Is it possible to code sign a screensaver?

I'd like to share a screensaver I developed (for OSX) but I couldn't find a way to code-sign it. Without it, it is almost impossible to install on other machines due to 'Gatekeepr' warnings. (right click & `open` works, but most people don't know about it.)


Any ideas on code-signing or distribution alternatives? I'm simply sending the .saver bundle at the moment

Xcode is quite capable of signing a screen saver, or any other bundle for that matter. It has no high-level code signing UI for bundles, but you can tweak the code signing build settings directly. AFAICT you just need to set Code Signing Identity to Developer ID (

CODE_SIGN_IDENTITY = Developer ID Application
).

Whether that resolves your Gatekeeper warnings is something you’ll have to test for yourself (I don’t spend a lot of time working on screen savers myself).

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Adding to the prior excellent advice, here's additional info on notarization:


You can’t notarize the .saver directly, but you can in a round-about-way notarize a ZIP file, which is how I distribute my screen saver. Here are the steps I use for my simple saver, your mileage will undoubtably vary:


  • /usr/bin/codesign -f -o runtime --timestamp --sign “insert Developer ID Installer certificate identifier here” XYZZY.saver
  • compress the code signed .saver e.g. XYZZY.saver.zip
  • /usr/bin/xcrun altool --verbose --notarize-app --primary-bundle-id “insert identifier here" -u “xyzzy@plugh.com" -p “insert app-specific PW for your Apple ID here" -t osx -f XYZZY.saver.zip
  • Aside: store the App-specific password in your keychain and reference it from the command line like this:

    /usr/bin/xcrun altool --store-password-in-keychain-item "AC_PASSWORD" -u xyzzy@plugh.com -p “insert App-specific PW from Apple here”

  • wait for notarization, check status like this:

    /usr/bin/xcrun altool --notarization-history 0 -u “xyzzy@plugh.com" -p "@keychain:AC_PASSWORD”

  • While you can notarize a ZIP archive, you can’t staple the notarization ticket to it directly. Instead, run stapler against each individual item that you originally added to the archive. Then create a new ZIP file containing the stapled items for distribution.
    • /usr/bin/xcrun stapler staple XYZZY.saver
    • Re-zip the saver and distribute

This is the only post I've been able to find which explains how to sign screensavers, thanks!


I am having some trouble using the installer certificate in the first step.

"security find-identity -p codesigning" only shows "Apple Development: My Name"

But "security find-identity" also shows my "Developer ID Installer" certificate (listed under X.509 Basic)


Do you know how to add the installer certificate to use it with codesigning? I tried "security add-trusted-cert" but couldn't get it to work. I was able to sign in the first step with the Apple Development certificate, but then the notarization was rejected (maybe because I didn't use the installer certificate).


Also, I am a bit confused by the final step. It seems you notarize a .zip file, but then you make a different .zip file in the final step?

I’ve posted a bunch of advice that applies here, including:

The first step in this process is to decide on your outermost container format. What type of file do you want your users to download? Once you make that decision, everything else falls out as a consequence of that.

For example, if you’re not using an installer package, your

Developer ID Installer
signing identity is irrelevant. You will only need your
Developer ID Application
one.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

hello, want to share how i'll do it in 2023....

sudo codesign --timestamp --options=runtime -s "Developer ID Application: John Doe (XXXXXXXXXX)" -v XX.saver

zip the file...

xcrun altool --verbose --notarize-app --primary-bundle-id "com.xxxxxx.Xx" --username "xxxatxx.***" --password "xxxx-xxxx-xxxx-xxxx" -itc_provider ***00000 -t osx -f XX.saver.zip

check status.... if ok delete the .zip

xcrun stapler staple XX.saver

zip the file again and you're done... upload and share where you want

...store this as a script in the same folder where you have your screensaver... M.

Some feedback:

sudo codesign …

Don’t use sudo when code signing; it causes more problems than it solves. I touch on this in Resolving errSecInternalComponent errors during code signing.

codesign … --options=runtime

The hardened runtime flag is not necessary for a screen saver because it’s not a main executable. I define that term and explain how it affects code signing in Creating Distribution-Signed Code for Mac.

xcrun altool

altool is deprecated for the purposes of notarisation and will stop working in late 2023. Please switch to notarytool. For specific advice on how to do this, see TN3147 Migrating to the latest notarization tool.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Is it possible to code sign a screensaver?
 
 
Q