Getting Started With Developer ID for Mountain Lion

Overview

When you download an application on OS X, the browser sets an extended attribute (com.apple.quarantine) on the file it saves, and that attribute is carried over to the app bundle when the archive or disk image is unpacked. Starting in Mountain Lion, Gatekeeper checks quarantined apps on first launch, and with its default setting ("Mac App Store and identified developers") an app distributed outside the Mac App Store must be signed with a Developer ID certificate, whether or not it is sandboxed. In practice, this means that if a user downloads an unsigned application from the internet and runs it, they’ll get an error message much like this one:

[Screenshot: Gatekeeper error dialog]

Developers who can’t sandbox their app because it needs extensive access to the system, or don’t want to for other reasons, can’t ship it through the Mac App Store (which requires sandboxing). They can still avoid this problem by getting a Developer ID certificate and signing their app before releasing it.

Signing an app

The first step is to get access to a machine running Mountain Lion. If you don’t have a physical machine with Mountain Lion, you can use VMware Fusion and run Mountain Lion in a VM. This works quite well, and it’s what we use here at Palomino Labs to make sure our apps work on non-developer machines.

Next you’ll need a Mac Developer account so you can generate a Developer ID certificate in the web-based Developer Certificate Utility. Note that if you have a company ADC account, only the team agent can request Developer ID certificates.

Once you’ve downloaded the Developer ID certificate and installed it into your keychain, you’re ready to sign your app and test it. To sign an application bundle from the command line, run something like this:

codesign -s "Developer ID" YourAppBundle.app

The -s switch tells the codesign tool which signing identity to use; codesign accepts any substring of the certificate’s common name, as long as it matches exactly one identity in your keychains. If you have multiple Developer ID certificates installed on your machine, the tool will complain that “Developer ID” is ambiguous and display a list of choices. You can solve this by providing the full common name of the identity you want to use (for example “Developer ID Application: Your Company”).

To test that the signing worked, you’ll need to get the app bundle onto the Mountain Lion machine. Because Gatekeeper only evaluates bundles that carry the quarantine attribute, the app bundle needs to be downloaded from the internet with a browser for a realistic test; copying it over with scp or a shared folder will not set the attribute. You can verify that the app is quarantined by running

xattr -p com.apple.quarantine YourAppBundle.app

If that command prints something like

xattr: YourAppBundle.app: No such xattr: com.apple.quarantine

then the quarantine flag is not set and the Developer ID restrictions won’t be applied regardless of whether the app is signed correctly.

If you verify that the quarantine flag has been set and you don’t see the error when you open your application on a Mountain Lion machine, then your app is correctly signed, and users running Gatekeeper’s default setting will be able to download and run it without being blocked.
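The steps above can also be checked without a browser download: Gatekeeper’s policy engine can be queried directly with spctl (new in 10.8), which applies the same rules regardless of whether the quarantine attribute is present. The script below is an added example and is not code from the original post or from Palomino Labs. It assumes it runs on OS X 10.8, that the identity name is a placeholder you replace with one listed by `security find-identity`, and that the bundle path is passed as the first argument.

```shell
#!/bin/sh
# Added example (not from the original post): sign an app bundle with a
# Developer ID identity, verify the signature chain, and ask Gatekeeper's
# policy engine (spctl) whether it would accept the bundle. Assumptions:
# OS X 10.8, a placeholder identity name that must match a certificate in
# your keychain, and the bundle path given as the first argument.

IDENTITY="${IDENTITY:-Developer ID Application: Your Company}"   # placeholder

# Print the four ';'-separated fields of a com.apple.quarantine value:
# flags (hex), download time (hex seconds since the epoch), the agent that
# set it, and a UUID identifying the download event in the LaunchServices
# quarantine database.
describe_quarantine() {
    q="$1"
    flags=$(printf '%s' "$q" | cut -d';' -f1)
    stamp=$(printf '%s' "$q" | cut -d';' -f2)
    agent=$(printf '%s' "$q" | cut -d';' -f3)
    uuid=$(printf '%s' "$q" | cut -d';' -f4)
    printf 'flags=0x%s downloaded=%d agent=%s uuid=%s\n' \
        "$flags" "$((0x${stamp:-0}))" "$agent" "$uuid"
}

# 1. List the code-signing identities in your keychains, so an ambiguous
#    -s value can be replaced with a full common name.
list_identities() {
    security find-identity -v -p codesigning
}

# 2. Sign the bundle, replacing any existing signature (-f).
sign_bundle() {
    codesign -f -s "$IDENTITY" "$1"
}

# 3. Verify the signature and show its certificate chain. A signature that
#    Gatekeeper will accept chains through "Developer ID Certification
#    Authority" to "Apple Root CA".
verify_bundle() {
    codesign --verify --verbose=2 "$1" &&
    codesign --display --verbose=4 "$1" 2>&1 | grep '^Authority='
}

# 4. Evaluate the bundle against the same policy Gatekeeper applies on
#    launch. Prints "<bundle>: accepted" and "source=Developer ID" on
#    success; this check does not require the quarantine attribute.
assess_bundle() {
    spctl --assess --type execute --verbose=4 "$1"
}

# 5. Report whether this copy is quarantined, i.e. whether Gatekeeper will
#    actually consult that policy when a user double-clicks it.
quarantine_status() {
    q=$(xattr -p com.apple.quarantine "$1" 2>/dev/null) || {
        echo "not quarantined: Gatekeeper will not check this copy"
        return 1
    }
    describe_quarantine "$q"
}

if [ $# -gt 0 ]; then
    list_identities
    sign_bundle "$1" && verify_bundle "$1" && assess_bundle "$1"
    quarantine_status "$1"
fi
```

Run it as `sh sign-and-check.sh YourAppBundle.app`. If `spctl` reports `rejected`, the browser-download test in the post will show the Gatekeeper dialog too, so fix the signature first; if it reports `accepted` but `quarantine_status` says the copy is not quarantined, you have only confirmed the signature, not the end-to-end user experience.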

Posted by Manuel Wudka-Robles

Manuel is a sponge for software knowledge. Manuel’s software development expertise ranges from Rails web development to obscure third-party APIs and long-forgotten web properties. Manuel was the “API guy” at Genius.com, recognized for his deep knowledge of how to build and scale APIs. At Turn, Manuel focused on improving the exciting world of display advertising. Most recently at Tello, Manuel led the integration with Twilio and KISSMetrics. At Palomino Labs, Manuel also serves as Director of IE Compatibility.

About Palomino Labs

Palomino Labs unlocks the potential of software to change people and industries. Our team of experienced software developers, designers, and product strategists can help turn any idea into reality.

See the Palomino Labs website for more information, or send us an email and let's start talking about how we can work together.