How to sign a Mac OS X application on Linux?

For OS X, I distribute my Java application inside a DMG. Since Mountain Lion's release, opening the app gives the following error message:

[app name] is damaged and couldn't be opened. You should eject the disk image.

Apparently the fix is to sign the .app file so I read the Code Signing Guide. Everything seems to be straightforward apart from the important question of how to integrate this into my one-click build process.

Building my product on all platforms happens on my Linux development machine. I run an Ant script and the Windows installer, starter EXE, Linux installer, OS X application and DMG are all built. So I'd like to integrate code signing into this process.

Is there an equivalent of 'codesign' for Linux?

asked Jul 31 '12 at 09:07

3 Answers

I use a product called install4j to create the DMG files for my app. It code signs the app correctly within the DMG file, and can do so from OSes other than macOS.

Warning though: install4j is not free software, and is actually quite pricey.

answered Apr 29 '19 at 16:04

There is no documented way of code signing a Mac OS X application in Linux.

The only way I've found to do this so far is to SSH into a Mac and use that.

On the other hand, according to @Steve McLeod (https://stackoverflow.com/a/55906962/28190) the installer package install4j does offer this:

Integrated code signing on Windows and Mac OS X. In the “General Settings” section, install4j now has a “Code signing” tab where you can configure code signing certificates for Windows and Mac OS X. Code signing will be applied to all launchers and installer applications in the corresponding media files. The implementations for code signing are cross-platform, so you can sign Windows and Mac OS X media files from a Linux build server, for example.

So it must be technically possible.

answered Apr 29 '19 at 19:04

This is the best I've found so far. If someone knows how to do this in Linux I'll award the answer their way... - Dan Gravel

The problem is that we are getting the error "User interaction is not allowed." when invoking the codesign tool via SSH. :( - palabra

Maybe something to do with the keys installed in your OS X instance? Sorry, can't be much more help than that. - Dan Gravel

Probably the keychain needs to be unlocked before: security unlock-keychain - mstrap
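
The SSH route from the answer and comments above, written out as an added example (not code from any of the posters): it copies the bundle to a Mac, unlocks a keychain before calling codesign as mstrap's comment suggests, verifies the signature and copies the bundle back. MAC_HOST, the signing/ directory, build.keychain and the password file are assumptions, and "Certificate Name" is a placeholder identity.

```shell
#!/bin/sh
# Added example. Assumed names: MAC_HOST, the signing/ directory on the Mac,
# build.keychain and the password file; "Certificate Name" is a placeholder.
MAC_HOST="${MAC_HOST:-builder@mac-mini.example}"
KEYCHAIN="${KEYCHAIN:-build.keychain}"
IDENTITY="${IDENTITY:-Certificate Name}"

# Single-quote a value so the Mac's shell sees it as one word.
shquote() { printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"; }

# Print the command line that runs on the Mac; $1 = remote path of the .app.
# The keychain password is read from stdin there, so it never appears in
# argv on the Linux host. On the Mac, -p does expose it briefly in the
# process list, so use a dedicated keychain holding only the signing identity.
remote_sign_cmd() {
    app=$(shquote "$1"); kc=$(shquote "$KEYCHAIN"); id=$(shquote "$IDENTITY")
    printf '%s && ' 'IFS= read -r pw'
    # Unlock first: the suggested fix for "User interaction is not allowed."
    printf 'security unlock-keychain -p "$pw" %s && ' "$kc"
    printf 'codesign --keychain %s -s %s -fv %s && ' "$kc" "$id" "$app"
    printf 'codesign -v -v %s; rc=$?; ' "$app"
    # Always re-lock, then report the sign/verify status to the build.
    printf 'security lock-keychain %s; exit $rc\n' "$kc"
}

# $1 = local .app bundle, $2 = file whose first line is the keychain password.
sign_on_mac() {
    name=$(basename "$1")
    ssh "$MAC_HOST" 'mkdir -p signing' &&
    rsync -a --delete "$1/" "$MAC_HOST:signing/$name/" &&
    ssh "$MAC_HOST" "$(remote_sign_cmd "signing/$name")" < "$2" &&
    rsync -a "$MAC_HOST:signing/$name/" "$1/"
}

# Usage from the build script: sign_on_mac dist/MyApp.app ~/.keychain_pw
```

Keep the password file readable only by the build user, and build the DMG after signing, since the signature has to survive that step.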

You could work around this by only signing the JavaApplicationStub and info.plist of your application and exclude the "Resources" folder from signing. Then you'd have to change your build process to use the pre-signed container. Of course this is not the sense of codesigning but it will work ;-)

To achieve this, do the following steps:

  • create your .app as usual
  • move it to your mac
  • create a file "ResourceRules.plist" with the following contents:


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  • now sign with the following commands:

CODESIGN_ALLOCATE="/Applications/Xcode.app/Contents/Developer/usr/bin/codesign_allocate" codesign -s "Certificate Name" --resource-rules ResourceRules.plist -fv MyApp.app

  • Then delete everything in Resource and verify the signature (codesign -v -v MyApp.app). You will see that it's still valid

  • Use the complete signed stub in your build process. You can change everything in Resources but you cannot change info.plist.

answered 08 Nov, 12:08

BTW, how do you build the dmg files on linux? - miguel wyraz

Ha! well that's another story. Originally I used hfsutils (see blog.serverhorror.com/2011/02/26/… ). However, since then I discovered hfsutils writes the DMG incorrectly to maintain the signed application (worked through a ticket with Apple support which concluded this). I've since had to change my build to ssh to a Mac Mini and create the DMG there. - Dan Gravel

Does this actually help with e.g. Avoiding Gatekeeper warnings? - Malcolm MacLeod
