AW: Re: Codesigning standalones for Mac OS 10.9.5

[Paul Dupuis]

On 10/9/2014 8:25 PM, David Beck wrote:
> Does anybody know what the status is with codesigning standalones built for
> Mac OS in a way that works with OS 10.9.5? I have not been able to find a
> definitive answer. I take it this article is out of date?
>
> http://revolution.screenstepslive.com/s/revolution/m/10695/l/112989
>
> Has anybody had success and if so can you please share how you've done it?
>
> Thank you!!
>
> David Beck
>
We have successfully code signed a LiveCode standalone under OSX
Mavericks 10.9.5 with a v2 signature such that our application is
recognized as an "identified developer" under both 10.9.5 and 10.8.5
with "Security Update 2014-004 1.0" (see
http://support.apple.com/kb/HT1222) and earlier versions of OSX (10.9.4
and below, 10.8.5 without "Security Update 2014-004 1.0" and earlier
10.8 versions, 10.7.x and 10.6.x), all where the user has their System
Preferences > Security set to "Mac App Store and Identified Developers"
(the default for Mountain Lion and Mavericks)

We did this by using "App Wrapper 2.5" from Ohanaware
(http://www.ohanaware.com/appwrapper/). We selected App Wrapper based on
a post on the Use-Livecode email mailing list from Tiemo Hollmann. He
provided the following steps:

1. Buy a developer codesigning certificate at Apple
2. Start App Wrapper
3. Drag an unsigned app onto App Wrapper
4. Go to TAB "Package"
5. Check the "Codesign" checkbox
6. Choose your developer certificate
7. Don't choose any of the options below
8. Choose "Wrap to" folder and click "Wrap" at topright

Initially App Wrapper would not successfully sign under 10.9.5. We
encounter the following issues:

1. On the "Package" tab, when the Codesign check box was selected none
of our Certificates showed up (the popup list of certificates to sign
with was empty). We have downloaded our certificated from our Apple
Developer Account and installed them into the Key Chain under 10.9.5.
None the less, they still were not showing up. Looking at our Key Chain
under 10.8.5 (where we had been signing our standalones) we noticed that
our certificates were listed BOTH under the "My Certificates" category
and "Certificates" category. Under 10.9.5 they were only listed under
the "Certificates" category.

We selected all our certificates in the "My Certificates" category of
our Key Chain under 10.8.5 and exported them into a single .p12 file. We
moved that file to 10.9.5 and imported them into our Key Chain under
10.9.5. Now all our certificates appeared both under the "My
Certificates" and "Certificates" category in the Key Chain under 10.9.5
and under the certificate popup menu on the Package tab in App Wrapper.

2. With the certificates in place we attempted to code sign our
standalone under 10.9.5 buy got warning that the code sign was
"rejected". Under App Wrapper Preferences... with discovered a popup
menu that was by default set to "App Wrapper Code Sign Engine 2.0" that
offered another option "Mavericks Code Sign Engine". Switching this
popup to the "Mavericks Code Sign Engine" then allowed us to
successfully sign our application.

NOTE: It has been reported that codesigning under 10.9.5 will also fail
if your standalone contains bundles (externals) with manifest files
(text files in the .bundle 'folders' that list the contents of the
bundle and that some people have had success by removing these manifest
files. Our standalone had NO externals and hence no manifest file for us
to remove.