Getting past the unidentified developer problem

Question

Created Jun ’22

Replies 4

Boosts 0

Views 1.3k

Participants 3

We have an application written in C and C++ that runs on Windows, Linux, and Mac. Recently a customer trying to install it on macOS Monterey received a message saying "cannot be opened because it is from an unidentified developer".

To deal with this my company has joined the Apple Developer Program. So my question is how do we make use of that membership to get past this problem?

Of the three platforms mentioned above, Mac accounts for the fewest customers, so we're not Mac experts. The software is built using Xcode but with makefiles that directly invoke clang or clang++. The finished product is packaged into a .dmg file.

Note that we're not intending to put this software into the App Store.

Boost

Answer 1

Brigitte OP

Jun ’22

You have to sign the app and then notarize the app. Further informations you can find here: https://developer.apple.com/developer-id/

Greetings Brigitte

0

Answer 2

Brigitte OP

Jun ’22

You don't need a Xcode - Project, but within Xcode codesigning and notarization are much easier than in a separate Workflow. The decisive terminal commands are 'codesign' for signing and 'altool' for notarization. There are man-pages for the commands and a good documentation for manual codesigning: https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html

With codesigning you will get rid of the 'unidentified developer' message, but without notarization Gatekeeper still won't let you through, because your app isn't checked for malware. That is what notarization does.

Please keep in mind that 'altool' will stop working in fall 2023. There will be a replacement for it, but I haven't tried that yet (and forgot the name).

Good luck Brigitte

0

Answer 3

galad87 OP

Jun ’22

Yes, code sign first then notarise. There are some useful topics here on this forum too:

https://developer.apple.com/forums/thread/707080 https://developer.apple.com/forums/thread/707377

0

Answer 4

dcoup OP

Jul ’22

Our main Apple account holder initiated the process to generate a certificate for the "Developer ID Installer" option. To finish that, he needed a Certificate Signing Request file, which I generated on the Mac itself. He then used that file to create a .cer file, which I imported on the Mac by double clicking the file.

But I'm not sure what to do next, and I'm wondering if we missed something or did something wrong. For one thing, when I click on what I think is the certificate in Keychain Access, a message in red says it's not trusted. Plus what exactly do I need to specify in the codesign command for it to access what is (or should be) in the key chain? The documentation says it wants a "signing identity", but what exactly is that? What should I be looking for in the key chain?

Note that when I created the Certificate Signing Request file, I specified my Apple login. When our main account holder created the .cer file, he of course would have done it using his login. These two logins are both supposed to be associated with the same team, but could that be part of the difficulty?

0