Getting past the unidentified developer problem

We have an application written in C and C++ that runs on Windows, Linux, and Mac. Recently a customer trying to install it on macOS Monterey received a message saying "cannot be opened because it is from an unidentified developer".

To deal with this my company has joined the Apple Developer Program. So my question is how do we make use of that membership to get past this problem?

Of the three platforms mentioned above, Mac accounts for the fewest customers, so we're not Mac experts. The software is built using Xcode but with makefiles that directly invoke clang or clang++. The finished product is packaged into a .dmg file.

Note that we're not intending to put this software into the App Store.

Up vote post of dcoup Down vote post of dcoup
1.1k views
Posted by
dcoup
Reply
Add a Comment

Replies

You have to sign the app and then notarize the app. Further informations you can find here: https://developer.apple.com/developer-id/

Greetings Brigitte

Posted by
Brigitte
Up vote reply of Brigitte Down vote reply of Brigitte

  • So it seems to come down to generating a developer ID certificate and then assigning that certificate to the application. Is that correct? Is there a command that can do this assignment? We don't have any Xcode projects for this software; we just use makefiles.

    The information also talks about notarizing the application. Is that necessary to avoid this "unidentified developer" message?

    dcoup
Add a Comment

You don't need a Xcode - Project, but within Xcode codesigning and notarization are much easier than in a separate Workflow. The decisive terminal commands are 'codesign' for signing and 'altool' for notarization. There are man-pages for the commands and a good documentation for manual codesigning: https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html

With codesigning you will get rid of the 'unidentified developer' message, but without notarization Gatekeeper still won't let you through, because your app isn't checked for malware. That is what notarization does.

Please keep in mind that 'altool' will stop working in fall 2023. There will be a replacement for it, but I haven't tried that yet (and forgot the name).

Good luck Brigitte

Posted by
Brigitte
Up vote reply of Brigitte Down vote reply of Brigitte
Add a Comment

Yes, code sign first then notarise. There are some useful topics here on this forum too:

https://developer.apple.com/forums/thread/707080 https://developer.apple.com/forums/thread/707377

Posted by
galad87
Up vote reply of galad87 Down vote reply of galad87
Add a Comment

Our main Apple account holder initiated the process to generate a certificate for the "Developer ID Installer" option. To finish that, he needed a Certificate Signing Request file, which I generated on the Mac itself. He then used that file to create a .cer file, which I imported on the Mac by double clicking the file.

But I'm not sure what to do next, and I'm wondering if we missed something or did something wrong. For one thing, when I click on what I think is the certificate in Keychain Access, a message in red says it's not trusted. Plus what exactly do I need to specify in the codesign command for it to access what is (or should be) in the key chain? The documentation says it wants a "signing identity", but what exactly is that? What should I be looking for in the key chain?

Note that when I created the Certificate Signing Request file, I specified my Apple login. When our main account holder created the .cer file, he of course would have done it using his login. These two logins are both supposed to be associated with the same team, but could that be part of the difficulty?

Posted by
dcoup
Up vote reply of dcoup Down vote reply of dcoup
Add a Comment