codesign every binary?

Hi,


We develop the macOS app bundle for our product. I have a question for other developers/packagers. We codesign every binary and .dylib first before we create the app bundle. The app bundle is then codesigned again and notarised. I wanted to know if it's a must to code sign every binary, or whether simply code signing the application is enough?

Replies

Do the minimum that you can get away with. In most cases, you will have to sign everything so you can run and test. Then when you submit, either via Mac App Store or Developer ID, you will have to submit with an appropriate signature. If you weren't already using the appropriate signature, then you will have to re-sign. But you could have been signing everything with Developer ID and then there is little else to do. Xcode might re-sign when you submit, but there is no harm in that. However, in some rare cases, you may need to sign some binaries individually. I saw a case just the other day here in the forums where someone was including some funky open-source cryptocurrency miner (as a separate executable) that required some special entitlements. The main app didn't need those entitlements. But that was very unusual.

You need to sign every code item, from the inside out. The only exception to this is the main executable of a bundle, where signing the bundle takes care of signing its main executable.

For more info on this, see my Signing a Mac Product For Distribution post.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
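
The inside-out order described in the reply above, as an added example that is not part of the original thread or of Apple's tooling. It assumes code items can be recognised by name and location alone and that a bundle's main executable is named after the bundle; `signing_order`, `print_sign_commands` and the identity string are hypothetical names chosen here.

```shell
#!/bin/bash
# Added example, not from the thread. Lists a bundle's code items inside-out:
# every nested item is printed before the item that contains it.
# Assumptions: code is recognised by name and location only (no Mach-O check),
# and a bundle's main executable is named after the bundle (Demo.app -> Demo).

signing_order() {
    local bundle="${1%/}" path bundle_dir owner
    # find -depth is a post-order walk: contents first, then the directory.
    find "$bundle" -depth | while IFS= read -r path; do
        if [ -L "$path" ]; then continue; fi    # skip symlinks (e.g. Versions/Current)
        case "$path" in
            *.dylib)
                if [ -f "$path" ]; then printf '%s\n' "$path"; fi ;;
            *.framework|*.app|*.xpc|*.appex|*.bundle)
                if [ -d "$path" ]; then printf '%s\n' "$path"; fi ;;
            */Contents/MacOS/*)
                if [ -f "$path" ] && [ -x "$path" ]; then
                    bundle_dir="${path%/Contents/MacOS/*}"   # enclosing bundle
                    owner="${bundle_dir##*/}"; owner="${owner%.*}"
                    # The main executable is the one exception: signing the
                    # bundle signs it, so it is not listed separately.
                    if [ "$path" != "$bundle_dir/Contents/MacOS/$owner" ]; then
                        printf '%s\n' "$path"
                    fi
                fi ;;
        esac
    done
}

# Dry run: print one codesign command per item, in signing order, instead of
# one recursive call. $2 is the signing identity (a placeholder below).
print_sign_commands() {
    signing_order "$1" | while IFS= read -r item; do
        printf 'codesign --sign "%s" --timestamp --options runtime "%s"\n' "$2" "$item"
    done
}

# Stand-alone use: ./order.sh Demo.app "Developer ID Application: EXAMPLE"
if [ "$#" -ge 1 ]; then
    print_sign_commands "$1" "${2:-Developer ID Application: EXAMPLE}"
fi
```

Review the printed commands before running them; items that need their own entitlements, like the separate executable mentioned in the first reply, still need their own options.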
Quinn's post Signing a Mac Product For Distribution mentions another article, "--deep Considered Harmful", but doesn't link to it. It's here: --deep Considered Harmful.

it's here

Thanks for that. Signing a Mac Product For Distribution used to link to it but that was broken by the migration to the new DevForums (r. 64523131)-: And I can’t fix the broken link for other reasons (r. 65175233). I’m hoping that will change soon though (-:

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"