Can users install a DMG with expired codesign cert?

Hi,

I have a question regarding an expired codesign certificate.

Will users be able to install my old app from a DMG when a codesign certificate expires?

I sign the app bundle and then sign the DMG package.

After reading this official information:

https://developer.apple.com/support/certificates/

I don't understand it clearly. Apple declares that an installed app continues to work, but "users can no longer launch installer packages for your Mac applications". Does it mean that an app from a DMG also cannot be mounted and copied to Applications by users?

Quote: "Developer ID Installer Certificate (Mac applications) If your certificate expires, users can no longer launch installer packages for your Mac applications that were signed with this certificate. Previously installed apps will continue to run however new installations won't be possible until you have re-signed your installer package with a valid Developer ID Installer certificate. If your certificate is revoked, users will no longer be able to install applications that have been signed with this certificate."

Answered by Systems Engineer in 693647022

Accepted Answer

Will users be able to install my old app from a DMG when a codesign certificate expires? I don't understand it clearly. Apple declares that an installed app continues to work, but "users can no longer launch installer packages for your Mac applications". Does it mean that an app from a DMG also cannot be mounted and copied to Applications by users?

Since you would sign a disk image (DMG) with a Developer ID signing identity and not a Developer ID Installer identity, you would still be able to use existing DMGs and signed apps that were signed before the identity expired. The Notarization ticket here, if that applies, is equally still valid because it contains a hash of the signature at the time it was valid and signed. Newly signed DMGs and apps with an expired signing identity, no. Also, if this identity gets revoked in any way it will make all signatures invalid.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
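
Editor's added example, not part of the thread or Apple's own code: one way to check on a Mac that an existing DMG still verifies, who signed it, and whether the signature carries a secure timestamp (`codesign -dvv` prints `Timestamp=` for one and `Signed Time=` for a signing time reported only by the signing machine). The function names and the sample `codesign` output are constructed for illustration; `codesign`, `spctl` and `stapler` are the standard macOS tools.

```shell
#!/bin/sh
# Added example: inspect the signature on an existing DMG (macOS only).
# sample_output is a constructed `codesign -dvv` listing so the two
# parsing helpers can be exercised without a real disk image.

sample_output() {
cat <<'EOF'
Identifier=MyApp
Format=disk image
Authority=Developer ID Application: Example Dev (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Sep 21, 2021 at 10:15:30 AM
TeamIdentifier=ABCDE12345
EOF
}

# Reads `codesign -dvv` output on stdin and reports how the signing time
# was recorded: secure-timestamp, self-reported, or none.
sig_time_kind() {
  awk '
    /^Timestamp=/   { secure = 1 }
    /^Signed Time=/ { selfrep = 1 }
    END {
      if (secure) print "secure-timestamp"
      else if (selfrep) print "self-reported"
      else print "none"
    }'
}

# Prints the leaf signer (the first Authority= line in the chain).
leaf_authority() {
  sed -n 's/^Authority=//p' | head -n 1
}

# Runs the real checks against a DMG path.
check_dmg() {
  dmg=$1
  codesign --verify --verbose=2 "$dmg" || return 1      # signature intact?
  info=$(codesign -dvv "$dmg" 2>&1)                     # details go to stderr
  echo "signer:    $(printf '%s\n' "$info" | leaf_authority)"
  echo "sign time: $(printf '%s\n' "$info" | sig_time_kind)"
  # Gatekeeper assessment of the disk image itself
  spctl -a -t open --context context:primary-signature -v "$dmg"
  # Is a notarization ticket stapled to the image?
  xcrun stapler validate "$dmg"
}

# Usage: sh check_dmg.sh /path/to/MyApp.dmg
[ "$#" -eq 0 ] || check_dmg "$1"
```
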

Thanks, Matt!
