Login Item for an App showing unidentified developer

In macOS 13 Ventura, after installing our app, it appears in Settings -> General -> Login Items with a line: Item from unidentified developer. I know there are other similar questions in these forums; the difference is we sign and build our code with the terminal, using a script. I am looking for a way to remove the warning and show the correct developer. We use an Apple Developer ID to sign and distribute the package from our own repositories. The code we use to sign (https://github.com/wazuh/wazuh-packages) is:

function sign_binaries() {
    if [ -n "${KEYCHAIN}" ] && [ -n "${CERT_APPLICATION_ID}" ] ; then
        # Unlock the keychain to use the certificate
        security -v unlock-keychain -p "${KC_PASS}" "${KEYCHAIN}" > /dev/null
        # Sign every single binary in Wazuh's installation. This also includes library files.
        # (while/read instead of a for loop so that paths containing spaces survive word splitting.)
        find "${INSTALLATION_PATH}" -type f -exec file {} + | grep bit | cut -d: -f1 | while IFS= read -r bin; do
            codesign -f --sign "${CERT_APPLICATION_ID}" --entitlements "${ENTITLEMENTS_PATH}" --deep --timestamp --options=runtime --verbose=4 "${bin}"
        done
        security -v lock-keychain "${KEYCHAIN}" > /dev/null
    fi
}

function sign_pkg() {
    if [ -n "${KEYCHAIN}" ] && [ -n "${CERT_INSTALLER_ID}" ] ; then
        # Unlock the keychain to use the certificate
        security -v unlock-keychain -p "${KC_PASS}" "${KEYCHAIN}"  > /dev/null

        # Sign the package
        productsign --sign "${CERT_INSTALLER_ID}" --timestamp "${DESTINATION}"/"${pkg_name}" "${DESTINATION}"/"${pkg_name}".signed
        mv "${DESTINATION}"/"${pkg_name}".signed "${DESTINATION}"/"${pkg_name}"

        security -v lock-keychain "${KEYCHAIN}" > /dev/null
    fi
}

Any help is welcome. Thanks!

Accepted Answer

How are you installing this login item?


Also, you wrote:

The code we use to sign

That’s using --deep, which is something I specifically recommend against. For general advice on how to sign and package Mac products, see:

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
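The alternative to `--deep` is to sign from the inside out: every nested item of code first, the container that holds it last, so each outer seal covers code that already carries its own signature. The script below is an added example and is not code from this thread or from the Wazuh packaging scripts. It walks an install tree, recognises Mach-O files by their magic bytes rather than by grepping `file` output (the thread's `for bin in $(find ...)` loop also breaks on paths with spaces), orders the targets deepest-first, and only builds the `codesign` command lines, it does not run them. It assumes a bundle's main executable sits at `<Bundle>/Contents/MacOS/<name>`; the demo tree, signing identity and entitlements path are constructed placeholders, not Wazuh's real layout or certificate.

```python
"""Inside-out signing plan as a replacement for `codesign --deep`.

Added example (not from the forum thread or the Wazuh project). Assumes a
bundle's main executable lives at <Bundle>/Contents/MacOS/<name>; the demo
tree, identity and entitlements path are placeholders.
"""
import os
import tempfile

# First four bytes of Mach-O and universal ("fat") binaries, both byte orders.
# 0xcafebabe is shared with Java class files, acceptable for an install tree.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # 32-bit
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # 64-bit
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",  # fat / universal
}
BUNDLE_EXTS = (".app", ".framework", ".bundle", ".xpc", ".appex", ".plugin", ".kext")


def is_macho(path):
    """Detect code by magic number instead of parsing `file` output."""
    try:
        with open(path, "rb") as f:
            return f.read(4) in MACHO_MAGICS
    except OSError:
        return False


def is_bundle(path):
    return os.path.isdir(path) and path.endswith(BUNDLE_EXTS)


def enclosing_bundle(path, root):
    """Nearest bundle directory containing path (root included), or None."""
    cur = os.path.dirname(path)
    while cur.startswith(root):
        if is_bundle(cur):
            return cur
        if cur == root:
            return None
        cur = os.path.dirname(cur)
    return None


def signing_plan(root):
    """Sign targets relative to root, innermost first.

    Bundles are signed as units; Mach-O files are signed individually, except
    a bundle's own main executable, which is sealed when the bundle is signed.
    """
    root = os.path.abspath(root)
    targets = []
    for dirpath, _dirs, filenames in os.walk(root):
        if is_bundle(dirpath):
            targets.append(dirpath)
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not is_macho(path):
                continue
            bundle = enclosing_bundle(path, root)
            if bundle and dirpath == os.path.join(bundle, "Contents", "MacOS") \
                    and name == os.path.splitext(os.path.basename(bundle))[0]:
                continue
            targets.append(path)
    # Deepest paths first: a container is signed only after the code it holds.
    targets.sort(key=lambda p: (-p.count(os.sep), p))
    return [os.path.relpath(t, root) for t in targets]


def codesign_commands(root, identity, entitlements=None):
    """Build (but do not run) one codesign invocation per target."""
    cmds = []
    for rel in signing_plan(root):
        cmd = ["codesign", "-f", "--sign", identity, "--timestamp", "--options=runtime"]
        # Entitlements belong on executables and bundles, not on libraries;
        # --deep would apply the outer item's options to every nested item.
        if entitlements and not rel.endswith(".dylib"):
            cmd += ["--entitlements", entitlements]
        cmd.append(os.path.join(root, rel))
        cmds.append(cmd)
    return cmds


def build_demo_tree():
    """Constructed sample tree (not a real Wazuh layout) with stub headers."""
    macho64 = b"\xcf\xfa\xed\xfe" + b"\0" * 28
    fat = b"\xca\xfe\xba\xbe" + b"\0" * 28
    files = {
        "Wazuh.app/Contents/MacOS/Wazuh": macho64,
        "Wazuh.app/Contents/MacOS/helper": macho64,
        "Wazuh.app/Contents/Frameworks/libfoo.dylib": macho64,
        "Wazuh.app/Contents/Frameworks/Core.framework/Versions/A/Core": macho64,
        "bin/agentd": fat,
        "etc/config.txt": b"plain text, not code\n",
    }
    root = tempfile.mkdtemp(prefix="signplan-")
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for cmd in codesign_commands(demo, "Developer ID Application: Example (TEAMID)", "entitlements.plist"):
        print(" ".join(cmd))
```

Running it prints the framework executable first, then the framework, the dylib and the helper, then the standalone `bin/agentd`, and `Wazuh.app` last; piping those lines into a shell on the build machine (with a real identity) replaces the single `--deep` call in `sign_binaries`.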

Hi @eskimo, thanks for the answer. We are installing the Login Item as part of a package created with the tool http://s.sudre.free.fr/Software/Packages/about.html, using just the command-line tools. The files are copied to their final positions and then signed, including the files (the script I sent has been modified); then they are packaged and installed. I have had to compress and decompress the files so that the signature stays, but after installing and checking that all files are signed, the Login Item still appears as coming from an unidentified developer.

The new signing code:

function sign_binaries() {
    if [ -n "${KEYCHAIN}" ] && [ -n "${CERT_APPLICATION_ID}" ] ; then
        # Unlock the keychain to use the certificate
        security -v unlock-keychain -p "${KC_PASS}" "${KEYCHAIN}" > /dev/null
        # Sign every single binary in Wazuh's installation. This also includes library files.
        # (while/read instead of a for loop so that paths containing spaces survive word splitting.)
        find "${INSTALLATION_PATH}" -type f -exec file {} + | grep bit | cut -d: -f1 | while IFS= read -r bin; do
            codesign -f --sign "${CERT_APPLICATION_ID}" --entitlements "${ENTITLEMENTS_PATH}" --timestamp --options=runtime --verbose "${bin}"
        done

        # Sign the Login Item and the launchd property list, then tar them so the signatures survive packaging
        codesign -f --sign "${CERT_APPLICATION_ID}" --identifier "com.wazuh.example" --entitlements "${ENTITLEMENTS_PATH}" --timestamp --options=runtime --verbose "${LOGIN_ITEM_PATH}/Wazuh" && echo "Correctly signed Login Item Wazuh" || echo "Error signing Login Item Wazuh"
        codesign -f --sign "${CERT_APPLICATION_ID}" --identifier "com.wazuh.example" --entitlements "${ENTITLEMENTS_PATH}" --timestamp --options=runtime --verbose "${LAUNCH_DAEMON_PATH}/com.wazuh.agent.plist" && echo "Correctly signed Launch Daemon" || echo "Error signing Launch Daemon"
        tar -cf "${LOGIN_ITEM_PATH}/Wazuh.tar" -C "${LOGIN_ITEM_PATH}" Wazuh && echo "Correctly tarred Login Item" || echo "Error tarring Login Item"
        tar -cf "${LAUNCH_DAEMON_PATH}/com.wazuh.agent.plist.tar" -C "${LAUNCH_DAEMON_PATH}" com.wazuh.agent.plist && echo "Correctly tarred Launch Daemon" || echo "Error tarring Launch Daemon"

        security -v lock-keychain "${KEYCHAIN}" > /dev/null
    fi
}

function sign_pkg() {
    if [ -n "${KEYCHAIN}" ] && [ -n "${CERT_INSTALLER_ID}" ] ; then
        # Unlock the keychain to use the certificate
        security -v unlock-keychain -p "${KC_PASS}" "${KEYCHAIN}"  > /dev/null

        # Sign the package
        productsign --sign "${CERT_INSTALLER_ID}" --timestamp "${DESTINATION}"/"${pkg_name}" "${DESTINATION}"/"${pkg_name}".signed
        mv "${DESTINATION}"/"${pkg_name}".signed "${DESTINATION}"/"${pkg_name}"

        security -v lock-keychain "${KEYCHAIN}" > /dev/null
    fi
}

The signed files:

sh-3.2# codesign -dv /Library/LaunchDaemons/com.wazuh.agent.plist 
Executable=/Library/LaunchDaemons/com.wazuh.agent.plist
Identifier=com.wazuh.example
Format=generic
CodeDirectory v=20200 size=273 flags=0x10000(runtime) hashes=1+5 location=embedded
Signature size=9049
Timestamp=Jan 19, 2023 at 11:32:44 AM
Info.plist=not bound
TeamIdentifier=KLZK8P68R5
Sealed Resources=none
Internal requirements count=1 size=180
sh-3.2# codesign -dv /Library/StartupItems/WAZUH/Wazuh 
Executable=/Library/StartupItems/WAZUH/Wazuh
Identifier=com.wazuh.example
Format=generic
CodeDirectory v=20200 size=273 flags=0x10000(runtime) hashes=1+5 location=embedded
Signature size=9048
Timestamp=Jan 19, 2023 at 11:32:43 AM
Info.plist=not bound
TeamIdentifier=KLZK8P68R5
Sealed Resources=none
Internal requirements count=2 size=228
sh-3.2# 

When a launchd daemon or agent shows up ‘at random’, it’s hard for TCC to understand who’s responsible for it. It should be able to do better than “unidentified developer” but… well… *shrug*

Does your product include an app that’s visible to the user in the Finder? If so, the easiest fix is to list that app’s bundle ID in the AssociatedBundleIdentifiers property of your launchd property list. See the launchd.plist man page for details. That’s usually enough to get TCC doing the right thing.


You seem to be signing your launchd property list (com.wazuh.agent.plist) as code. That doesn’t actually do anything useful and I recommend that you not do it.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
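What the `AssociatedBundleIdentifiers` suggestion looks like in a launchd property list, together with a small lint pass a packaging script can run before the plist is shipped. This is an added example, not from the thread or the Wazuh project: the label, program path and bundle identifiers are constructed placeholders, and the checks (Label, Program/ProgramArguments, a reverse-DNS-shaped AssociatedBundleIdentifiers value given either as a string or an array) are my own choice of what to verify, not an Apple-documented validator. Note that the plist file itself is only data: it is not codesigned, in line with the answer above.

```python
"""Launchd property list carrying AssociatedBundleIdentifiers, plus a lint pass.

Added example (not from the forum thread or the Wazuh project). Label, paths
and bundle identifiers below are constructed placeholders.
"""
import plistlib
import re
from xml.parsers.expat import ExpatError

# Constructed daemon plist. AssociatedBundleIdentifiers names the app (by
# bundle ID) that the Login Items UI should show as responsible for this job.
GOOD_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.example.agent</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Library/Example/bin/agentd</string>
        <string>--foreground</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <true/>
    <key>AssociatedBundleIdentifiers</key>
    <array>
        <string>com.example.agent.app</string>
    </array>
</dict>
</plist>
"""

# Loose reverse-DNS shape: two or more dotted labels of letters, digits, hyphens.
BUNDLE_ID_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def make_plist(label, program_args, associated_ids=None):
    """Build a minimal daemon plist; associated_ids=None omits the key."""
    job = {"Label": label, "ProgramArguments": list(program_args), "RunAtLoad": True}
    if associated_ids is not None:
        job["AssociatedBundleIdentifiers"] = associated_ids
    return plistlib.dumps(job)


def check_launchd_plist(data):
    """Return a list of findings; an empty list means the plist passes."""
    try:
        job = plistlib.loads(data)
    except (plistlib.InvalidFileException, ExpatError, ValueError) as exc:
        return [f"not a valid property list: {exc}"]
    if not isinstance(job, dict):
        return ["top-level object is not a dictionary"]
    findings = []
    if "Label" not in job:
        findings.append("missing Label")
    if "Program" not in job and "ProgramArguments" not in job:
        findings.append("missing Program/ProgramArguments")
    ids = job.get("AssociatedBundleIdentifiers")
    if ids is None:
        findings.append("missing AssociatedBundleIdentifiers: Login Items "
                        "cannot attribute this job to an app")
        return findings
    if isinstance(ids, str):  # accept a single string as well as an array
        ids = [ids]
    if not isinstance(ids, list):
        findings.append("AssociatedBundleIdentifiers must be a string or array")
        return findings
    for entry in ids:
        if not isinstance(entry, str) or not BUNDLE_ID_RE.match(entry):
            findings.append(f"AssociatedBundleIdentifiers entry {entry!r} is not a bundle identifier")
    return findings


if __name__ == "__main__":
    samples = [
        ("good", GOOD_PLIST),
        ("no-ids", make_plist("com.example.agent", ["/usr/local/bin/agentd"])),
        ("bad-id", make_plist("com.example.agent", ["/usr/local/bin/agentd"], ["Example Agent"])),
    ]
    for name, data in samples:
        print(name, check_launchd_plist(data) or "OK")
```

The lint runs anywhere Python does, so it can sit in the packaging script next to `sign_pkg`; on the target Mac the same plist is still verified by `plutil -lint` and the job loaded with `launchctl` as usual.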
