Gatekeeper
122 views
Skip to first unread message
Rob McBroom
Oct 16, 2013, 1:32:44 PM10/16/13
to quicksilver-...@googlegroups.com
First off, I’m going to be more or less inactive for the next week, but I’ll be back around the 23rd.
Now, Gatekeeper. I went to 10.9 last night and found that code signing would suddenly fail.
I found some helpful information, courtesy of Craig Otis.
http://stackoverflow.com/questions/17263967/codesign-of-dropbox-api-fails-in-xcode-4-6-3-code-object-is-not-signed-at-all
So I tried setting `OTHER_CODE_SIGN_FLAGS = "--deep"` in my build script. That got the project building again, but validating with Gatekeeper would fail with `Quicksilver.app: nested code is modified or invalid`.
So after some more screwing around, I found something that will work: Build, then sign manually `codesign -s "Developer ID Application" --deep /tmp/QS/build/Release/Quicksilver.app`. Since I have a script that does all this anyway, it’s not that big a deal.
Here’s the problem. The DMG is created as part of the build process, so the application is put into the DMG *before* it’s signed. (And, as previously discussed, we can’t make signing part of the build process because it only works for me.)
What would you think about pulling the DMG step out of the project and I’ll just add it to my script? I hate waiting for it all the time anyway, and it doesn’t do you any good unless you’re actually putting out a release.
--
Rob McBroom
<http://www.skurfer.com/>
Now, Gatekeeper. I went to 10.9 last night and found that code signing would suddenly fail.
I found some helpful information, courtesy of Craig Otis.
http://stackoverflow.com/questions/17263967/codesign-of-dropbox-api-fails-in-xcode-4-6-3-code-object-is-not-signed-at-all
So I tried setting `OTHER_CODE_SIGN_FLAGS = "--deep"` in my build script. That got the project building again, but validating with Gatekeeper would fail with `Quicksilver.app: nested code is modified or invalid`.
So after some more screwing around, I found something that will work: Build, then sign manually `codesign -s "Developer ID Application" --deep /tmp/QS/build/Release/Quicksilver.app`. Since I have a script that does all this anyway, it’s not that big a deal.
Here’s the problem. The DMG is created as part of the build process, so the application is put into the DMG *before* it’s signed. (And, as previously discussed, we can’t make signing part of the build process because it only works for me.)
What would you think about pulling the DMG step out of the project and I’ll just add it to my script? I hate waiting for it all the time anyway, and it doesn’t do you any good unless you’re actually putting out a release.
--
Rob McBroom
<http://www.skurfer.com/>
Patrick Robertson
Oct 16, 2013, 8:35:20 PM10/16/13
to quicksilver-...@googlegroups.com
Sounds good to me, perhaps you could do the following:
* Leave the build DMG tool in the Tools folder
* Create a new 'tool' in the Tools folder for doing the whole build/sign/DMG/release process. Maybe you can use an environment variable for "Developer ID Application"?
That way, if anybody else wants to/has to sign in the future they can just run that one last tool and not worry about having to know any fancy code signing commands ;-)
> --
> You received this message because you are subscribed to the Google Groups "Quicksilver - Development" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to quicksilver---deve...@googlegroups.com.
> For more options, visit https://groups.google.com/groups/opt_out.
* Leave the build DMG tool in the Tools folder
* Create a new 'tool' in the Tools folder for doing the whole build/sign/DMG/release process. Maybe you can use an environment variable for "Developer ID Application"?
That way, if anybody else wants to/has to sign in the future they can just run that one last tool and not worry about having to know any fancy code signing commands ;-)
> You received this message because you are subscribed to the Google Groups "Quicksilver - Development" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to quicksilver---deve...@googlegroups.com.
> For more options, visit https://groups.google.com/groups/opt_out.
Patrick Robertson
Oct 16, 2013, 8:35:59 PM10/16/13
to quicksilver-...@googlegroups.com
Oh, and thanksgiving holiday?
Whatever it is - have fun and enjoy :)
Whatever it is - have fun and enjoy :)
Rob McBroom
Oct 17, 2013, 8:21:56 AM10/17/13
to quicksilver-...@googlegroups.com
On Oct 16, 2013, at 8:35 PM, Patrick Robertson <robertso...@gmail.com> wrote:
> Sounds good to me, perhaps you could do the following:
>
> * Leave the build DMG tool in the Tools folder
Yeah, I was planning on it.
> Sounds good to me, perhaps you could do the following:
>
> * Leave the build DMG tool in the Tools folder
> * Create a new 'tool' in the Tools folder for doing the whole build/sign/DMG/release process. Maybe you can use an environment variable for "Developer ID Application”?
The signing ID can just be hard-coded to “Developer ID Application” I think. I discovered that yesterday. Previously, it was “Developer ID Application: Your Name”, which *would* have to be in a variable, but there’s a new setting in Xcode labeled “Developer ID Application: *” and if you set it, it gives the value I’m using now. It still seems to sign correctly with that value.
Reply all
Reply to author
Forward
0 new messages