Distributing Applications Outside the Mac App Store

In some cases, you may want to distribute an application outside the Mac App Store. Because that application won’t be distributed through the Mac App Store, use a Developer ID certificate to give your users assurance that you’re an Apple-identified developer.

Mac users have the option of turning on Gatekeeper, a security feature that gives users the ability to install software only from the Mac App Store and identified developers. If your application isn’t signed with a Developer ID certificate issued by Apple, it won’t launch on a Mac that has Gatekeeper enabled. To avoid this situation, sign your applications and installer packages using a Developer ID certificate. Also, thoroughly test the end-user experience using a Gatekeeper-enabled Mac before distributing your application outside of the Mac App Store.

This chapter describes the Xcode steps to create and test Developer ID-signed applications for distribution outside of the Mac App Store.

Creating Developer ID-Signed Applications or Installer Packages

Creating a Developer ID-signed application or installer package is a multistep process. First you tell Xcode that you intend to distribute your application outside of the Mac App Store and then request Developer ID certificates. There are two types of Developer ID certificates: a Developer ID Application is used to sign applications, and a Developer ID Installer is used to sign installer packages. Using Xcode, you export and sign an archive of your application using the Developer ID Application certificate. You can also use command-line utilities to sign an installer package using the Developer ID Installer certificate.

Setting the Code Signing Identity to Developer ID

First set the code signing identity in the General pane to Developer ID.

To set the signing identity to Developer ID
  1. In the project navigator, select the target to display the project editor.

  2. Click General and, if necessary, click the disclosure triangle next to Identity to reveal the settings.

  3. Verify that your bundle ID is unique.

  4. Under Signing, select Developer ID as the signing identity.

  5. If necessary, choose your team or “Add an Account” from the Team pop-up menu.

    A warning message and Fix Issue button may appear below the Team pop-up menu. You don’t use a team provisioning profile when signing your app with a Developer ID certificate, so you can ignore this message.

You can’t use key technologies and services if you distribute outside of the Mac App Store. If you enable a capability in the Capabilities pane, as described in “Adding Capabilities,” the Signing radio button reverts to Mac App Store.

Requesting Developer ID Certificates

You use signing certificates that begin with the text “Developer ID” to distribute your application outside the Mac App Store.

When you refresh provisioning profiles for the first time, as described in “Refreshing Provisioning Profiles in Xcode,” Xcode asks whether to request all types of certificates on your behalf. Be sure to select the Developer ID certificates from the Certificates Not Found dialog and click Request.


Otherwise, use Accounts preferences to specifically request any missing Developer ID certificates, described in “Requesting Signing Identities.”

To use these certificates, you also need the Developer ID Certification Authority intermediate certificate, which Xcode installs in your keychain for you. If you’re missing this intermediate certificate, read “Installing Missing Intermediate Certificate Authorities” to restore it.

You should immediately back up your Developer ID signing identities after creating them, as described in “Exporting Your Developer Profile.”

If you want multiple Developer ID certificates, read “Requesting Additional Developer ID Certificates.”

Verifying Your Steps

To verify your steps, view your Developer ID certificates in Accounts preferences, as described in “Viewing Signing Identities and Provisioning Profiles.”


Code Signing Your Application

Optionally, code sign your application during development and testing using the Developer ID Application certificate. Later, you re-sign the application with this certificate when you archive and export it from Xcode.

To code sign an application with your Developer ID Application certificate
  1. In the Xcode project editor, select the target.

  2. Click Build Settings.

  3. Click All.

  4. Type Code Signing in the search field in the Build Settings pane of the project editor.

    The list of build settings now shows only the Code Signing settings.

  5. From the Code Signing Identity pop-up menu, choose your Developer ID Application certificate.

  6. Click Run.

Exporting a Developer ID-Signed Application

To export your application for distribution outside of the Mac App Store, use the Archives organizer.

To create a Developer ID-signed application
  1. In Xcode, choose Product > Archive.

    Xcode constructs an archive containing your code-signed application and opens the Organizer window, showing the archive.

  2. Select the newly created archive in the Organizer window, and click Distribute.

  3. In the dialog that appears offering a choice of distribution methods, select Export Developer ID-signed Application, and click Next.

  4. Choose your Developer ID certificate name from the Developer ID pop-up menu, and click Export.

    If you’re an individual developer, your name appears in the pop-up menu; otherwise, your company name appears in the pop-up menu.

  5. Enter a filename and location to save the signed application, and click Save.

Signing an Installer Package

If you want to distribute your application outside the Mac App Store as part of an installer package, create the package as you normally do. One way to create the installer package is to use the packagemaker(1) command-line utility. Code sign the package with your Developer ID Installer certificate using the productsign command. To test your installer package, use the following command, replacing MyPackageName.pkg with the filename of your package:

spctl -a -v --type install MyPackageName.pkg

If your development process includes code signing from the command line, read Code Signing Guide.
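As an added example (not code from Apple's guide), the following script wraps the productsign and spctl steps above and turns the spctl verdict into an exit status that a build pipeline can check. It assumes an unsigned package, a "Developer ID Installer: …" identity in the login keychain (the identity name shown is a placeholder), and that the verdict text has the shape the guide shows; newer systems print "source=Notarized Developer ID", which is also accepted.

```shell
#!/bin/sh
# Added example, not from Apple's guide: sign an installer package with the
# Developer ID Installer identity and check the Gatekeeper assessment verdict.

# parse_assessment reads the text spctl prints and returns 0 only when the
# item was accepted AND the accepting rule is Developer ID. Any other verdict
# (rejected, or accepted by some other rule) returns 1.
parse_assessment() {
  printf '%s\n' "$1" | grep -q ': accepted$' || return 1
  printf '%s\n' "$1" | grep -Eq '^source=(Notarized )?Developer ID$' || return 1
}

# assess runs the Gatekeeper assessment the guide describes (macOS only).
# spctl writes its verdict to stderr, so both streams are captured.
# $1 = install (for .pkg) or execute (for .app), $2 = path to the item
assess() {
  verdict=$(spctl -a -v --type "$1" "$2" 2>&1) || true
  printf '%s\n' "$verdict"
  parse_assessment "$verdict"
}

# sign_pkg wraps productsign (macOS only).
# $1 = unsigned package, $2 = signed output package, $3 = identity common name
sign_pkg() {
  productsign --sign "$3" "$1" "$2"
}

# Constructed sample verdicts in the format the guide shows, used to exercise
# parse_assessment without a Mac.
ACCEPTED_SAMPLE='./MyPackageName.pkg: accepted
source=Developer ID'
REJECTED_SAMPLE='./MyPackageName.pkg: rejected
source=no usable signature'

# Usage on macOS (placeholder identity name; not run here):
#   sign_pkg MyPackageName-unsigned.pkg MyPackageName.pkg \
#       "Developer ID Installer: Example Corp (TEAMID)" \
#   && assess install MyPackageName.pkg
```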

Verifying Your Steps

Before you distribute your application, test the end-user experience by launching your application with Gatekeeper enabled and disabled. You can enable and disable Gatekeeper using System Preferences. You can also use the spctl(8) command-line utility to verify and test Gatekeeper. To simulate the end-user experience, you need to quarantine your application and test it again with Gatekeeper enabled.

Enabling and Disabling Gatekeeper

You turn on and off Gatekeeper by using the Security & Privacy preferences in System Preferences. You can turn off Gatekeeper and verify the status of Gatekeeper using the spctl(8) command-line utility.

To enable or disable Gatekeeper using the Security & Privacy preferences
  1. In the Finder, launch System Preferences and select Security & Privacy.

  2. Click the lock button if it appears locked, and enter the administrator password.

  3. To enable Gatekeeper, select “Mac App Store and identified developers.”

  4. To disable Gatekeeper, select Mac App Store or Anywhere.

To disable Gatekeeper using the spctl command
  1. In Terminal, enter the following command:

    $ sudo spctl --master-disable
  2. Press Return.

  3. When prompted, enter your administrator password.

To confirm that Gatekeeper is enabled using the spctl command
  1. In Terminal, enter the following command:

    $ spctl --status
  2. Press Return.

    If Gatekeeper is enabled, the output of this command is:

    assessments enabled

    If Gatekeeper is disabled, the output of this command is:

    assessments disabled

Testing Gatekeeper Behavior

After signing your application with a Developer ID certificate, you can test whether it was signed correctly and simulate the launch behavior of your application when Gatekeeper is enabled. On a Mac with Gatekeeper enabled, a quarantined copy of your application launches only if it’s Developer ID signed. (Learn about quarantine in this Knowledge Base article.) You can also test the behavior of Gatekeeper for an application that isn’t Developer ID signed.

Testing a Developer ID-Signed Application

You can use the spctl command-line utility to test whether your application is signed correctly using a Developer ID certificate.

To test your Developer ID-signed application
  1. Enable Gatekeeper on your test Mac by selecting “Mac App Store and identified developers” from the Security & Privacy preferences in System Preferences.

  2. Enter the following command in Terminal, replacing TrackMix.app with the path to your application.

    $ spctl -a -v TrackMix.app
  3. Press Return.

    If the application is correctly signed, the output of this command is:

    ./TrackMix.app: accepted
    source=Developer ID

Testing the Launch Behavior

To thoroughly test your Developer ID-signed application, simulate launching the application on a Mac not used for development.

To prepare for testing Gatekeeper behavior
  1. Enable Gatekeeper on your test Mac, as described in “Enabling and Disabling Gatekeeper.”

  2. Quarantine a copy of your Developer ID–signed application. You can do this in either of the following ways:

    • Email your Developer ID–signed application to yourself and use the copy that Mail downloads.

    • Host your Developer ID–signed application on your own local or remote server and use the copy that Safari downloads.

You’re ready to test Gatekeeper behavior.
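Mailing the app to yourself or downloading it through Safari are the two ways the guide gives for quarantining a copy. As an added example (not from Apple's guide), the script below does the same thing on the command line by writing the com.apple.quarantine extended attribute to a copy of the bundle, which is handy when the test has to be repeated often or scripted. It assumes TrackMix.app from the guide; the attribute layout (flags;hex-epoch;agent;uuid) is the one LaunchServices writes for downloads, and the flags word used is a constructed typical value.

```shell
#!/bin/sh
# Added example, not from Apple's guide: quarantine a copy of an app with
# xattr so Gatekeeper treats it like a download, then assess it with spctl.

# build_quarantine_value composes a com.apple.quarantine value.
# $1 = downloading agent name, $2 = download time as epoch seconds,
# $3 = optional UUID (generated with uuidgen when omitted)
build_quarantine_value() {
  flags=0081        # typical flags word for a web download (assumption)
  stamp=$(printf '%x' "$2")
  uuid=${3:-$(uuidgen 2>/dev/null || echo 00000000-0000-0000-0000-000000000000)}
  printf '%s;%s;%s;%s' "$flags" "$stamp" "$1" "$uuid"
}

# quarantine_agent returns the agent field of a quarantine value, e.g. to
# confirm that the copy under test really carries the attribute.
quarantine_agent() {
  printf '%s' "$1" | cut -d';' -f3
}

# quarantine_copy duplicates the bundle and tags the copy (macOS only).
# $1 = source bundle, $2 = destination path for the quarantined copy
quarantine_copy() {
  cp -R "$1" "$2"
  xattr -w com.apple.quarantine \
    "$(build_quarantine_value Safari "$(date +%s)")" "$2"
  xattr -p com.apple.quarantine "$2"   # prints the value just written
}

# Usage on macOS (not run here):
#   quarantine_copy TrackMix.app /tmp/TrackMix.app
#   spctl -a -v /tmp/TrackMix.app   # expect "accepted" and "source=Developer ID"
#   open /tmp/TrackMix.app          # expect the identified-developer alert
```

Opening the copy once through the alert clears its quarantine, so make a fresh copy for each run.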

To test Gatekeeper behavior for your Developer ID-signed application
  • In the Finder, locate the quarantined copy of your Developer ID–signed application and double-click its icon.

    The Mac displays an alert asking whether you’re sure you want to open the application.

    This alert, which allows you to open the quarantined application with Gatekeeper enabled, confirms that your Developer ID application is built correctly.

To test Gatekeeper behavior for blocking applications that aren’t Developer ID signed
  1. Enable Gatekeeper on your test Mac, as described in “Enabling and Disabling Gatekeeper.”

  2. Quarantine a copy of your application that isn’t Developer ID signed.

    As before, you can invoke quarantine on this copy of your application in either of the following ways:

    • Email your application to yourself and use the copy that Mail.app downloads.

    • Host your application on your own local or remote server and use the copy that Safari downloads.

  3. In the Finder, locate the quarantined copy of your non-Developer ID-signed application and double-click its icon.

    The Mac displays an alert that blocks you from opening the application. By way of this alert, Gatekeeper protects a Mac by preventing first-time opening of applications from unidentified developers. Applications previously opened by a user are no longer quarantined, and Gatekeeper doesn’t prevent them from launching.

Recap

In this chapter, you learned how to distribute your Mac application outside of the Mac App Store so that users won’t block your app from launching.