Is it possible to code sign a screensaver?

I'd like to share a screensaver I developed (for OSX) but I couldn't find a way to code-sign it. Without it, it is almost impossible to install on other machines due to 'Gatekeeper' warnings. (Right click & `open` works, but most people don't know about it.)


Any ideas on code-signing or distribution alternatives? I'm simply sending the .saver bundle at the moment.

Replies

Xcode is quite capable of signing a screen saver, or any other bundle for that matter. It has no high-level code signing UI for bundles, but you can tweak the code signing build settings directly. AFAICT you just need to set Code Signing Identity to Developer ID (`CODE_SIGN_IDENTITY = Developer ID Application`).

Whether that resolves your Gatekeeper warnings is something you’ll have to test for yourself (I don’t spend a lot of time working on screen savers myself).

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Adding to the prior excellent advice, here's additional info on notarization:


You can’t notarize the .saver directly, but you can, in a roundabout way, notarize a ZIP file, which is how I distribute my screen saver. Here are the steps I use for my simple saver; your mileage will undoubtedly vary:


  • /usr/bin/codesign -f -o runtime --timestamp --sign "insert Developer ID Installer certificate identifier here" XYZZY.saver
  • compress the code signed .saver e.g. XYZZY.saver.zip
  • /usr/bin/xcrun altool --verbose --notarize-app --primary-bundle-id "insert identifier here" -u "xyzzy@plugh.com" -p "insert app-specific PW for your Apple ID here" -t osx -f XYZZY.saver.zip
  • Aside: store the App-specific password in your keychain and reference it from the command line like this:

    /usr/bin/xcrun altool --store-password-in-keychain-item "AC_PASSWORD" -u xyzzy@plugh.com -p "insert App-specific PW from Apple here"

  • wait for notarization, check status like this:

    /usr/bin/xcrun altool --notarization-history 0 -u "xyzzy@plugh.com" -p "@keychain:AC_PASSWORD"

  • While you can notarize a ZIP archive, you can’t staple the notarization ticket to it directly. Instead, run stapler against each individual item that you originally added to the archive. Then create a new ZIP file containing the stapled items for distribution.
    • /usr/bin/xcrun stapler staple XYZZY.saver
    • Re-zip the saver and distribute

This is the only post I've been able to find which explains how to sign screensavers, thanks!


I am having some trouble using the installer certificate in the first step.

"security find-identity -p codesigning" only shows "Apple Development: My Name"

But "security find-identity" also shows my "Developer ID Installer" certificate (listed under X.509 Basic)


Do you know how to add the installer certificate to use it with codesigning? I tried "security add-trusted-cert" but couldn't get it to work. I was able to sign in the first step with the Apple Development certificate, but then the notarization was rejected (maybe because I didn't use the installer certificate).


Also, I am a bit confused by the final step. It seems you notarize a .zip file, but then you make a different .zip file in the final step?

I’ve posted a bunch of advice that applies here, including:

The first step in this process is to decide on your outermost container format. What type of file do you want your users to download? Once you make that decision, everything else falls out as a consequence of that.

For example, if you’re not using an installer package, your `Developer ID Installer` signing identity is irrelevant. You will only need your `Developer ID Application` one.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
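
An added example, not part of any post in this thread: a POSIX shell script for the sign, zip, staple and re-zip steps described above. It first selects the signing identity from `security find-identity -v -p codesigning` output and accepts only a `Developer ID Application` identity, as the last reply advises. The function names and the sample identity listing are constructed for illustration; submitting the ZIP for notarization is left to the `altool` commands in the post.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed, not from the thread.

# Constructed sample of `security find-identity -v` output (hashes are fake).
SAMPLE_IDENTITIES='  1) 1111111111111111111111111111111111111111 "Apple Development: My Name (ABCDE12345)"
  2) 2222222222222222222222222222222222222222 "Developer ID Installer: My Name (ABCDE12345)"
  3) 3333333333333333333333333333333333333333 "Developer ID Application: My Name (ABCDE12345)"
     3 valid identities found'

# Read find-identity output on stdin; print the hash of the first
# "Developer ID Application" identity. Fails (status 1) if there is none,
# so an Installer or Apple Development identity is never used by accident.
pick_app_identity() {
    awk '/"Developer ID Application: / { print $2; found = 1; exit }
         END { exit !found }'
}

# Sign the .saver with the hardened runtime and a secure timestamp, verify
# the signature, then zip it for upload to the notary service.
sign_saver() {    # usage: sign_saver <identity-hash> <Name.saver>
    /usr/bin/codesign -f -o runtime --timestamp --sign "$1" "$2" &&
    /usr/bin/codesign --verify --strict --verbose=2 "$2" &&
    /usr/bin/ditto -c -k --keepParent "$2" "$2.zip"
}

# After notarization succeeds: staple the ticket to the bundle itself,
# check it, and build the ZIP that is actually distributed.
staple_saver() {  # usage: staple_saver <Name.saver>
    /usr/bin/xcrun stapler staple "$1" &&
    /usr/bin/xcrun stapler validate "$1" &&
    /usr/bin/ditto -c -k --keepParent "$1" "$1.zip"
}

# Only acts when called as: script sign|staple <Name.saver>
case "${1:-}" in
    sign)
        id=$(security find-identity -v -p codesigning | pick_app_identity) || {
            echo "no Developer ID Application identity in keychain" >&2; exit 1; }
        sign_saver "$id" "$2" ;;
    staple)
        staple_saver "$2" ;;
esac
```

Run it once with `sign XYZZY.saver` before submitting the ZIP, and again with `staple XYZZY.saver` after notarization reports success; the second run overwrites the ZIP with one containing the stapled bundle.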