Code Signing for dummies (i.e. me)

Hi All,

I write and distribute applications within my company, either as Applescript (Script Debugger) application bundles or Xcode ApplescriptObjC applications.

We don’t really have a policy on Gatekeeper. As a default the setting is probably left as the middle one (App Store and Identified Developers) but some machines have been set to allow from all.

Anecdotally, it seems as though if I distribute them across the network (over mounted servers) they work OK. If they are sent via email or over HTTP (via curl download from our web server) they fall foul on the Gatekeeper machines set to middle setting.

I have tried to read up about Code Signing but don’t really get it. I do not intend to distribute the applications outside of our company as they probably rely 100% on internal IP addresses etc. They are purely for our company. Do I still have to sign up for a $99 (or $299 enterprise) fully fledged Apple Developer ID just to be able to run my applications internally?

I am working on a system for distributing and updating apps easily so I need to tackle this issue now

Thanks for your insight

Ian

You are correct that it only happens with app distributed by email or the Web. And even if Gatekeeper is set to the middle setting, control-click Open lets users run them anyway. So from a practical point of view, there’s not a big need – unless you use GUI scripting, or script things like Contacts that need validation.

However, depending on your company, the reassurance that people are running the code as you intended might be worth a lot more than convenience. And it’s not just a question of code being tampered with in transit – it’s about eliminating the risk of apps being used as attack vectors.

You certainly don’t need to be involved in the enterprise program; that’s for distributing iOS stuff.

Code sign. It’s really not difficult, especially with changes coming down the line in macOS Sierra.

Once you’ve signed up, go and watch some of the WWDC videos at developer.apple.com for more information. https://developer.apple.com/videos/play/wwdc2016/401/ is especially relevant.

Signing from the command line is just as easy (if you are creating installer packages, say), using productsign:

productsign --sign 'Developer ID Installer: Acme,Inc' /Users/bob/Documents/com.acme.gizmo-V1.0.pkg /Users/bob/Documents/com.acme.gizmo-V1.0-signed.pkg

I’d also consider looking at Managing your Macs too, at the very least, to set the gatekeeper preferences. This isn’t as difficult as you’s expect and can be done using nothing more than Mac OS X server and profile manager

I concur with Shane’s comments also. There’s not a single company in the world that doesn’t have something to protect.

Thanks for the information and links both of you. Looks like it’s going to get a bit easier with Xcode 8 and Script Debugger 6

Ian

FWIW, it’s pretty easy with Xcode 7, too, if you’re just signing apps.