Tags: macos, code-signing, mac-app-store

Signing libraries in Mac App Store app


I've just submitted an app to the Mac App Store that uses some external dynamic libraries.

I got an email from Apple saying that:

Invalid Signature - the executable something.app/Contents/Frameworks/some.dylib is not signed, the signature is invalid, or it is not signed with an Apple submission certificate. Refer to the Code Signing and Application Sandboxing Guide for more information.

The problem is of course caused by the fact that I only signed "my" executable, not the libraries.

Is it common/good practice to also sign the libraries, even though they're not written by me?


Solution

  • Think of digitally signing a file as:

    1. A means of verifying the integrity of that file, thus making it possible to detect whether it’s been modified;

    2. A means of verifying who published that file, which is not the same as writing the corresponding source code. You’re attesting that it was really you who’s shipped that file.

    Since dynamic libraries contain executable code, it’s good practice (and in some cases, such as the MAS, mandatory) to digitally sign them for the same reason you sign the main executable file: guaranteeing that your application is exactly what you (and only you) have shipped from your build machine, no changes whatsoever. A running program includes the main executable file and all loaded libraries. If you sign the main executable file only, leaving the dynamic libraries unsigned, it would be possible to alter the dynamic libraries (or even replace them), thus changing what your program does.
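A script that applies the answer above, added here as an example and not taken from the question, the answer, or Apple's documentation: it lists the nested code inside the bundle (dylibs, frameworks, plug-ins, helper apps, XPC services), signs each item explicitly from the deepest path outward, signs the main app last, and then verifies the whole bundle the strict, recursive way the store check does. The bundle path, the identity name ("3rd Party Mac Developer Application: ..." for a store submission) and the entitlements plist are assumed inputs; adjust them to your project. Signing inside-out rather than with `codesign --deep` is deliberate, since the outer signature should seal code that is already signed.

```shell
#!/bin/sh
# Added example, not the original poster's code. Assumed inputs:
#   $1 = path to the built .app
#   $2 = signing identity, e.g. "3rd Party Mac Developer Application: Example Corp"
#   $3 = entitlements plist for the main executable (sandbox etc.)

# List nested code under Contents/, deepest path first. The main executable in
# Contents/MacOS is not listed: it is covered by signing the .app itself.
find_signable_items() {
    app="$1"
    find "$app/Contents" \
        \( -name '*.dylib' -o -name '*.framework' -o -name '*.bundle' \
           -o -name '*.app' -o -name '*.xpc' \) -print 2>/dev/null \
    | awk '{ depth = gsub("/", "/"); print depth, $0 }' \
    | sort -rn \
    | cut -d' ' -f2-
}

# Dry run: report every nested item that would trip the "is not signed, the
# signature is invalid" check, without changing anything.
report_unsigned() {
    app="$1" rc=0
    old_ifs=$IFS
    IFS='
'
    for item in $(find_signable_items "$app"); do
        codesign --verify --strict "$item" 2>/dev/null \
            || { echo "UNSIGNED OR INVALID: $item"; rc=1; }
    done
    IFS=$old_ifs
    return $rc
}

# Sign nested items first (deepest first), then the app, then verify strictly.
# Any library that was left out or modified fails here, on your build machine,
# instead of in Apple's review.
sign_bundle() {
    app="$1" identity="$2" entitlements="$3"
    old_ifs=$IFS
    IFS='
'
    for item in $(find_signable_items "$app"); do
        codesign --force --sign "$identity" "$item" \
            || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
    codesign --force --sign "$identity" --entitlements "$entitlements" "$app" \
        || return 1
    codesign --verify --deep --strict --verbose=2 "$app"
}

# Usage: sh sign_mas_app.sh something.app "3rd Party Mac Developer Application: Example Corp" entitlements.plist
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    sign_bundle "$1" "$2" "$3"
fi
```

Run `report_unsigned something.app` first to see exactly which files Apple's email was complaining about; the libraries you did not write still show up, because the check is about who shipped the bytes in the bundle, not who wrote them.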