I am having trouble producing a signed app bundle for OS X with Install4j 6. I have read the blog entry at http://blog.ej-technologies.com/2014/09/the-v2-signature-scheme-for-application.html and it led me to believe that it is not possible to create a signed installer app (my client requires a few steps, including agreeing to a license) that installs a signed app.
Example:
The problem here is that if I use a Single Bundle Installer, only the 'Install MyApplication.app' (the installer) is signed. I can verify this with spctl.
$ spctl -a -v /Volumes/<VOLNAME>/Install\ MyApplication.app
/Volumes/<VOLNAME>/Install MyApplication.app: accepted
source=Developer ID
The problem is, the app bundle itself is not signed, and I'm getting the annoying firewall popup, because the app has to open a TCP port.
$ spctl -a -v /Applications/My\ Application.app
/Applications/My Application.app: rejected
source=no usable signature
So what I did is convert it to a Single Bundle Archive. What I then do is open the DMG, and drag the MyApplication.app to the /Applications folder. But then spctl still complains:
$ spctl -a -v /Applications/My\ Application.app
/Applications/My Application.app: a sealed resource is missing or invalid
Can anyone point me in the right direction? How do I fix that issue? And is it completely impossible to have a signed installer (i.e. something with a GUI wizard) that extracts a signed app bundle? Why does it need to modify the bundle anyway when installing it?
> The problem here is that if I use a Single Bundle Installer, only the 'Install MyApplication.app' (the installer) is signed
That is correct. It's technically not possible otherwise since there are variable runtime files in a contained directory (.install4j) that will break the signature. We would not add this media file type today, but we obviously cannot remove it.
It will get past Gatekeeper, but if you need a signed application bundle, you have to use the single bundle archive or the folder installer.
> So what I did is convert it to a Single Bundle Archive. What I then do is open the DMG, and drag the MyApplication.app to the /Applications folder. But then spctl still complains:
That should not happen. Something must have modified a file in between. Try to sign a different installer like the "hello world" sample and check what happens in that case.
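One way to find which file was changed after signing, as an added example that is not part of the thread or of install4j: it compares the files on disk with the hashes recorded in the bundle's Contents/_CodeSignature/CodeResources plist. The function names and the sample bundle are constructed for illustration; it assumes the usual `files2` table with `hash2` (SHA-256) or `hash` (SHA-1) entries, does not evaluate the `rules2` section (so files added to the bundle are not reported), and does not check the signature itself.

```python
import hashlib
import plistlib
import tempfile
from pathlib import Path

def _expected(entry):
    """Return (hash name, digest) for a plain-file entry, else None."""
    if isinstance(entry, dict):
        for key, algo in (("hash2", "sha256"), ("hash", "sha1")):
            if key in entry:
                return algo, entry[key]
    return None  # symlink, nested code (cdhash) or unknown form

def check_sealed_resources(bundle):
    """Map each sealed file that no longer matches to 'missing' or 'modified'."""
    contents = Path(bundle) / "Contents"
    with open(contents / "_CodeSignature" / "CodeResources", "rb") as fh:
        sealed = plistlib.load(fh).get("files2", {})
    problems = {}
    for rel, entry in sealed.items():
        expected = _expected(entry)
        if expected is None:
            continue
        path = contents / rel  # assumption: keys are relative to Contents/
        if not path.is_file():
            if not entry.get("optional"):
                problems[rel] = "missing"
        elif hashlib.new(expected[0], path.read_bytes()).digest() != expected[1]:
            problems[rel] = "modified"
    return problems

def demo():
    """Seal a constructed sample bundle, then tamper with it."""
    contents = Path(tempfile.mkdtemp()) / "Sample.app" / "Contents"
    (contents / "Resources").mkdir(parents=True)
    (contents / "_CodeSignature").mkdir()
    files = {"Resources/app.cfg": b"port=8080\n", "Resources/icon.icns": b"icns"}
    for rel, data in files.items():
        (contents / rel).write_bytes(data)
    seal = {"files2": {r: {"hash2": hashlib.sha256(d).digest()} for r, d in files.items()}}
    with open(contents / "_CodeSignature" / "CodeResources", "wb") as fh:
        plistlib.dump(seal, fh)
    before = check_sealed_resources(contents.parent)
    (contents / "Resources" / "app.cfg").write_bytes(b"port=9090\n")  # rewritten
    (contents / "Resources" / "icon.icns").unlink()                   # removed
    return before, check_sealed_resources(contents.parent)

if __name__ == "__main__":
    print(demo())
```

On the Mac itself, `codesign --verify --deep --strict --verbose=2` on the installed bundle performs the full check and names the offending file.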