Download breaks OSX signature?
C

3

6

I've just started signing my OSX desktop app so it can be installed on OSX 10.8 easily. I'm getting a really weird issue whereby the signing works fine and I can install if the dmg is transferred to the Mac by Dropbox or FTP but if the dmg is uploaded to a server then downloaded to the Mac using a browser the signature fails (the user sees the same error as if the file wasn't signed).

Background: The application is Java, signed using the .p12 from Apple in Install4J. Interestingly for an un-signed or downloaded DMG the error OSX 10.8 shows is really odd, it says the installer is "damaged" and should be un-mounted.

Anyone know why the signature would fail when the DMG is downloaded with a browser?

Cicisbeo answered 26/7, 2012 at 17:49 Comment(14)
Sounds like it could be any number of things, from crushing metadata to viral interference. - Kief
It does seem like perhaps some meta-data is attached to the downloaded file - btw I checked the file sizes and a working dmg is exactly the same size as a broken one. - Cicisbeo
does it only not work in one browser? - Kief
No - fails with every browser I have (FF / Chrome / Safari). Also I've tried uploading and downloading both using my own server and S3... in both cases the DMG fails when downloaded by a browser. - Cicisbeo
Does it work on other computers? - Kief
Good question, unfortunately I only have one Mac with Mountain Lion. - Cicisbeo
All of your software is up to date? You have an AV running? - Kief
Everything is up to date / no AV. All good questions Wug! - Cicisbeo
Get an AV. Everyone should have one. Also, can you calculate a hash of each file to determine if they are in fact byte for byte identical? - Kief
md5 hashes are identical - which I guess basically leaves file meta-data. - Cicisbeo
& I note that in the info popup the where from meta-data shows the url it's from / or nothing if it didn't come through a browser. Really can't see why that would make a difference though. - Cicisbeo
No idea then. I don't own a mac :) - Kief
Thanks for the input anyway - at least confirms to me I'm not going crazy! - Cicisbeo
Gatekeeper is looking for signatures using Mac App Store or Developer ID certificates. Maybe "the .p12 from Apple in Install4J" isn't the right kind. - Matchbox
V
3

You are using the wrong certificate for signing. For signing install4j installers you need the Application ID certificate, not the Installer ID certificate.

Unfortunately, install4j 5.1.1 does not complain during compilation if the certificate chain is incomplete. install4j 5.1.2 will fix this.

Vacua answered 27/7, 2012 at 15:54 Comment(1)
Thanks Ingo... I should note that I opened a support request & Hannes helped me very quickly. Well done on the support & product guys. - Cicisbeo
C
4

Ingo has the correct answer but I wanted to note what helped to confuse the issue. It appears that Gatekeeper won't check signatures when the installer is moved over using Dropbox / FTP - only when they're downloaded using a browser (or perhaps also other select methods).

So it appeared the transport method made the difference, when in fact the signature never worked at all.

Cicisbeo answered 30/7, 2012 at 13:5 Comment(0)
A
0

To clarify, I would like to add that the Apple certificate to use is the "Developer ID Application" certificate. It can be exported on the Mac from Applications -> Utilities -> Keychain Access.

Aruba answered 28/11, 2012 at 15:3 Comment(0)
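
Added example, not part of the original thread or of install4j: a shell sketch that classifies `codesign -dvv` output by leaf certificate type and chain completeness, and models the thread's observation that the signature is only checked when the download carries the `com.apple.quarantine` attribute. The sample outputs, names, team ID, quarantine value and verdict strings are constructed, and the accept/reject logic is a simplification that assumes an incomplete chain shows up as missing `Authority=` lines.

```shell
#!/bin/sh
# On a Mac the inputs would come from:
#   codesign -dvv /path/to/Example.app 2>&1   (details are printed on stderr)
#   xattr -p com.apple.quarantine file.dmg    (present after a browser download)

# Reads `codesign -dvv` output on stdin and prints a one-word verdict.
check_developer_id() {
    auth=$(sed -n 's/^Authority=//p')
    [ -n "$auth" ] || { echo unsigned; return 1; }
    leaf=$(printf '%s\n' "$auth" | sed -n '1p')
    case $leaf in
        "Developer ID Application:"*) ;;
        "Developer ID Installer:"*) echo wrong-cert-installer; return 1 ;;
        *) echo not-developer-id; return 1 ;;
    esac
    # A complete chain lists the intermediate and the root after the leaf.
    printf '%s\n' "$auth" | grep -qx 'Developer ID Certification Authority' &&
        printf '%s\n' "$auth" | grep -qx 'Apple Root CA' ||
        { echo incomplete-chain; return 1; }
    echo ok
}

# $1 = quarantine attribute value ("" if absent); stdin as above.
# Simplified model of the thread's finding: no quarantine flag, no check at all.
predict_first_launch() {
    verdict=$(check_developer_id) || true
    if [ -z "$1" ]; then
        echo "not-assessed ($verdict)"
    elif [ "$verdict" = ok ]; then
        echo accepted
    else
        echo "rejected ($verdict)"
    fi
}

# Constructed sample data (placeholder name and team ID).
GOOD='Executable=/Applications/Example.app/Contents/MacOS/Example
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA'
WRONG='Authority=Developer ID Installer: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA'
NOCHAIN='Authority=Developer ID Application: Example Corp (ABCDE12345)'
QUAR='0083;5f3e1c2a;Safari;'

# Same badly signed build, two transport paths:
printf '%s\n' "$WRONG" | predict_first_launch ""        # copied via FTP/Dropbox
printf '%s\n' "$WRONG" | predict_first_launch "$QUAR"   # downloaded with a browser
```

Testing a release candidate only via file sync or FTP therefore says nothing about Gatekeeper; run the check on a copy that was actually downloaded through a browser.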
