Tags: macos, code-signing, install4j

Code signing app bundle on OS X with Install4j 6, sealed resource is missing or invalid


I am having trouble producing a signed app bundle for OS X with Install4j 6. I have read the blog entry at http://blog.ej-technologies.com/2014/09/the-v2-signature-scheme-for-application.html and it led me to believe that it is not possible to create a signed installer app (my client requires a few steps, including agreeing to a license) that installs a signed app.

Example:

  1. User downloads MyApplication.dmg
  2. User mounts it in Finder and clicks on "Install MyApplication.app"
  3. User follows instructions in installer and application bundle ends up in /Application/MyApplication.app

The problem here is that if I use a Single Bundle Installer, only the 'Install MyApplication.app' (the installer) is signed. I can verify this with spctl.

$ spctl -a  -v /Volumes/<VOLNAME>/Install\ MyApplication.app
/Volumes/<VOLNAME>/Install MyApplication.app: accepted
source=Developer ID

The problem is, the app bundle itself is not signed, and I'm getting the annoying firewall popup, because the app has to open a TCP port.

$ spctl -a  -v /Applications/My\ Application.app
/Applications/My Application.app: rejected
source=no usable signature

So what I did is convert it to a Single Bundle Archive. What I then do is open the DMG, and drag the MyApplication.app to the /Applications folder. But then spctl still complains:

$ spctl -a  -v /Applications/My\ Application.app
/Applications/My Application.app: a sealed resource is missing or invalid

Can anyone point me in the right direction? How do I fix that issue? And is it completely impossible to have a signed installer (i.e. something with a GUI wizard) that extracts a signed app bundle? Why does it need to modify the bundle anyway when installing it?


Solution

  • > The problem here is that if I use a Single Bundle Installer, only the 'Install MyApplication.app' (the installer) is signed

    That is correct. It's technically not possible otherwise since there are variable runtime files in a contained directory (.install4j) that will break the signature. We would not add this media file type today, but we obviously cannot remove it.

    It will get past Gatekeeper, but if you need a signed application bundle, you have to use the single bundle archive or the folder installer.

    > So what I did is convert it to a Single Bundle Archive. What I then do is open the DMG, and drag the MyApplication.app to the /Applications folder. But then spctl still complains:

    That should not happen. Something must have modified a file in between. Try to sign a different installer like the "hello world" sample and check what happens in that case.
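The answer says a file must have been modified after signing. The "sealed resource" error comes from the seal in Contents/_CodeSignature/CodeResources, a plist that records a SHA-256 hash (the hash2 entry under files2) for every sealed resource in the bundle; any resource that is changed, deleted or added after signing breaks it. The script below is an added illustration, not part of the question, the answer or install4j: it builds a constructed stand-in bundle in a temporary directory with a matching seal, recomputes the hashes, and reports which resources drifted. It assumes, as a simplification, that every regular file under Contents/Resources is sealed; real bundles also carry rules2, optional entries, symlinks and nested code that codesign evaluates and this script does not. On a real machine, `codesign --verify --deep --strict --verbose=2 /Applications/My\ Application.app` prints the same kind of "file modified" / "file missing" / "file added" diagnosis.

```python
import hashlib
import plistlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """SHA-256 digest of a file, read in chunks (the hash2 form used in CodeResources)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.digest()


def load_seal(bundle):
    """Read sealed resource hashes from Contents/_CodeSignature/CodeResources.

    files2 maps paths relative to Contents/ (e.g. 'Resources/app.icns') to a dict
    whose 'hash2' value is the SHA-256 digest. Assumption: rules2, 'optional'
    entries and nested code are ignored here.
    """
    seal_path = Path(bundle) / "Contents" / "_CodeSignature" / "CodeResources"
    with open(seal_path, "rb") as f:
        plist = plistlib.load(f)
    return {rel: entry["hash2"] for rel, entry in plist["files2"].items()}


def check_seal(bundle):
    """Compare the seal with what is actually on disk under Contents/Resources."""
    bundle = Path(bundle)
    sealed = load_seal(bundle)
    contents = bundle / "Contents"
    present = {}
    for p in (contents / "Resources").rglob("*"):
        if p.is_file():
            present[str(p.relative_to(contents))] = sha256_file(p)
    return {
        "missing": sorted(r for r in sealed if r not in present),
        "modified": sorted(r for r in sealed if r in present and present[r] != sealed[r]),
        "added": sorted(r for r in present if r not in sealed),
    }


def make_demo_bundle(root):
    """Constructed sample bundle: two resources plus a CodeResources seal that covers them."""
    res = Path(root) / "Demo.app" / "Contents" / "Resources"
    res.mkdir(parents=True)
    (res / "app.icns").write_bytes(b"icon-bytes")
    (res / "config.xml").write_bytes(b"<config/>")
    sig = Path(root) / "Demo.app" / "Contents" / "_CodeSignature"
    sig.mkdir()
    files2 = {f"Resources/{p.name}": {"hash2": sha256_file(p)} for p in res.iterdir()}
    with open(sig / "CodeResources", "wb") as f:
        plistlib.dump({"files2": files2}, f)
    return Path(root) / "Demo.app"


def demo():
    """Seal an intact bundle, then simulate a post-install step touching its resources."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle = make_demo_bundle(tmp)
        intact = check_seal(bundle)
        # Simulated drift: a config rewritten, an icon removed, a log file dropped in.
        (bundle / "Contents" / "Resources" / "config.xml").write_bytes(b"<config installed='1'/>")
        (bundle / "Contents" / "Resources" / "app.icns").unlink()
        (bundle / "Contents" / "Resources" / "install.log").write_bytes(b"ok")
        broken = check_seal(bundle)
    return intact, broken


if __name__ == "__main__":
    before, after = demo()
    print("intact bundle:", before)
    print("after drift:  ", after)
```

The "modified" list is the one to look at first when an installer or a first launch rewrites something inside the bundle; anything that must change at runtime belongs outside the sealed bundle (for example under ~/Library/Application Support), which is also why the answer points to the Single Bundle Archive or folder installer rather than a media type that writes into the .install4j directory.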