How to deliver a code-signed app over the internet?

Launching our code-signed application after downloading its .dmg over the web (HTTPS) using Chrome or Firefox shows that the app "can't be opened because it is from an unidentified developer".


This is surprising because the app is correctly code-signed and is working fine on multiple Macs already. When opening the exact same image and launching the application directly from my local file system (i.e. not downloaded via the web) everything is fine, as expected - no warnings or errors.


Does the .dmg or .app inside get modified or treated differently by the OS if it is downloaded over the web? If so, how can we deliver a code-signed app over the internet?

Replies

Are you signing your .dmg? That’s highly recommended these days. See WWDC 2016 Session 706 What’s New in Security for details.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I suggest keeping some pristine VMs around for testing app on-boarding. There are a number of features that work differently the first time you do them. Clearing quarantine and unsigned apps are two big examples. Your development box won't help you do this testing.


As eskimo says, if you are distributing via a DMG, then that will need to be signed as well. I don't recommend using DMGs anymore though. Just distribute a zip file and in most cases it will be automatically expanded into the app. If there are "read me" files or similar things that you would have put into the root of the DMG image, move those into the app bundle and make them available via the Help menu or something.

I suggest keeping some pristine VMs around for testing app on-boarding.

Agreed. I maintain VMs for each major release of macOS (my boss graciously funded a 1 TB SSD!), and each one has a ‘fresh’ snapshot that I use for testing situations like this.

Just distribute a zip file and in most cases it will be automatically expanded into the app.

Yeah, I don’t like that approach because, unless the user moves your app, it ends up running translocated. While that shouldn’t affect its performance, it just seems wrong.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"