When you download an application on OS X, the browser sets an extended attribute (com.apple.quarantine) on the bundle that marks it as quarantined. Starting in Mountain Lion, Gatekeeper’s default setting will only open a quarantined app if it is signed with a Developer ID certificate. Apps installed from the Mac App Store (which must be sandboxed) never carry the quarantine attribute, so in practice the requirement falls on apps distributed outside the store: if a user downloads an unsigned application from the internet and runs it, they’ll get an error much like this one (the “can’t be opened because it is from an unidentified developer” dialog):
Developers who distribute outside the Mac App Store, whether because their app needs more access to the system than the sandbox allows or for other reasons, can avoid this problem by getting a Developer ID certificate and signing their app before releasing it.
Signing an app
The first step is to get access to a machine running Mountain Lion. If you don’t have a physical machine with Mountain Lion, you can use VMware Fusion and run Mountain Lion in a VM. This works quite well and it’s what we use here at Palomino Labs for making sure our apps work on non-developer machines.
Next you’ll need to get a Mac Developer account and generate a Developer ID in the web-based Developer Certificate Utility. Note that if you have a company ADC account, only the team agent can request Developer ID certificates.
Once you’ve downloaded the Developer ID certificate and installed it into your keychain (along with its private key), you’re ready to sign your app and test it. To sign an application bundle from the command line, do something like this:
codesign -s "Developer ID" YourAppBundle.app
The -s switch tells the codesign tool to use the signing identity whose name begins with “Developer ID”. If you have multiple Developer ID certificates installed on your machine the tool will complain that “Developer ID” is ambiguous and display a list of choices. You can solve this by providing the full name of the identity you want to use, or the certificate’s SHA-1 hash as listed by security find-identity -v -p codesigning, which codesign also accepts.
To test that the signing worked you’ll need to download the app bundle onto the Mountain Lion machine. Because the Developer ID restrictions are applied only to bundles with the quarantine attribute set, the bundle must actually be downloaded from the internet with a browser to test this properly; copying it over with scp or a shared folder won’t set the attribute. You can verify that the app is quarantined by running
xattr -p com.apple.quarantine YourAppBundle.app
If that command prints something like
xattr: YourAppBundle.app: No such xattr: com.apple.quarantine
then the quarantine flag is not set and the Developer ID restrictions won’t be applied regardless of whether the app is signed correctly.
If the quarantine flag is set and you don’t see the error when you open your application on the Mountain Lion machine, then your app is correctly signed and your users will be able to download and run it without issue.
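The signing and verification steps above, collected into one script. This is an added example, not code from the original post or from Palomino Labs. It assumes OS X 10.8 with codesign, security, spctl and xattr available, exactly one Developer ID Application identity (with its private key) in the login keychain, and the bundle path passed as the first argument; the find-identity output shown in the comments is a constructed sample. Instead of the name “Developer ID” it hands codesign the certificate’s SHA-1 hash, which sidesteps the ambiguity error, and it adds an spctl assessment, which evaluates the Gatekeeper policy locally whether or not the bundle is quarantined, so a bad signature is caught before the browser-download test.

```shell
#!/bin/sh
# Added example: sign an app bundle with a Developer ID identity and check
# the result locally before the download test. Assumes OS X 10.8 with the
# Xcode command-line tools (codesign, security, spctl, xattr) installed.

# Pick exactly one code-signing identity from the output of
#   security find-identity -v -p codesigning
# whose lines look like this (constructed sample, not a real certificate):
#   1) 0123456789ABCDEF0123456789ABCDEF01234567 "Developer ID Application: Example Corp (ABCDE12345)"
# Prints the 40-hex-digit SHA-1 hash of the identity whose name contains $2.
# codesign accepts that hash in place of a name, which avoids the "ambiguous"
# error when several Developer ID certificates are in the keychain.
# Returns 1 if zero or more than one identity matches.
pick_identity() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 ~ /^[0-9]+\)$/ && length($2) == 40 && index($0, want) > 0 { hash = $2; n++ }
        END { if (n == 1) { print hash; exit 0 } else { exit 1 } }'
}

# Sign the bundle ($1) with the identity ($2), replacing any existing signature.
sign_bundle() {
    codesign --force --sign "$2" "$1"
}

# Verify the signature is intact, then ask Gatekeeper for its verdict.
# spctl evaluates the execution policy regardless of the quarantine
# attribute, so it catches a rejected signature before the download test.
verify_bundle() {
    codesign --verify --verbose=2 "$1" && spctl --assess --type execute --verbose "$1"
}

# Exit 0 if the quarantine attribute is set on the bundle, 1 otherwise.
is_quarantined() {
    xattr -p com.apple.quarantine "$1" >/dev/null 2>&1
}

# Usage: ./sign-and-check.sh YourAppBundle.app
if [ "$#" -ge 1 ]; then
    app="$1"
    hash=$(pick_identity "$(security find-identity -v -p codesigning)" "Developer ID Application") || {
        echo "expected exactly one Developer ID Application identity in the keychain" >&2
        exit 1
    }
    sign_bundle "$app" "$hash"
    verify_bundle "$app"
    if is_quarantined "$app"; then
        echo "$app is quarantined; launching it will exercise Gatekeeper"
    else
        echo "$app is not quarantined; download it with a browser before testing the launch"
    fi
fi
```

Run it on the development machine after building; the spctl step is the one that fails if the wrong certificate was picked or the bundle was modified after signing. The quarantine check at the end only tells you whether launching this particular copy would exercise Gatekeeper, so the final test on the Mountain Lion machine still has to use a bundle downloaded with a browser.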