Help me figure out how to sign a macOS app

This Does Not Compute

Administrator
Staff member
Oct 27, 2021
287
432
63
www.youtube.com
So there's a bash script I wrote that, to make it more convenient to run, I package up using Platypus. Problem is the resulting app isn't signed, so it requires bypassing Gatekeeper in order to run it. With macOS Sequoia making it more difficult to bypass Gatekeeper, I need to finally get around to getting the app signed.

Problem is I don't know what's involved in this, other than paying Apple $100 a year for a developer account.

The documentation for Platypus says that one just needs to run this to sign the apps it creates:

/usr/bin/codesign -s "your-signing-identity" path/to/MyApp.app
Great, but what's my signing identity? Some Googling suggests this is something Xcode handles. Can anyone (on Discord they told me to ping @OneGeekArmy) give me some pointers on what I need to do between giving Apple some money for a dev account and being able to run the command above? I'm not a software developer, just a hapless sysadmin ;)
 

JDW

Administrator
Staff member
Founder
Sep 2, 2021
1,577
1,373
113
53
Japan
youtube.com
Colin, I have zero idea how to answer your question, but for the sheer fun of it, I sent a slightly edited (for clarity) version of your post to ChatGPT4o, and it replied back as follows (keeping in mind that it can make mistakes)...

To sign an app using codesign on macOS, you need an Apple Developer account (which costs $100/year) and an associated signing identity. Here's a step-by-step guide to getting from paying Apple to running the command you found in the Platypus documentation:​

1. Enroll in the Apple Developer Program

  • Visit Apple Developer and enroll in the Developer Program. This process will require your Apple ID and a $100/year fee.
  • After approval, you will have access to the necessary tools for signing applications.

2. Install Xcode

  • Download and install Xcode from the Mac App Store.
  • Open Xcode and sign in with your Apple Developer account.

3. Create a Signing Certificate

  • Open Xcode.
  • In the menu bar, go to Xcode > Settings > Accounts.
  • Select your Apple ID and click on Manage Certificates.
  • Click + at the bottom to create a new Developer ID Application certificate. This will create a signing identity that can be used with the codesign tool.

4. Get Your Signing Identity

  • After generating the certificate, you'll find your signing identity in the Keychain Access app.
  • Open Keychain Access (/Applications/Utilities/Keychain Access.app).
  • In the Certificates section, look for the certificate with Developer ID Application. The name attached to this certificate is your signing identity.

5. Sign Your Application

Now that you have your signing identity, you can use the command you mentioned in your script:​
Bash:
/usr/bin/codesign -s "Developer ID Application: Your Name (TeamID)" path/to/MyApp.app
Replace "Developer ID Application: Your Name (TeamID)" with the exact name of your signing identity as found in Keychain Access.​

6. Verify the Signing

After signing, you can verify it by running:​
Bash:
codesign -dv --verbose=4 path/to/MyApp.app
This will output details about the signing, and if successful, it will include the identifier you used.​

7. Distribute the Signed App

Once signed, the app will be able to bypass Gatekeeper, and you won't need to use workarounds to run it.​
If you encounter any issues, you can also look into Notarization for further security and smooth operation on macOS Catalina or later versions. However, notarization is a separate process and not mandatory for simple app signing.​



But knowing you don't want to pay that $100 per year, I wrote this prompt to ChatGPT4o...

But I don't want to pay that $100 per year. Isn't there any way to get it signed without paying?

To which ChatGPT replied as follows:

Unfortunately, to sign an app on macOS in a way that bypasses Gatekeeper without user intervention, you do need a paid Apple Developer account. There is no official method to sign and distribute apps with full Gatekeeper support without paying for the $100/year Apple Developer Program subscription.​
However, if your goal is to simply run the app on your own Mac and bypass Gatekeeper manually, there are some workarounds that don't require paying for a developer account, but they don't involve proper signing. Instead, you can:​
  1. Bypass Gatekeeper for Untrusted Apps:
    • After trying to open the unsigned app, macOS will prevent it and show a warning. You can then:
      • Open System Preferences.
      • Go to Security & Privacy.
      • In the General tab, you should see an option that says "App was blocked" with an Open Anywaybutton. Click that, and the app will be allowed to run.
    • Alternatively, you can use the Terminal to bypass Gatekeeper by running:
      Bash:
      sudo spctl --master-disable
    • This disables Gatekeeper entirely, allowing any app to run, but it also weakens system security. You can re-enable it later with:
      Bash:
      sudo spctl --master-enable
  2. Use an Ad Hoc Signature:
    • An alternative option is to sign the app with an ad hocidentity. This doesn't give you the same level of trust as a developer-signed app, but it can help in certain situations. Use the following command:
      Bash:
      codesign -s - --deep --force path/to/MyApp.app
    • This signs the app with a temporary signature but doesn't provide the same Gatekeeper bypass capabilities as a proper Developer ID. It can be useful in some local scenarios where macOS is strict about requiring signatures.

Alternatives for Distribution:​

If you're distributing the app to other users who don't want to bypass Gatekeeper manually, there are no reliable ways to sign it without paying for the Developer ID. Some people explore open-source or enterprise deployment options, but for standard macOS app distribution, the Developer ID remains the only recognized method to sign apps officially.​
 

OneGeekArmy

Tinkerer
Oct 31, 2021
95
246
33
Belgium
diskjockey.onegeekarmy.eu
So there's a bash script I wrote that, to make it more convenient to run, I package up using Platypus. Problem is the resulting app isn't signed, so it requires bypassing Gatekeeper in order to run it. With macOS Sequoia making it more difficult to bypass Gatekeeper, I need to finally get around to getting the app signed.

Problem is I don't know what's involved in this, other than paying Apple $100 a year for a developer account.

The documentation for Platypus says that one just needs to run this to sign the apps it creates:


Great, but what's my signing identity? Some Googling suggests this is something Xcode handles. Can anyone (on Discord they told me to ping @OneGeekArmy) give me some pointers on what I need to do between giving Apple some money for a dev account and being able to run the command above? I'm not a software developer, just a hapless sysadmin ;)
Hi!

I'm currently away from the computer and in the middle of nowhere in Normandy (I'm basking in the glory of an anemic 3G network right now) but I'll be back next week and we can take a look at it then if you want (and if the answer above didn't help).

The gatekeeper stuff is all a bit of a maze indeed and I need to refer to my notes constantly.