Digitally sign a standalone on Mac with an Apple Developer ID

Alex_k

I've recently created a standalone and noticed that on some Macs (Mavericks and Yosemite) the app doesn't open smoothly.

The system gives "damaged application" messages, and I also discovered that the issue is due to the fact that it isn't signed with an Apple Developer ID.

I don't need to put my app on the App Store; I just wanted to know the shortest way to sign it with Xcode (I suppose) and overcome this security settings issue.

I'm aware that it can be solved by changing the security settings to allow non-official developers, but I can't ask that of my end users.

Nikolas K

Hi Alex,

If you search the forums for "Max Standalones on the App Store" you will find an article and a big thread, both with plenty of hints and instructions about signing your standalone. They are a bit outdated, but helpful nonetheless.

You can sign the standalone from the terminal.

Do you have a developers account on apple?

I haven't heard of a "damaged application" message because of an unsigned app. It doesn't open it and it informs you about that, but no errors (at least as far as I know).

Jean-Francois Charles

It seems that Flash projectors, when not signed, are reported as damaged. Is the question about an M4L device?

Alex_k

Hi Nikolas,

thanks for your reply.
It seems that Apple has introduced more security measures starting from Mavericks. If you open System Preferences > Security & Privacy, you will see that "Allow apps downloaded from" is set to "Mac App Store and identified developers". That's why I want to sign the app.

I've seen the article you mentioned, but I was wondering if I can just sign the app without following the App Store guidelines, since I don't really need to put it there.

Yes, I have opened a developer account with Apple and downloaded Xcode. But would something like this be enough to sign the app? Is it that simple?
I'm new to that.
Ex: codesign -f -s "Developer ID Application: Primus, Inc." -v --deep /abs/path/to/my/app/PorkSoda.app

@Jean-Francois No, it's just a standalone App.

Nikolas K

@Alex_k you have some work to do!
For a standalone to be signed, if I remember correctly, you must sign all the frameworks, mxo, mxf and generally almost all files in the standalone, then sign the .app like in the example you gave.

You probably have seen the way to sign the frameworks if you look the other topic, but just in case:
codesign -f -s "Developer ID Application: Primus, Inc." -v --deep /abs/path/to/my/app/PorkSoda.app/Contents/Frameworks/*******.framework/Versions/A

The rest of the files just need the absolute path, like:
codesign -f -s "Developer ID Application: Primus, Inc." -v --deep /abs/path/to/my/app/PorkSoda.app/Contents/Resources/C74/extensions/max/clang.mxo

Also, if you sign your app, I think you have to sign the .app with entitlements so it can read/write on disk and stuff like that. I had a standalone signed and all, but I missed an entitlement and the app couldn't write to disk. On my Mac it worked fine because I was the admin, so test the app on another Mac where you are not an administrator.
Take a look at the article's comments; there is extra info there and in the topic that was created, and somewhere there is an entitlements sample. Here you can see the available entitlements.

It might look too much, but you will figure it out. It is just repeating stuff.

Nik

Alex_k

@Nikolas K Thanks for the help!

I have seen this comment: "1. Starting in OS 10.9, the codesign command now has a "--deep" option available. This will automatically handle signing all those "Max frameworks, audio drivers, midi drivers and/or extensions" included inside your app bundle. This cuts out a good chunk of work in tracking all those includes, and having to run a separate command for each.
Ex: codesign -f -s "Developer ID Application: Primus, Inc." -v --deep /abs/path/to/my/app/PorkSoda.app"

So, to recap, the two command lines with the --deep flag enabled that you posted should be enough to sign all the main files, right?

Then there are the entitlements: they look quite complex, as I'm new to this. Let's say I want the app to be able to read/write anywhere on the user's Mac, even through a network drive. Which is the correct codesign command to enable that?

Thanks again.

Nikolas K

Well, just signing the .app with the --deep flag might do it for the app to open without changing the System Preferences > Security & Privacy settings. I had in mind signing the app for the App Store, where entitlements are necessary.

I ran through the "max standalone crash on mac 10.8.2 after codesigning with entitlements" thread again, and as I understand it, if you don't use entitlements at all, it should be fine on other machines.
Unfortunately, I haven't got my Mac at the moment (on Windows now...), so I can't send you an entitlements sample file.
The thread I mentioned has the most information about it though.

Generally, to add entitlements, you create an entitlements file (in the thread above I think there is a sample...) and the codesign command has a --entitlements flag (that's with a double dash "--", like the --deep flag), used like this:

codesign -f -s "Developer ID Application: Primus, Inc." --entitlements /abs/path/to/my/entitlements/file/PorkSoda.entitlements -v --deep /abs/path/to/my/app/PorkSoda.app

As far as I know there is no need to name the .entitlements the same as your app, but I do it for organization! Also, there is no need to include the .entitlements somewhere in the .app bundle, just do the codesigning of the .app with it.

Again, you should try first without any entitlements to see if it works OK on other machines.
If you add entitlements, that means that you enable the app sandboxing which stops the app from accessing almost anything without the corresponding entitlement enabled. If the app opens without alerts and works fine on other machines without entitlement signing, just forget about them!!

About the disk writing, generally every app has full access (read/write) to the "~/Library/Application Support/AppName" folder. It is created once the app is first launched. There are a couple more places, but I don't remember them now; they are mentioned in the "Your Max Standalone on Mac App Store" article.
I don't think there is any entitlements letting read/write wherever you want, so better try without it.

Anyway, sorry for the big post and for the non-specific answer, but as far as it goes for Max standalones, it's trial and error for now.

Nikolas
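
The two procedures discussed in this thread (sign the frameworks, mxo and mxf files and then the .app, from Nikolas K's earlier post, and optionally attach an entitlements file to the .app, from the post above) as one added shell script. This is example code written for this page, not code from the thread or from Cycling '74. The bundle layout, the identity string "Developer ID Application: Primus, Inc." and the file names are placeholders taken from the thread; the entitlements file is a constructed sample. Two practitioner points the thread leaves implicit: Apple's guidance is to sign nested code individually, inside-out, rather than rely on --deep (which only finds code in standard locations), and App Sandbox is turned on specifically by the com.apple.security.app-sandbox key, not by the presence of an entitlements file as such.

```shell
#!/bin/sh
# Added example (not from the thread or from Cycling '74): sign a Max standalone
# inside-out with a Developer ID identity, optionally attach an entitlements file
# to the outer .app only, then verify the result. Paths, the identity string and
# the file names are placeholders taken from the thread, not real values.
set -eu

# Point CODESIGN at a stub script to dry-run the flow on a machine without codesign.
CODESIGN="${CODESIGN:-codesign}"

# Print every piece of nested code in the bundle, deepest path first, so each
# item is signed before the bundle that contains it (Apple's inside-out order;
# --deep alone only finds code in standard locations and is not a substitute).
list_nested_code() {
    find "$1/Contents" \( -name '*.framework' -o -name '*.mxo' -o -name '*.mxf' \
                         -o -name '*.bundle' -o -name '*.dylib' \) -print \
        | awk -F/ '{ print NF "\t" $0 }' | sort -rn | cut -f2-
}

# sign_one <path> <identity> [entitlements.plist]
# --force replaces any existing signature; --timestamp has Apple's timestamp
# server countersign so the signature stays valid after the certificate expires
# (needs network access; drop it for a purely offline dry run).
sign_one() {
    if [ $# -ge 3 ] && [ -n "$3" ]; then
        "$CODESIGN" --force --sign "$2" --timestamp --entitlements "$3" --verbose "$1"
    else
        "$CODESIGN" --force --sign "$2" --timestamp --verbose "$1"
    fi
}

# write_entitlements <out.plist>: constructed sample. The app-sandbox key is the
# one that actually turns App Sandbox on; a file without it does not sandbox the
# app. The second key lets a sandboxed app read/write files the user picks in an
# open/save panel; App Sandbox has no general "anywhere on disk" entitlement.
write_entitlements() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.security.app-sandbox</key>
	<true/>
	<key>com.apple.security.files.user-selected.read-write</key>
	<true/>
</dict>
</plist>
EOF
}

# sign_bundle <App.app> <identity> [entitlements.plist]
# Nested code gets a plain signature; entitlements apply to the outer .app only.
sign_bundle() {
    app="$1"; identity="$2"; ent="${3:-}"
    list_nested_code "$app" | while IFS= read -r item; do
        sign_one "$item" "$identity"
    done
    sign_one "$app" "$identity" "$ent"
}

# verify_bundle <App.app>: non-zero exit if any seal is broken (--strict applies
# the stricter checks newer Gatekeeper versions use) or if Gatekeeper would
# refuse to launch the app under "Mac App Store and identified developers".
verify_bundle() {
    "$CODESIGN" --verify --deep --strict --verbose=2 "$1"
    spctl --assess --type execute --verbose "$1"
}

# Typical use on a Mac with the Developer ID certificate in the login keychain:
#   sign_bundle /abs/path/to/PorkSoda.app "Developer ID Application: Primus, Inc."
#   verify_bundle /abs/path/to/PorkSoda.app
# Only if the app must run sandboxed:
#   write_entitlements PorkSoda.entitlements
#   sign_bundle /abs/path/to/PorkSoda.app "Developer ID Application: Primus, Inc." PorkSoda.entitlements
```

Run verify_bundle on a second Mac (ideally a non-admin account, as suggested above) before shipping: the spctl assessment is the same check Gatekeeper performs, so a "rejected" there means users will see the warning. On macOS 10.15 and later, Gatekeeper additionally expects Developer ID apps to be notarized; the signing steps above are the prerequisite for that, not a replacement.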

Alex_k

Thank you so much for the insightful post, Nikolas!

Alex