Two days ago, Apple updated its Technote 2206 with a new paragraph on changes in OS X 10.9.5 and Yosemite DP5:

Beginning with OS X version 10.9.5, there will be changes in how OS X recognizes signed apps. Version 1 signatures created with OS X versions prior to Mavericks will no longer be recognized by Gatekeeper and are considered obsolete.

Apple further emphasizes:

Important: For your apps to run on updated versions of OS X they must be signed on OS X version 10.9 or later and thus have a version 2 signature.

Apple also suggests what you can do if you build on older versions of OS X and distribute outside the Mac App Store:

If your team is using an older version of OS X to build your code, re-sign your app using OS X version 10.9 or later using the codesign tool to create version 2 signatures. Apps signed with version 2 signatures will work on older versions of OS X.

Pretty straightforward. Now what about apps on the Mac App Store?

If your app is on the Mac App Store, submit your re-signed app as an update.

Does that mean that Mac App Store apps submitted with a v1 signature will stop working on 10.9.5 and later?

I quickly ran some tests:

While this works now, it's not clear to me whether apps submitted with a v1 code signature will continue to be available on the Mac App Store and continue to work fine with OS X 10.9.5 and later.

I prefer to be safe, not sorry, so I stick to what the Technote says (or seems to say), which is to submit an update with a v2 code signature.

From the Technote, it's not really obvious how to do this for apps that have to be built on OS X 10.8 and earlier. Apple makes it clear that trying to use a copy of Mavericks' version of codesign on your build machine won't solve this:

The actual code signing machinery is part of the operating system, not the codesign tool. It will not work to copy the codesign tool from Mavericks to an older OS X version.

Currently I have to build parts of Remote Buddy in Xcode 3 running on OS X 10.6.8.

Up to this date, this has never been a problem since I could still submit updates to the special Mac App Store version right from within Xcode 3.

The only way to obtain a v2 signature is by code signing under 10.9, but since Xcode 3 doesn't run on anything newer than 10.6.8, I'll have to separate the build process from the signing, packaging and submission process.

Here's what I'm doing now:

  1. Build Remote Buddy Express on OS X 10.6.8 as usual.
  2. Copy the built app to a Mac running OS X 10.9.
  3. Run a script (SignAndPackageForMAS.sh, more on that later) that signs the app and packages it as a signed pkg file ready for submission to the Mac App Store.
  4. Use Application Loader (Xcode > Open Developer Tool > Application Loader) to submit the package (pkg) file to the Mac App Store.

A copy of SignAndPackageForMAS.sh that you can adjust to your needs can be found at the end of this post or directly in this gist. For most apps, you should only have to change the names of your signing identities and paths in the Configuration section to match your own setup.

What the script does is search for Cocoa bundles and frameworks inside your application and sign those before signing the application itself. It then uses productbuild to create a signed package ready for submission to the Mac App Store.

If your app contains other types of binaries, be sure to sign these before signing the app bundle itself, starting with the binaries located at the deepest filesystem level and working your way up to the highest filesystem level.
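The two-machine workflow above (build on 10.6.8, sign and package on 10.9) as an added example of a signing script; this is not the author's SignAndPackageForMAS.sh, and the app path, team name and team ID are placeholders to replace with your own. It signs nested code deepest path first, then the app, then builds the pkg with productbuild.

```bash
#!/bin/sh
# Added example, not the original SignAndPackageForMAS.sh. Run on OS X 10.9+
# so the OS produces version 2 signatures. Identity names are placeholders.
set -eu

# --- Configuration (adjust to your own identities) -------------------------
APP_IDENTITY="3rd Party Mac Developer Application: EXAMPLE NAME (TEAMID)"
PKG_IDENTITY="3rd Party Mac Developer Installer: EXAMPLE NAME (TEAMID)"
# --preserve-metadata keeps the identifier, entitlements and designated
# requirement already embedded by the Xcode 3 build when re-signing.
CODESIGN_OPTS="--force --verbose --preserve-metadata=identifier,entitlements,requirements"

# List every nested framework/bundle/XPC service/helper app/dylib inside the
# app, deepest path first, so each item is signed before its enclosing bundle.
nested_code_paths() {
  find "$1/Contents" \( -name '*.framework' -o -name '*.bundle' \
       -o -name '*.xpc' -o -name '*.app' -o -name '*.dylib' \) -print \
    | awk -F/ '{ print NF "\t" $0 }' | sort -rn | cut -f2-
}

# Sign nested code, then the app bundle itself, then verify the result.
sign_app() {
  app="$1"
  nested_code_paths "$app" | while IFS= read -r item; do
    # shellcheck disable=SC2086  (word splitting of CODESIGN_OPTS is intended)
    codesign $CODESIGN_OPTS --sign "$APP_IDENTITY" "$item"
  done
  codesign $CODESIGN_OPTS --sign "$APP_IDENTITY" "$app"
  codesign --verify --verbose "$app"
}

# Wrap the signed app in an installer package signed for Mac App Store upload.
build_pkg() {
  productbuild --component "$1" /Applications --sign "$PKG_IDENTITY" "$2"
}

# Usage: SignAndPackage.sh /path/to/Example.app  (produces Example.pkg beside it)
if [ "${1:-}" != "" ]; then
  sign_app "$1"
  build_pkg "$1" "${1%.app}.pkg"
fi
```

The resulting pkg is what Application Loader expects; the nested-first ordering matters because re-signing an outer bundle after its contents changed invalidates the outer signature.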

Update: Thanks to feedback from Daniel Jalkut (@danielpunkass), I moved the codesign options to their own variable and added some information on --preserve-metadata.
