was holding it wrong 
... space is the place ...
-
- KVRist
- 39 posts since 7 Jan, 2011 from Burlington, VT, USA
This is a great story about that if you haven't read it:
http://folklore.org/StoryView.py?story= ... ground.txt
Folklore is one of my favorite sites on all of the internets
Chris
It's simple to be complicated, but complicated to be simple.
-
AdmiralQuality
- Banned
- 6657 posts since 10 Oct, 2005 from Toronto, Canada
inharmonicity wrote: This is a great story about that if you haven't read it:
http://folklore.org/StoryView.py?story= ... ground.txt
Folklore is one of my favorite sites on all of the internets
Chris
Yeah, I've heard that as well, that "unpronounceable squiggle" meant and should be called "Feature". Which made it all the more confusing when they labelled it "Command". Man, I hate hieroglyphics. What did I spend the first 4 years of my life learning to read for?
Of course, we've had a "Windows key" for quite some time now as well. Though I've never used it. (Indeed, I used to physically remove it from keyboards as accidentally bumping it would pop you out of game!) Ctrl-Esc still works just fine for "show me the taskbar". AFAIK, the Mac doesn't have any alternate for the "Apple key".
- u-he
- 30191 posts since 8 Aug, 2002 from Berlin
We've been busy otherwise, but what's the word on signing AUs/VSTs? - Just installer or also binaries?


