Getting a public service app not to send scary messages

I’ve developed a macOS app, but I’ve had trouble using a script to fully codesign it and package it into a .dmg file. I was only able to complete codesigning using the third-party app itself—not via command-line scripts.

Is it possible to write a script that automates the entire process of codesigning the app?

To provide the best user experience for those downloading the app outside of the Mac App Store, is it correct to first package it as a .app and then wrap that into a .dmg file for distribution?

Currently, the app is available on the web as a .dmg. When downloaded, it appears in a folder and can be double-clicked to launch. However, macOS displays a warning that it was downloaded from the internet. Can I use a script to remove that quarantine warning?

If possible, I’d appreciate a step-by-step explanation and a sample command-line script to:

Codesign the app properly

Package it into a signed .dmg

Remove the quarantine attribute for local testing or distribution

Is the reason I was only able to codesign it inside the third-party app due to how that app was built, or can this always be done from the command line?

Answered by DTS Engineer in 834939022
Written by Micki in 834836022
The warning just says it is an app downloaded from the internet and do you want to proceed.

If Gatekeeper presents an alert and lets the user easily proceed, that’s the expected behaviour for apps that are directly distributed. Apple Support has an article, Safely open apps on your Mac, that explains this process.

Written by Micki in 834836022
Which is the best?

I generally recommend that you sign everything from the inside out and then notarise your outermost container. So, sign your app, sign your disk image, notarise your disk image, and then staple your disk image.

Note It’s better to reply in a reply rather than in the comments. If you reply in the comments, I can’t quote you nicely )-:

Otherwise, it misses the MicrosoftCSharp.dll.

That sounds like something you should raise with your tool vendor.

For context, .dll files are not considered code by Apple’s code signing infrastructure. Given that, you should expect them to be packaged inside your app’s bundle as data, that is, somewhere within Contents/Resources. See the discussion of scripts in Placing Content in a Bundle.


Finally, some general links.

We have detailed instructions for signing a Mac product outside of Xcode in:

And there are links to many other docs and resources in the Trusted Execution Resources post.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
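The inside-out order recommended above (sign the app, sign the disk image, notarise the disk image, staple the disk image), written out as the kind of command-line script the question asks for. This is an added example, not Quinn's code and not Apple's own instructions. Everything configurable is an assumption: the Developer ID identity string, the notarytool keychain profile name, the optional ENTITLEMENTS file, and a conventional bundle layout (Contents/MacOS, Contents/Frameworks, Contents/Resources). DRY_RUN=1 prints each command instead of running it, which is also how the script can be exercised on a machine without the Apple tools.

```shell
#!/bin/sh
# Added example, not Quinn's or Apple's code. Signs a directly-distributed
# app inside out, wraps it in a disk image, then signs, notarizes, staples
# and verifies the image. Assumptions: the identity string, the notarytool
# keychain profile name, the optional ENTITLEMENTS file, and a conventional
# bundle layout (Contents/MacOS, Contents/Frameworks, Contents/Resources).
set -eu

IDENTITY="${IDENTITY:-Developer ID Application: Example Corp (TEAMID1234)}"  # hypothetical
NOTARY_PROFILE="${NOTARY_PROFILE:-notary-profile}"  # made with: xcrun notarytool store-credentials
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints each command instead of running it

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Nested code that must be signed before the outer bundle: dynamic libraries
# anywhere under Contents/ plus nested bundles, deepest paths first. .dll
# files are data to codesign, not code, so they are deliberately not listed;
# the main executable is covered when the .app itself is signed.
nested_code() {
    {
        find "$1/Contents" -type f \( -name '*.dylib' -o -name '*.so' \)
        find "$1/Contents" -type d \( -name '*.framework' -o -name '*.app' \
            -o -name '*.appex' -o -name '*.xpc' -o -name '*.bundle' \)
    } | awk -F/ '{ print NF "\t" $0 }' | sort -rn | cut -f2-
}

sign_code() {
    run codesign --force --options runtime --timestamp --sign "$IDENTITY" "$1"
}

sign_app() {
    app="$1"
    nested_code "$app" | while IFS= read -r item; do sign_code "$item"; done
    if [ -n "${ENTITLEMENTS:-}" ]; then
        # The hardened runtime blocks JIT; a .NET app needs an entitlements
        # plist granting, for example, com.apple.security.cs.allow-jit.
        run codesign --force --options runtime --timestamp \
            --entitlements "$ENTITLEMENTS" --sign "$IDENTITY" "$app"
    else
        sign_code "$app"
    fi
}

make_dmg() {
    app="$1"; dmg="$2"; volname="$3"
    staging="$(mktemp -d)"
    run cp -R "$app" "$staging/"
    run ln -s /Applications "$staging/Applications"   # drag-to-install target
    run hdiutil create -volname "$volname" -srcfolder "$staging" -ov -format UDZO "$dmg"
    rm -rf "$staging"
}

sign_notarize_staple_dmg() {
    dmg="$1"
    run codesign --force --timestamp --sign "$IDENTITY" "$dmg"
    run xcrun notarytool submit "$dmg" --keychain-profile "$NOTARY_PROFILE" --wait
    run xcrun stapler staple "$dmg"
}

verify() {
    app="$1"; dmg="$2"
    run codesign --verify --deep --strict --verbose=2 "$app"
    # Gatekeeper's own verdict on the image, as a user's Mac would assess it
    run spctl --assess --type open --context context:primary-signature --verbose "$dmg"
}

# Local testing only: drop the quarantine flag so Gatekeeper does not assess
# the copy on your own machine. It does nothing for end users, whose browser
# re-applies quarantine on download; the stapled notarization ticket is what
# gets them the friendlier prompt instead of an outright block.
unquarantine() {
    run xattr -dr com.apple.quarantine "$1"
}

pipeline() {
    app="$1"; dmg="$2"
    sign_app "$app"
    make_dmg "$app" "$dmg" "$(basename "$app" .app)"
    sign_notarize_staple_dmg "$dmg"
    verify "$app" "$dmg"
}

# Usage: sh sign-and-ship.sh /path/to/MyApp.app /path/to/MyApp.dmg
if [ "$#" -eq 2 ]; then
    pipeline "$1" "$2"
fi
```

Two things worth checking before relying on it: run `nested_code` on your own bundle and confirm the list is exactly the native code you expect (a .NET publish output typically drops many .dylib files next to the .dll files in Contents/MacOS, and only the former should appear), and keep `unquarantine` out of the shipping path, since the quarantine flag on a user's download is set by their browser, not by anything in your image.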

Can you clarify the warning? Does it say the app was downloaded from the internet and no malware was found? Or does it say something worse?

If this is an app downloaded from the internet, then it's going to say it was downloaded from the internet. No way around that unless you want to put it in the Mac App Store.

If it is just an app, then there is no reason to put it inside a DMG. Just compress it into a zip file.

I have no idea what you mean by "complete codesigning using the third-party app itself—not via command-line scripts".

Are you saying that you didn't use Xcode to build the app? If so, then you're on your own. You are totally at the mercy of whatever tool you are using to build the app. These things are a single button click in Xcode.

The warning just says it is an app downloaded from the internet and do you want to proceed. The app was built in C# in VS Code. That directly translates to Xcode, does it not? I want the best user experience possible. I can make an app, sign it, make a dmg, sign it and notarize it. I can make a dmg and sign and notarize it. Which is the best?
