30

Our company develops our application for both Mac OS X and Windows. We have an existing purchased code signing certificate from a non-Apple authority we use to ID our Windows installers. We distribute both our DMGs & MSIs through our own company website.

The code signing guide for Mountain Lion's new Gatekeeper feature seems to imply that a non-Apple issued standard certificate would work, though I could be misinterpreting what "third-party" means in this case:

Note: Apple uses the industry-standard form and format of code signing certificates. Therefore, if your company already has a third-party signing identity that you use to sign code on other systems, you can use it with the OS X codesign command...

Is it possible to use this non-Apple certificate, and if so, how could it be incorporated using the command line "codesign" command?

Christopher Bradshaw
  • 2,615
  • 4
  • 24
  • 38
GNat
  • 475
  • 1
  • 6
  • 9
  • Having the same situation. Tried using our pre-existing certificates, the signing worked, but the Gatekeeper still blocking the launch. – sereda Aug 13 '12 at 14:19
  • Same as @sereda. I think it's something to do with setting up the plist.info file. I got started with this, but it's not enough to pass Gatekeeper: http://www.digicert.com/code-signing/mac-os-codesign-tool.htm I am now reading this doc from Apple: https://developer.apple.com/library/mac/documentation/security/conceptual/CodeSigningGuide/Procedures/Procedures.html Still working on the issue, but I hope this helps. – SilentSteel Jun 03 '14 at 22:24
  • Update: No, it won't work. – SilentSteel Jun 16 '14 at 16:11

3 Answers3

22

Cannot take credit for this, but the blunt answer is:

NO

I just spent a good three days converting certificates and searching the internets to find these:

http://successfulsoftware.net/2012/08/30/how-to-sign-your-mac-os-x-app-for-gatekeeper/ http://www.panic.com/blog/2012/02/about-gatekeeper/ http://arstechnica.com/apple/2012/02/developers-gatekeeper-a-concern-but-still-gives-power-users-control/

Agent86
  • 424
  • 4
  • 7
15

No. The reason it will not work is: To pass through GateKeeper, you need a code signing certificate which is signed with your Apple Developer ID. This is not the same as a regular code signing certificate issued to your company. Only Apple issues Apple Developer IDs. (Or at least, at the time of this writing.)

This is very confusing because:

  • The company we bought the code signing certificate from specifically claimed it works with MacOS. But what they meant was we could sign Apple code technically speaking. But passing GateKeeper is different. (Unclear marketing to say the least.)

  • At this time, there are unclear Apple docs which talk about signing code with 3rd party certificates. Ex: https://developer.apple.com/library/mac/documentation/security/conceptual/CodeSigningGuide/Procedures/Procedures.html
    However, while you can sign the code, it does not pass GateKeeper! Again, this may refer to either internal corporate application use, or it may just be out of date.

SilentSteel
  • 2,344
  • 1
  • 28
  • 28
10

Gatekeeper only recognises Apple digital certificates. Windows only recognises Comodo, Verisign and a few other signing authorities. So you need to buy a Comodo (or similar) certificate for Windows and pay $99 per year for the Apple developer program so you can get an Apple certificate as well. It is rather annoying, to say the least.

Andy Brice
  • 2,297
  • 1
  • 21
  • 28