Using existing CA-issued cert to sign OS X application and keep Gatekeeper happy


I build an OS X app which is distributed as a DMG outside of the Mac App Store, and I'd like to continue to have it be that way once Gatekeeper enforcement begins.

From studying code signing documentation, it looks like the recommended approach is to get a "Developer ID" certificate and use that to codesign. However, you must be a registered OS X developer and pay Apple $99 each year. I already have a certificate from a recognized CA, and I would like to use it with codesign. I found documentation on how to do this, but I cannot tell whether Gatekeeper will allow applications signed using certs issued by other CAs, not Apple.

Does anyone know?

JWWalker (best answer)

Gatekeeper only recognizes apps signed with Developer ID, not just any signature. See this, which also explains how to test Gatekeeper functionality under Lion.

The point is that if Apple owns the certificate authority, they can revoke the certificate if your app turns out to be a trojan or something.
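To see which kind of chain a signed app carries, the following sketch triages the `Authority=` lines that `codesign -dvv` prints. It is an added example, not part of the original answer: the function name `classify_chain` is hypothetical and both sample outputs are constructed.

```shell
#!/bin/sh
# Triage a code signature from the "Authority=" lines of `codesign -dvv`
# (leaf certificate first, root last). This compares certificate NAMES only,
# which anyone can choose; `spctl --assess --type execute -vv App.app` on a
# Mac gives the authoritative Gatekeeper verdict.

# Constructed sample: a Developer ID chain.
SAMPLE_DEVID='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA'

# Constructed sample: a chain from a third-party CA.
SAMPLE_OTHER='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Authority=Example Corp
Authority=Example Code Signing CA
Authority=Example Root CA'

# classify_chain (hypothetical helper): reads `codesign -dvv` text on stdin
# and prints developer-id, other-ca, or no-chain (unsigned or ad hoc).
classify_chain() {
  leaf=""; root=""
  while IFS= read -r line; do
    case "$line" in
      Authority=*)
        root="${line#Authority=}"          # last Authority line is the root
        if [ -z "$leaf" ]; then leaf="$root"; fi   # first one is the leaf
        ;;
    esac
  done
  if [ -z "$leaf" ]; then echo "no-chain"; return 0; fi
  case "$leaf|$root" in
    "Developer ID Application: "*"|Apple Root CA") echo "developer-id" ;;
    *) echo "other-ca" ;;
  esac
}

# On a Mac, pass an app path; codesign writes its details to stderr.
if [ -n "${1:-}" ] && command -v codesign >/dev/null 2>&1; then
  codesign -dvv "$1" 2>&1 | classify_chain
fi
```

A result of `other-ca` corresponds to the case asked about in the question: a valid signature whose chain does not end in Apple's Developer ID hierarchy.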