Developer Blog - Inventic.eu

Tag: #developer

Mac OS - app can't be opened because the identity of the developer cannot be confirmed.

Starting with OS X 10.10, the existing code signing method doesn't work. If you have an application signed for 10.9 and the application works without problems, on 10.10 you will get the following error:

[Screenshot: 2015-02-05_1003]

How to verify the application's signing status from the command line:

codesign -dvvv /Applications/APP.app

Executable=/Applications/Skipper.app/Contents/MacOS/Skipper
Identifier=com.skipper.Skipper
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20100 size=239848 flags=0x0(none) hashes=11986+3 location=embedded
Hash type=sha1 size=20
CDHash=98839e7aa72de4105ac5ad8a2612682ba3bca53f
Signature size=4237
Authority=Developer ID Application: Inventic s.r.o. (6BYV46LH6T)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Signed Time=03 Feb 2015 17:38:21
Info.plist entries=10
TeamIdentifier=not set
Sealed Resources version=1 rules=4 files=44
Internal requirements count=1 size=300

As the verification output shows, the application is correctly signed, but OS X doesn't accept it. Another way to verify the application's signing status is the **spctl** command:

spctl --assess --type execute --verbose Skipper.app/

Skipper.app/: rejected
source=obsolete resource envelope

At least we have an error now. Next it's necessary to find out what is wrong. We can try one more test:

codesign -v Skipper.app/
Skipper.app/: resource envelope is obsolete (version 1 signature)

where we get a little more detail. We get all these errors only on a 10.10 Mac, not on 10.9 or older.

After further investigation I found the following article. The most important part is:

"Important: For your apps to run on updated versions of OSX they must be signed on OS X version 10.9 or later and thus have a version 2 signature."

Another post about this topic is on the felix-schwarz.org blog.

So, it's bad. We need to update our build machine to 10.9 or at least create a new "sign machine" and make sure that everything works as expected.

05 Feb 2015

Posted by: ludek.vodicka

Programming Mac OS #developer #mac #sign

How to sign your Qt Mac OS X App for Gatekeeper

Starting with Mac OS 10.8, Apple requires applications to have a certificate. Without that certificate (or without the additional system tweaks described on our product support page: http://support.orm-designer.com/5/macos-mountain-lion-10-8-unidentified-developer ) the user will see the following message:

"OrmDesigner2" can't be opened because it is from an unidentified developer.

[Screenshot: MacOS unidentified developer in ORM Designer]

Solution

To get rid of this error message, it's necessary to do the following steps:

  1. Register in the Apple developer program and pay $99 per year
  2. Download and install the developer certificate
  3. Sign the whole application
  4. Test it!

**1) Register on Developer.apple.com**

You need to create a registration here: https://developer.apple.com/. It's necessary to fill in information about the contact person and company. After that, your registration will be reviewed by the Apple team and, if everything is OK, it will be approved.

**2) Use Apple site to generate certificates**

Open https://developer.apple.com/account/overview.action, choose **Certificates**, and click Add. Then select the certificate parameters suitable for your needs. In my case it was **Mac Development** and **Developer ID**.

Now you need to install this certificate on your developer machine. Simply double-click the certificate and let the system import it. You can check that the certificate is imported in **Go->Utilities->Keychain Access->login**. Now search for "Developer ID Application: XXXX".

[Screenshot: MacOS certificate]

**Note:** In my case, when I transfer the certificate to several developer machines, I also need to migrate the other Apple certificates. Without that, my certificate wasn't valid.

**3) Sign your application**

Now you need to sign your application, including all plugins and frameworks inside the app bundle. **After you sign your app, you can't make any changes in the bundle.** So first run your deploy as usual, and do the app signing as the **last step**.

For ORM Designer, the sign script looks like this:

# go to the deploy directory
cd $StarkDeploy.directory$/deploy

# sign nested code first: all *.dylib files (pattern quoted so the shell does not expand it)
find OrmDesigner2.app -name "*.dylib" | xargs -I {} codesign --force --verify --verbose --sign "Developer ID Application: Inventic s.r.o." {}

# sign all Qt* framework binaries
find OrmDesigner2.app -name "Qt*" -type f | xargs -I {} codesign --force --verify --verbose --sign "Developer ID Application: Inventic s.r.o." {}

# sign the app bundle last, so nothing inside it changes after it is sealed
codesign --force --verify --verbose --sign "Developer ID Application: Inventic s.r.o." ./OrmDesigner2.app

**4) Test it!**

As the last step, it's necessary to test that the signing process was successful. First, you can try the following command line to validate it:

codesign -vvv -d OrmDesigner2.app

#RESULT:
Executable=/OrmDesigner2/DeployFiles/macos64/deploy/OrmDesigner2.app/Contents/MacOS/OrmDesigner2
Identifier=com.orm-designer.OrmDesigner2
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20100 size=174478 flags=0x0(none) hashes=8717+3 location=embedded
Hash type=sha1 size=20
CDHash=5a491e16f7dcca15b44af4XXXX1a2d2dcc786518
Signature size=4237
Authority=Developer ID Application: Inventic s.r.o. (6BYV46LH6T)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Signed Time=6 Jun 2013 23:16:08
Info.plist entries=10
Sealed Resources rules=4 files=27
Internal requirements count=1 size=212

Now that you have checked that the app is correctly signed, it's time to try it on a clean computer where no security policy changes were made. Upload your app and execute it.

If you don't see the annoying screen "Can't execute application from unidentified developer", **you win** ;-).
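The `Sealed Resources` line of the `codesign -dvvv` output is what separates the 2013 signature above from one that OS X 10.10 accepts: the 10.10 post on this page shows `version=1` being rejected as an obsolete resource envelope. The script below is an added example, not part of the original posts; it gates an app bundle release on that text, and the function name `check_codesign_report` and its verdict strings are assumptions.

```shell
#!/bin/sh
# Added example: read the text printed by `codesign -dvvv` for an .app bundle
# on stdin and print one verdict line; exit status is non-zero on FAIL.
# check_codesign_report is a hypothetical name, not part of codesign.
check_codesign_report() {
    awk '
        # The first Authority= line is the leaf certificate that signed the code.
        /^Authority=/ && leaf == "" { leaf = substr($0, 11) }
        /^Sealed Resources/ {
            sealed = 1
            # The 2013 output on this page has no version field; count it as 1.
            ver = 1
            for (i = 1; i <= NF; i++)
                if ($i ~ /^version=/) ver = substr($i, 9) + 0
        }
        END {
            if (leaf == "") { print "FAIL unsigned: no Authority line"; exit 1 }
            if (leaf !~ /^Developer ID Application: /) {
                print "FAIL not a Developer ID signature: " leaf; exit 1
            }
            if (!sealed) { print "FAIL no Sealed Resources line"; exit 1 }
            if (ver < 2) {
                print "FAIL resource envelope version " ver ", re-sign on 10.9 or later"
                exit 1
            }
            print "OK version " ver " signature by " leaf
        }
    '
}

# Sample input: lines taken from the 10.10 post on this page (Skipper.app).
sample_v1='Authority=Developer ID Application: Inventic s.r.o. (6BYV46LH6T)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Sealed Resources version=1 rules=4 files=44'

# Prints the FAIL verdict for the version 1 envelope.
printf '%s\n' "$sample_v1" | check_codesign_report || true

# On a Mac, codesign -d writes its report to stderr, so redirect it:
#   codesign -dvvv OrmDesigner2.app 2>&1 | check_codesign_report
```

Run it on the build machine after the signing step, alongside `spctl --assess --type execute`, so a version 1 signature is caught before the bundle ships.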


07 Jun 2013

Posted by: ludek.vodicka

Qt Mac OS #MacOs #certificate #developer