This error can be caused by many things but I know about one more which I didn’t find anywhere else ;-).
In case you compile and deploy your app by using qtmacdeploy and sign your application immediately, everything will probably works fine. The problem occurs, when you need to copy your application to different location (for example during dmg building). In such cases, this error can occur:
bundle format is ambiguous (could be app or framework)
Althought codesign is executed as always, singing isn’t successful:
codesign --deep --force --verbose --sign "$SIGNNAME" ./Skipper.app
/path/Skipper.app/Contents/Frameworks/QtCore.framework: bundle format is ambiguous (could be app or framework)
The problem is, that during the copy it’s necessary to keep all symbolic links inside frameworks. Without this, singing will fail.
We encounter several problems when we tried to deploy our new version of ORM Designer – Skipper to our new web site skipper18.com. Although new Skipper installer is very simmilar to ORM Designer installer, when downloading this exe-file from the new site we are getting this error:
installer.exe is not commonly downloaded and could harm your computer
The problem is somewhere in chrome/IE when evaluating downloaded file. Probably combination of new site, new executable and new name of product is the problem.
To fix this issue, we decided to sign-in installer and application executable by Code-signing certificate. There are a lot of certificate providers and the costs are very different. A lot of providers are selling these certificate for around $500/year. Fortunately it’s possible to found certificates also for $75 – $95/year. The cheapest one is from tucows.com but based on the site and additional tools I decided for ksoftware.net, The price $95/year isn’t so different but they offer also command line and GUI signing tool for their certificates called kSign.
Order process
Fill your company details, pay with paypal and wait until someone from Comodo will contact you with additional details. It’s necessary to have the same contact information on the domain registration as on certificate registration. It is also necessary to have company registered in one of publicly available lists with the same company information as on certificate registration.
Next step is a validation through phone call. It is a quick call when you confirm registration info through the call in order to verify your phone number. Phone call is the last necessary step and then you receive email with certificate:
Usage
Signing of the application and installer is pretty easy. K-Software offers two applications for this purposes. The first one is with GUI, second one is command line based. Both applications need only few parameters like where the certificate is stored, certificate password, application description, link and executable location:
Command line application is executed through following command:
"OrmDesigner2" can't be opened because it is from an unidentified developer.
MacOS unidentified developer in ORM Designer
Solution
To solve this error message it’s necessary to do following steps:
Register in Apple developer program and pay $99 per year
Download and install developer certificate
Sign whole application
Test it!
1) Register on Developer.apple.com
You need to create registration here: https://developer.apple.com/. It’s necessary to fill info about contact person and company. After that, your registration will be reviewed by apple team and if everything will be OK, your registration will be approved.
Now you need to install this certificate to your developer machine. Simply double-click on certificate and let system to import it. You can check that certificate is imported in Go->Utilities->Keychain Access->login. Now search for “Developer ID Application: XXXX”
Note: In my case when I transfer certificate to several developer machines I need to migrate also other Apple certificates. Without that my certificate wasn’t a valid.
3) Sign your application
Now you need to sign your application including all plugins and frameworks inside app bundle. After you sing your app, you can’t do any changes in the bundle. So as first run your deploy as usual and as last step do app singing.
For ORM Designer sign script looks like this:
#go to deploy directory
cd $StarkDeploy.directory$/deploy
#sign app
codesign --force --verify --verbose --sign "Developer ID Application: Inventic s.r.o." ./OrmDesigner2.app
#sign all *.dylib files
find OrmDesigner2.app -name *.dylib | xargs -I $ codesign --force --verify --verbose --sign "Developer ID Application: Inventic s.r.o." $
#sign all Qt* frameworks
find OrmDesigner2.app -name Qt* -type f | xargs -I $ codesign --force --verify --verbose --sign "Developer ID Application: Inventic s.r.o." $
4) Test it!
As last step it’s necessary to test that sign process was successful. As first you can try following command line to validate it:
codesign -vvv -d OrmDesigner2.app
#RESULT:
Executable=/OrmDesigner2/DeployFiles/macos64/deploy/OrmDesigner2.app/Contents/MacOS/OrmDesigner2
Identifier=com.orm-designer.OrmDesigner2
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20100 size=174478 flags=0x0(none) hashes=8717+3 location=embedded
Hash type=sha1 size=20
CDHash=5a491e16f7dcca15b44af4XXXX1a2d2dcc786518
Signature size=4237
Authority=Developer ID Application: Inventic s.r.o. (6BYV46LH6T)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Signed Time=6 Jun 2013 23:16:08
Info.plist entries=10
Sealed Resources rules=4 files=27
Internal requirements count=1 size=212
Now when you checked that App is correctly signed, it’s time to try it on clean computer where no security policy changes was made. Upload your app and execute it.
If you don’t see annoying screen “Can’t execute application from unidentified developer”, you win ;-).
